Re: [Wikitech-l] Inactive sysops + improving security

-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name] On Wed, 04 Apr 2012 04:31:02 -0700, Petr Bena benapetr@gmail.com wrote: > Ok, your reply makes a lot of sense. However problem is that how users > get more "hats" they are usually more afraid of loosing them :-) and > would probably like to have an option to protect from attackers (I > don't really know but I hope that people with some extra flags are > trying to have a secure password at least). The account is getting > more valuable and for example account of some stewards might be a good > target for hackers. The question is how these people can defend > themselves when the philosophy is "we don't need strong security > because user accounts aren't valuable / can't do much damange to site" > - when their account is compromised, they will surely have the flags > revoked permanently, that's likely not what they want. So at some > point, having more security measures which could be opt-in for people > who do care about their account, in opposite of people whom account > isn't interesting for hackers would make some point too. Given that > there are thousands of sysops on big projects, I guess they would > welcome to have this feature. (Not that I care, personally, I was just > interested in implementing that to mediawiki) > > On Wed, Apr 4, 2012 at 11:48 AM, Thomas Morton > morton.thomas@googlemail.com wrote: >>> >>> The current process needs to be done by hand, which isn't just >> >> annoying, but also not fail safe, some accounts might be overlooked, >>> etc. Bureaucrats can mislick or forget. >> >> >> Certainly automatic de-sysoping after a certain inactivity would be >> useful; >> an extension that does the notifications and ultimately the de-sysoping >> would be useful to automate the community approved process, don't get me >> wrong on that front, I like the idea! >> >> >>> The email account is likely >>> much more safe than wikimedia account, >> >> >> Not a good premise to take; email accounts are high value targets (as >> opposed to a Wikipedia account, which has relatively low general value). >> So although they are harder to crack (to a point) they are also more >> worthwhile targets. >> >> So an email account is a significant risk. >> >> And an account without an email address added could be argued to be >> *more*secure. >> >> the google for example offers a >>> lot of security measures we don't, because they don't follow "hacking >>> user wouldn't do much damage" philosophy. >> >> >> It's largely security theatre; except the two factor authentication >> (which >> is actually useful). Our accounts simple aren't that valuable, which is >> why >> actual security of that form isn't really a good option. What you >> proposed >> is only really a stopgap. >> >> >>> And I guess many other >>> providers do the same. Hacking to two accounts would be much harder >>> than hacking one, given to that once the first account is hacked, the >>> user would be immediately notified in email (hacker would have very >>> limited time to hack to email box as well). >>> >> >> Realistically, and in my experience, this is not the case. You're >> relying >> on the user to respond, or being in a position to respond - which is the >> critical failing of the proposal. >> >> When we do pen tests often we will make notifications of some sort >> appear >> in front of users to see how they respond to them - and often the >> response >> is confusion, not concern. Remember; the large part of the WM community >> is * >> not* technical. >> >> Tom