Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-26 Thread Aryeh Gregor
On Sun, Jul 26, 2009 at 9:22 AM, Andrew Garrett wrote: > Some feedback: > * I think you should create a new field class for preferences to allow > the user to enter a token or press a button to have one generated. > This would also allow you to add the link to the feed underneath. > * I think you s

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-26 Thread Andrew Garrett
On 24/07/2009, at 2:34 AM, Aryeh Gregor wrote: > On Thu, Jul 23, 2009 at 2:32 PM, Cody Jung > wrote: >> Wouldn't adding a salt fix this? They would have to have both the >> username, the database, and the salt value to decrypt the wiki list. > > In other words, they would have to have access to

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-24 Thread Aryeh Gregor
On Fri, Jul 24, 2009 at 2:24 AM, Tim Starling wrote: > There's plenty of ways to attack watchlistr without fully compromising > the server. The point is that a system that allowed stealing the logins of hundreds of Wikipedia users if you managed to compromise a third-party website run to unknown s

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Tim Starling
Aryeh Gregor wrote: > On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wrote: You know you could have changed that header to indicate who actually wrote it. It's not against the laws of the internet. >> To help in the "proving trustworthy, or else" process, I have released >> the source code of Watc

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Aryeh Gregor
On Thu, Jul 23, 2009 at 2:32 PM, Cody Jung wrote: > Wouldn't adding a salt fix this? They would have to have both the > username, the database, and the salt value to decrypt the wiki list. In other words, they would have to have access to your server, nothing more. No, it wouldn't fix it. After

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Brion Vibber
On 07/22/2009 06:39 PM, Aryeh Gregor wrote: > On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lane wrote: >> Check out how the Flickr API works. Users can give web and desktop >> apps privileges (read/write/delete). >> >> It isn't really that bizarre of a concept. > > Read/write/delete access to what? The

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Brion Vibber
On 07/22/2009 05:11 PM, Ryan Lane wrote: > On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell wrote: >> If it has your credentials it can impersonate you, which is bad. >> >> It addressed by making it possible for the site to generate access >> cookies for particular resources which you could share.

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Marco Schuster
On Thu, Jul 23, 2009 at 8:50 PM, Happy-melon wrote: > > > "Aryeh Gregor" > > > wrote in message > news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com... > > On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling > > wrote: > >> To help in the "proving trustworthy, or else" process, I have re

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Happy-melon
"Aryeh Gregor" wrote in message news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com... > On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling > wrote: >> To help in the "proving trustworthy, or else" process, I have released >> the source code of Watchlistr - please take a look at it. Yo

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Cody Jung
> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wikimedia.org> wrote: > > They would only have to get the site usernames to decrypt the login > info. They could get those the next time each user logs in, if > they're not detected immediately. There's no way around this; if your > program can lo

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Aryeh Gregor
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling wrote: > To help in the "proving trustworthy, or else" process, I have released > the source code of Watchlistr - please take a look at it. You will see > that I take the utmost care in securing user information. The wiki > logins are encrypted with AES

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-23 Thread Tim Starling
Message from the developer. I will see if he's interested in subscribing, but a forward will do for now. Original Message Subject: Re: Watchlistr Date: Thu, 23 Jul 2009 11:20:19 -0500 From: Cody Jung To: Tim Starling Hey there Tim, Apologies, I am not actually

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread John Vandenberg
On Thu, Jul 23, 2009 at 9:57 AM, Aryeh Gregor wrote: > On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon wrote: >> I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100% >> sure how GM script distribution works, but can't a server put files in a >> particular directory to have them

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Aryeh Gregor
On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lane wrote: > Check out how the Flickr API works. Users can give web and desktop > apps privileges (read/write/delete). > > It isn't really that bizarre of a concept. Read/write/delete access to what? The only cases where read access would be relevant would b

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Brianna Laugher
2009/7/23 Ryan Lane : > On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell wrote: >> On Wed, Jul 22, 2009 at 4:41 PM, Gerard >> Meijssen wrote: >>> Hoi, >>> Would OpenID make a difference? It seems to me that when you authenticate >>> to both WMF projects and to this watchlistr, you would not expose

