Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Wikipedia: Wikitech

Inactive sysops + improving security

 

 

First page Previous page 1 2 3 Next page Last page  View All Wikipedia wikitech RSS feed   Index | Next | Previous | View Threaded


benapetr at gmail

Apr 4, 2012, 12:43 AM

Post #1 of 51 (905 views)
Permalink
Inactive sysops + improving security

I have seen there is a lot of wikis where people are concerned about
inactive sysops. They managed to set up a strange rule where sysop
rights are removed from inactive users to improve the security.
However the sysops are allowed to request the flag to be restored
anytime. This doesn't improve security even a bit as long as hacker
who would get to some of inactive accounts could just post a request
and get the sysop rights just as if they hacked to active user.

For this reason I think we should create a new extension auto sysop
removal, which would remove the flag from all users who didn't login
to system for some time, and if they logged back, the confirmation
code would be sent to email, so that they could reactivate the sysop
account. This would be much simpler and it would actually make hacking
to sysop accounts much harder. I also believe it would be nice if
system sent an email to holder of account when someone do more than 5
bad login attemps, in order to be warned that someone is likely trying
to compromise their account.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 12:54 AM

Post #2 of 51 (883 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

More:

IP addresses which do N bad login attemps should be blocked from
accessing login page for Z minutes (You have done too many bad login
attempts, please wait 5 minutes before trying again)
This would help to avoid bots who try to compromise account by trying
random passwords

The target user should be notified according to their personal config
(They could specify if they want to be warned if someone is about to
compromise their account or not)

On Wed, Apr 4, 2012 at 9:43 AM, Petr Bena <benapetr [at] gmail> wrote:
> I have seen there is a lot of wikis where people are concerned about
> inactive sysops. They managed to set up a strange rule where sysop
> rights are removed from inactive users to improve the security.
> However the sysops are allowed to request the flag to be restored
> anytime. This doesn't improve security even a bit as long as hacker
> who would get to some of inactive accounts could just post a request
> and get the sysop rights just as if they hacked to active user.
>
> For this reason I think we should create a new extension auto sysop
> removal, which would remove the flag from all users who didn't login
> to system for some time, and if they logged back, the confirmation
> code would be sent to email, so that they could reactivate the sysop
> account. This would be much simpler and it would actually make hacking
> to sysop accounts much harder. I also believe it would be nice if
> system sent an email to holder of account when someone do more than 5
> bad login attemps, in order to be warned that someone is likely trying
> to compromise their account.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


jayvdb at gmail

Apr 4, 2012, 1:15 AM

Post #3 of 51 (877 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <benapetr [at] gmail> wrote:
> I have seen there is a lot of wikis where people are concerned about
> inactive sysops. They managed to set up a strange rule where sysop
> rights are removed from inactive users to improve the security.
> However the sysops are allowed to request the flag to be restored
> anytime. This doesn't improve security even a bit as long as hacker
> who would get to some of inactive accounts could just post a request
> and get the sysop rights just as if they hacked to active user.
>
> For this reason I think we should create a new extension auto sysop
> removal, which would remove the flag from all users who didn't login
> to system for some time, and if they logged back, the confirmation
> code would be sent to email, so that they could reactivate the sysop
> account. This would be much simpler and it would actually make hacking
> to sysop accounts much harder. I also believe it would be nice if
> system sent an email to holder of account when someone do more than 5
> bad login attemps, in order to be warned that someone is likely trying
> to compromise their account.

What happens if the ex-sysop has lost access to their original email
address .. ?

--
John Vandenberg

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


amir.aharoni at mail

Apr 4, 2012, 1:16 AM

Post #4 of 51 (923 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

2012/4/4 Petr Bena <benapetr [at] gmail>:
> I have seen there is a lot of wikis where people are concerned about
> inactive sysops. They managed to set up a strange rule where sysop
> rights are removed from inactive users to improve the security.
> However the sysops are allowed to request the flag to be restored
> anytime. This doesn't improve security even a bit as long as hacker
> who would get to some of inactive accounts could just post a request
> and get the sysop rights just as if they hacked to active user.

