No doubt that any user account compromised would be unfortunate and would also mean that developers didn't make the software secure enough. On one side there are needs for big restriction on community developers from being able to access resources (not just shell access is restricted a lot) but it was also announced recently that any site using standard api authentication to wikimedia would be blocked from having access to cluster, unless it uses any other authentication despite that there is no other way (so it completely blocks various projects). On other side you are telling here that security isn't so important since the compromised accounts couldn't do much damage.
I don't really know what is true, but I agree that security is something important, we shouldn't underestimate, so any improvement which actually doesn't cost much (in some cases it does cost literally 0$, for example rewriting some policies on projects requiring sysops to have strong passwords is something what would cost only a time needed to fix it) is worth of implementing.
Ariel: I didn't propose to auto desysop anyone, I proposed to improve security for users themselves, the accounts wouldn't get really desysoped but deactivated and needed to be activated by email. Also if you really want to tell us how is it possible to hack to the site, please don't post it publicly next time, "If I wanted to cause harm to an editing community, one of the better ways might be ..." sounds dangerous from someone who has access to servers :-)
On Fri, Apr 13, 2012 at 9:06 AM, Ariel T. Glenn ariel@wikimedia.org wrote:
Στις 13-04-2012, ημέρα Παρ, και ώρα 12:49 +1000, ο/η Andrew Garrett έγραψε:
On Wed, Apr 4, 2012 at 6:25 PM, Petr Bena benapetr@gmail.com wrote:
An account with sysop rights cannot do that much damage anyway. Deleting a page does no more damage than deleting a paragraph in an existent page, and the latter can be done by anybody; in fact, deleting a page makes a lot more noise. The same goes for protection, blocking and editing in the MediaWiki space - everything is easily traceable and reversible, and in a functioning wiki community the damage will be minimal.
That isn't excuse to leave project open to damage. Security of mediawiki users and their accounts should be important for us anyway.
Actually, this is the most important thing to think about.
There is no such thing as perfect security. You just need to make it more costly to breach security than the benefit that a hacker would get for it. Conversely, you need to expend no more effort in security than the cost of a breach in security.
Now, there are things that sysops can do that aren't so easily reversible. You could surreptitiously add site JS that captured tokens from checkusers and released large amounts of sensitive data, so it's not exactly without merit. But I don't think it's justifiable to dismiss discussion about whether extra security is "worth it".
If I wanted to cause harm to an editing community, one of the better ways might be to take over a few inactive sysop accounts and slowly start to push for policies and take actions that are divisive. The resulting damage to community trust would be hard indeed to undo; think back to the various infiltration programs of law enforcement into activist groups in the 1960's and 1970's in the U.S. for a prime example of this.
I don't think this justifies automated de-sysopping of inactive accounts (because this also sends a message about trust or value to the account owner), but a notification system of some sort, as has been proposed earlier in this thread, might be nice.
Ariel
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l