Re: [Wikimedia-l] [Wikimedia Announcements] Agenda for the November 13, 2016 Board Meeting

2016-11-13 Thread Rogol Domedonfors
Christophe,

Thank you for explaining that there were two meetings involved.

I welcome the assurance that the agenda will be published earlier in future.

"Rogol"
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 


Re: [Wikimedia-l] storing IP addresses and their geolocations?

2016-11-13 Thread Nuria Ruiz
James:

Seems (to me, I might be wrong) that you are mixing different issues,
technical aspects and concerns in order to create drama. On my end I try to
give my very limited time and attention to threads that foster
collaboration and this really doesn't seem one of those.

Thanks,

Nuria






On Sun, Nov 13, 2016 at 8:47 AM, James Salsman  wrote:

> >> storing the geolocation of every reader request is not within
> >> the letter or the spirit of the Foundation's privacy policy,
> >> which explicitly requires consent for the use of geolocation
> >
> > No, this is not correct. The reasons why this statement is
> > incorrect have already been discussed in the already mentioned thread.
>
> The only such discussion I see on the analytics list is:
>
> > The privacy policy talks about client side geo location to offer you
> > geo-specific features on the client side, which is an entirely different
> > topic of what we are talking about here. IP addresses are going to be
> > sent via HTTP regardless with your request and the geo location we
> > do (to be able to report  for example pages per country, one of the
> > reports most sought after by our community) has nothing to do with
> > geolocated features.
>
> On the contrary, all geolocation services, processing, and logging
> is performed on Foundation servers, not client equipment. Every
> reader's request is currently being geolocated without regard to
> whether consent has been asked or obtained. If readers refuse
> consent for their GPS information to be used (which is the only
> consent we ask even though the Privacy Policy says we require
> consent to use any geolocation) we store their IP addresses in
> the clear with their associated geolocation anyway, and make
> them available to several external researchers at Stanford, the
> École polytechnique fédérale de Lausanne, and the Leibniz
> Institute for the Social Sciences.
>


Re: [Wikimedia-l] (no subject) - was Agenda for the November 13, 2016 Board Meeting

2016-11-13 Thread Jimmy Wales
On 11/13/16 5:57 PM, Rogol Domedonfors wrote:
> Jimmy
> 
> You seem anxious to deflect my question by making an unfounded accusation
> of distortion.  

I'm afraid you have misunderstood me.  It is never appropriate to quote
part of a conversation when the issue is broader.

The board welcomes engagement.  That one particular mechanism isn't
working is unfortunate, but not cause to cast aspersions.

--Jimbo




Re: [Wikimedia-l] (no subject) - was Agenda for the November 13, 2016 Board Meeting

2016-11-13 Thread Rogol Domedonfors
Jimmy

You seem anxious to deflect my question by making an unfounded accusation
of distortion.  The plain meaning of the posting I quoted was that Board
members had no more time to devote to engagement with community members
than they were currently allocating, and you clearly have read the entire
thread that made it clear that that particular venue was failing at its
avowed purpose of bringing Board and community together, apparently for the
very reason of lack of time.  That seems to me entirely relevant to the
topic under discussion, in which you stated that "it is possible and
welcomed to bring forward issues to board members at any time", which has
not always been my experience in the past.  Your knee-jerk antagonism does
not help.

"Rogol"


[Wikimedia-l] (no subject)

2016-11-13 Thread Rogol Domedonfors
Jimmy Wales wrote: "it is possible and welcomed to bring forward issues to
board members at any time".

It would be most helpful to know where and how the Board in general would
welcome such issues being raised and how much resource they will have to
sustain those discussions.  Attempting to raise issues at
https://meta.wikimedia.org/wiki/Wikimedia_Foundation_Board_noticeboard for
example, has not met with great success: indeed, one Board member has
written there "I honestly disagree that "additional effort" is a realistic
opportunity".

It is fair to say that at least one other Board member has taken a very
positive attitude, and we have had some constructive engagement for which I
am duly grateful.

"Rogol"


Re: [Wikimedia-l] [Wikimedia Announcements] Agenda for the November 13, 2016 Board Meeting

2016-11-13 Thread Jimmy Wales
It is worth noting in this context that although in-person board
meetings take place at fixed times, the board is in constant
communication between meetings, and it is possible and welcomed to bring
forward issues to board members at any time, and the kinds of issues
that the board grapples with are seldom short-term one-off decisions,
but require thought and reflection over a long period of time.

On 11/13/16 4:41 PM, Rogol Domedonfors wrote:
> This announcement was sent out on the 12th, and refers to a meeting on the
> 13th which would have been just enough time, I suppose, to raise a point
> directly with a Board member before the meeting.  However, the web page
> referred to,
> https://meta.wikimedia.org/wiki/Wikimedia_Foundation_board_agenda_2016-11
> states that the meeting was on the 11-12th, in other words, before the
> announcement was made.  So, when exactly was this meeting?  And would it
> not be helpful to the community to give enough notice to allow for a
> reasonable probability of bringing forward an issue?
> 
> "Rogol"


Re: [Wikimedia-l] [Wikimedia Announcements] Agenda for the November 13, 2016 Board Meeting

2016-11-13 Thread Christophe Henner
Oh yes, 100% my duty to approve and Stephen publish it right away :)

On 13 Nov 2016 4:47 PM, "Lodewijk" wrote:

> (just so you know who to chase if next time the agenda is not published in
> time ;) )
>
> 2016-11-13 22:45 GMT+01:00 Christophe Henner :
>
> > The board had a retreat the 11th and the 12th and a board meeting today,
> > the 13th.
> >
> > I approved the agenda last minute, hence the late publication.
> >
> > We try to publish it as early as possible, in that instance because of my
> > tardiness to approve it, it was published yesterday.
> >
> > Have a good day :)
> >
> > On 13 Nov 2016 4:42 PM, "Rogol Domedonfors" wrote:
> >
> > > This announcement was sent out on the 12th, and refers to a meeting on the
> > > 13th which would have been just enough time, I suppose, to raise a point
> > > directly with a Board member before the meeting.  However, the web page
> > > referred to,
> > > https://meta.wikimedia.org/wiki/Wikimedia_Foundation_board_agenda_2016-11
> > > states that the meeting was on the 11-12th, in other words, before the
> > > announcement was made.  So, when exactly was this meeting?  And would it
> > > not be helpful to the community to give enough notice to allow for a
> > > reasonable probability of bringing forward an issue?
> > >
> > > "Rogol"


Re: [Wikimedia-l] [Wikimedia Announcements] Agenda for the November 13, 2016 Board Meeting

2016-11-13 Thread Samuel Klein
Thank you, Stephen.

On Nov 12, 2016 6:37 PM, "Stephen LaPorte"  wrote:

> Hi all,
>
> The agenda for the next Wikimedia Foundation Board of Trustees meeting is
> now available on Meta Wiki:
> https://meta.wikimedia.org/wiki/Wikimedia_Foundation_board_agenda_2016-11
>
> Thank you,
> Stephen
>
> --
> Stephen LaPorte
> Senior Legal Counsel
> Wikimedia Foundation
>
> *NOTICE: As an attorney for the Wikimedia Foundation, for legal and
> ethical reasons, I cannot give legal advice to, or serve as a lawyer for,
> community members, volunteers, or staff members in their personal capacity.
> For more on what this means, please see our legal disclaimer
> .*
>
> ___
> Please note: all replies sent to this mailing list will be immediately
> directed to Wikimedia-l, the public mailing list of the Wikimedia
> community. For more information about Wikimedia-l:
> https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> ___
> WikimediaAnnounce-l mailing list
> wikimediaannounc...@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikimediaannounce-l
>
>


Re: [Wikimedia-l] storing IP addresses and their geolocations?

2016-11-13 Thread James Salsman
>> storing the geolocation of every reader request is not within
>> the letter or the spirit of the Foundation's privacy policy,
>> which explicitly requires consent for the use of geolocation
>
> No, this is not correct. The reasons why this statement is
> incorrect have already been discussed in the already mentioned thread.

The only such discussion I see on the analytics list is:

> The privacy policy talks about client side geo location to offer you
> geo-specific features on the client side, which is an entirely different
> topic of what we are talking about here. IP addresses are going to be
> sent via HTTP regardless with your request and the geo location we
> do (to be able to report  for example pages per country, one of the
> reports most sought after by our community) has nothing to do with
> geolocated features.

On the contrary, all geolocation services, processing, and logging
is performed on Foundation servers, not client equipment. Every
reader's request is currently being geolocated without regard to
whether consent has been asked or obtained. If readers refuse
consent for their GPS information to be used (which is the only
consent we ask even though the Privacy Policy says we require
consent to use any geolocation) we store their IP addresses in
the clear with their associated geolocation anyway, and make
them available to several external researchers at Stanford, the
École polytechnique fédérale de Lausanne, and the Leibniz
Institute for the Social Sciences.



Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-13 Thread
Task https://phabricator.wikimedia.org/T150605

I have raised the above task for the WMF to publish an appropriate
summary of the behind the scenes analysis of the recent hack of
accounts and the claimed copying of the English Wikipedia database
(presumably user account tables). The request summary is pasted below
for those that don't want to read the detail, though I recommend that
technically minded volunteers subscribe to it on Phabricator --

"This is a request for a report of the analysis of the OurMine hack to
be published. It is understood that a non-public investigation is
necessary, but it also makes sense to be transparent about events and
as quickly as possible. This will provide an 'official' public
assurance of the steps being taken by the WMF to make the systems more
secure. Volunteers have rapidly responded by promoting two-factor
authentication, as well as working collegiately on guidance for
volunteers. A report of the behind the scenes analysis would aid these
efforts and ensure that if wider changes of passwords or the roll-out
of 2FA to non-sysop accounts makes sense, that these can be discussed
within the community in a positive way. It is likely that volunteer
discussions will continue and this will be reported in the Signpost
next week, so timing a report in the next few days would be helpful in
ensuring factual reporting."

Thanks,
Fae

On 12 November 2016 at 23:34, MZMcBride  wrote:
> Fæ wrote:
>>Do any of the volunteers contributing to this list have ideas for
>>changes that may make a significant difference to security?
>
> When you log in, you're given a user session. This session, along with
> local Web browser HTTP cookies, allows you to stay logged in and
> authenticated as you browse and edit a wiki. We've previously discussed
> the ability for a user to see all of his or her account's active sessions,
> similar to what other sites (GitHub, Facebook, Google) already allow.
>
> This type of interface lets a user see his or her own active sessions,
> originating IP addresses and User-Agent strings, and sometimes the
> interface allows destroying all or some sessions (e.g., if you see a
> session from the time you logged in to a friend's computer). This type of
> interface can also be used, for better or worse, to track typical behavior
> of the user, so that if a user often logs in from a specific IP address
> range (e.g., their home computer in the UK), a user session that comes
> from a vastly different IP address range (e.g., a mobile device in
> Australia) can be flagged and reported to the user. Or, in the case of
> two-factor authentication, a "suspicious" login attempt can be required to
> go through additional verification. These types of systems are common for
> Gmail accounts and some credit card accounts.
>
> Regarding a user seeing a list of his or her own active sessions and
> corresponding information, there was, and there likely still is,
> considerable opposition to this idea. It's akin to a "self-CheckUser"
> feature (which I think we should separately support) and there were
> concerns that we would help vandals, sockpuppets, and other bad users.
>
> Some links:
>
> * https://www.mediawiki.org/wiki/?curid=117743
> * https://www.mediawiki.org/wiki/?curid=156161
> * https://phabricator.wikimedia.org/T387
> * https://phabricator.wikimedia.org/T29242
>
> MZMcBride
-- 
fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae
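
The per-user session list and the unfamiliar-network check described in the quoted message above, as an added sketch that is not part of the thread and is not MediaWiki code. The class and method names and the /16 (IPv4) and /32 (IPv6) "same network" prefixes are assumptions made for illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: two addresses count as the "same network" when they share
# a /16 (IPv4) or /32 (IPv6) prefix; a real deployment would tune this.
PREFIX = {4: 16, 6: 32}

def network_of(ip):
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False)

@dataclass
class Session:
    session_id: str
    ip: str
    user_agent: str
    created: datetime
    needs_verification: bool  # True until an extra check (e.g. 2FA) passes

@dataclass
class SessionRegistry:
    sessions: dict = field(default_factory=dict)  # user -> {id: Session}
    known: dict = field(default_factory=dict)     # user -> set of networks

    def login(self, user, ip, user_agent):
        nets = self.known.setdefault(user, set())
        # The first login sets the baseline; later ones from an unseen
        # network are flagged instead of being trusted silently.
        flagged = bool(nets) and network_of(ip) not in nets
        s = Session(secrets.token_urlsafe(16), ip, user_agent,
                    datetime.now(timezone.utc), flagged)
        self.sessions.setdefault(user, {})[s.session_id] = s
        if not flagged:
            nets.add(network_of(ip))
        return s

    def verify(self, user, session_id):
        # Called after the additional verification step succeeds.
        s = self.sessions[user][session_id]
        s.needs_verification = False
        self.known[user].add(network_of(s.ip))

    def list_sessions(self, user):
        # What the account owner would see: own sessions only.
        return sorted(self.sessions.get(user, {}).values(), key=lambda s: s.created)

    def revoke(self, user, session_id):
        return self.sessions.get(user, {}).pop(session_id, None) is not None
```

Because `list_sessions` and `revoke` are keyed by the authenticated user, the view exposes only that account's own addresses and User-Agent strings.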
