Hi,
within the last few days we had various complaints in the OTRS (info-de) that people cannot log into their accounts on de.WP. Can somebody please check if there is any problem on the server side? And it is not the password=username-problem.
Best regards, Sven
Sven Hagge wrote:
> within the last few days we had various complaints in the OTRS (info-de) that people cannot log into their accounts on de.WP. Can somebody please check if there is any problem on the server side? And it is not the password=username-problem.
There aren't any problems that we know of, unless they're making failed login attempts, triggering the lockout for their IP, and can't type the captcha properly.
If nobody's going to give us any details we can't really look further, without having some idea where to look.
-- brion vibber (brion @ wikimedia.org)
Hi Brion,
On Wed, 13 Jun 2007 20:46:49 +0200, Brion Vibber brion@wikimedia.org wrote:
> There aren't any problems that we know of, unless they're making failed login attempts, triggering the lockout for their IP, and can't type the captcha properly.
> If nobody's going to give us any details we can't really look further, without having some idea where to look.
The problem is that I cannot give you more details because people writing to the OTRS are normally not very good at analyzing computer problems. The observation is that we got over the last couple of days several complaints that were (not identical) but pretty similar so they might be related. And it is not that we get like 10 mails or so, it is one or two per day but it is more than normal. (Or maybe I am just paranoid.)
Similarities are:
User cannot log into his account with old PW. We get the message, I let them check their software, request new PWs. Doublecheck the captcha. Type the PW in a text editor and copy it to the web interface. The full program. In most cases it results in "PW or Captcha incorrect" messages. And in most cases it works again after a while but just by trying again and again. Nothing specific (believe me, I would tell you). Now, I have (at least) one guy here that cannot get into their account for 2 days! Maybe there is a second one but I haven't heard from him today. And actually I am absolutely helpless cause I don't know what to tell them.
Best regards and thanks, Sven
> Similarities are:
> User cannot log into his account with old PW. We get the message, I let them check their software, request new PWs. Doublecheck the captcha. Type the PW in a text editor and copy it to the web interface. The full program. In most cases it results in "PW or Captcha incorrect" messages. And in most cases it works again after a while but just by trying again and again. Nothing specific (believe me, I would tell you). Now, I have (at least) one guy here that cannot get into their account for 2 days! Maybe there is a second one but I haven't heard from him today. And actually I am absolutely helpless cause I don't know what to tell them.
If you're starting to get to the hair-pulling-out stage, then in order to comprehensively diagnose, you _may_ need something like UltraVNC, to effectively take control of the end-user's computer and/or see what they see on their screen and be able to watch exactly what they are doing. You'd probably get them to put their username & password into a text editor (so that you can see them, and watch them be copied/pasted), and then observe them try to login. At the server end, I'm guessing there'd be some method for a sysop to monitor the login failure reason, and communicate that reason back to the people trying to login. Hopefully this method would allow ruling out both client and server-side issues (since effectively both the client and the server are being monitored & controlled in this scenario) - e.g. mistyping the captcha, entering the wrong password, problems with throttling login attempts, etc.
It's a lot of work though, and getting UltraVNC set up and the appropriate ports forwarded through their firewall/router (and for security turned off again once you're done) can be a fairly technically involved endeavour in its own right, plus the end-user has to be comfortable with someone temporarily taking control of their system.
-- All the best, Nick.
On 6/13/07, Nick Jenkins nickpj@gmail.com wrote:
> > Similarities are:
> > User cannot log into his account with old PW. We get the message, I let them check their software, request new PWs. Doublecheck the captcha. Type the PW in a text editor and copy it to the web interface. The full program. In most cases it results in "PW or Captcha incorrect" messages. And in most cases it works again after a while but just by trying again and again. Nothing specific (believe me, I would tell you). Now, I have (at least) one guy here that cannot get into their account for 2 days! Maybe there is a second one but I haven't heard from him today. And actually I am absolutely helpless cause I don't know what to tell them.
> If you're starting to get to the hair-pulling-out stage, then in order to comprehensively diagnose, you _may_ need something like UltraVNC, to effectively take control of the end-user's computer and/or see what they see on their screen and be able to watch exactly what they are doing. You'd probably get them to put their username & password into a text editor (so that you can see them, and watch them be copied/pasted), and then observe them try to login. At the server end, I'm guessing there'd be some method for a sysop to monitor the login failure reason, and communicate that reason back to the people trying to login. Hopefully this method would allow ruling out both client and server-side issues (since effectively both the client and the server are being monitored & controlled in this scenario) - e.g. mistyping the captcha, entering the wrong password, problems with throttling login attempts, etc.
> It's a lot of work though, and getting UltraVNC set up and the appropriate ports forwarded through their firewall/router (and for security turned off again once you're done) can be a fairly technically involved endeavour in its own right, plus the end-user has to be comfortable with someone temporarily taking control of their system.
> -- All the best, Nick.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l
Can OTRS ask for the password, and try to login from their computer, to isolate the problem to either client or server?
On Thu, 14 Jun 2007 03:18:13 +0200, Dan Collins en.wp.st47@gmail.com wrote:
> On 6/13/07, Nick Jenkins nickpj@gmail.com wrote:
> > It's a lot of work though, and getting UltraVNC set up and the appropriate ports forwarded through their firewall/router (and for security turned off again once you're done) can be a fairly technically involved endeavour in its own right, plus the end-user has to be comfortable with someone temporarily taking control of their system.
The UltraVNC thing sounds nice, however, it is unrealistic to explain to those type of people how to use such a program. Sometimes it is even hard to figure out, what they really want.
> Can OTRS ask for the password, and try to login from their computer, to isolate the problem to either client or server?
We could surely ask the people to request a new PW and send it to the OTRS. And I guess some people would do that (if not us who should they trust). However, I had never problems with the login neither with my main account nor with some test accounts. Also PW request works pretty well for me, so I think it is at least not a general problem with de. I remember that some weeks ago when captcha was activated for retyping the password we discussed the problem in the German IRC and I remember that there was at least one guy who could reproduce the problem. His way to solve the problem was just by trying over and over again. Which is actually a bad way. Anyway, the problem might not only be related to client or server but also to the combination of client and server (and possibly what is in between).
I know it would be a hell lot of work to search the server logs for strange requests (if they are logged at all). And I do not expect that for sure. At the moment it is just an observation that might help solving or at least identifying that we have a problem. BTW, would it be helpful for the server admins to know the respective usernames? Then I could send them to Brion or somebody else in private mail. I just don't want to post them here in the public list.
Best regards, Sven
> I remember that some weeks ago when captcha was activated for retyping the password we discussed the problem in the German IRC and I remember that there was at least one guy who could reproduce the problem. His way to solve the problem was just by trying over and over again. Which is actually a bad way. Anyway, the problem might not only be related to client or server but also to the combination of client and server (and possibly what is in between).
Could it be that there is a mistake in the captchas? The picture and text not being the same so when someone types in the captcha it tells them they got it wrong. Trying again and again would give you a different captcha each time until you eventually get one that is correct, and you can then log on. I don't know if different languages have different captchas, but if they do, that would explain why it appears to be a German problem only.
On Thu, 14 Jun 2007 13:22:42 +0200, Thomas Dalton thomas.dalton@gmail.com wrote:
> > I remember that some weeks ago when captcha was activated for retyping the password we discussed the problem in the German IRC and I remember that there was at least one guy who could reproduce the problem. His way to solve the problem was just by trying over and over again. Which is actually a bad way. Anyway, the problem might not only be related to client or server but also to the combination of client and server (and possibly what is in between).
> Could it be that there is a mistake in the captchas? The picture and text not being the same so when someone types in the captcha it tells them they got it wrong. Trying again and again would give you a different captcha each time until you eventually get one that is correct, and you can then log on. I don't know if different languages have different captchas, but if they do, that would explain why it appears to be a German problem only.
Good point, however, as the captchas are in English I think they are not specific for de.WP. Maybe somebody can correct me if I am wrong.
Regards, Sven
It might still be a problem with the captchas, because there's no distinction in user-message between a wrong password, and a wrong captcha. You always get the message that your password is wrong, while it is actually the captcha.
Maybe that's what's confusing the users.
Greetings, Tuvic
2007/6/14, Sven Hagge shagge@freenet.de:
> Good point, however, as the captchas are in English I think they are not specific for de.WP. Maybe somebody can correct me if I am wrong.
> Regards, Sven
On 14/06/07, Thomas Dalton thomas.dalton@gmail.com wrote:
> Could it be that there is a mistake in the captchas? The picture and text not being the same so when someone types in the captcha it tells them they got it wrong. Trying again and again would give you a different captcha each time until you eventually get one that is correct, and you can then log on. I don't know if different languages have different captchas, but if they do, that would explain why it appears to be a German problem only.
Don't rule it out, but I would consider such a problem less likely...the captcha extension we're using has been around since about 1.6.0, and it's been in use on thousands of third-party sites since then. I'd be inclined to suggest we'd have heard about this sort of problem before, if it existed...
...then again, at this stage, I can't think of anything that would actually be causing the error, so your guess is as good as mine.
Rob Church
The captchas don't need to be wrong. It's enough to result in an output quite similar to a German word, so it's more likely to fail it. Tricky because the same person can pass it at a different moment.
Statistical information about language/captcha word/failed answer could give interesting results.
Long time running the captchas is not so important, as they can have been logging all this time without getting the captcha.
Somebody on a German ISP trying to break de: passwords, could be showing captchas for users who have never passed one.
If the attack is complete enough / the ISP uses a few proxies, the simple increment of people seeing captchas could explain the increment of OTRS complaints. I suggest asking them for their ISP / IP.
Sven Hagge wrote:
> User cannot log into his account with old PW. We get the message, I let them check their software, request new PWs. Doublecheck the captcha. Type the PW in a text editor and copy it to the web interface. The full program. In most cases it results in "PW or Captcha incorrect" messages. And in most cases it works again after a while but just by trying again and again. Nothing specific (believe me, I would tell you). Now, I have (at least) one guy here that cannot get into their account for 2 days! Maybe there is a second one but I haven't heard from him today. And actually I am absolutely helpless cause I don't know what to tell them.
Well, let me give an example.
Let's say we run a building with access control using key codes. Somebody tells us "hey, I heard from a couple people that they couldn't get into the building. Can you see what's wrong?"
Now we know that:
a) a lot of people are getting into the building just fine
b) nobody who can't get into the building has contacted us about it
c) it's normal for some people to occasionally type in passwords wrong
So if we need to respond to some particular person's problem, we can't just look for "every mistyped code". That won't help anything.
We need to know who we're actually looking for, so we can see which are actually a problem, look for commonalities, etc.
So please, please, please, please, please forward specific information to us. It won't always help, but it usually will.
-- brion vibber (brion @ wikimedia.org)
On Thu, 14 Jun 2007 15:28:57 +0200, Brion Vibber brion@wikimedia.org wrote:
> So please, please, please, please, please forward specific information to us. It won't always help, but it usually will.
So please tell me, what type of info do you need. I can request them, that is no problem. I don't have the problem myself and actually I start to wish I had, then I could give you a detailed description (incl. OS, browser, firewall, etc.). I cannot look on the people's computers. You understand our problem? We are just a simple support team. We can just ask you if there is something obvious and as you told there is nothing. Which does not mean there is nothing that might be somehow related to us.
Now I can start to ask the people for specific info. But with all the info you might need, I need to explain those people, what it is, where they have to look. They are normally noobs not computer geeks. They don't know anything about firewall, DNS, routers and all that techie stuff. In many cases they just click on the "e" *sigh* in their desktop to get WP running.
I know myself pretty well that most users do not have the problem (or maybe many do not complain about that on the OTRS which I cannot exclude but, hey, Germans are good at complaining). However, they seem to be too many to be independent cases. As I tried to point out with my little story, it is always pretty much the same. And that is all info I have at the moment everything else I have to request but then I need to know, what to request.
What I could easily provide are a couple of usernames if it might help (I would send that to you in private).
Regards and thanks, Sven
On 6/14/07, Sven Hagge shagge@freenet.de wrote:
> On Thu, 14 Jun 2007 15:28:57 +0200, Brion Vibber brion@wikimedia.org wrote:
> > So please, please, please, please, please forward specific information to us. It won't always help, but it usually will.
> So please tell me, what type of info do you need. I can request them, that is no problem. I don't have the problem myself and actually I start to wish I had, then I could give you a detailed description (incl. OS, browser, firewall, etc.). I cannot look on the people's computers. You understand our problem? We are just a simple support team. We can just ask you if there is something obvious and as you told there is nothing. Which does not mean there is nothing that might be somehow related to us.
> Now I can start to ask the people for specific info. But with all the info you might need, I need to explain those people, what it is, where they have to look. They are normally noobs not computer geeks. They don't know anything about firewall, DNS, routers and all that techie stuff. In many cases they just click on the "e" *sigh* in their desktop to get WP running.
> I know myself pretty well that most users do not have the problem (or maybe many do not complain about that on the OTRS which I cannot exclude but, hey, Germans are good at complaining). However, they seem to be too many to be independent cases. As I tried to point out with my little story, it is always pretty much the same. And that is all info I have at the moment everything else I have to request but then I need to know, what to request.
> What I could easily provide are a couple of usernames if it might help (I would send that to you in private).
> Regards and thanks, Sven
Well, the most important thing is username, so system admins can perhaps review the database or look for log information, and perhaps one time/date when they attempted to log in and failed, as perhaps captchas are logged. Perhaps the ISP of the users would help, if, perhaps, the captcha is being cached by the ISP (can they even do this) or if something is being modified en route.
Sven Hagge wrote:
> On Thu, 14 Jun 2007 15:28:57 +0200, Brion Vibber brion@wikimedia.org wrote:
> > So please, please, please, please, please forward specific information to us. It won't always help, but it usually will.
> So please tell me, what type of info do you need.
First and foremost:
1) Which wiki
2) Which user
3) Approximate time
It sometimes also helps to get other details like operating system, but we can't do *anything* if we don't know what planet to look on.
-- brion vibber (brion @ wikimedia.org)
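The lookup that the three keys requested above (wiki, user, approximate time) make possible, as an added example that is not part of the original thread or of MediaWiki: it narrows login-failure records to one account and time window, tallies the failure reasons, and flags source addresses where several other accounts were failing too, the shared-proxy case raised earlier in the thread. The log format, field names, reason codes and sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format: time|wiki|ip|user|reason
SAMPLE_LOG = """\
2007-06-13T18:01:10|dewiki|192.0.2.10|Mallory1|bad_password
2007-06-13T18:01:12|dewiki|192.0.2.10|Mallory2|bad_password
2007-06-13T18:01:15|dewiki|192.0.2.10|Mallory3|bad_password
2007-06-13T18:05:40|dewiki|192.0.2.10|ExampleUser|captcha_failed
2007-06-13T18:06:05|dewiki|192.0.2.10|ExampleUser|captcha_failed
2007-06-13T18:07:30|dewiki|198.51.100.7|OtherUser|bad_password
this line is malformed and is skipped
2007-06-13T18:09:00|enwiki|192.0.2.10|ExampleUser|bad_password
2007-06-14T09:00:00|dewiki|192.0.2.10|ExampleUser|captcha_failed
"""

def parse(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield {"time": when, "wiki": parts[1], "ip": parts[2],
               "user": parts[3], "reason": parts[4]}

def triage(records, wiki, user, around, window_minutes=60, min_other_users=3):
    """Summarise one user's failed logins near a reported time.

    shared_ips lists addresses the user failed from where at least
    min_other_users other accounts also failed in the same window, i.e. the
    user may be seeing a captcha or lockout triggered by someone else.
    """
    lo = around - timedelta(minutes=window_minutes)
    hi = around + timedelta(minutes=window_minutes)
    in_window = [r for r in records
                 if r["wiki"] == wiki and lo <= r["time"] <= hi]
    mine = [r for r in in_window if r["user"] == user]
    user_ips = {r["ip"] for r in mine}

    others = defaultdict(set)  # ip -> other usernames failing from it
    for r in in_window:
        if r["ip"] in user_ips and r["user"] != user:
            others[r["ip"]].add(r["user"])

    return {
        "failures": len(mine),
        "reasons": dict(Counter(r["reason"] for r in mine)),
        "shared_ips": sorted(ip for ip, names in others.items()
                             if len(names) >= min_other_users),
    }

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG), "dewiki", "ExampleUser",
                 datetime(2007, 6, 13, 18, 0)))
```

Without the user and time keys the same log only yields "every mistyped code"; with them, the reason tally separates captcha failures from password failures for the one account being investigated.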
On Thu, 14 Jun 2007 17:18:01 +0200, Brion Vibber brion@wikimedia.org wrote:
> First and foremost:
> - Which wiki
de.wikipedia.org is the only wiki I know about.
> - Which user
> - Approximate time
I have to screen a couple of tickets I worked on and will send these details directly to you. (That might take a while.)
> It sometimes also helps to get other details like operating system, but we can't do *anything* if we don't know what planet to look on.
(Planet is easy: Earth, solar system. :-D However, sometimes I do not believe that.)
Greetings, Sven