There's no point in making technical solutions for problems which are
imaginary in the first place, just as you say. The English Wikipedia
community rejects the notion that sysop inactivity is a problem quite
firmly, and it does just fine. Meta, Commons, my home Hebrew Wikipedia
and some other projects do have such rules, and they are completely
pointless.

An account with sysop rights cannot do that much damage anyway.
Deleting a page does no more damage than deleting a paragraph in an
existent page, and the latter can be done by anybody; in fact,
deleting a page makes a lot more noise. The same goes for protection,
blocking and editing in the MediaWiki space - everything is easily
traceable and reversible, and in a functioning wiki community the
damage will be minimal.

--
Amir Elisha Aharoni · אָמִיר אֱלִישָׁע אַהֲרוֹנִי
http://aharoni.wordpress.com
‪“We're living in pieces,
I want to live in peace.” – T. Moore‬

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


p858snake at gmail

Apr 4, 2012, 1:19 AM

Post #5 of 51 (877 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <benapetr [at] gmail> wrote:
> I have seen there is a lot of wikis where people are concerned about
> inactive sysops. They managed to set up a strange rule where sysop
> rights are removed from inactive users to improve the security.
> However the sysops are allowed to request the flag to be restored
> anytime. This doesn't improve security even a bit as long as hacker
> who would get to some of inactive accounts could just post a request
> and get the sysop rights just as if they hacked to active user.

Not all wikis blindly give the user their rights back when they do
this "theatrical" based security model.

> For this reason I think we should create a new extension auto sysop
> removal, which would remove the flag from all users who didn't login
> to system for some time,

There is already one that does this from memory (Without checking, E:LandLord)


> and if they logged back, the confirmation
> code would be sent to email, so that they could reactivate the sysop
> account.

Again, Just theatrical security, Most people tend to use the same
passwords everywhere, if this was the case for said Sysop, Their email
is also compromised. Also this would require wikis to have email
sending setup, as well as the user to have confirmed theirs.

> This would be much simpler and it would actually make hacking
> to sysop accounts much harder.

Not really, per my point above.

On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <benapetr [at] gmail> wrote:
> More:
>
> IP addresses which do N bad login attemps should be blocked from
> accessing login page for Z minutes (You have done too many bad login
> attempts, please wait 5 minutes before trying again)
> This would help to avoid bots who try to compromise account by trying
> random passwords

We already do this, I believe.

> The target user should be notified according to their personal config
> (They could specify if they want to be warned if someone is about to
> compromise their account or not)

Pointless user prefernce IMHO, we should just send them (for wikis
that have email setup) and probably inculde a note along the lines of
"You should consider making sure your password is secure, some handy
hints are…"

On Wed, Apr 4, 2012 at 6:16 PM, Amir E. Aharoni
<amir.aharoni [at] mail> wrote:
> There's no point in making technical solutions for problems which are
> imaginary in the first place, just as you say. The English Wikipedia
> community rejects the notion that sysop inactivity is a problem quite
> firmly, and it does just fine. Meta, Commons, my home Hebrew Wikipedia
> and some other projects do have such rules, and they are completely
> pointless.

En.Wiki does de-Sysop inactivtive accounts now.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 1:25 AM

Post #6 of 51 (876 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On Wed, Apr 4, 2012 at 10:15 AM, John Vandenberg <jayvdb [at] gmail> wrote:
> What happens if the ex-sysop has lost access to their original email
> address .. ?
>

If the sysop lost their email, they are in same troubles as if any
other user lost their email and forgot password. It simply shouldn't
happen.

On Wed, Apr 4, 2012 at 10:16 AM, Amir E. Aharoni
<amir.aharoni [at] mail> wrote:
> 2012/4/4 Petr Bena <benapetr [at] gmail>:
>> I have seen there is a lot of wikis where people are concerned about
>> inactive sysops. They managed to set up a strange rule where sysop
>> rights are removed from inactive users to improve the security.
>> However the sysops are allowed to request the flag to be restored
>> anytime. This doesn't improve security even a bit as long as hacker
>> who would get to some of inactive accounts could just post a request
>> and get the sysop rights just as if they hacked to active user.
>
> There's no point in making technical solutions for problems which are
> imaginary in the first place, just as you say. The English Wikipedia
> community rejects the notion that sysop inactivity is a problem quite
> firmly, and it does just fine. Meta, Commons, my home Hebrew Wikipedia
> and some other projects do have such rules, and they are completely
> pointless.
>
> An account with sysop rights cannot do that much damage anyway.
> Deleting a page does no more damage than deleting a paragraph in an
> existent page, and the latter can be done by anybody; in fact,
> deleting a page makes a lot more noise. The same goes for protection,
> blocking and editing in the MediaWiki space - everything is easily
> traceable and reversible, and in a functioning wiki community the
> damage will be minimal.

