Since Friday, we've had a slow but steady stream of admin account
compromises on WMF projects. The hacker group OurMine has taken credit
for these compromises.
We're fairly sure now that their mode of operation involves searching
for target admins in previous user/password dumps published by other
hackers, such as the 2013 Adobe hack. They're not doing an online
brute force attack against WMF. For each target, they try one or two
passwords, and if those don't work, they go on to the next target.
Their success rate is maybe 10%.
When they compromise an account, they usually do a main page
defacement or similar, get blocked, and then move on to the next target.
Today, they compromised the account of a www.mediawiki.org admin, did
a main page defacement there, and then (presumably) used the same
password to log in to Gerrit. They took a screenshot, sent it to us,
but took no other action.
So, I don't think they are truly malicious -- I think they are doing
it for fun, fame, perhaps also for their stated goal of bringing
attention to poor password security.
Indications are that they are familiarising themselves with MediaWiki
and with our community. They probably plan on continuing to do this
for some time.
We're doing what we can to slow them down, but admins and other users
with privileged access also need to take some responsibility for the
security of their accounts. Specifically:
* If you're an admin, please enable two-factor authentication.
<https://meta.wikimedia.org/wiki/H:2FA>
* Please change your password, if you haven't already changed it in
the last week. Use a new password that is not used on any other site.
* Please do not share passwords across different WMF services, for
example, between the wikis and Gerrit.
(Cross-posted to wikitech-l and wikimedia-l, please copy/link
elsewhere as appropriate.)
-- Tim Starling
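The pattern Tim describes (one or two tries per account, then move on to the next) is built to stay under any per-account lockout, so it has to be caught per source rather than per account. The block below is an added example, not code from the original post or from WMF: it runs that check over a few constructed log lines. The log line format, the field names, the 5-failure lockout and the spray thresholds are all assumptions; adapt them to the authentication log you actually have.

```python
"""Spot low-and-slow credential stuffing in an authentication log.

Added example, not WMF code. The log line format, the field names and the
thresholds are assumptions for the demonstration.
"""
import re
from collections import defaultdict

# Assumed per-account policy: this many failures lock the account. A source
# that never exceeds SPRAY_MAX_PER_ACCOUNT attempts on any one account but
# touches at least SPRAY_MIN_ACCOUNTS accounts slips under that policy and
# is replaying harvested credentials rather than brute-forcing.
LOCKOUT_FAILURES = 5
SPRAY_MIN_ACCOUNTS = 5
SPRAY_MAX_PER_ACCOUNT = 2

# Assumed line format: "<iso-time> ip=<source> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample (RFC 5737 test addresses, invented usernames):
# 203.0.113.7 sprays one or two tries across ten admins and gets two in,
# 198.51.100.9 hammers a single account, 192.0.2.44 is a typo then a login.
SAMPLE_LOG = """\
2016-11-14T10:02:11Z ip=203.0.113.7 user=AdminA result=fail
2016-11-14T10:02:13Z ip=203.0.113.7 user=AdminA result=fail
2016-11-14T10:05:40Z ip=203.0.113.7 user=AdminB result=fail
2016-11-14T10:09:02Z ip=203.0.113.7 user=AdminC result=ok
2016-11-14T10:12:55Z ip=203.0.113.7 user=AdminD result=fail
2016-11-14T10:13:01Z ip=203.0.113.7 user=AdminD result=fail
2016-11-14T10:20:17Z ip=203.0.113.7 user=AdminE result=fail
2016-11-14T10:25:43Z ip=203.0.113.7 user=AdminF result=fail
2016-11-14T10:31:08Z ip=203.0.113.7 user=AdminG result=fail
2016-11-14T10:36:22Z ip=203.0.113.7 user=AdminH result=fail
2016-11-14T10:40:09Z ip=203.0.113.7 user=AdminI result=fail
2016-11-14T10:44:51Z ip=203.0.113.7 user=AdminJ result=ok
2016-11-14T11:00:00Z ip=198.51.100.9 user=AdminA result=fail
2016-11-14T11:00:05Z ip=198.51.100.9 user=AdminA result=fail
2016-11-14T11:00:10Z ip=198.51.100.9 user=AdminA result=fail
2016-11-14T11:00:15Z ip=198.51.100.9 user=AdminA result=fail
2016-11-14T11:00:20Z ip=198.51.100.9 user=AdminA result=fail
2016-11-14T11:00:25Z ip=198.51.100.9 user=AdminA result=fail
2016-11-14T11:10:00Z ip=192.0.2.44 user=AdminK result=fail
2016-11-14T11:10:20Z ip=192.0.2.44 user=AdminK result=ok
"""


def parse_line(line):
    """Return (ip, user, succeeded) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["ip"], m["user"], m["result"] == "ok"


def summarize(log_text):
    """Per source IP: attempts and failures per user, and users logged into."""
    per_ip = defaultdict(
        lambda: {"attempts": defaultdict(int), "failures": defaultdict(int), "ok": set()}
    )
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok = parsed
        per_ip[ip]["attempts"][user] += 1
        if ok:
            per_ip[ip]["ok"].add(user)
        else:
            per_ip[ip]["failures"][user] += 1
    return per_ip


def classify(stats):
    """Verdict for one source from the shape of its attempts, not the volume."""
    accounts = len(stats["attempts"])
    max_attempts = max(stats["attempts"].values())
    max_failures = max(stats["failures"].values(), default=0)
    if accounts >= SPRAY_MIN_ACCOUNTS and max_attempts <= SPRAY_MAX_PER_ACCOUNT:
        return "credential-stuffing"
    if max_failures >= LOCKOUT_FAILURES:
        return "brute-force"
    return "benign"


def detect(log_text):
    """Map each source IP to its verdict and the numbers behind it."""
    report = {}
    for ip, stats in summarize(log_text).items():
        max_failures = max(stats["failures"].values(), default=0)
        report[ip] = {
            "verdict": classify(stats),
            "accounts_tried": len(stats["attempts"]),
            "max_attempts_per_account": max(stats["attempts"].values()),
            "logged_in_as": sorted(stats["ok"]),
            # Per-account lockout is the control the spray is built to evade.
            "lockout_would_fire": max_failures >= LOCKOUT_FAILURES,
        }
    return report


if __name__ == "__main__":
    for ip, r in detect(SAMPLE_LOG).items():
        print(ip, r)
```

The per-account counters are exactly what a lockout rule looks at, and for the spraying source they never reach the threshold; the distinct-account count per source is what gives it away, and "logged_in_as" is the list of accounts to force a reset on.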
Hi,
as a followup to previous activities and ideas how to improve code
review, we've proposed a session at the upcoming Developer Summit to
concentrate on organizational and social aspects.
Sharing your experience and thoughts is welcomed:
https://phabricator.wikimedia.org/T149639
Thanks in advance,
andre
--
Andre Klapper | Wikimedia Bugwrangler
http://blogs.gnome.org/aklapper/
A few weeks ago our Executive Director gave a talk on "Privacy and
Harassment on the Internet" at MozFest 2016 in London. I encourage you to
read the transcript:
https://en.wikisource.org/wiki/Privacy_and_Harassment_on_the_Internet
Katherine argued that the Wikimedia project can take a lead role in
creating a culture of respect and inclusion online. I whole-heartedly
agree, and I hope you all do too. She concluded with:
"We have a lot of work to do. I know that. We know that. As Molly’s story
illustrates, we are not there yet."
I'd like to open a broader discussion on how we get "there": how to
build/maintain places where we can get work done and control abuse and
vandalism while still remaining wide open to the universe of differing
viewpoints present in our projects. We can't afford to create filter
bubbles, but we must be able to provide users safe(r) spaces to work.
By habit I would propose that this be a technical discussion, on specific
tools or features that our platform is currently missing to facilitate
healthy discussions. But the "filter bubble" is a social problem, not a
technical one. Our project isn't just a collection of code; it's a
community, a set of norms and habits, and a reflection of the social
process of collaboration. A graph algorithm might be able to identify a
filter bubble and good UX can make countervailing opinions no more than a
click away, but it takes human will to seek out uncomfortable truth.
So although my endgame is specific engineering tasks, we need to start with
a broader conversation about our work as social creatures. How do we work
in the projects, how do we communicate among ourselves, and how do we
balance openness and the pursuit of truth with the fight against abuse,
harassment, and bias.
Let's discuss discussions!
Here are some jumping off points; feel free to contribute your own:
We currently use a mixture of Talk pages, Echo, mailing lists, IRC,
Phabricator, OTRS, Slack, Conpherence, and Google Doc on our projects, with
different logging, publication, privacy/identity, and other
characteristics. I tried to start cataloging them here:
https://lists.wikimedia.org/pipermail/wikimedia-l/2016-November/085542.html
Because of this diversity, we lack a unified code of conduct or mechanism
to report/combat harassment and vandalism.
Matt Flaschen replied in the above thread with an update on the Code of
Conduct for technical spaces:
https://lists.wikimedia.org/pipermail/wikimedia-l/2016-November/085542.html
...which should definitely help! The creation of a centralized reporting
mechanism, in particular, would be most welcome.
I created a proposal for the Wikimedia Developer Summit in January
discussing "safe spaces" on our projects:
https://phabricator.wikimedia.org/T149665
Subscribe/comment/click "award token" to support its inclusion in the dev
summit or to start a conversation there.
I have another, broader, proposal as well, on the "future of chat" on our
projects:
https://phabricator.wikimedia.org/T149661
Subscribe/comment/click "award token" there if that angle piques your
interest.
It seems that "groups of users" arise repeatedly as an architectural
meta-concept, whether it's a group of collaborators you want to invite to
an editing session, a group of users you want to block or ban, a group of
users who belong to a particular wikiproject, or who watch a certain page.
We don't really have a first-class representation of that concept in our
code right now. In previous conversations I've heard that people "don't
want <their wiki project> to turn into another facebook" and so have pushed
back strongly on the idea of "friend lists" (one type of group of users) --
but inverting the concept to allow WikiProjects to maintain a list of
"members of the wikiproject" is more palatable, more focused on the editing
task. From a computer science perspective "friend list" and "member of a
wikiproject" might seem identical--they are both lists of users--but from a
social perspective the connotations and focus are significantly different.
But who administers that list of users?
Perhaps we can build a system which avoids grappling with user groups
entirely. It was suggested that we might use an ORES-like system to
automatically suggest collaborators on an editing project based on some
criteria (like editing history), rather than force you or the WikiProject
to maintain an explicit list. Perhaps you can implement block lists to
combat harassment based entirely on keywords, not users. Do we trust the
machine to be more fair and less abusive than us mere mortals? Additional
ideas welcome! (I don't have a dedicated phab task for this, but
https://phabricator.wikimedia.org/T149665 might be appropriate if you want
to contribute off-list.)
Hopefully this has been enough to prime the pump.
Let's discuss discussions.
Let's live up to the hope placed in us by the Washington Post:
https://www.washingtonpost.com/news/wonk/wp/2016/10/25/somethings-terribly-…
Let's retake the lead on building and renewing a healthy collaborative
community. We can't afford to be complacent or content with the status
quo. Let's come up with new ideas, build them, find the problems, and try
again. It starts with deciding that we can do better.
--scott
--
(http://cscott.net)
Hey folks,
I'm your friendly facilitator who forgot that today was the last day to
gather discussion on a set of topics of the Dev Summit. I might be a bit
biased, but I think they are all pretty interesting, so I'm reaching out
with a quick overview to see if I can spur some interest from y'all. Check
'em out:
- https://phabricator.wikimedia.org/T149373 -- Evaluating the user
experience of AI systems
- https://phabricator.wikimedia.org/T147710 -- Building an AI wishlist &
working groups for Wikimedia Projects
- https://phabricator.wikimedia.org/T148690 -- Where to surface AI in
Wikimedia Projects
- https://phabricator.wikimedia.org/T147929 -- Algorithmic dangers and
transparency -- Best practices
- https://phabricator.wikimedia.org/T149666 -- Next steps for machine
translation
If you're interested, please drop a note or a token in the task. BTW, you
don't have to physically attend the dev summit in order to participate.
I'll make sure that IRC and Etherpad are shared with all remote attendees
who want to attend the sessions I'm helping to organize. I've heard that
there will be additional facilities for remote attendees (maybe a youtube
stream!?) this year, but I can't confirm yet.
-Aaron
In the last few weeks I have been updating documentation on Selenium tests.
You can find it here:
https://www.mediawiki.org/wiki/Selenium
Please notice that there is documentation on how to write Selenium tests in
Node.js:
https://www.mediawiki.org/wiki/Selenium/Node.js
There are still a lot of things I would like to do, but I think the
documentation is now in a good enough shape to announce it.
I am still working on it and I really need your feedback. Feel free to
reply here, at IRC (zeljkof at #wikimedia-releng) or at Phabricator:
https://phabricator.wikimedia.org/T108108
I was not working on the documentation alone. I would like to say thank you
to Antoine Musso (hashar), Dan Duvall and Greg Grossmeier, among others.
Željko
The 'phabricator model' is far from perfectly fitting our needs though:
https://secure.phabricator.com/maniphest/query/qWbzSK1NVwb0/
On 17 Nov 2016 1:07 pm, "Vi to" <vituzzu.wiki(a)gmail.com> wrote:
That's obvious, anybody knows only bag inspectors are allowed to inspect
wallets.
Coming back to be serious, imho, Wikimedia should apply the "phabricator
model" to a 2FA open source app: collaborating in development and making it
perfectly fit with our needs
Vito
2016-11-17 13:06 GMT+01:00 Dmitry Brant <dbrant(a)wikimedia.org>:
> Don't give your wallet to anyone claiming to be a Wallet Inspector.
>
> On Nov 17, 2016 4:48 AM, "Vi to" <vituzzu.wiki(a)gmail.com> wrote:
>
> So are you telling me that tool "test if your credit card was cloned" is a
> fraud? But its test included my ccv2 too! :p
>
> Vito
>
> 2016-11-17 9:33 GMT+01:00 Chad <innocentkiller(a)gmail.com>:
>
> > On Thu, Nov 17, 2016 at 12:18 AM Antoine Musso <hashar+wmf(a)free.fr>
> wrote:
> >
> > > On 16/11/2016 at 19:19, Pine W wrote:
> > > >
> > > > (0) Consider testing your password strength with a tool like
> > > > http://www.testyourpassword.com/; be sure that the tool you use does
> > > > not send your chosen password over the Internet and instead tests it
> > > > locally.
> > >
> > > By using an online testing tool, you are effectively breaking the very
> > > first rule:
> > >
> > > DO NOT GIVE OUT YOUR PASSWORD. EVER.
> > >
> > > Using that site is exactly like sharing your password with a random
> > > stranger in the world. Even if you trusted that website, and audited
> > > the code at a given point in time, you have no guarantee the site
> > > hasn't changed or that it is not collecting passwords.
> > >
> > >
> > Not to mention, it's plain-old-insecure HTTP, so of course anyone and
> > their mother's uncle could be sniffing the traffic ;-)
> >
> > Same rule goes for a "generate a random password" site. Don't use
> > them.
> >
> > -Chad
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l(a)lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
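A password can be checked against a breach list, and a fresh one generated, without either ever leaving the machine, which is the point Antoine and Chad make above. The block below is an added example, not code from the thread or from WMF. The five-entry "dump" is constructed, and range_bucket() stands in for the one network round trip a range-query (k-anonymity style) breach API would need: the only thing it is handed is the first five hex characters of the SHA-1, and the suffix comparison happens locally.

```python
"""Check a password against a breach list, and generate a new one, locally.

Added example, not from the thread or from WMF. The breach "dump" is
constructed; range_bucket() stands in for the one network call a
range-query breach API would need, and receives only a hash prefix.
"""
import hashlib
import math
import secrets
import string

PREFIX_LEN = 5  # hex characters of the SHA-1 that a range query reveals

# Constructed stand-in for a published dump; real ones have millions of rows.
CONSTRUCTED_DUMP = ["123456", "password", "qwerty", "letmein", "wikipedia"]


def build_index(plaintexts):
    """Bucket SHA-1 hashes by prefix, the shape a range-query API serves."""
    index = {}
    for pw in plaintexts:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


BREACH_INDEX = build_index(CONSTRUCTED_DUMP)


def range_bucket(prefix, index=BREACH_INDEX):
    """The only call that would cross the network. It sees a 5-hex prefix,
    never the password or its full hash, and returns every suffix sharing
    that prefix, so the server cannot tell which one the client wanted."""
    assert len(prefix) == PREFIX_LEN
    return index.get(prefix, set())


def password_is_breached(password, index=BREACH_INDEX):
    """True if the password's SHA-1 is in the breach list. The comparison
    against the returned bucket happens here, on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_bucket(prefix, index)


ALPHABET = string.ascii_letters + string.digits + "-_.!@#%^&*+="


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password over that alphabet and length."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG, never from a website."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fresh_password(length=20, index=BREACH_INDEX):
    """Generate locally and confirm the result is not already in a dump."""
    while True:
        candidate = generate_password(length)
        if not password_is_breached(candidate, index):
            return candidate


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: breached={password_is_breached(pw)}")
    pw = fresh_password()
    print(f"new password {pw!r}, ~{entropy_bits(len(ALPHABET), len(pw)):.0f} bits")
```

With a real range-query service the prefix is the whole request; an online "strength tester" that takes the full password, over plain HTTP as Chad notes, gives the operator (and anyone on the path) the secret itself.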
Hi, the second role mentioned in the email below is technical, and maybe
someone in this list is interested.
---------- Forwarded message ----------
From: Maria Cruz <mcruz(a)wikimedia.org>
Date: Thu, Nov 17, 2016 at 12:17 AM
Subject: [Wikimedia-l] Two internships in the Community Engagement
department
To: Wikimedia Mailing List <wikimedia-l(a)lists.wikimedia.org>
Hello all,
As some of you may have seen there are two open positions (both paid) in
the Community Engagement department for internships on the Learning &
Evaluation team:
- Communications Intern (6 months, up to 30 hours/week): We are looking
for a candidate who works and / or studies in the field of communications,
has excellent verbal and written English communications skills and the
ability to excel in a fast-paced, multitasking environment. Knowledge
and/or experience with Wikimedia Projects a plus!
The Communications Intern will primarily support conference communications
for the Community Engagement Team (including event planning and materials
preparation), help plan workshops and community events for program leaders
(as well as document the outcome of those events), and assist with the
coordination of technology supports for communications and events. You can
find the complete job description here:
https://boards.greenhouse.io/wikimedia/jobs/488571#.WCHxXOErKRs
- Technical Intern (3 months, up to 20 hours/week): We are looking for a
candidate that has experience in Mediawiki mark-up and technical
communications experience in designing for web content curation and user
flow, has proficiency in at least three of the following programming
languages: Javascript, Lua, Python, MySQL, has experience developing or
administrating MediaWiki websites. The candidate should have a strong
interest in archival systems, searchability and usable portals on wiki, and
technical skills for designing Wikimedia templates and pages.
The Technical Design Intern will work closely with the Communications and
Outreach Coordinator (that would be me!) on the Wikimedia Resource Center,
the redesign of the Evaluation Portal on Meta Wikimedia, and migration and
archiving of L&E portal pages from existing namespaces to new namespace,
among other tasks. You can find the complete job description here:
https://boards.greenhouse.io/wikimedia/jobs/488570#.WBE6X-ErKRs
If you are interested, please apply. If you know someone who might fit this
position, please forward the email to them!
Cheers,
María
_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
--
Quim Gil
Engineering Community Manager @ Wikimedia Foundation
http://www.mediawiki.org/wiki/User:Qgil