Good point about MITM doing script injection, which I hadn't fully
considered. I'm not sure that going to HTTPS would solve everything (e.g.
that alone wouldn't prevent the origin site from reading passwords that
someone enters into the tool, and HTTPS is not foolproof) but it would
indeed be a big step in the right direction to avoid MITM.
I wonder (looking at the WMF people in the room) how quickly could WMF
deploy a password strength checking tool to the Wikimedia sites? That won't
solve all of the problems but it would be a step in the right direction.
Pine
On Thu, Nov 17, 2016 at 10:00 AM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
> On Thu, Nov 17, 2016 at 12:28 PM, Pine W <wiki.pine(a)gmail.com> wrote:
>
> > 1. If you don't trust that strength testing site (which is fine), choose
> > another. I did a couple of quick checks on that site; while it's entirely
> > possible that I missed something, it appeared to me that the site was not
> > sending passwords over the Internet, whether in the clear or encrypted. The
> > use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
> > the first place.
> >
>
> Or use a password manager that has a local built-in password strength tool,
> that way you don't risk being MiTMed by an HTTP site.
>
> In general, as mentioned, you should simply not enter your password on any
> website that is not the site the password belongs to. For my full-time job,
> employees have a Chrome extension where if you accidentally type your password on
> any website (even if it's not in a text box) you're required to reset it.
>
> *-- *
> Regards,
>
> *Tyler Romeo*
> 0x405d34a7c86b42df
> https://parent5446.nyc
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l(a)lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
I'm not sure that I agree with that assessment *of password strength
testing tools* (not humans), for a couple of reasons.
0. Weak passwords are a huge problem, and may be closely related to the
weakness that the attackers are currently using to compromise Wikimedia
accounts. As far as I know, Wikimedia currently has no internal way to deal
with that problem. We *should* have a way to deal with that problem, but it
seems to me that using a tool that I recommended is the lesser of two evils
at the moment. In the long run, it would be much better if Wikimedia had an
internal tool to validate the strength of users' passwords and block
passwords that fall below a certain strength level.
1. If you don't trust that strength testing site (which is fine), choose
another. I did a couple of quick checks on that site; while it's entirely
possible that I missed something, it appeared to me that the site was not
sending passwords over the Internet, whether in the clear or encrypted. The
use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
the first place.
Do you have a better solution in mind to deal with the immediate problem of
weak passwords, besides 2FA which is not available to everyone?
Pine
On Thu, Nov 17, 2016 at 12:08 AM, Antoine Musso <hashar+wmf(a)free.fr> wrote:
> On 16/11/2016 at 19:19, Pine W wrote:
> >
> > (0) Consider testing your password strength with a tool like
> > http://www.testyourpassword.com/; be sure that the tool you use does not
> > send your chosen password over the Internet and instead tests it locally.
>
> By using an online testing tool, you are effectively breaking the very
> first rule:
>
> DO NOT GIVE OUT YOUR PASSWORD. EVER.
>
> Using that site is exactly like sharing your password with a random
> stranger in the world. Even if you trusted that website, and audited
> the code at a given point in time, you have no guarantee the site hasn't
> changed or that it is not collecting passwords.
>
>
>
>
> --
> Antoine "hashar" Musso
Hello all,
As some of you may have seen there are two open positions (both paid) in
the Community Engagement department for internships on the Learning &
Evaluation team:
- Communications Intern: (6 months, up to 30 hours/week) We are looking
for a candidate who works and / or studies in the field of communications,
has excellent verbal and written English communications skills and the
ability to excel in a fast-paced, multitasking environment. Knowledge
and/or experience with Wikimedia Projects a plus!
The Communications Intern will primarily support conference communications
for the Community Engagement Team (including event planning and materials
preparation), help plan workshops and community events for program leaders
(as well as document the outcome of those events), and assist with the
coordination of technology supports for communications and events. You can
find the complete job description here:
https://boards.greenhouse.io/wikimedia/jobs/488571#.WCHxXOErKRs
- Technical Intern (3 months up to 20 hours/week) We are looking for a
candidate that has experience in Mediawiki mark-up and technical
communications experience in designing for web content curation and user
flow, has proficiency in at least three of the following programming
languages: Javascript, Lua, Python, MySQL, has experience developing or
administrating MediaWiki websites. The candidate should have a strong
interest in archival systems, searchability and usable portals on wiki, and
technical skills for designing Wikimedia templates and pages.
The Technical Design Intern will work closely with the Communications and
Outreach Coordinator (that would be me!) on the Wikimedia Resource Center,
the redesign of the Evaluation Portal on Meta Wikimedia, and migration and
archiving of L&E portal pages from existing namespaces to new namespace,
among other tasks. You can find the complete job description here:
https://boards.greenhouse.io/wikimedia/jobs/488570#.WBE6X-ErKRs
If you are interested, please apply. If you know someone who might fit this
position, please forward the email to them!
Cheers,
María
In addition to the suggestions from Tim:
(0) Consider testing your password strength with a tool like
http://www.testyourpassword.com/; be sure that the tool you use does not
send your chosen password over the Internet and instead tests it locally.
(1) If you find it difficult to remember strong passwords then consider
using a password manager <https://en.wikipedia.org/wiki/Password_manager>.
(2) As a variation on the suggestions above, please *do not* use the same
password, or a similar password, for your email account that you use for
your Wikimedia password. This applies both to WMF email accounts and
community email accounts.
(3) Also consider changing, testing, and upgrading your passwords for your
bot accounts.
(4) Also consider changing, testing, and upgrading your passwords for your
IRC accounts.
Pine
On Wed, Nov 16, 2016 at 1:57 AM, Tim Starling <tstarling(a)wikimedia.org>
wrote:
> Since Friday, we've had a slow but steady stream of admin account
> compromises on WMF projects. The hacker group OurMine has taken credit
> for these compromises.
>
> We're fairly sure now that their mode of operation involves searching
> for target admins in previous user/password dumps published by other
> hackers, such as the 2013 Adobe hack. They're not doing an online
> brute force attack against WMF. For each target, they try one or two
> passwords, and if those don't work, they go on to the next target.
> Their success rate is maybe 10%.
>
> When they compromise an account, they usually do a main page
> defacement or similar, get blocked, and then move on to the next target.
>
> Today, they compromised the account of a www.mediawiki.org admin, did
> a main page defacement there, and then (presumably) used the same
> password to log in to Gerrit. They took a screenshot, sent it to us,
> but took no other action.
>
> So, I don't think they are truly malicious -- I think they are doing
> it for fun, fame, perhaps also for their stated goal of bringing
> attention to poor password security.
>
> Indications are that they are familiarising themselves with MediaWiki
> and with our community. They probably plan on continuing to do this
> for some time.
>
> We're doing what we can to slow them down, but admins and other users
> with privileged access also need to take some responsibility for the
> security of their accounts. Specifically:
>
> * If you're an admin, please enable two-factor authentication.
> <https://meta.wikimedia.org/wiki/H:2FA>
> * Please change your password, if you haven't already changed it in
> the last week. Use a new password that is not used on any other site.
> * Please do not share passwords across different WMF services, for
> example, between the wikis and Gerrit.
>
> (Cross-posted to wikitech-l and wikimedia-l, please copy/link
> elsewhere as appropriate.)
>
> -- Tim Starling
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l(a)lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
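A defender-side view of the pattern Tim describes (one or two password tries per account, spread across many accounts), as an added example that is not from the thread or from WMF: it flags sources in an authentication log that show this shape. The log format, account names, addresses and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample auth events (not real data), one per line:
#   <ISO time> <source IP> <account> <OK|FAIL>
SAMPLE_LOG = """\
2016-11-16T01:00:02Z 203.0.113.7 AdminA FAIL
2016-11-16T01:00:09Z 203.0.113.7 AdminA FAIL
2016-11-16T01:04:40Z 203.0.113.7 AdminB FAIL
2016-11-16T01:09:13Z 203.0.113.7 AdminC OK
2016-11-16T01:15:55Z 203.0.113.7 AdminD FAIL
2016-11-16T01:16:03Z 203.0.113.7 AdminD FAIL
2016-11-16T01:21:30Z 203.0.113.7 AdminE FAIL
2016-11-16T01:02:00Z 198.51.100.20 AdminA FAIL
2016-11-16T01:02:05Z 198.51.100.20 AdminA FAIL
2016-11-16T01:02:09Z 198.51.100.20 AdminA FAIL
2016-11-16T01:02:14Z 198.51.100.20 AdminA FAIL
2016-11-16T01:30:00Z 192.0.2.44 AdminF FAIL
2016-11-16T01:30:20Z 192.0.2.44 AdminF OK
"""


def parse_events(text):
    """Parse log text into (time, source, account, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip blank or malformed lines
        ts, src, account, result = parts
        events.append((ts, src, account, result == "OK"))
    return events


def find_reuse_sources(events, min_accounts=5, max_tries=2):
    """Flag sources that touch many accounts with only a few tries each."""
    per_source = defaultdict(lambda: defaultdict(list))
    for _ts, src, account, ok in events:
        per_source[src][account].append(ok)

    findings = []
    for src, accounts in per_source.items():
        # Accounts this source gave up on (or got into) within max_tries.
        shallow = {a: r for a, r in accounts.items() if len(r) <= max_tries}
        if len(shallow) < min_accounts:
            continue
        hit = sorted(a for a, r in shallow.items() if any(r))
        findings.append({
            "source": src,
            "accounts_targeted": len(shallow),
            "compromised": hit,  # candidates for forced password reset
            "success_rate": len(hit) / len(shallow),
        })
    return sorted(findings, key=lambda f: -f["accounts_targeted"])


if __name__ == "__main__":
    for finding in find_reuse_sources(parse_events(SAMPLE_LOG)):
        print(finding)
```

A per-account failure counter does not catch this shape, because no single account sees more than two failures; grouping by source does.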
---------- Forwarded message ----------
From: Samantha Lien <slien(a)wikimedia.org>
Date: Thu, Nov 10, 2016 at 7:32 PM
Subject: Invitation to WMF November 2016 Metrics & Activities Meeting:
Thursday, November 17, 19:00 UTC
To: wikimediaannounce-l(a)lists.wikimedia.org
Hello everyone,
The next Wikimedia Foundation metrics and activities meeting will take
place on Thursday, November 17, 2016 at 7:00 PM UTC (11 AM PST). The IRC
channel is #wikimedia-office on irc.freenode.net, and the meeting will be
broadcast as a live YouTube stream.
Update/change to meeting format: The Wikimedia Foundation is exploring a
revised format for the November meeting. Our intent is to share work from
the Foundation and movement, but also to connect our work more broadly
within the movement’s biggest opportunities and challenges.
To do this, we are piloting the November meeting around a theme that has
been at the forefront of much of our work recently: “Building an inclusive
movement.”
In November, speakers will highlight projects, initiatives, and work that
actively foster inclusivity within our movement -- to create a space for
everyone to contribute and share in knowledge on the Wikimedia sites.
Here is the agenda for the November meeting:
* Welcomes, theme introduction - “Building an inclusive movement”
* Executive Director update
* Community update
* June 2016 Inspire Campaign - Chris Schilling
* Guest speaker - Wikipedia Asian Month - Addis Wang
* Questions and discussion
* Wikilove
As you may have seen, we are inviting a guest speaker to participate at the
November meeting. Addis Wang, an active member of the Wikimedia User Group
China, will be sharing some of his work with Wikipedia Asian Month and his
efforts to create an inclusive space and invite people to participate in
the edit-a-thon.
In future meetings, we would like to have one guest speaker from a
Wikimedia community or someone from outside the movement present on their
work that ties in with that month’s theme. (More information to come on
this process moving forward, and who to reach out to if you would like to
present in future meetings).
If you have any questions about the new format, please feel free to reach
out to me, Sam Lien, at the Communications department slien(a)wikimedia.org.
Please review
https://meta.wikimedia.org/wiki/Wikimedia_Foundation_metrics_and_activities_meetings
for further information about the meeting and how to participate.
We will post the video recording publicly after the meeting.
Thank you,
Sam
--
*Samantha Lien*
Communications Manager
Wikimedia Foundation
149 New Montgomery Street
San Francisco, CA 94105
[Apologies for cross-posting]
Hi everyone,
Almost a year ago, we [1] embarked on a research project to understand who
Wikipedia readers are. More specifically, we set a goal for finding a
taxonomy of Wikipedia readers. In the upcoming Research Showcase, I will
present the findings of this research.
*Logistics*
The Research Showcase will be live-streamed on Wednesday, November 16, 2016
at 11:35 (PST) 19:35 (UTC).
YouTube stream: https://www.youtube.com/watch?v=O24F1xkbNwI
As usual, you can join the conversation on IRC freenode at
#wikimedia-research. And, you can watch our past research showcases at
https://www.mediawiki.org/wiki/Wikimedia_Research/Showcase.
*Title*
Why We Read Wikipedia
*Abstract*
Every day, millions of readers come to Wikipedia to satisfy a broad range
of information needs, however, little is known about what these needs are.
In this presentation, I share the results of research that sets out to help us
understand Wikipedia readers better. Based on an initial user study on
English, Persian, and Spanish Wikipedia, we build a taxonomy of Wikipedia
use-cases along several dimensions, capturing users’ motivations to visit
Wikipedia, the depth of knowledge they are seeking, and their knowledge of
the topic of interest prior to visiting Wikipedia. Then, we quantify the
prevalence of these use-cases via a large-scale user survey conducted on
English Wikipedia. Our analyses highlight the variety of factors driving
users to Wikipedia, such as current events, media coverage of a topic,
personal curiosity, work or school assignments, or boredom. Finally, we
match survey responses to the respondents’ digital traces in Wikipedia’s
server logs, enabling the discovery of behavioral patterns associated with
specific use-cases. Our findings advance our understanding of reader
motivations and behavior on Wikipedia and have potential implications for
developers aiming to improve Wikipedia’s user experience, editors striving
to cater to (a subset of) their readers’ needs, third-party services (such
as search engines) providing access to Wikipedia content, and researchers
aiming to build tools such as article recommendation engines.
*How to prepare? What to expect?*
If you decide to attend, here are a few things I would like to ask you to
keep in mind, especially if this will be your first time to one of our
research showcases:
* Like many other research projects in fields that are not heavily
explored, the findings of this research will create more questions than
they answer. I encourage you to keep these questions in mind throughout the
presentation and discussion: "What can we do with this finding? What other
questions can we ask? What other ideas can we try?"
* Be open to ask these questions to yourself, especially if you are a
Wikipedia editor, even before coming to the showcase: "Why do I edit
Wikipedia? Who am I writing the content for, if anyone? Will I change the
way I write content if I know more about who reads it (to encourage or
discourage certain types of reading or readers)? What needs an encyclopedia
should serve? What is Wikipedia: A place one can quickly find the answer to
his/her questions, or a place that one can go to when he/she wants to spend
a quiet time reading and learning, or a place for both and even more? etc."
* And, see if you would be interested to see the result of this study in
your language. What will be presented is based on research on English,
Persian, and Spanish Wikipedia (the data from the latter two projects have
been used only for one part of the research). We are interested in running
the study on at least 2-3 more languages to understand the robustness of
some of the results across different languages, and to also help
communities with having access to the results for their specific language
project.
Looking forward to seeing you there, and if you can't make it, please feel
free to watch the video later and get in touch with us with
questions/comments. :)
Best,
Leila
--
Leila Zia
Senior Research Scientist
Wikimedia Foundation
[1] WMF Research and researchers from three academic institutions: EPFL,
GESIS, and Stanford University, in collaboration with WMF Reading.
Hey all,
Today Apple announced a bunch of 501(c)3 partners which now can use Apple
Pay to make instant donations. Announcement at:
http://www.apple.com/newsroom/2016/11/a-touch-of-giving-with-apple-pay.html
Does WMF fundraising have plans to integrate with Apple Pay, especially on
mobile devices? I understand that right now it's limited to the US and the
team has been focusing a ton on international payment providers (which is
great). Given that payments on mobile are such a huge headache and
declining desktop traffic to Wikimedia properties, it might be an
interesting pilot to explore nonetheless.
Friends,
TL; DR
After almost five years of professional engagement with the South Asian
language Wikimedia communities, I have decided to step down from my current
role. And I will remain a Wikipedian friend of yours who you can reach out
to in a volunteer capacity on my talk page.
——
I was about to complete my first wiki-versary when I joined the Wikimedia
Foundation’s India Program as a Consultant for Community and Program
Support. The program ran until August of 2012 and then got housed at the
Centre for Internet Society’s Access to Knowledge program (CIS-A2K) [0].
Thanks to Sunil, Pranesh, Nirmita, Nishant and many others at the CIS
family who embraced my team from India Program with great amount of trust.
CIS became more like a family for me all these years. It will always remain
my other home and alma mater - calling CIS a former employer will be quite
an understatement. I feel I grew as a person along with the organization
that is today a noted name for its research in openness, accessibility,
privacy, IP reform, access to knowledge, and digital humanity.
Over these years I have had the most memorable time in my personal and
professional life. I have traveled a lot in the country and across the
world, met many friends in the Wikimedia and the open knowledge community,
and had the privilege of working on many important projects both locally
and globally. The South Asian language Wikimedia communities that I have
worked with have not just been patient and understanding, but have been my
mentor in many ways. I thank you all wholeheartedly for being such great
friends and guides. And I hope that I have added some value to your
community, project and the larger Wikimedia movement.
This was an incredible journey and I feel really honored to see as many as
three new Wikimedia projects taking birth where I had a chance to
contribute. Many of you have shared your stories in an interview series
WikipediansSpeak [1] that I started during my time at CIS, and I felt so
touched and connected to many people that spoke languages that I never even
understood. I want to thank many Wikimedians both from the Indian and the
global Wikimedia community that participated in @WeAreWikipedia [2], a
rotation curation project on Twitter that I started as a voluntary project.
The good news is @WeAreWikipedia has always been and will be a
volunteer-led project even after I leave my professional role at CIS.
In the last few days of my work at CIS, my biggest worry was if I will be
able to give much time to wrap up Project Ol Chiki [3], a project to create
typeface family and input tools for the Ol Chiki script (used to write the
Santali language) that I was leading. I would like to personally thank
colleagues T.Vishnuvardhan (former Programme Director of CIS-A2K) for his
guidance, Pooja Saxena for designing the typeface and several other
peripherals, Prof. Damayanti Besra and other friends of the
Santali-language community who have reviewed the typeface, and Wikimedians
Jnanaranjan Sahu and Nasim Ali who have created the input tools. A few
years of my childhood was spent in a place where 30% of people spoke this
aboriginal language Santali, and I cannot share how nostalgic it felt when
the opportunity came to lead this project.
Once again, thank you to all the friends in the Wikimedia community, and the
larger openness movement for your kind support over all these years. In the
long road, this was a great milestone but there are many more to come. I
hope to continue working with you in my volunteer capacity, and/or maybe
in my new role.
Where am I heading next?
Some of you might know this already. I am super excited that the next
milestone is going to be another open source community as I am joining
Mozilla’s Participation team as South Asia Community Catalyzer [4]. I am
super excited for it. And I will keep seeing you all amazing people on the
Wikimedia projects like before.
Do feel free to get in touch with me on my talk page at User:Psubhashish,
or over email at psubhashish (at) gmail (dot) com, or at @subhapa on both
Twitter and Telegram.
0. https://meta.wikimedia.org/wiki/CIS-A2K
1. https://commons.wikimedia.org/wiki/WikipediansSpeak
2. https://twitter.com/wearewikipedia
3. https://www.mediawiki.org/wiki/Project_Ol_chiki
4. https://discourse.mozilla-community.org/t/introducing-our-new-south-asia-community-catalyzer/11975
Love,
Subhashish
Subhashish Panigrahi
Programme Officer, Access To Knowledge
Centre for Internet and Society
@subhapa / https://cis-india.org
Just a reminder that we are running community sessions relating to our
online fundraising efforts over the next week. They will focus on new
banner and email designs and new ideas for appeals.
It's vital to get community input for the fundraiser since it ultimately
represents our whole movement.
Please do sign up here:
* https://meta.wikimedia.org/wiki/Fundraising/Community_Feedback_Series_2
The dates are as follows:
Thursday 17th November - 1300 UTC
Thursday 17th November - 1900 UTC
Tuesday 21st November - 0100 UTC
Regards
--
Seddon
*Advancement Associate (Community Engagement)*
*Wikimedia Foundation*
We, Wikimedians of Bulgaria, led by Spasimir Pilev (User:Спасимир), have
started this year's Archives Challenge! There are over 6500 images of
people, Bulgaria, the world, ethnography and more to be used on Wikipedia.
And you can help doing this by participating, translating the page in your
language, and spreading the word about it in your communities.
There are no remunerative prizes, only the one that you would help in the
spirit of free knowledge with global usage of public domain materials.
We invite you to join us in organising something like an Archives World Cup
where we promote materials from worldwide partnerships with archives to the
worldwide Wikimedian community.
Join us on Meta: https://meta.wikimedia.org/wiki/Archives_Challenge_2016
* We keep the right to decide to reward some of the participants in any way
we like.
Best regards,
Nikola / User:Lord Bumbury
Wikimedians of Bulgaria