Re: [Wikimedia-l] Information on "Multiple failed attempts to log in" emails

2018-08-25 Thread Dennis During
Wouldn't disclosure in a public forum of any details of such an attack
potentially inform the attackers and would-be imitators of the success or
lack thereof of the attack, of its methods, and of detection and cleanup
methods?

On Sat, Aug 25, 2018 at 12:21 PM, Fæ  wrote:

> Dear Security group of the Wikimedia Foundation,
>
> The community has been patiently waiting for *113 days* for an
> analysis to be published for the login attack of 3 May 2018.
>
-- 
Dennis C. During
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 


Re: [Wikimedia-l] Information on "Multiple failed attempts to log in" emails

2018-08-25 Thread
Dear Security group of the Wikimedia Foundation,

The community has been patiently waiting for *113 days* for an
analysis to be published for the login attack of 3 May 2018.

The community has been waiting for *650 days* (that's around one year
and 10 months) for an analysis of the OurMine hack to be published.

We are repeatedly, and at times rudely, advised by WMF employees to
raise Phabricator tickets for these types of task, which now appears
to be deliberately bad advice if the tickets can remain open but
languish as "Needs Triage" and ignored by the WMF for a period of
years or indefinitely until the community conveniently forgets about
them.

The OurMine hack was an important breach of Wikimedia project
security, and though the precise details may not be smart to make
public as this might risk becoming guidance for future hackers, nobody
can object to a potted summary and analysis of how severe the attack
was, and what types of steps the WMF has taken to ensure this will
never be repeated.

Links
1. https://phabricator.wikimedia.org/T193846 Publish analysis of
sustained login attack of 3 May 2018
2. https://phabricator.wikimedia.org/T150605 Publish an analysis of
the OurMine hack (11 November 2016)

Thank you for helping out with better community communication,
Fae
-- 
fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae

On Fri, 4 May 2018 at 10:40, Fæ  wrote:
>
> On 4 May 2018 at 01:27, John Bennett  wrote:
> > Hello,
> >
> > Many of you may have been receiving emails in the last 24 hours warning you
> > of "Multiple failed attempts to log in" with your account. I wanted to let
> > you know that the Wikimedia Foundation's Security team is aware of the
> > situation, and working with others in the organization on steps to decrease
> > the success of attacks like these.
> >
> > The exact source is not yet known, but it is not originating from our
> > systems. That means it is an external effort to gain unauthorized access to
> > random accounts. These types of efforts are increasingly common for
> > websites of our reach. A vast majority of these attempts have been
> > unsuccessful, and we are reaching out personally to the small number of
> > accounts which we believe have been compromised.
> >
> > While we are constantly looking at improvements to our security systems and
> > processes to offset the impact of malicious efforts such as these, the best
> > method of prevention continues to be the steps each of you take to
> > safeguard your accounts. Because of this, we have taken steps in the past
> > to support things like stronger password requirements,[1] and we continue
> > to encourage everyone to take some routine steps to maintain a secure
> > computer and account. That includes regularly changing your passwords,[2]
> > actively running antivirus software on your systems, and keeping your
> > system software up to date.
> >
> > My team will continue to investigate this incident, and report back if we
> > notice any concerning changes. If you have any questions, please contact
> > the Support and Safety team (susa{{@}}wikimedia.org).
> >
> > John Bennett
> > Director of Security, Wikimedia Foundation
> >
> > [1] https://meta.wikimedia.org/wiki/Password_strength_requirements
> > [2] https://meta.wikimedia.org/wiki/Special:ChangePassword
>
> Thanks for the update.
>
> Could you please follow up with a public report about the incident and the
> analysis. There is plenty of data available in the public domain, and
> an awful lot of users have been affected, there seems no special
> reason to keep the basic analysis a secret even if some
> behind-the-scenes changes might need to remain unpublished. I have
> raised this as a Phabricator ticket as a prompt.[1]
>
> By the way, the Wikimedia user community is still waiting for the
> promised report on the OurMine hack of 11th November 2016. Could you
> get on with it please? Leaving users hanging for more than a year for
> analysis to get published is not a good look for the WMF, it leaves us
> wondering if this type of standard analysis gets done properly or
> not.[2]
>
> Links
> 1. https://phabricator.wikimedia.org/T193846 Publish analysis of
> sustained login attack of 3 May 2018
> 2. https://phabricator.wikimedia.org/T150605 Publish an analysis of
> the OurMine hack
>
> Thanks
> Fae
> --
> fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae


[Wikimedia-l] Books & Bytes – Issue 29, June – July 2018

2018-08-25 Thread UY Scuti
*Books & Bytes – Issue 29, June – July 2018*
Highlights:

   - New partners
   - Economic & Political Weekly
   - Wikimania
   - Wikimedia and Libraries User Group update
   - Global branches update
   - Bytes in brief

*Arabic, Chinese, Hindi, Italian and French versions of Books & Bytes
are now available in meta!*
Read the full newsletter at
https://meta.wikimedia.org/wiki/The_Wikipedia_Library/Newsletter/June-July_2018

For more updates, follow us on Twitter, Facebook and join the Facebook
group.

The Wikipedia Library Team
http://meta.wikimedia.org/wiki/The_Wikipedia_Library

Books & Bytes is a bi-monthly newsletter of The Wikipedia Library, focusing
on recent, ongoing and upcoming activities and events in TWL and relevant
topic areas. Read our previous newsletters here and subscribe!


[Wikimedia-l] Recognition of the Wikimedians of Tamazight User Group

2018-08-25 Thread Kirill Lokshin
Hi everyone!

I'm very happy to announce that the Affiliations Committee has recognized
[1] the Wikimedians of Tamazight User Group [2] as a Wikimedia User Group.
The group aims to promote the use of Wikimedia projects by Tamazight
speakers, to help Tamazight speakers learn how to edit Wikimedia projects,
and to organize gatherings of Tamazight-speaking Wikimedians.

Please join me in congratulating the members of this new user group!

Regards,
Kirill Lokshin
Chair, Affiliations Committee

[1]
https://meta.wikimedia.org/wiki/Affiliations_Committee/Resolutions/Recognition_Wikimedians_of_Tamazight_User_Group
[2] https://meta.wikimedia.org/wiki/Wikimedians_of_Tamazight_User_Group


[Wikimedia-l] Recognition of the Wikimedians for Offline Wikis User Group

2018-08-25 Thread Kirill Lokshin
Hi everyone!

I'm very happy to announce that the Affiliations Committee has recognized
[1] the Wikimedians for Offline Wikis User Group [2] as a Wikimedia User
Group. The group aims to consolidate and support the development and
deployment of offline snapshots of wiki knowledge in schools, clinics, and
rural communities.

Please join me in congratulating the members of this new user group!

Regards,
Kirill Lokshin
Chair, Affiliations Committee

[1]
https://meta.wikimedia.org/wiki/Affiliations_Committee/Resolutions/Recognition_of_Wikimedians_for_Offline_Wikis_User_Group
[2] https://meta.wikimedia.org/wiki/Wikimedians_for_offline_wikis