Task https://phabricator.wikimedia.org/T150605

I have raised the above task for the WMF to publish an appropriate
summary of the behind the scenes analysis of the recent hack of
accounts and the claimed copying of the English Wikipedia database
(presumably user account tables). The request summary is pasted below
for those that don't want to read the detail, though I recommend that
technically minded volunteers subscribe to it on Phabricator --

"This is a request for a report of the analysis of the OurMine hack to
be published. It is understood that a non-public investigation is
necessary, but it also makes sense to be transparent about events and
as quickly as possible. This will provide an 'official' public
assurance of the steps being taken by the WMF to make the systems more
secure. Volunteers have rapidly responded by promoting two-factor
authentication, as well as working collegiately on guidance for
volunteers. A report of the behind the scenes analysis would aid these
efforts and ensure that if wider changes of passwords or the roll-out
of 2FA to non-sysop accounts makes sense, that these can be discussed
within the community in a positive way. It is likely that volunteer
discussions will continue and this will be reported in the Signpost
next week, so timing a report in the next few days would be helpful in
ensuring factual reporting."


On 12 November 2016 at 23:34, MZMcBride <z...@mzmcbride.com> wrote:
> Fæ wrote:
>>Do any of the volunteers contributing to this list have ideas for
>>changes that may make a significant difference to security?
> When you log in, you're given a user session. This session, along with
> local Web browser HTTP cookies, allows you to stay logged in and
> authenticated as you browse and edit a wiki. We've previously discussed
> the ability for a user to see all of his or her account's active sessions,
> similar to what other sites (GitHub, Facebook, Google) already allow.
> This type of interface lets a user see his or her own active sessions,
> originating IP addresses and User-Agent strings, and sometimes the
> interface allows destroying all or some sessions (e.g., if you see a
> session from the time you logged in to a friend's computer). This type of
> interface can also be used, for better or worse, to track typical behavior
> of the user, so that if a user often logs in from a specific IP address
> range (e.g., their home computer in the UK), a user session that comes
> from a vastly different IP address range (e.g., a mobile device in
> Australia) can be flagged and reported to the user. Or, in the case of
> two-factor authentication, a "suspicious" login attempt can be required to
> go through additional verification. These types of systems are common for
> Gmail accounts and some credit card accounts.
> Regarding a user seeing a list of his or her own active sessions and
> corresponding information, there was, and there likely still is,
> considerable opposition to this idea. It's akin to a "self-CheckUser"
> feature (which I think we should separately support) and there were
> concerns that we would help vandals, sockpuppets, and other bad users.
> Some links:
> * https://www.mediawiki.org/wiki/?curid=117743
> * https://www.mediawiki.org/wiki/?curid=156161
> * https://phabricator.wikimedia.org/T387
> * https://phabricator.wikimedia.org/T29242
> MZMcBride
fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae

Wikimedia-l mailing list, guidelines at: 
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Reply via email to