Re: [Wikimedia-l] Editor safety and anonymity: ending IP address exposure?

2016-11-17 Thread Gergo Tisza
On Sat, Nov 12, 2016 at 12:02 PM, Brion Vibber 
wrote:

> 1) Eliminate IP address exposure for non-logged-in editors. Those editors
> should be either given a random, truly anonymous identifier, or required to
> create a pseudonym as a login.
>

I filed https://phabricator.wikimedia.org/T133452 for that a while ago (but
then never got around to expanding it). It would be technically
challenging but would unlock many interesting possibilities, such as proper
targeting of welcome messages / warning templates / thanks, blocking
anonymous editors without blocking the (possibly shared) IP they use, or
the ability to claim recent anonymous edits when you register.
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 


Re: [Wikimedia-l] (no subject)

2016-11-17 Thread Pine W
As a reminder: IRC is governed by Freenode. Channels can have their own
rules, and there are widely varying systems of internal governance for
Wikimedia IRC channels. I think it's important to note that WMF and the
Wikimedia community are guests on Freenode, and I'm uncomfortable with the
proposition to extend a WMF policy into IRC channels without explicit
consent from the ops of those channels; it seems to me that the TCC would
be a per-channel opt-in on IRC, not a WMF blanket standard.

Speaking more generally, I am wary of WMF encroachment into what I think should
be fundamentally community-governed spaces. I have not heard a lot of
objections from the community to the proposed technical code of conduct,
and I've heard some arguments for and against the rationale for having it;
my main concern is that I would prefer that the final document be ratified
through community-led processes.

Thanks,

Pine


On Thu, Nov 17, 2016 at 5:34 PM, Matthew Flaschen 
wrote:

> On 11/17/2016 04:57 PM, C. Scott Ananian wrote:
>
>> I would love to have a broader discussion about communication in the
>> projects more generally.  As you know, we currently have a few mechanisms
>> (and please correct any mischaracterizations in the below):
>>
>
> As people may know, we are working on a Code of conduct for technical
> spaces.
>
> It will cover on-wiki communication in the technical spaces (including
> talk pages), technical mailing lists, technical IRC channels, and
> Phabricator (including Conpherence).
>
> There are some existing guidelines in place.  It's a very fragmented
> picture (most guidelines only apply to one form of communication (e.g.
> IRC), and sometimes only a single IRC channel), which is part of what the
> tech CoC will improve.  I also don't necessarily endorse these older
> guidelines.
>
>>   * Conversation in the Talk: namespace (either in raw wikitext or Flow)
>>  - This is archived, and presumably subject to same code of conduct
>> guidelines as parent wiki.  It is public. Anonymous/IP editors are allowed.
>>
>
> Worth remembering that many important projects don't *have* a code of
> conduct or equivalent, and on those that do, it's often not enforced.
>
>>   * Echo
>>  - Unarchived transient notifications, very restricted by design.  Could
>> be made more general (but see below).
>>
>
> Right, this is not a user-user communication system (though it will notify
> you *of* user-user communications, sometimes with snippets included).
>
>>   * Phabricator
>>  - Archived task-oriented discussions, leading to a desired outcome.
>> Anonymous participation disallowed.  Search possible in theory; in practice
>> the implementation is quite limited.  Some (security-sensitive)
>> conversations can be private, but (AFAIK) an ordinary user does not have a
>> means to create a private conversation.  I'm not aware of an explicit code
>> of conduct.
>>
>
> Conpherence allows either public or private conversations.
>
> There are currently guidelines
> (https://www.mediawiki.org/wiki/Bug_management/Phabricator_etiquette).
> The Code of Conduct for technical spaces will cover Phabricator as well.
>
>> We have no comprehensive code of conduct/mechanisms to combat harassment,
>> vandalism, and abuse.  Harassment or vandalism which is stopped in one
>> communication mechanism can be transferred to another with impunity.  IRC
>> in particular is seen as a space where (a) private discussions can happen
>> (good), but (b) there are no cops or consequences.
>>
>
> Yeah, I agree this is an issue, and is why the technical code of conduct
> will have one central reporting place (so you always know where to report,
> and they can consider multi-space harassment).
>
> This is important stuff.  Thank you for talking and thinking about it.
>
> Matt Flaschen
>
>


[Wikimedia-l] Funds Dissemination Committee Recommendations for Round 1 2016-2017

2016-11-17 Thread Risker
Dear Wikimedians,


The Funds Dissemination Committee (FDC) meets twice a year to make
recommendations about how to effectively allocate movement funds to achieve
the Wikimedia movement's mission, vision, and strategy.  This is now the
9th round of allocations made by the FDC, and we met in person from
November 13-17 in San Francisco to deliberate on 11 proposals submitted
this round. We would like to thank all of the participating organizations
for the hard work they put into this round’s proposals.


Our recommendations for Round 1 2016-2017 on the annual plan grants to the
Wikimedia Foundation Board of Trustees have now been posted on Meta.[1] The
Board will review our deliberations and make a decision by January 1, 2017.


We received grant requests for approximately USD 3,467,000 this round
(including two requests for two-year funding). Before we met, committee
members reviewed all of the proposals and documents submitted.  We were
assisted in this review with input from the FDC staff assessments which
included analysis on impact, finances, and programs, as well as community
comments on the proposals.


As you may know, there is a formal process to submit complaints or appeals
about these recommendations. Here are the steps for both:


Any organization that would like to submit an appeal on the FDC’s Round 1
recommendation should submit it to the Board representatives to the FDC by
23:59 UTC on 8 December 2016 in accord with the appeal process outlined in
the FDC Framework [2]. A formal appeal to challenge the FDC’s
recommendation should be in the form of a 500-or-fewer word summary
directed to the two non-voting WMF Board representatives to the FDC,
Dariusz Jemielniak and Guy Kawasaki. The appeal should be submitted
on-wiki, and must be submitted by the Board Chair of a funding-seeking
applicant. The Wikimedia Foundation Board will publish its decision on this
and all recommendations by January 1, 2017.


Anyone can file a complaint about the FDC process [3] with the Ombudsperson
at any time. The complaint should be submitted on wiki, as well. The
Ombudsperson will publicly document the complaint, and investigate as
needed.



On behalf of the FDC,


Anne Clin / Risker

FDC Chair


[1]
https://meta.wikimedia.org/wiki/Grants:APG/FDC_recommendations/2016-2017_round_1

[2]
https://meta.wikimedia.org/wiki/Grants:APG/Appeals_to_the_Board_on_the_recommendations_of_the_FDC

[3]
https://meta.wikimedia.org/wiki/Grants:APG/Complaints_about_the_FDC_process


Re: [Wikimedia-l] (no subject)

2016-11-17 Thread Matthew Flaschen

On 11/17/2016 04:57 PM, C. Scott Ananian wrote:

> I would love to have a broader discussion about communication in the
> projects more generally.  As you know, we currently have a few mechanisms
> (and please correct any mischaracterizations in the below):


As people may know, we are working on a Code of conduct for technical 
spaces.


It will cover on-wiki communication in the technical spaces (including 
talk pages), technical mailing lists, technical IRC channels, and 
Phabricator (including Conpherence).


There are some existing guidelines in place.  It's a very fragmented 
picture (most guidelines only apply to one form of communication (e.g. 
IRC), and sometimes only a single IRC channel), which is part of what 
the tech CoC will improve.  I also don't necessarily endorse these older 
guidelines.



>   * Conversation in the Talk: namespace (either in raw wikitext or Flow)
>  - This is archived, and presumably subject to same code of conduct
> guidelines as parent wiki.  It is public. Anonymous/IP editors are allowed.


Worth remembering that many important projects don't *have* a code of 
conduct or equivalent, and on those that do, it's often not enforced.



>   * Echo
>  - Unarchived transient notifications, very restricted by design.  Could
> be made more general (but see below).


Right, this is not a user-user communication system (though it will notify
you *of* user-user communications, sometimes with snippets included).



>   * Phabricator
>  - Archived task-oriented discussions, leading to a desired outcome.
> Anonymous participation disallowed.  Search possible in theory; in practice
> the implementation is quite limited.  Some (security-sensitive)
> conversations can be private, but (AFAIK) an ordinary user does not have a
> means to create a private conversation.  I'm not aware of an explicit code
> of conduct.


Conpherence allows either public or private conversations.

There are currently guidelines 
(https://www.mediawiki.org/wiki/Bug_management/Phabricator_etiquette). 
The Code of Conduct for technical spaces will cover Phabricator as well.



> We have no comprehensive code of conduct/mechanisms to combat harassment,
> vandalism, and abuse.  Harassment or vandalism which is stopped in one
> communication mechanism can be transferred to another with impunity.  IRC
> in particular is seen as a space where (a) private discussions can happen
> (good), but (b) there are no cops or consequences.


Yeah, I agree this is an issue, and is why the technical code of conduct 
will have one central reporting place (so you always know where to 
report, and they can consider multi-space harassment).


This is important stuff.  Thank you for talking and thinking about it.

Matt Flaschen



Re: [Wikimedia-l] (no subject)

2016-11-17 Thread C. Scott Ananian
On Thu, Nov 17, 2016 at 5:32 PM, Andrew Lih  wrote:

> Love it or hate it, Facebook as a way of linking together Wikimedians
> across languages is a big plus (eg. projects like #100wikidays).
>

Ooh, man, you're pushing my hot button topics!  I proposed
https://phabricator.wikimedia.org/T149666 for the dev summit; my "big
picture" vision here is that we start using our machine translation tools
to tie our projects more tightly together, so we feel more like "one
project aided by a bunch of babel fish" and less like "a thousand separate
projects, each in their own tower".

So, bringing it back to chat -- and perhaps Shadow Namespaces (
https://phabricator.wikimedia.org/T149666) -- one goal might be to build
discussions into our platform in a way which can be cross-platform, with
integrated machine translation aids to allow near-seamless multilingual
conversations, thereby bridging barriers between our communities.  Of
course the vandalism and anti-harassment and user filter tools would need
to be multilingual in the same way...
  --scott

-- 
(http://cscott.net)


Re: [Wikimedia-l] Recognition of WikiDonne

2016-11-17 Thread Sydney Poore
WooHoo!! Glad to have you in the Wikimedia affiliate family!

Sydney Poore
User FloNight
Co-Founder
WikiWomen,
Kentucky Wikimedians,
WikiConference North America
User Groups

Sydney Poore
User:FloNight





On Thu, Nov 17, 2016 at 2:29 PM, Maor Malul  wrote:
> Dear all,
>
> It is my pleasure to announce, on behalf of the Affiliations Committee, the
> recognition of another Wikimedia User Group: WikiDonne [1]
>
> As the name indicates, their area of focus is content related to women
> across the different Wikimedia projects, especially in Italian. They also
> look to cooperate with other affiliates and especially with those focused on
> the same topic, such as WikiWomen and WikiMujeres, and are already
> cooperating with other external entities :-)
>
> Welcome!!
>
> 1: https://meta.wikimedia.org/wiki/WikiDonne
>
>
> --
> "*Jülüjain wane mmakat* ein kapülain tü alijunakalirua jee wayuukanairua
> junain ekerolaa alümüin supüshuwayale etijaanaka. Ayatashi waya junain."
> Maor Malul
> Socio, A.C. Wikimedia Venezuela | RIF J-40129321-2 | www.wikimedia.org.ve
> 
> Member, Wikimedia Israel | www.wikimedia.org.il 
> Chair, Wikimedia Foundation Affiliations Committee
> Phone: +972-52-4869915
> Twitter: @maor_x


Re: [Wikimedia-l] (no subject)

2016-11-17 Thread C. Scott Ananian
On Tue, Nov 15, 2016 at 3:36 AM, John Mark Vandenberg 
wrote:

> On Mon, Nov 14, 2016 at 11:37 PM, Dariusz Jemielniak 
> wrote:
> > Until we have better tech available, I want to assure you that I want to be
> > available, and apart from Meta, I gladly offer IRC or video conversations,
> > or other media, to whoever feels it may be useful (let's track this
> > commitment of mine in the old-fashioned way for now).
>
> Rather than IRC or video, which both have significant problems for
> this type of open engagement, perhaps WMF could install a modern group
> chat system, like Zulip, or another Slack-like tool.
>
> The enthusiasm for Discourse hasn't resulted in any significant adoption.
> I venture to suggest that this is because it isn't mobile friendly, and
> doesn't integrate with MediaWiki authentication.
> Their app is little more than a web-browser (and the WMF labs instance
> doesn't support the necessary API anyway.)
> https://phabricator.wikimedia.org/T124691
> https://phabricator.wikimedia.org/T150733
>
> I've created a task about this problem for GCI and Outreachy which are
> about to start:
>
> https://phabricator.wikimedia.org/T150732
>
> I see Slack is being used by Portuguese Wikipedia
>
> https://pt.wikipedia.org/wiki/Wikip%C3%A9dia:Slack
>
> It would be good to hear their opinion on this tool?
>

I would love to have a broader discussion about communication in the
projects more generally.  As you know, we currently have a few mechanisms
(and please correct any mischaracterizations in the below):

 * Conversation in the Talk: namespace (either in raw wikitext or Flow)
- This is archived, and presumably subject to same code of conduct
guidelines as parent wiki.  It is public. Anonymous/IP editors are allowed.

 * Echo
- Unarchived transient notifications, very restricted by design.  Could
be made more general (but see below).

 * Conversation on mailing lists
- Also archived, often moderated.  Public, although you can always send
an unarchived private reply email to a particular sender.  Anonymity is
harder here, although possible with some effort.  Code of conduct is
"whatever the moderator will allow, if there is a moderator."

 * Conversation on IRC
- Deliberately not archived.  Intended for casual conversation and
informal negotiation.  Public, although not searchable after the fact
(unless you keep a private log).  Anonymity is fairly easy -- in fact, it
can be quite difficult to associate IRC nicks with on-wiki identities even
if all parties are willing.  No code of conduct, although there are ops who
can boot you (sometimes).

 * Phabricator
- Archived task-oriented discussions, leading to a desired outcome.
Anonymous participation disallowed.  Search possible in theory; in practice
the implementation is quite limited.  Some (security-sensitive)
conversations can be private, but (AFAIK) an ordinary user does not have a
means to create a private conversation.  I'm not aware of an explicit code
of conduct.

 * OTRS
- Similar to Phabricator, except that by default all conversations are
private to OTRS staff and the submitter.  I'm not aware of an explicit code
of conduct, although this is mitigated by the fact that the conversations
are not public which limits the possibility of abuse.

 *  Slack on ptwiki, apparently?

 *  Conpherence as part of Phabricator.  (I don't have enough experience
with the last two to categorize them.)

We are currently missing:

  * Conversations anchored to specific editing tasks, like "comments" in
google docs.

  * Integrated conversation associated with an editing session (like the
integrated chat in google docs)

  * Integrated real-time chat -- like IRC, but anchored to on-wiki
identities, so I can send a "you still around and editing?" message before
reverting or building on a recent change.

  * Workflow-oriented chat.  Like the task-oriented chat in Phabricator,
but integrated with on-wiki activities such as patrolling or admin tasks.

  * Probably other forms of conversation!

WHAT'S EVEN MORE IMPORTANT, THOUGH:

We have no comprehensive code of conduct/mechanisms to combat harassment,
vandalism, and abuse.  Harassment or vandalism which is stopped in one
communication mechanism can be transferred to another with impunity.  IRC
in particular is seen as a space where (a) private discussions can happen
(good), but (b) there are no cops or consequences.

This is not really just a question of installing .
This is a challenge to the community to do the hard work of figuring out
our social contracts and what sort of conversations we want to support and
enable, which sorts of abuse we want to control, and what sorts of filters
to give users.

We can easily go too far -- I recommend reading
http://www.nytimes.com/2016/11/05/opinion/what-were-missing-while-we-obsess-over-john-podestas-email.html
for context.  A global panopticon [1] where no one can hold private
conversation is equally 

Re: [Wikimedia-l] Recognition of WikiConference North America

2016-11-17 Thread Leigh Thelmadatter
How do you sign up to be a member of the group?


From: Wikimedia-l on behalf of Maor Malul
Sent: Thursday, November 17, 2016 12:36:07 PM
To: Wikimedia Mailing List
Subject: [Wikimedia-l] Recognition of WikiConference North America

Dear all,

I am pleased to announce the recognition of another Wikimedia User
Group, this time based in the USA: WikiConference North America [1]

At the end of WikiConference North America 2016, celebrated last month
in San Diego, the organizing team announced the creation of a permanent
group that will focus on the planning and hosting of WikiConference
North America in future years, as well as documenting best practices and
experiences learned with other affiliates planning and hosting
conferences and similar events. And some outreach, too :-)

Welcome!

1: https://meta.wikimedia.org/wiki/WikiConference_North_America


--
"*Jülüjain wane mmakat* ein kapülain tü alijunakalirua jee wayuukanairua
junain ekerolaa alümüin supüshuwayale etijaanaka. Ayatashi waya junain."
Maor Malul
Socio, A.C. Wikimedia Venezuela | RIF J-40129321-2 |
www.wikimedia.org.ve 
Member, Wikimedia Israel | www.wikimedia.org.il 

Chair, Wikimedia Foundation Affiliations Committee
Phone: +972-52-4869915
Twitter: @maor_x


[Wikimedia-l] Recognition of WikiConference North America

2016-11-17 Thread Maor Malul

Dear all,

I am pleased to announce the recognition of another Wikimedia User 
Group, this time based in the USA: WikiConference North America [1]


At the end of WikiConference North America 2016, celebrated last month 
in San Diego, the organizing team announced the creation of a permanent 
group that will focus on the planning and hosting of WikiConference 
North America in future years, as well as documenting best practices and 
experiences learned with other affiliates planning and hosting 
conferences and similar events. And some outreach, too :-)


Welcome!

1: https://meta.wikimedia.org/wiki/WikiConference_North_America


--
"*Jülüjain wane mmakat* ein kapülain tü alijunakalirua jee wayuukanairua 
junain ekerolaa alümüin supüshuwayale etijaanaka. Ayatashi waya junain."

Maor Malul
Socio, A.C. Wikimedia Venezuela | RIF J-40129321-2 | 
www.wikimedia.org.ve 

Member, Wikimedia Israel | www.wikimedia.org.il 
Chair, Wikimedia Foundation Affiliations Committee
Phone: +972-52-4869915
Twitter: @maor_x


[Wikimedia-l] Recognition of WikiDonne

2016-11-17 Thread Maor Malul

Dear all,

It is my pleasure to announce, on behalf of the Affiliations Committee, 
the recognition of another Wikimedia User Group: WikiDonne [1]


As the name indicates, their area of focus is content related to women 
across the different Wikimedia projects, especially in Italian. They 
also look to cooperate with other affiliates and especially with those 
focused on the same topic, such as WikiWomen and WikiMujeres, and are 
already cooperating with other external entities :-)


Welcome!!

1: https://meta.wikimedia.org/wiki/WikiDonne


--
"*Jülüjain wane mmakat* ein kapülain tü alijunakalirua jee wayuukanairua 
junain ekerolaa alümüin supüshuwayale etijaanaka. Ayatashi waya junain."

Maor Malul
Socio, A.C. Wikimedia Venezuela | RIF J-40129321-2 | 
www.wikimedia.org.ve 

Member, Wikimedia Israel | www.wikimedia.org.il 
Chair, Wikimedia Foundation Affiliations Committee
Phone: +972-52-4869915
Twitter: @maor_x


Re: [Wikimedia-l] [Wikitech-l] Update on WMF account compromises

2016-11-17 Thread Pine W
Good point about MITM doing script injection, which I hadn't fully
considered. I'm not sure that going to HTTPS would solve everything (e.g.
that alone wouldn't prevent the origin site from reading passwords that
someone enters into the tool, and HTTPS is not foolproof) but it would
indeed be a big step in the right direction to avoid MITM.

I wonder (looking at the WMF people in the room) how quickly could WMF
deploy a password strength checking tool to the Wikimedia sites? That won't
solve all of the problems but it would be a step in the right direction.



Pine


On Thu, Nov 17, 2016 at 10:00 AM, Tyler Romeo  wrote:

> On Thu, Nov 17, 2016 at 12:28 PM, Pine W  wrote:
>
> > 1. If you don't trust that strength testing site (which is fine), choose
> > another. I did a couple of quick checks on that site; while it's entirely
> > possible that I missed something, it appeared to me that the site was not
> > sending passwords over the Internet, whether in the clear or encrypted. The
> > use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
> > the first place.
> >
>
> Or use a password manager that has a local built-in password strength tool,
> that way you don't risk being MiTMed by an HTTP site.
>
> In general, as mentioned, you should simply not enter your password on any
> website that is not the site the password belongs to. For my full-time job,
> employees have a Chrome extension where, if you accidentally type your password on
> any website (even if it's not in a text box), you're required to reset it.
>
> *-- *
> Regards,
>
> *Tyler Romeo*
> 0x405d34a7c86b42df
> https://parent5446.nyc
> ___
> Wikitech-l mailing list
> wikitec...@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>


Re: [Wikimedia-l] [Wikitech-l] Update on WMF account compromises

2016-11-17 Thread Pine W
I'm not sure that I agree with that assessment *of password strength
testing tools* (not humans), for a couple of reasons.

0. Weak passwords are a huge problem, and may be closely related to the
weakness that the attackers are currently using to compromise Wikimedia
accounts. As far as I know, Wikimedia currently has no internal way to deal
with that problem. We *should* have a way to deal with that problem, but it
seems to me that using a tool that I recommended is the lesser of two evils
at the moment. In the long run, it would be much better if Wikimedia had an
internal tool to validate the strength of users' passwords and block
passwords that fall below a certain strength level.

1. If you don't trust that strength testing site (which is fine), choose
another. I did a couple of quick checks on that site; while it's entirely
possible that I missed something, it appeared to me that the site was not
sending passwords over the Internet, whether in the clear or encrypted. The
use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
the first place.

Do you have a better solution in mind to deal with the immediate problem of
weak passwords, besides 2FA which is not available to everyone?



Pine


On Thu, Nov 17, 2016 at 12:08 AM, Antoine Musso  wrote:

> Le 16/11/2016 à 19:19, Pine W a écrit :
> >
> > (0) Consider testing your password strength with a tool like
> > http://www.testyourpassword.com/; be sure that the tool you use does not
> > send your chosen password over the Internet and instead tests it locally.
>
> By using an online testing tool, you are effectively breaking the very
> first rule:
>
>  DO NOT GIVE OUT YOUR PASSWORD.  EVER.
>
> Using that site is exactly like sharing your password with a random
> stranger in the world.  Even if you trusted that website, and audited
> the code at a given point in time, you have no guarantee the site hasn't
> changed or that it is not collecting passwords.
>
>
>
>
> --
> Antoine "hashar" Musso
>
>
>
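
The kind of local check this thread asks for (test a password without sending it anywhere, and block passwords that fall below a strength level), as an added example that is not from the thread or from Wikimedia's code. The blocklist contents, the thresholds and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample blocklist. A deployment would load a large list of
# breached passwords from local disk (assumption, not part of the thread).
COMMON = {"password", "123456", "qwerty", "letmein", "wikipedia", "dragon"}

# Undo simple character substitutions before the blocklist lookup.
LEET = str.maketrans("013457@$!", "oieastasi")

MIN_LENGTH = 10   # hypothetical policy values
MIN_BITS = 50.0


def normalize(password):
    """Lower-case, drop trailing digits/symbols, then undo leetspeak."""
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def estimate_bits(password):
    """Upper bound on entropy: length * log2(size of character pool used).

    This assumes every character was chosen at random, so it overrates
    human-chosen passwords; the blocklist exists to cover that gap.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # printable ASCII symbols plus space
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, username=""):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if {password.lower(), normalize(password)} & COMMON:
        reasons.append("common")
    if len(username) >= 3 and username.lower() in password.lower():
        reasons.append("contains_username")
    if estimate_bits(password) < MIN_BITS:
        reasons.append("low_entropy")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("P@ssw0rd1!", "alice"),
                     ("correct horse battery staple", "alice"),
                     ("alice2016wiki", "Alice"),
                     ("aaaaaaaaaa", "")]:
        print(repr(pw), check_password(pw, user) or "accepted")
```

Nothing here opens a network connection, so the password never leaves the process. The first sample passes the length and character-pool estimate and is rejected only by the blocklist lookup.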