Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Yongmin Hong
I believe you can find some 2FA application that isn't affiliated with Google 
(actually the Google Authenticator app doesn't require a Google account to be linked. 
Tested on iOS and Android.)

Also, some desktop applications (i.e. 1password*) are 2FA compatible.

* Not Free/Open Source Software.
Yongmin H.


2016. 11. 12. 23:34, Vi to wrote:

> Actually I consider to be sensitive the google account linked to my mobile
> phone :|
> also lots of people might have no compatible devices.
> Vito
> 2016-11-12 15:30 GMT+01:00 Amir Ladsgroup :
>> There is no need to store phone number at all.
>> You need to install an app called "Google Authenticator" or similar ones.
>> Then you scan a QR code from a special page in Wikipedia. Then every time
>> you want to login, you need to give username, password and a short-lived
>> token the app gives you. See this for more details:
>> On Sat, Nov 12, 2016 at 5:38 PM Fæ  wrote:
>> Good point Vito,
>> I agree that mobile numbers are personal information. However, my
>> understanding of the two-factor process would be that it can be set up so
>> that mobile numbers are *guaranteed* to never be logged or archived
>> and only stored in a constrained way for a verification number to be
>> issued. There are various ways of getting two-factor processes to
>> work, so methods that do not rely on mobile numbers may suit
>> volunteers that are worried about sending their mobile phone number to
>> any server in the USA, where there are always questions about secret
>> access and storage for government agencies.
>> We can require that guarantees are given and transparently assured for
>> how any personal information like this is handled by WMF implemented
>> software. It could even be an area that requires legally meaningful
>> assurance, or local processing to avoid, say, Europeans sending any
>> personal data to the USA.  ;-)
>> Fae
>>> On 12 November 2016 at 13:53, Vi to  wrote:
>>> My phone number is something I consider highly sensitive. Linking this kind
>>> of data to my online identity would be an unacceptable risk for me.
>>> Vito
>>> 2016-11-12 13:37 GMT+01:00 Amir Ladsgroup :
 As far as I know 2FA is already implemented and mandatory for WMF staff
 accounts and wikitech accounts. https://phabricator.wikimedia.org/T107605
 I emphasized on having 2fa for CUs, oversights and others with private data
 Not sure what's blocking this.
 On Sat, Nov 12, 2016 at 3:57 PM Craig Franklin <
> I know it's been said many times, but two-factor authentication,
> for accounts with advanced privileges and optionally available for
> else, would seem to be a logical step.  It's not foolproof, but it would
> a long way to making us less of a soft target.
> Cheers,
> Craig
>> On 12 November 2016 at 22:22, Fæ  wrote:
>> Do any of the volunteers contributing to this list have ideas for
>> changes that may make a significant difference to security?
>> Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the
>> process appearing to promote an organisation.[1] It was not the only
>> account compromised. This is being analysed, though as there are
>> security issues being examined, the analysis has not been made public
>> so far; plus it's the weekend :-)
>> Over the last few years, there have been improvements on account set-up and
>> choice of passwords, along with user suggestions for better account
>> management. Users can also choose to use committed identities[2] to
>> make account recovery easier, and are encouraged to use more secure
>> passwords. Two-factor authentication,[3] such as using mobile phone
>> text messages, has been suggested a few times by volunteers, and this
>> might be a good moment to encourage the WMF to have better facilities
>> built into the projects. We could even make two-factor identification
>> a requirement for trusted users, such as administrators, important
>> bots, and "high profile" accounts, where they may have special rights
>> that could cause a fair amount of disruption if a hacked account were
>> not identified quickly. Considering that some administrator accounts
>> can lie dormant for many months without the actual user monitoring

Re: [Wikimedia-l] "Wikipedia rocked by 'rogue editors' blackmail scam targeting small businesses and celebrities"

2015-09-03 Thread Yongmin Hong
On 2015. 9. 3. at 6:00 AM, "Trillium Corsage" wrote:
> The Orangemoody network seems to have been providing a service: bring the
> apparently self-submitted but failed drafts of articles of persons,
> organizations, and businesses up to compliance with Wikipedia standards and
> get them live, then accept a previously negotiated fee.

Using multiple accounts is a violation of enwp policy (Sockpuppetry), and
undisclosed paid editing is in violation of the WMF ToU. In any way, that's a
no-no. And nobody owns the Wikipedia page, so you cannot delete the article
because 'subject did not pay the fee'.