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Ryan Lane
On Wed, Jul 22, 2009 at 7:30 PM, Aryeh Gregor wrote: > On Thu, Jul 23, 2009 at 12:11 AM, Ryan Lane wrote: >> What about OpenID + OAuth? > > With MediaWiki support, there would be any number of ways to do it. > Most obvious would be to just have a preference checkbox somewhere > that would create a

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Aryeh Gregor
On Thu, Jul 23, 2009 at 12:11 AM, Ryan Lane wrote: > What about OpenID + OAuth? With MediaWiki support, there would be any number of ways to do it. Most obvious would be to just have a preference checkbox somewhere that would create a secret magic URL that would allow unauthenticated access to you

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Ryan Lane
On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell wrote: > On Wed, Jul 22, 2009 at 4:41 PM, Gerard > Meijssen wrote: >> Hoi, >> Would OpenID make a difference? It seems to me that when you authenticate >> to both WMF projects and to this watchlistr, you would not expose passwords >> in the wrong pl

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Aryeh Gregor
On Wed, Jul 22, 2009 at 7:07 PM, Sage Ross wrote: > I'm not sure what to do about this; it seems like a good idea but a > major security risk: > > http://www.watchlistr.com/ is a site that creates aggregate watchlists > across multiple projects. See > http://en.wikipedia.org/w/index.php?title=Wikip

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Happy-melon
I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100% sure how GM script distribution works, but can't a server put files in a particular directory to have them be automatically suggested for installation by Greasemonkey? I know it's not a perfect or even nice solution, b

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Gregory Maxwell
On Wed, Jul 22, 2009 at 4:41 PM, Gerard Meijssen wrote: > Hoi, > Would OpenID make a difference? It seems to me that when you authenticate > to both WMF projects and to this watchlistr, you would not expose passwords > in the wrong place. It seems to be also a solution of allowing Commons to > aut

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Gerard Meijssen
Hoi, Would OpenID make a difference? It seems to me that when you authenticate to both WMF projects and to this watchlistr, you would not expose passwords in the wrong place. It seems to be also a solution of allowing Commons to authenticate in this way. Thanks, GerardM 2009/7/22 Sage Ross

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Gregory Maxwell
On Wed, Jul 22, 2009 at 4:18 PM, David Gerard wrote: > Mmm. So solving this properly would require solving many of the > various consolidated/multiple watchlist bugs in MediaWiki itself, > then. Hm? No. Solving *this* involves having a sysadmin determine the source of IP of the remote logins and s

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread David Gerard
2009/7/22 Michael Rosenthal : > On Wed, Jul 22, 2009 at 9:59 PM, David Gerard wrote: >> 2009/7/22 Sage Ross : >>> http://www.watchlistr.com/ is a site that creates aggregate watchlists >>> across multiple projects. See >>> http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Daniel Schwen
>> your Wikimedia password into the watchlistr.com site.  I have no >> specific reason to think it's a scam, but if I was trying to phish >> passwords I would do something like this. > Would something on the toolserver be safe enough in these terms? It would seem more trustworthy, but if I recall

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Michael Rosenthal
The toolserver rules forbid that: https://wiki.toolserver.org/view/Rules (#8) However there is gWatch which works without authentication: http://toolserver.org/~luxo/gwatch/login.php On Wed, Jul 22, 2009 at 9:59 PM, David Gerard wrote: > 2009/7/22 Sage Ross : > >> http://www.watchlistr.com/ is

Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread David Gerard
2009/7/22 Sage Ross : > http://www.watchlistr.com/ is a site that creates aggregate watchlists > across multiple projects. See > http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool > The user who made it has very little editing history, and the site > aggregat

[Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords

2009-07-22 Thread Sage Ross
I'm not sure what to do about this; it seems like a good idea but a major security risk: http://www.watchlistr.com/ is a site that creates aggregate watchlists across multiple projects. See http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool The user who made