Task https://phabricator.wikimedia.org/T150605
I have raised the above task for the WMF to publish an appropriate summary of the behind-the-scenes analysis of the recent hack of accounts and the claimed copying of the English Wikipedia database (presumably user account tables). The request summary is pasted below for those that don't want to read the detail, though I recommend that technically minded volunteers subscribe to it on Phabricator:

"This is a request for a report of the analysis of the OurMine hack to be published. It is understood that a non-public investigation is necessary, but it also makes sense to be transparent about events and as quickly as possible. This will provide an 'official' public assurance of the steps being taken by the WMF to make the systems more secure. Volunteers have rapidly responded by promoting two-factor authentication, as well as working collegiately on guidance for volunteers. A report of the behind-the-scenes analysis would aid these efforts and ensure that if wider changes of passwords or the roll-out of 2FA to non-sysop accounts makes sense, these can be discussed within the community in a positive way. It is likely that volunteer discussions will continue and this will be reported in the Signpost next week, so timing a report in the next few days would be helpful in ensuring factual reporting."

Thanks,
Fae

On 12 November 2016 at 23:34, MZMcBride <z...@mzmcbride.com> wrote:
> Fæ wrote:
>> Do any of the volunteers contributing to this list have ideas for
>> changes that may make a significant difference to security?
>
> When you log in, you're given a user session. This session, along with
> local Web browser HTTP cookies, allows you to stay logged in and
> authenticated as you browse and edit a wiki. We've previously discussed
> the ability for a user to see all of his or her account's active sessions,
> similar to what other sites (GitHub, Facebook, Google) already allow.
>
> This type of interface lets a user see his or her own active sessions,
> originating IP addresses and User-Agent strings, and sometimes the
> interface allows destroying all or some sessions (e.g., if you see a
> session from the time you logged in to a friend's computer). This type of
> interface can also be used, for better or worse, to track typical behavior
> of the user, so that if a user often logs in from a specific IP address
> range (e.g., their home computer in the UK), a user session that comes
> from a vastly different IP address range (e.g., a mobile device in
> Australia) can be flagged and reported to the user. Or, in the case of
> two-factor authentication, a "suspicious" login attempt can be required to
> go through additional verification. These types of systems are common for
> Gmail accounts and some credit card accounts.
>
> Regarding a user seeing a list of his or her own active sessions and
> corresponding information, there was, and there likely still is,
> considerable opposition to this idea. It's akin to a "self-CheckUser"
> feature (which I think we should separately support) and there were
> concerns that we would help vandals, sockpuppets, and other bad users.
>
> Some links:
>
> * https://www.mediawiki.org/wiki/?curid=117743
> * https://www.mediawiki.org/wiki/?curid=156161
> * https://phabricator.wikimedia.org/T387
> * https://phabricator.wikimedia.org/T29242
>
> MZMcBride

--
fae...@gmail.com
https://commons.wikimedia.org/wiki/User:Fae

_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
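The session-visibility and anomalous-login flagging that MZMcBride's quoted reply describes, as an added Python sketch that is not part of this thread or of MediaWiki: each login records IP and User-Agent, the user can list and revoke their own sessions, and a new session whose IP prefix matches none of the user's existing sessions is flagged for review. The /16 comparison and the RFC 5737 sample addresses are assumptions chosen for illustration.

```python
"""Minimal session store with self-service listing, revocation and anomaly flagging."""
from dataclasses import dataclass
import ipaddress
import secrets
import time


@dataclass
class Session:
    token: str
    user: str
    ip: str
    user_agent: str
    created: float
    suspicious: bool = False   # set when the IP prefix is new for this user


class SessionStore:
    def __init__(self):
        self._sessions = {}    # token -> Session

    @staticmethod
    def _prefix(ip):
        # Assumed heuristic: compare /16 for IPv4, /32 for IPv6 (a real system would use geo/ASN data)
        addr = ipaddress.ip_address(ip)
        bits = 16 if addr.version == 4 else 32
        return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

    def _is_anomalous(self, user, ip):
        # First session is never anomalous; later ones must match a prefix already seen for the user
        known = {self._prefix(s.ip) for s in self.list_sessions(user)}
        return bool(known) and self._prefix(ip) not in known

    def login(self, user, ip, user_agent, now=None):
        now = time.time() if now is None else now
        sess = Session(secrets.token_hex(16), user, ip, user_agent, now)
        sess.suspicious = self._is_anomalous(user, ip)   # decided before the session is stored
        self._sessions[sess.token] = sess
        return sess

    def list_sessions(self, user):
        """What the user would see: their own sessions with IP, User-Agent and flag."""
        return [s for s in self._sessions.values() if s.user == user]

    def revoke(self, user, token=None, keep=None):
        """Destroy one session (token) or all of the user's sessions, optionally keeping the current one."""
        for tok in [t for t, s in self._sessions.items() if s.user == user]:
            if (token is None or tok == token) and tok != keep:
                del self._sessions[tok]


if __name__ == "__main__":
    store = SessionStore()     # constructed sample: two logins from a home /16, one from elsewhere
    home = store.login("alice", "192.0.2.10", "Firefox/50.0", now=1.0)
    store.login("alice", "192.0.2.44", "Firefox/50.0", now=2.0)
    away = store.login("alice", "203.0.113.7", "Mobile Safari", now=3.0)
    print(away.suspicious, len(store.list_sessions("alice")))   # True 3
    store.revoke("alice", keep=home.token)
```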