That isn't excuse to leave project open to damage. Security of
mediawiki users and their accounts should be important for us anyway.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


mwgrunny at gmail

Apr 4, 2012, 1:26 AM

Post #7 of 51 (883 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

>On 4 April 2012 18:19, K. Peachey <p858snake [at] gmail> wrote:
>>On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <benapetr [at] gmail> wrote:
>> More:
>>
>> IP addresses which do N bad login attemps should be blocked from
>> accessing login page for Z minutes (You have done too many bad login
>> attempts, please wait 5 minutes before trying again)
>> This would help to avoid bots who try to compromise account by trying
>> random passwords
>
>We already do this, I believe.

I believe it's covered through this:
https://www.mediawiki.org/wiki/Manual:$wgPasswordAttemptThrottle
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 1:33 AM

Post #8 of 51 (882 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On Wed, Apr 4, 2012 at 10:19 AM, K. Peachey <p858snake [at] gmail> wrote:
> On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <benapetr [at] gmail> wrote:
>> I have seen there is a lot of wikis where people are concerned about
>> inactive sysops. They managed to set up a strange rule where sysop
>> rights are removed from inactive users to improve the security.
>> However the sysops are allowed to request the flag to be restored
>> anytime. This doesn't improve security even a bit as long as hacker
>> who would get to some of inactive accounts could just post a request
>> and get the sysop rights just as if they hacked to active user.
>
> Not all wikis blindly give the user their rights back when they do
> this "theatrical" based security model.
>
>> For this reason I think we should create a new extension auto sysop
>> removal, which would remove the flag from all users who didn't login
>> to system for some time,
>
> There is already one that does this from memory (Without checking, E:LandLord)
>
>
>> and if they logged back, the confirmation
>> code would be sent to email, so that they could reactivate the sysop
>> account.
>
> Again, Just theatrical security, Most people tend to use the same
> passwords everywhere, if this was the case for said Sysop, Their email
> is also compromised. Also this would require wikis to have email
> sending setup, as well as the user to have confirmed theirs.
>

That's the problem of user if they use same password, but I believe
that any users with any sense for security don't do that, sysops could
be instructed to use different password than in their email.

>> This would be much simpler and it would actually make hacking
>> to sysop accounts much harder.
>
> Not really, per my point above.
>

It would per my point above your point.

> On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <benapetr [at] gmail> wrote:
>> The target user should be notified according to their personal config
>> (They could specify if they want to be warned if someone is about to
>> compromise their account or not)
>
> Pointless user prefernce IMHO, we should just send them (for wikis
> that have email setup) and probably inculde a note along the lines of
> "You should consider making sure your password is secure, some handy
> hints are"
>

What is pointless on that, I believe many users would like to be
informed that they are target of some hacker. Even providing
information to identify them (to checkuser for example) like ip
address, would be usefull to eliminate them somehow. If they don't
like it, they can turn it off.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


morton.thomas at googlemail

Apr 4, 2012, 1:39 AM

Post #9 of 51 (885 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

>
> > Again, Just theatrical security, Most people tend to use the same
> > passwords everywhere, if this was the case for said Sysop, Their email
> > is also compromised. Also this would require wikis to have email
> > sending setup, as well as the user to have confirmed theirs.
> >
>
> That's the problem of user if they use same password, but I believe
> that any users with any sense for security don't do that, sysops could
> be instructed to use different password than in their email.
>
> >> This would be much simpler and it would actually make hacking
> >> to sysop accounts much harder.
> >
> > Not really, per my point above.
> >
>
> It would per my point above your point.
>


The problem here is that it doesn't really discuss how a sysop account has
been compromised; via the email account? Via some more direct method?

