On 09/05/07, wikien-l-request@lists.wikimedia.org <wikien-l-request@lists.wikimedia.org> wrote:
> Message: 8
> Date: Wed, 9 May 2007 01:03:31 +0100
> From: Zoney <zoney.ie@gmail.com>
> Subject: Re: [WikiEN-l] Please change your passwords.
> To: "English Wikipedia" <wikien-l@lists.wikimedia.org>
> Message-ID: <4418c60e0705081703s16605974id0e134c9b91435f@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> The project should be managed professionally if it is indeed a serious project. Otherwise it's all just a bit of a larf and it'll eventually come crashing down. However, the project *is* taken seriously by those of us involved, and attempts to pass itself off as a serious endeavour. Indeed that mostly works, and so a large section of the media and the public take the project seriously (maybe they shouldn't). That is why I consider it serious for us to be so unprofessional about such a critical issue as site security.
Please explain how we are going to fund this "professional" management? As someone involved with the development of the software powering the Wikimedia projects, I am mildly insulted at the insinuation that we're all a bunch of amateurs. At the technical level, at least, a lot of time and effort has been invested into pulling off the damn impossible, that is, keeping an Alexa top 10 web site running, accepting thousands of reads and edits per second, with an IT budget that would cause the technical staff of companies below us on the list to, ah, "void their bladders" with laughter.
> Is there an official line on what needs to be done, and what exactly administrators should do with respect to passwords? Has it been relayed to each and every administrator in a proper fashion? (The email I received was rather informal.) Is this information put to new admins (or even ordinary users) in a coherent fashion? I do not think being knowledgeable on the subject of password security should be a necessary criterion for a Wikipedia administrator. So there needs to be a definitive process for the uninitiated to follow.
As far as I'm aware, the Chief Technical Officer made an official announcement regarding the issue on the technical mailing list, and perhaps others, and asked for this information to be passed on to individual communities. This means that we trust the established lines of communication; village pumps, the Wikipedia Signpost, the usual fora for announcements... we trust those to work.
The actual responsibility for communication throughout the Foundation, between the Board and the communities, and the development and system administration teams and those communities lies with the Communications Committee, who do not, as far as I can see, appear to have provided any advice to communities on this issue. This means, in my opinion, that they have failed to act within their remit.
You're also inflating the position of administrator, all of you, in saying that they are the only accounts worth protecting with decent passwords. Pure bosh; a compromised bot account is just as harmful, because a properly flagged bot is able to bypass captchas and make edits which do not immediately show up on many change lists, including recent changes, and watchlists.
At the end of the day, an administrator is just a user who is able to delete pages and images and edit a few protected pages. All of this can be undone; it's just a matter of how much it inconveniences us to restore order. I would also point out that unauthorised access to the CheckUser tool, in itself, does not constitute a serious problem, although it is a complicated privacy issue; the disclosure of information gained through the tool is much more damaging than some user who may have cracked David Gerard's password (in a parallel dimension, of course) knowing that, zomg, Kelly Martin is Jimbo!
> ~()____) This message will self-destruct in 5 seconds...
I have to chuckle at the fact that someone is ranting about "professionalism" and presentation, and then signs their emails with something like that.
Rob Church