Do any of the volunteers contributing to this list have ideas for
changes that may make a significant difference to security?
Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the
process appearing to promote an organisation.[1] It was not the only
account compromised. This is being analysed, though as there are
security issues being examined, the analysis has not been made public
so far; plus it's the weekend :-)
Over the last few years, there have been improvements in account set-up and
choice of passwords, along with user suggestions for better account
management. Users can also choose to use committed identities[2] to
make account recovery easier, and are encouraged to use more secure
passwords. Two-factor authentication,[3] such as using mobile phone
text messages, has been suggested a few times by volunteers, and this
might be a good moment to encourage the WMF to have better facilities
built into the projects. We could even make two-factor authentication
a requirement for trusted users, such as administrators, important
bots, and "high profile" accounts, where they may have special rights
that could cause a fair amount of disruption if a hacked account were
not identified quickly. Considering that some administrator accounts
can lie dormant for many months without the actual user monitoring it,
these could end up being far more disruptive than well-watched
accounts like Jimmy's.
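To make the committed-identity mechanism mentioned above concrete, here is an added example (my own illustration, not code from the message or from the Wikipedia template): the user publishes only a hash of a secret; after a compromise, revealing the secret lets anyone recompute and compare. The 20-character minimum is an assumed threshold, chosen because the digest is public and a weak secret could be guessed offline.

```python
import hashlib
import hmac
import secrets


def new_secret(nbytes: int = 32) -> str:
    """Generate a high-entropy secret the user keeps offline, never on-wiki."""
    return secrets.token_urlsafe(nbytes)


def make_commitment(secret: str, algorithm: str = "sha512", min_length: int = 20) -> str:
    """Return the hex digest the user publishes (e.g. via the committed identity template).

    The digest is public, so the secret must resist offline guessing; min_length
    is an assumed guard, not a rule from the template.
    """
    if len(secret) < min_length:
        raise ValueError("secret too short to survive offline guessing against a public hash")
    return hashlib.new(algorithm, secret.encode("utf-8")).hexdigest()


def verify_commitment(published_digest: str, revealed_secret: str, algorithm: str = "sha512") -> bool:
    """Recompute the digest from a revealed secret and compare it to the published one."""
    recomputed = hashlib.new(algorithm, revealed_secret.encode("utf-8")).hexdigest()
    # Constant-time comparison; harmless here but good habit for any digest check.
    return hmac.compare_digest(published_digest.strip().lower(), recomputed)


if __name__ == "__main__":
    # Constructed walk-through: commit now, reveal later, verify.
    secret = new_secret()
    digest = make_commitment(secret)
    print("publish on user page:", digest)
    print("later verification:", verify_commitment(digest, secret))
```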
We may want extra security to remain mostly optional, keeping our
projects simple to access. Education of new volunteers and trusted
users may be critical for making it effective, such as avoiding social
hacking. A clearer understanding of what the community would want to
see improved would probably help set development priorities.
Links
1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
2. https://en.wikipedia.org/wiki/Template:Committed_identity
3. https://en.wikipedia.org/wiki/Multi-factor_authentication
Thanks,
Fae
--
faewik(a)gmail.com
https://commons.wikimedia.org/wiki/User:Fae