As pointed out it is somewhat security theatre.

Besides; you're looking for a problem to fit the solution. On English
Wikipedia compromised accounts are, in themselves, rare occurrences. And
compromised sysop accounts rarer (read; I've never seen one!).

We discussed this at length when implementing the age-desysoping, and
agreed it wasn't an entirely failsafe method against compromise. But it
does provide a level of scrutiny to a returning sysop; and really that is
all that is needed. The amount of damage a compromised sysop account could
do isn't critical and they can be stopped relatively easily - if they have
scrutiny.

This is the best form of security.

Tom
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 1:47 AM

Post #10 of 51 (879 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

The accounts could be compromised just using a brute force attacks
which would be running for a long time. Since user would never know
their account is being cracked, they would likely never bother with
making their password more strong, neither report it somewhere. If I
was an inactive sysop and I received a message that someone has done
500 000 login attempts over night, I would likely ask some bureaucrat
to remove my sysop flag, since I don't even need it.

That's not possible now.

Regarding the hacked accounts, there were some in past, there was
evidence of that on english wikipedia AFAIK. I still don't see "damage
is not so big" as reason to drop work on improving the security.

On Wed, Apr 4, 2012 at 10:39 AM, Thomas Morton
<morton.thomas [at] googlemail> wrote:
>>
>> > Again, Just theatrical security, Most people tend to use the same
>> > passwords everywhere, if this was the case for said Sysop, Their email
>> > is also compromised. Also this would require wikis to have email
>> > sending setup, as well as the user to have confirmed theirs.
>> >
>>
>> That's the problem of user if they use same password, but I believe
>> that any users with any sense for security don't do that, sysops could
>> be instructed to use different password than in their email.
>>
>> >> This would be much simpler and it would actually make hacking
>> >> to sysop accounts much harder.
>> >
>> > Not really, per my point above.
>> >
>>
>> It would per my point above your point.
>>
>
>
> The problem here is that it doesn't really discuss how a sysop account has
> been compromised; via the email account? Via some more direct method?
>
> As pointed out it is somewhat security theatre.
>
> Besides; you're looking for a problem to fit the solution. On English
> Wikipedia compromised accounts are, in themselves, rare occurrences. And
> compromised sysop accounts rarer (read; I've never seen one!).
>
> We discussed this at length when implementing the age-desysoping, and
> agreed it wasn't an entirely failsafe method against compromise. But it
> does provide a level of scrutiny to a returning sysop; and really that is
> all that is needed. The amount of damage a compromised sysop account could
> do isn't critical and they can be stopped relatively easily - if they have
> scrutiny.
>
> This is the best form of security.
>
> Tom
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


jayvdb at gmail

Apr 4, 2012, 2:03 AM

Post #11 of 51 (876 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On Wed, Apr 4, 2012 at 6:25 PM, Petr Bena <benapetr [at] gmail> wrote:
> On Wed, Apr 4, 2012 at 10:15 AM, John Vandenberg <jayvdb [at] gmail> wrote:
>> What happens if the ex-sysop has lost access to their original email
>> address .. ?
>>
>
> If the sysop lost their email, they are in same troubles as if any
> other user lost their email and forgot password. It simply shouldn't
> happen.

It does happen.

It's a significant problem if it is an ordinary user, but they can
always create a new account and assert that they are the old user and
nobody really cares.

It's a major issue if it is a sysop, because it can be very hard to
verify the identity of someone claiming to be a sysop, so 'crats and
arbcom and the community try and find a web of trust that extends back
in time. Not fun.

Also, you might want to query the databases to see how many admins
don't have an email address set. I wouldn't be surprised if there are
a few. IMO any that dont have an email set should have their sysop
bit removed.

--
John Vandenberg

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


wikiposta at gmail

Apr 4, 2012, 2:09 AM

Post #12 of 51 (879 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

2012/4/4 John Vandenberg <jayvdb [at] gmail>

>
> Also, you might want to query the databases to see how many admins
> don't have an email address set. I wouldn't be surprised if there are
> a few. IMO any that dont have an email set should have their sysop
> bit removed.
>
>
Would it be a crazy idea to modify the software so that new admins, 'crats
etc. can be inaugurated only if they have a confirmed e-mail? While the
"unit-radius" useres can happily edit without it, this would not be a great
expectation towards "clerks".

