Re: [Haskell-cafe] Re: The site has been exploited (again)
gwern0:
>
> Ashley has made me admin; I've spent the last 1.5 hours deleting all
> the vandalism and indef blocking the accounts. I have Recent Changes
> in my RSS reader, so hopefully in the future there will be no greater
> than 24 hours delay before vandalism is dealt with. A MW upgrade will
> also help (eg. currently checkuser* seems to be unavailable).
>
> * http://www.mediawiki.org/wiki/Extension:CheckUser

Thank you so much, Gwern!

___
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] Re: The site has been exploited (again)
begin Gwern Branwen quotation:
> Ashley has made me admin; I've spent the last 1.5 hours deleting all
> the vandalism and indef blocking the accounts. I have Recent Changes
> in my RSS reader, so hopefully in the future there will be no greater
> than 24 hours delay before vandalism is dealt with. A MW upgrade will
> also help (eg. currently checkuser* seems to be unavailable).
>
> * http://www.mediawiki.org/wiki/Extension:CheckUser

Excellent!

Putting aside what I said earlier about protection, which doesn't
really work well with a single active admin, it may still be worth
putting some protection in place to avoid a non-bot account maliciously
sticking something like the goatse.cx pic on the home page of
Haskell.org.

The options I know of for doing this are the Patrolled Edits feature
and the FlaggedRevs extension. Unfortunately, I don't think either of
these can be applied only to a limited set of pages because of the
MediaWiki team's asinine insistence that they'll never support per-page
authorization mechanism properly.

-md
Re: [Haskell-cafe] Re: The site has been exploited (again)
On Sun, Jul 11, 2010 at 2:28 PM, Mike Dillon wrote:
> begin Mike Dillon quotation:
>> Being that there is only one active admin on the Haskell.org wiki
>> (User:Ashley Y), I believe the fact that this page is editable by any
>> user is a policy decision to allow the community to contribute. The
>> page could be protected, but then only two administrators could edit it
>> (assuming John Peterson decided to become active again after two years
>> of not working on the wiki):
>>
>> http://www.haskell.org/haskellwiki/?title=Special%3AListusers&group=sysop
>>
>> As for whether or not moving this particular wiki to a Haskell-based
>> solution would be a good idea, I don't see it being a win. I don't know
>> of any Haskell-based wikis that support MediaWiki syntax, so the effort
>> would involve converting all the existing content to some other format.
>> Being that MediaWiki's syntax is the most widespread wiki syntax at the
>> moment, I don't see how that would do anything but make it harder for
>> people to contribute.
>
> One more thing. On a wiki with active administrators, this user would
> have been blocked. That hasn't happened. The last block was in August
> 2009:
>
> http://www.haskell.org/haskellwiki/?title=Special%3ALog&type=block
>
> If there is not someone regularly watching the wiki at all times, it
> would probably be prudent to protect some of the higher profile pages
> once there are more admins able to edit them.
>
> -md

Ashley has made me admin; I've spent the last 1.5 hours deleting all
the vandalism and indef blocking the accounts. I have Recent Changes
in my RSS reader, so hopefully in the future there will be no greater
than 24 hours delay before vandalism is dealt with. A MW upgrade will
also help (eg. currently checkuser* seems to be unavailable).

* http://www.mediawiki.org/wiki/Extension:CheckUser

--
gwern
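Added example, not part of the thread or of any poster's message: a sketch of the Recent Changes monitoring described above, flagging edits to high-profile pages by accounts whose creation shows up in the same feed. The sample feed is constructed in the shape of MediaWiki's list=recentchanges API output; the page title, user names and 24-hour window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample, shaped like the JSON from MediaWiki's
# api.php?action=query&list=recentchanges&rcprop=user|title|timestamp|loginfo
SAMPLE = json.loads("""
{"query": {"recentchanges": [
  {"type": "log", "logtype": "newusers", "logaction": "create",
   "title": "User:ExampleSpammer", "user": "ExampleSpammer",
   "timestamp": "2010-07-11T16:50:00Z"},
  {"type": "edit", "title": "Main Page", "user": "ExampleSpammer",
   "timestamp": "2010-07-11T17:05:00Z"},
  {"type": "edit", "title": "Sandbox", "user": "ExampleSpammer",
   "timestamp": "2010-07-11T17:10:00Z"},
  {"type": "edit", "title": "Main Page", "user": "LongTimeEditor",
   "timestamp": "2010-07-11T18:00:00Z"}
]}}
""")

WATCHED = {"Main Page"}                   # assumed high-profile page titles
NEW_ACCOUNT_WINDOW = timedelta(hours=24)  # assumed "new account" age

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def flag_new_account_edits(feed, watched=WATCHED, window=NEW_ACCOUNT_WINDOW):
    """Return (user, title, timestamp) for edits to watched pages made by
    accounts whose creation log entry appears earlier in the same feed."""
    changes = sorted(feed["query"]["recentchanges"],
                     key=lambda c: c["timestamp"])  # API returns newest first
    created, alerts = {}, []
    for change in changes:
        when = parse_ts(change["timestamp"])
        if change["type"] == "log" and change.get("logtype") == "newusers":
            created[change["user"]] = when
        elif change["type"] in ("edit", "new") and change["title"] in watched:
            born = created.get(change["user"])
            # Accounts not seen being created in the feed are treated as
            # established; widen the feed window to catch older sign-ups.
            if born is not None and when - born <= window:
                alerts.append((change["user"], change["title"],
                               change["timestamp"]))
    return alerts

if __name__ == "__main__":
    for user, title, ts in flag_new_account_edits(SAMPLE):
        print(f"REVIEW: {ts} new account {user!r} edited {title!r}")
```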
Re: [Haskell-cafe] Re: The site has been exploited (again)
begin Mike Dillon quotation:
> Being that there is only one active admin on the Haskell.org wiki
> (User:Ashley Y), I believe the fact that this page is editable by any
> user is a policy decision to allow the community to contribute. The
> page could be protected, but then only two administrators could edit it
> (assuming John Peterson decided to become active again after two years
> of not working on the wiki):
>
> http://www.haskell.org/haskellwiki/?title=Special%3AListusers&group=sysop
>
> As for whether or not moving this particular wiki to a Haskell-based
> solution would be a good idea, I don't see it being a win. I don't know
> of any Haskell-based wikis that support MediaWiki syntax, so the effort
> would involve converting all the existing content to some other format.
> Being that MediaWiki's syntax is the most widespread wiki syntax at the
> moment, I don't see how that would do anything but make it harder for
> people to contribute.

One more thing. On a wiki with active administrators, this user would
have been blocked. That hasn't happened. The last block was in August
2009:

http://www.haskell.org/haskellwiki/?title=Special%3ALog&type=block

If there is not someone regularly watching the wiki at all times, it
would probably be prudent to protect some of the higher profile pages
once there are more admins able to edit them.

-md
Re: [Haskell-cafe] Re: The site has been exploited (again)
begin Gour quotation:
> On Sun, 11 Jul 2010 14:40:03 -0300
> >> "Felipe" == Felipe Lessa wrote:
>
> Felipe> As far as I know, haskell.org doesn't run on top of Haskell
> Felipe> software.
>
> That's the point. ;)
>
> haskell.org should work on Haskell software in order to prevent such
> things.

This change had nothing to do with Haskell versus not Haskell and was
not the result of an exploit in MediaWiki. The haskell.org wiki is set
up to only allow logged-in users to edit pages. What appears to have
happened is that someone created an account named "Buycliamox" and used
it to make the edit in question:

http://www.haskell.org/haskellwiki/?title=Special:Contributions&target=Buycilamox

Now, unless this was a bot-created account, there is nothing that a
newer version of MediaWiki would have helped. I believe newer versions
either have CAPTCHA/reCAPTCHA built-in or available via a plugin. That
could have helped prevent automated account creation, but you still
have the problems of hijacked accounts if haskell.org were really a
target for such things. I'd go with the most likely explanation in this
case and assume that a person created this account and decided to be
cute.

Being that there is only one active admin on the Haskell.org wiki
(User:Ashley Y), I believe the fact that this page is editable by any
user is a policy decision to allow the community to contribute. The
page could be protected, but then only two administrators could edit it
(assuming John Peterson decided to become active again after two years
of not working on the wiki):

http://www.haskell.org/haskellwiki/?title=Special%3AListusers&group=sysop

As for whether or not moving this particular wiki to a Haskell-based
solution would be a good idea, I don't see it being a win. I don't know
of any Haskell-based wikis that support MediaWiki syntax, so the effort
would involve converting all the existing content to some other format.
Being that MediaWiki's syntax is the most widespread wiki syntax at the
moment, I don't see how that would do anything but make it harder for
people to contribute.

-md
[Haskell-cafe] Re: The site has been exploited (again)
On Sun, 11 Jul 2010 14:40:03 -0300
>> "Felipe" == Felipe Lessa wrote:

Felipe> As far as I know, haskell.org doesn't run on top of Haskell
Felipe> software.

That's the point. ;)

haskell.org should work on Haskell software in order to prevent such
things.

Sincerely,
Gour

--
Gour | Hlapicina, Croatia | GPG key: F96FF5F6
Re: [Haskell-cafe] Re: The site has been exploited (again)
On Sun, Jul 11, 2010 at 2:37 PM, Gour wrote:
> This is not good advertisement for Haskell and maybe it's time to
> deploy more-secure Haskell web apps/frameworks...

As far as I know, haskell.org doesn't run on top of Haskell software.

--
Felipe.
[Haskell-cafe] Re: The site has been exploited (again)
On Sun, 11 Jul 2010 19:29:55 +0200
>> "Christopher" == wrote:

Christopher> http://haskell.org/
Christopher>
Christopher> It says "TO BUY Cilamox ONLINE", etc.

This is not good advertisement for Haskell and maybe it's time to
deploy more-secure Haskell web apps/frameworks...

Sincerely,
Gour

--
Gour | Hlapicina, Croatia | GPG key: F96FF5F6