Okay, how about now? Any comments would be appreciated.
Original: http:///www.twoevils.org/files/wiki/Rabbit.html
Minimal: http:///www.twoevils.org/files/wiki/Rabbit-minimal.html
Note that I think the footer (on all the pages) should be changed from
'It was last modified...' to '(Article title) was last modified...'; but
that isn't part of my skin. :)
--
Nick Reinking -- eschewing obfuscation since 1981 -- Minneapolis, MN
So, if the masses finally decide that we "need" SSL, who's paying for
the security certificate? Or would we have to plan to run without a
properly signed cert?
Of course, the certificate would have to be "owned" by someone. Whose
name is going to be on the certificate? Bomis'? That wouldn't make
sense, since we'd have to get a new one when the non-profit is set up.
Whether SSL is a good idea in this situation isn't the issue. Setting
it up properly involves getting some other things done first. IMHO,
moving forward on SSL at this point would be slightly premature.
Jason
Tomasz Wegrzanowski wrote:
> On Mon, Mar 31, 2003 at 01:38:19PM -0600, Lee Daniel Crocker wrote:
> > > (Tim Starling <ts4294967296(a)hotmail.com>):
> > >
> > > If we really want to be serious about security we'll have to use
> > > ssl for login, but I don't know how to do that.
> >
> > That's entirely too paranoid. Frankly, I don't see much need
> > for high security of Wikipedia logins. It's not like we're
> > storing medical records. (Oh my God! My neighbor might find
> > out that I like the "Nostalgia" skin!) The only real risk is
> > that someone might log in as me and make edits in my name, but
> > then I'd just disavow them and change my password.
>
> We should make it an option to login via SSL at least for sysops.
> It's pretty dangerous to send sysop passwords unencrypted.
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l(a)wikipedia.org
> http://www.wikipedia.org/mailman/listinfo/wikitech-l
--
"Jason C. Richey" <jasonr(a)bomis.com>
>Si.
>And remember, on the first of january 2003, someone
>took over three sysops accounts on the french wiki,
>and indicated our passwords in clear to the three of
>us.
>So...well...security...hum
If we really want to be serious about security we'll have to use ssl for
login, but I don't know how to do that.
-- Tim Starling
_________________________________________________________________
MSN Instant Messenger now available on Australian mobile phones. Go to
http://ninemsn.com.au/mobilecentral/hotmail_messenger.asp
http://www.search.com/search?channel=19&cat=63
On this page you can send a search query to several encyclopedias, but
Wikipedia does not work anymore.
There must be more websites that send direct queries to Wikipedia and now do
not work anymore.
Is there anything that can be done?
--
Contact: giskart AT wikipedia.be
Want to write an article too? WikipediaNL, the free GNU/FDL encyclopedia
http://www.wikipedia.be
> > In any case, do you plan to keep up the site? A Wikipedia mirror would
> > certainly be nice.
> >
>It would be if it respected the copyright of the text and the code. It
>clearly doesn't, yet. For one thing, they need to change the name of their
>mirror. But I hope they're willing to work with us to make it comply with
>the GFDL.
Wikipedia is a great resource (that I have personally enjoyed contributing
information to) and we respect the work and effort that has gone into its
creation. We want to support that effort, and definitely want to comply
with the licence terms. Any assistance (by pointing out problems) you can
give us is greatly appreciated. We will modify our installation to make it
compliant.
>There are also questions about the GPL phpwiki code that are
>raised, though it does seem at first blush that they're properly keeping
>their code separate from ours.
Yes, we believe this is the case. InfoWrangler Server is a stand alone
application that provides a service to Wikipedia. It does not rely on any
database info, or code from Wikipedia.
We have of course modified some of the PHP code of Wikipedia so that
appropriate calls are made to InfoWrangler Server when a page is
viewed/created/edited. This is currently being packaged and will be
released to the Wikipedia development team when it's ready.
Once again, we wish to support the Wikipedia project and respect the
licensing scheme it is released under.
Regards - Langdon
----------------------------------------------------
Managing Director
Object Positive
Sydney, Australia
Ph: + 61 2 9659 2344
Fx: + 61 2 9659 2355
http://www.infowrangler.com
>
>"I'm open to suggestions as to the setting of $delay. If anyone wants to
>see
>the rest of the code, I'll send it by private email.
>
>-- Tim Starling."
>
>What's up with this guy?
>
>Fred
Sorry if I gave the wrong impression, but the reason I'm sending it by
private email is so that I control who gets it. As I said on User:Timbot:
:In keeping with Wikipedia policy, the source code is secret,
:however, it will be made available via email to well-behaved
:users if required
Fred, you've been here only since November, your first post to wikitech-l
was in February. With those 224 edits, you've only managed to piss me off
with a non-productive and persistent edit war over chiropractic medicine. In
that short time, you've managed to form an impression in my mind of
unilateralism and an aversion to real debate. You're not in a position to
contribute to the approval process, so why do you want the bot code? That
bot could be used very destructively if it fell into the hands of someone
interested in enforcing partisan article names. With a minor modification,
it could be made into an automated revert-bot.
Perhaps if The Cunctator or Lee have formed a better impression of you, you
can convince one of them to give you the code.
-- Tim Starling.
Are the schemas for the Wikipedia database available from within the 'pedia, say in the Wikipedia: namespace?
Gaz
--------------------------------------------------------
Looking for a free email account?
Get one now at http://www.freemail.com.au/
--------------------------------------------------------
>>No-one will have to reset their password. I'll just use md5(md5(password)
>>+ salt) for the new hash. The only thing users will notice is that their
>>stored cookies will stop working and they'll have to log in again.
>>
>I hope that wikipedia isn't currently storing raw passwords in the user
>table. So the only way you could implement a resetless upgrade would be to
>add a second password field.
>If a user logs in with only the original password field set, you validate
>against that and if okay, MD5 the password they entered and store it. After
>about a year you remove the original password field (anyone who hasn't
>logged in in that time deserves to have to do a password reset!). I used
>this technique recently to upgrade from Unix CRYPT to MD5 for password
>storage.
No, wikipedia isn't storing raw passwords, it's storing unsalted MD5 hashes.
But no second password field is required. We just concatenate the salt (in
this case, a concatenation of the user number and "wikipedia") to the
unsalted hash, then MD5 the whole lot again. Ordinary validation is then
conducted by calculating md5(md5(password) + salt), and comparing it with
the database value. You could have used this trick for your own upgrade. It
increases the CPU time needed for validation by a few microseconds, but one
could easily argue that's a good thing.
As an extra security measure, I realised that we could continue to use
md5(password) for our persistent session cookies. This means that a stolen
hash can no longer be used to log in.
By the way, the code is now written, and I've sent it to Brion.
-- Tim Starling.
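The in-place upgrade Tim describes above, worked through as an added Python example. This is not code from the thread or from Wikipedia's PHP code base; the column name user_password, the sample users and their passwords are assumptions made for illustration, and the salt is built exactly as the message describes (user number followed by "wikipedia"). The example also shows two properties the message only implies: identical passwords stop producing identical rows once the per-user salt is in, and a database hash submitted as a password does not log in.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string (MD5 only because that is what the thread describes)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def legacy_hash(password: str) -> str:
    """What the old user table held: an unsalted MD5 of the password."""
    return md5_hex(password)


def salt_for(user_id: int) -> str:
    """Salt as described in the thread: the user number concatenated with 'wikipedia'."""
    return f"{user_id}wikipedia"


def upgrade_stored_hash(unsalted_md5: str, user_id: int) -> str:
    """Rewrite one stored hash in place: md5(md5(password) + salt).

    Only the existing hash is needed, so every row can be migrated in one
    pass without the plaintext and without asking anyone to reset.
    """
    return md5_hex(unsalted_md5 + salt_for(user_id))


def verify(password: str, user_id: int, stored: str) -> bool:
    """Validate a login attempt against the upgraded hash."""
    candidate = md5_hex(md5_hex(password) + salt_for(user_id))
    # Constant-time comparison is a hardening choice of this example, not from the thread.
    return hmac.compare_digest(candidate, stored)


def session_token(password: str) -> str:
    """The persistent-cookie value the thread proposes: md5(password).

    It differs from the database value, so a leaked database hash is not a
    valid cookie.
    """
    return md5_hex(password)


def migrate(user_table: dict) -> dict:
    """Return a copy of the table with every password column upgraded."""
    return {
        uid: {**row, "user_password": upgrade_stored_hash(row["user_password"], uid)}
        for uid, row in user_table.items()
    }


# Constructed sample rows standing in for the pre-upgrade user table
# (user ids, names and passwords are invented for this example).
LEGACY_USERS = {
    1: {"user_name": "Alice", "user_password": legacy_hash("correct horse")},
    2: {"user_name": "Bob", "user_password": legacy_hash("correct horse")},  # same as Alice
    3: {"user_name": "Carol", "user_password": legacy_hash("hunter2")},
}


def demo() -> dict:
    """Run the migration and report the properties the thread relies on."""
    upgraded = migrate(LEGACY_USERS)
    alice = upgraded[1]["user_password"]
    return {
        # Users log in with their old password; no reset needed.
        "alice_logs_in": verify("correct horse", 1, alice),
        "wrong_password_rejected": not verify("Correct Horse", 1, alice),
        # Identical passwords no longer produce identical rows.
        "legacy_rows_equal": LEGACY_USERS[1]["user_password"] == LEGACY_USERS[2]["user_password"],
        "upgraded_rows_equal": alice == upgraded[2]["user_password"],
        # A stolen database hash submitted as the password does not log in,
        # and it is not the cookie value either.
        "stolen_hash_as_password": verify(alice, 1, alice),
        "stolen_hash_is_cookie": alice == session_token("correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cookie derivation is included only because the thread proposes it: a captured md5(password) cookie is as good as the password for as long as the server accepts it, and MD5 (salted or not) is far too fast to serve as a password hash against an offline attacker, so the migration pattern is the part worth keeping, not the primitive.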
>Obviously we'd have to add a note explaining that everyone has to reset
>their password. Not everyone has an e-mail address attached to their
>account, so we'd need to add a web form for doing this. That obviously
>would require first validating the person with their current password
>with the current hashing code; so we'd probably need a marker to
>indicate that each users' password field is upgraded.
No-one will have to reset their password. I'll just use md5(md5(password) +
salt) for the new hash. The only thing users will notice is that their
stored cookies will stop working and they'll have to log in again.
-- Tim Starling.