--
Binris
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 2:12 AM

Post #13 of 51 (876 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

Actually sysops could be just required to have the email set in the
project guidelines. If they don't do that and their account expire,
they lost the sysop. I don't see it as a big deal. I hope that sysops
are clever enough to at least be able to follow their own rules.

On Wed, Apr 4, 2012 at 11:09 AM, Binris <wikiposta [at] gmail> wrote:
> 2012/4/4 John Vandenberg <jayvdb [at] gmail>
>
>>
>> Also, you might want to query the databases to see how many admins
>> don't have an email address set. I wouldn't be surprised if there are
>> a few. IMO any that dont have an email set should have their sysop
>> bit removed.
>>
>>
> Would it be a crazy idea to modify the software so that new admins, 'crats
> etc. can be inaugurated only if they have a confirmed e-mail? While the
> "unit-radius" useres can happily edit without it, this would not be a great
> expectation towards "clerks".
>
> --
> Binris
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


jayvdb at gmail

Apr 4, 2012, 2:16 AM

Post #14 of 51 (881 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On Wed, Apr 4, 2012 at 7:12 PM, Petr Bena <benapetr [at] gmail> wrote:
> Actually sysops could be just required to have the email set in the
> project guidelines. If they don't do that and their account expire,
> they lost the sysop. I don't see it as a big deal. I hope that sysops
> are clever enough to at least be able to follow their own rules.

Rules? which rules. There are seven projects which have multiple
languages, and over 282 languages. Good luck updating all their
policies, and talking to all the sysops who arnt complying with the
policy, etc.

--
John Vandenberg

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 2:21 AM

Post #15 of 51 (881 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

I don't say this would be enabled for all projects, it could be a
replacement of that weird policy for removal of inactive sysops they
created on few wikis, including english wikipedia. It would be just a
slightly better solution for same problem as they have right now. If
they don't want to update any policies they don't need to have it
installed, of course.

On Wed, Apr 4, 2012 at 11:16 AM, John Vandenberg <jayvdb [at] gmail> wrote:
> On Wed, Apr 4, 2012 at 7:12 PM, Petr Bena <benapetr [at] gmail> wrote:
>> Actually sysops could be just required to have the email set in the
>> project guidelines. If they don't do that and their account expire,
>> they lost the sysop. I don't see it as a big deal. I hope that sysops
>> are clever enough to at least be able to follow their own rules.
>
> Rules? which rules. There are seven projects which have multiple
> languages, and over 282 languages. Good luck updating all their
> policies, and talking to all the sysops who arnt complying with the
> policy, etc.
>
> --
> John Vandenberg
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


morton.thomas at googlemail

Apr 4, 2012, 2:23 AM

Post #16 of 51 (883 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On 4 April 2012 10:21, Petr Bena <benapetr [at] gmail> wrote:

> I don't say this would be enabled for all projects, it could be a
> replacement of that weird policy for removal of inactive sysops they
> created on few wikis, including english wikipedia. It would be just a
> slightly better solution for same problem as they have right now. If
> they don't want to update any policies they don't need to have it
> installed, of course.
>
>
Way to get the projects on side... calling the policy weird ;)

Tom
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 2:28 AM

Post #17 of 51 (885 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

Indeed :-)

But if I didn't think it's weird, I wouldn't start this. I am always
trying to find a solution from programmer point of view for a problems
which community sometimes try to solve "by hand".

On Wed, Apr 4, 2012 at 11:23 AM, Thomas Morton
<morton.thomas [at] googlemail> wrote:
> On 4 April 2012 10:21, Petr Bena <benapetr [at] gmail> wrote:
>
>> I don't say this would be enabled for all projects, it could be a
>> replacement of that weird policy for removal of inactive sysops they
>> created on few wikis, including english wikipedia. It would be just a
>> slightly better solution for same problem as they have right now. If
>> they don't want to update any policies they don't need to have it
>> installed, of course.
>>
>>
> Way to get the projects on side... calling the policy weird ;)
>
> Tom
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


morton.thomas at googlemail

Apr 4, 2012, 2:31 AM

Post #18 of 51 (877 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On 4 April 2012 10:28, Petr Bena <benapetr [at] gmail> wrote:

> Indeed :-)
>
> But if I didn't think it's weird, I wouldn't start this. I am always
> trying to find a solution from programmer point of view for a problems
> which community sometimes try to solve "by hand".
>
>
From a security perspective (my speciality) there really isn't a lot of a
difference between the two proposals in terms of the problems they face.

Except that the current process requires a certain "human" involvement, and
scrutiny. Which is usually the best security mechanism.

A determined attacker is going to be able to break through either process;
but in the current setup their subsequent actions are likely to be noticed.

Tom
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


jayvdb at gmail

Apr 4, 2012, 2:32 AM

Post #19 of 51 (876 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On Wed, Apr 4, 2012 at 7:28 PM, Petr Bena <benapetr [at] gmail> wrote:
> Indeed :-)
>
> But if I didn't think it's weird, I wouldn't start this. I am always
> trying to find a solution from programmer point of view for a problems
> which community sometimes try to solve "by hand".

But the community isn't complaining about this being time consuming.
Where they desysop inactive sysops, it is a social community exercise
and your technical solution is probably not going to have the same
effect. On English Wikisource we have annual reconfirmations and we
use our brains to gauge whether a sysop is likely to return soon. The
security aspect is only a small part of it.

--
John Vandenberg

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 2:39 AM

Post #20 of 51 (927 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

I see a lot of differences:

The current process needs to be done by hand, which isn't just
annoying, but also not fail safe, some accounts might be overlooked,
etc. Bureaucrats can mislick or forget. The email account is likely
much more safe than wikimedia account, the google for example offers a
lot of security measures we don't, because they don't follow "hacking
user wouldn't do much damage" philosophy. And I guess many other
providers do the same. Hacking to two accounts would be much harder
than hacking one, given to that once the first account is hacked, the
user would be immediately notified in email (hacker would have very
limited time to hack to email box as well).

I don't say it's necessary, I definitely understand that getting a
sysop can't cause big problems and it's unlike it would happen
frequently. But I think this automated system is a better solution
than what the wikis started with.

On Wed, Apr 4, 2012 at 11:31 AM, Thomas Morton
<morton.thomas [at] googlemail> wrote:
> On 4 April 2012 10:28, Petr Bena <benapetr [at] gmail> wrote:
>
>> Indeed :-)
>>
>> But if I didn't think it's weird, I wouldn't start this. I am always
>> trying to find a solution from programmer point of view for a problems
>> which community sometimes try to solve "by hand".
>>
>>
> From a security perspective (my speciality) there really isn't a lot of a
> difference between the two proposals in terms of the problems they face.
>
> Except that the current process requires a certain "human" involvement, and
> scrutiny. Which is usually the best security mechanism.
>
> A determined attacker is going to be able to break through either process;
> but in the current setup their subsequent actions are likely to be noticed.
>
> Tom
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


morton.thomas at googlemail

Apr 4, 2012, 2:48 AM

Post #21 of 51 (879 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

>
> The current process needs to be done by hand, which isn't just

annoying, but also not fail safe, some accounts might be overlooked,
> etc. Bureaucrats can mislick or forget.


Certainly automatic de-sysoping after a certain inactivity would be useful;
an extension that does the notifications and ultimately the de-sysoping
would be useful to automate the community approved process, don't get me
wrong on that front, I like the idea!


> The email account is likely
> much more safe than wikimedia account,


Not a good premise to take; email accounts are high value targets (as
opposed to a Wikipedia account, which has relatively low general value).
So although they are harder to crack (to a point) they are also more
worthwhile targets.

So an email account is a significant risk.

And an account without an email address added could be argued to be
*more*secure.

the google for example offers a
> lot of security measures we don't, because they don't follow "hacking
> user wouldn't do much damage" philosophy.


It's largely security theatre; except the two factor authentication (which
is actually useful). Our accounts simple aren't that valuable, which is why
actual security of that form isn't really a good option. What you proposed
is only really a stopgap.


> And I guess many other
> providers do the same. Hacking to two accounts would be much harder
> than hacking one, given to that once the first account is hacked, the
> user would be immediately notified in email (hacker would have very
> limited time to hack to email box as well).
>

Realistically, and in my experience, this is not the case. You're relying
on the user to respond, or being in a position to respond - which is the
critical failing of the proposal.

When we do pen tests often we will make notifications of some sort appear
in front of users to see how they respond to them - and often the response
is confusion, not concern. Remember; the large part of the WM community is *
not* technical.

Tom
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


benapetr at gmail

Apr 4, 2012, 4:31 AM

Post #22 of 51 (922 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

Ok, your reply makes a lot of sense. However problem is that how users
get more "hats" they are usually more afraid of loosing them :-) and
would probably like to have an option to protect from attackers (I
don't really know but I hope that people with some extra flags are
trying to have a secure password at least). The account is getting
more valuable and for example account of some stewards might be a good
target for hackers. The question is how these people can defend
themselves when the philosophy is "we don't need strong security
because user accounts aren't valuable / can't do much damange to site"
- when their account is compromised, they will surely have the flags
revoked permanently, that's likely not what they want. So at some
point, having more security measures which could be opt-in for people
who do care about their account, in opposite of people whom account
isn't interesting for hackers would make some point too. Given that
there are thousands of sysops on big projects, I guess they would
welcome to have this feature. (Not that I care, personally, I was just
interested in implementing that to mediawiki)

On Wed, Apr 4, 2012 at 11:48 AM, Thomas Morton
<morton.thomas [at] googlemail> wrote:
>>
>> The current process needs to be done by hand, which isn't just
>
> annoying, but also not fail safe, some accounts might be overlooked,
>> etc. Bureaucrats can mislick or forget.
>
>
> Certainly automatic de-sysoping after a certain inactivity would be useful;
> an extension that does the notifications and ultimately the de-sysoping
> would be useful to automate the community approved process, don't get me
> wrong on that front, I like the idea!
>
>
>> The email account is likely
>> much more safe than wikimedia account,
>
>
> Not a good premise to take; email accounts are high value targets (as
> opposed to a Wikipedia account, which has relatively low general value).
> So although they are harder to crack (to a point) they are also more
> worthwhile targets.
>
> So an email account is a significant risk.
>
> And an account without an email address added could be argued to be
> *more*secure.
>
> the google for example offers a
>> lot of security measures we don't, because they don't follow "hacking
>> user wouldn't do much damage" philosophy.
>
>
> It's largely security theatre; except the two factor authentication (which
> is actually useful). Our accounts simple aren't that valuable, which is why
> actual security of that form isn't really a good option. What you proposed
> is only really a stopgap.
>
>
>> And I guess many other
>> providers do the same. Hacking to two accounts would be much harder
>> than hacking one, given to that once the first account is hacked, the
>> user would be immediately notified in email (hacker would have very
>> limited time to hack to email box as well).
>>
>
> Realistically, and in my experience, this is not the case. You're relying
> on the user to respond, or being in a position to respond - which is the
> critical failing of the proposal.
>
> When we do pen tests often we will make notifications of some sort appear
> in front of users to see how they respond to them - and often the response
> is confusion, not concern. Remember; the large part of the WM community is *
> not* technical.
>
> Tom
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


morton.thomas at googlemail

Apr 4, 2012, 4:37 AM

Post #23 of 51 (874 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

>
> Ok, your reply makes a lot of sense. However problem is that how users
> get more "hats" they are usually more afraid of loosing them :-) and
> would probably like to have an option to protect from attackers (I
> don't really know but I hope that people with some extra flags are
> trying to have a secure password at least).


Not a bad aim - I didn't intend to be outright discouraging :)


> The account is getting
> more valuable and for example account of some stewards might be a good
> target for hackers.


Yes; Steward accounts are a whole different matter - I'd say they have a
much higher level of risk if compromised.


> The question is how these people can defend
> themselves when the philosophy is "we don't need strong security
> because user accounts aren't valuable / can't do much damange to site"
> - when their account is compromised, they will surely have the flags
> revoked permanently, that's likely not what they want. So at some
> point, having more security measures which could be opt-in for people
> who do care about their account, in opposite of people whom account
> isn't interesting for hackers would make some point too. Given that
> there are thousands of sysops on big projects, I guess they would
> welcome to have this feature. (Not that I care, personally, I was just
> interested in implementing that to mediawiki)


As above; not a bad aim.

One good idea would be to enforce some sort of minimum password standard -
that can help with brute force attack vectors.

Tom
_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


dgerard at gmail

Apr 4, 2012, 4:39 AM

Post #24 of 51 (879 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

On 4 April 2012 09:39, Thomas Morton <morton.thomas [at] googlemail> wrote:

> Besides; you're looking for a problem to fit the solution. On English
> Wikipedia compromised accounts are, in themselves, rare occurrences. And
> compromised sysop accounts rarer (read; I've never seen one!).


There was a noteworthy incident a while ago, which pressed home the
need for admins to have non-crappy passwords:

http://davidgerard.co.uk/notes/2007/05/07/tubgirl-is-love/


- d.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


lists at nadir-seen-fire

Apr 4, 2012, 4:53 AM

Post #25 of 51 (923 views)
Permalink
Re: Inactive sysops + improving security [In reply to]

Something on password rate limits has been on my mind ever since watching
one of the Security Now episodes.
Rather than cut-off rate limits isn't it a better experience to use
something with a slow exponential/compound increase

Think about the case where the user has forgotten their password, they
remember its probably one of 6 passwords and they don't want to bother
resetting the password.
They start trying out their passwords, but once they it that last password
and are thinking (right, this HAS to be the one I used) they get hit with
an error saying that all of a sudden they have to wait 5 whole minutes.

Something instead based on increasing wait time a bit each time seams like
if tuned right could be a better experience.

- By the time the user hits their 5th password the wait time may have
reached 1min.
- That last password is only a tiny bit more than the wait they just had.
- It's still secure, brute forcing takes a lot of tries. So even though we
don't punish bots much for their first few tries, as they continue it just
gets worse and worse for them. By the time they hit a mere 100 they could
be waiting a half-hour before they can continue instead of simply 5min.
- Wait times below a certain threshold (one that the first 5 or so tries
would be below) could be either ignored or handled with sleep() so that
instead of forcing a discouraging error message on a user and making the
user do time tracking (something that is trivial for bots, so this is an
unhelpful negative to user experience) the login page only feels like it's
a little sluggish.

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]

On Wed, 04 Apr 2012 00:54:58 -0700, Petr Bena <benapetr [at] gmail> wrote:
> More:
>
> IP addresses which do N bad login attemps should be blocked from
> accessing login page for Z minutes (You have done too many bad login
> attempts, please wait 5 minutes before trying again)
> This would help to avoid bots who try to compromise account by trying
> random passwords
>
> The target user should be notified according to their personal config
> (They could specify if they want to be warned if someone is about to
> compromise their account or not)
>
> On Wed, Apr 4, 2012 at 9:43 AM, Petr Bena <benapetr [at] gmail> wrote:
>> I have seen there is a lot of wikis where people are concerned about
>> inactive sysops. They managed to set up a strange rule where sysop
>> rights are removed from inactive users to improve the security.
>> However the sysops are allowed to request the flag to be restored
>> anytime. This doesn't improve security even a bit as long as hacker
>> who would get to some of inactive accounts could just post a request
>> and get the sysop rights just as if they hacked to active user.
>>
>> For this reason I think we should create a new extension auto sysop
>> removal, which would remove the flag from all users who didn't login
>> to system for some time, and if they logged back, the confirmation
>> code would be sent to email, so that they could reactivate the sysop
>> account. This would be much simpler and it would actually make hacking
>> to sysop accounts much harder. I also believe it would be nice if
>> system sent an email to holder of account when someone do more than 5
>> bad login attemps, in order to be warned that someone is likely trying
>> to compromise their account.

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

First page Previous page 1 2 3 Next page Last page  View All Wikipedia wikitech RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.