A couple new security features for Wikipedia.. and concerns


A couple new security features for Wikipedia.. and concerns

Post by Kumioko » Fri Sep 01, 2017 12:09 am

The WMF has implemented a couple new security related features that probably should have been implemented a long time ago.

- The first change will notify people if someone tries to access their account. Per here: https://lists.wikimedia.org/pipermail/w ... 88368.html

"If someone tries and fails to log in to your account from a device or an IP address that hasn’t logged into your account recently, then you’ll get an on-wiki notification at the first attempt. For a familiar device or IP address, you’ll get an on-wiki notification after 5 failed logins. This is on by default, but you can turn it off in your preferences; you can also turn on email notifications."

Of course this appears to be a positive change that will improve security, but I wonder how long till someone starts abusing this and login pinging people with remote attempts to access their account. It also seems to me that if the system is smart enough to notify someone, then it's probably also logging that info somewhere of what IP attempts to access what account, especially if the login fails. So there are some pretty major security concerns and it seems Fae already had these concerns and brought them up here: https://lists.wikimedia.org/pipermail/w ... 88493.html. He was assured that only those with shell access can see these logs and they are only retained for 90 days.

It's rather curious to me the retention of these logs corresponds to the retention for checkusers data. It makes me wonder if this is at least in part to make it easier to align this data to the checkuser logs in the future. Arguably, if someone is attempting to login to people's accounts remotely, then someone should know about that right?

- The second change allows people to turn off pings for specific people. So, if you are an editor and don't want to be pinged by an admin or troll, just disable it so they can't. Not to be confused with disabling ping completely, this is specific and allows it to function other than for those exceptions you don't want it to.
#BbbGate
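The notification rule quoted from the list post can be modelled as a small state machine. The code below is an added illustration, not MediaWiki's implementation: the 5-failure threshold and 90-day retention come from the thread, while the 30-day meaning of "recently" and the sample IPs and device names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FAMILIAR_THRESHOLD = 5               # failures from a known source before notifying (from the post)
RECENT_WINDOW = timedelta(days=30)   # assumed meaning of "logged in recently"
RETENTION = timedelta(days=90)       # stated retention of failed-login records

@dataclass
class FailedLogin:
    ts: datetime
    ip: str
    device: str

@dataclass
class AccountState:
    last_success: dict = field(default_factory=dict)  # (device, ip) -> time of last successful login
    failures: list = field(default_factory=list)      # retained FailedLogin records
    familiar_streak: int = 0                          # familiar-source failures since the last success

def is_familiar(acct, ip, device, now):
    seen = acct.last_success.get((device, ip))
    return seen is not None and now - seen <= RECENT_WINDOW

def record_success(acct, ip, device, now):
    acct.last_success[(device, ip)] = now
    acct.familiar_streak = 0

def record_failure(acct, ip, device, now):
    """Store the attempt and return True if the account owner should be notified."""
    acct.failures = [f for f in acct.failures if now - f.ts <= RETENTION]
    acct.failures.append(FailedLogin(now, ip, device))
    if not is_familiar(acct, ip, device, now):
        return True                                   # unknown device/IP: notify on the first failure
    acct.familiar_streak += 1
    return acct.familiar_streak == FAMILIAR_THRESHOLD  # known source: notify once, at the 5th failure

def retained_failures(acct, now):
    """Records still inside the 90-day retention window at time `now`."""
    return [f for f in acct.failures if now - f.ts <= RETENTION]

def demo():
    """Constructed scenario: one familiar laptop, one stranger, then a check after retention expires."""
    t0 = datetime(2017, 9, 1)
    acct = AccountState()
    record_success(acct, "203.0.113.5", "laptop", t0)              # TEST-NET-3 sample address
    stranger = record_failure(acct, "198.51.100.9", "phone", t0 + timedelta(hours=1))
    familiar = [record_failure(acct, "203.0.113.5", "laptop", t0 + timedelta(hours=2, minutes=i))
                for i in range(6)]
    kept = len(retained_failures(acct, t0 + timedelta(days=91)))
    return stranger, familiar, kept
```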


Re: A couple new security features for Wikipedia.. and concerns

Post by Flip Flopped » Fri Sep 01, 2017 1:59 am

Surely someone has already abused the ping resulting from a failed log-in attempt. There's going to be a permanent record of everyone who has forgotten their WP password and used five tries to get back into their account.

The WMF has terrible security. Do other large companies preserve the IP address associated with a failed log-in?


Re: A couple new security features for Wikipedia.. and concerns

Post by Kumioko » Fri Sep 01, 2017 3:42 am

I would assume that you are correct. I would be interested to know how many people attempt to access admin or functionary accounts, even generic, non-user-specific numbers of the "X attempts to access admin accounts" variety.

To be honest I would be pretty surprised if someone out there wasn't checking the inactive admin accounts for common passwords like P@ssword, drowss@P, Wikipedia, [Username]1 and things like that. Almost guaranteed to get a couple of hits on easy ones eventually with a little patience. No, I have not tried it!
#BbbGate


Re: A couple new security features for Wikipedia.. and concerns

Post by suckadmin » Sat Sep 02, 2017 1:32 am

Kumioko wrote:
To be honest I would be pretty surprised if someone out there wasn't checking the inactive admin accounts for common passwords like P@ssword, drowss@P, Wikipedia, [Username]1 and things like that. Almost guaranteed to get a couple of hits on easy ones eventually with a little patience. No, I have not tried it!

Hopefully that person would be the admins of the website, and it would be a process that would reject the use of such easy-to-guess passwords in the first place.

A long long time ago on one of my early internet accounts the admin ran a password audit and I guess there were so many bad passwords on the server that he actually wrote me to thank me for apparently using one that was not easily guessable.


Re: A couple new security features for Wikipedia.. and concerns

Post by Flip Flopped » Sat Sep 02, 2017 2:10 am

suckadmin wrote:
Kumioko wrote:
To be honest I would be pretty surprised if someone out there wasn't checking the inactive admin accounts for common passwords like P@ssword, drowss@P, Wikipedia, [Username]1 and things like that. Almost guaranteed to get a couple of hits on easy ones eventually with a little patience. No, I have not tried it!

Hopefully that person would be the admins of the website, and it would be a process that would reject the use of such easy-to-guess passwords in the first place.

A long long time ago on one of my early internet accounts the admin ran a password audit and I guess there were so many bad passwords on the server that he actually wrote me to thank me for apparently using one that was not easily guessable.

OurMine hackers took over a number of admin accounts on WP less than a year ago. I think the passwords were re-used from other sites that had been compromised in hacks. I don't think there are any restrictions on what passwords admins can use on WP. At the time of the hack there were strong suggestions to have admins and other WP functionaries use two-factor authentication. They didn't mandate using 2F at the time, but they may have recently.


Re: A couple new security features for Wikipedia.. and concerns

Post by Kumioko » Sat Sep 02, 2017 3:29 am

There have been several occasions in the past where Wikipedia folks or the WMF had to change the policy due to bad passwords. They didn't use to disallow using things like password, username as password, Wikipedia, etc., but now there are a number of things like that which are disallowed.

For a while, there was a way to do a SQL injection through the Wikipedia search box that allowed access to the Username and password table; then they made it harder by encrypting it, then they found that it was easy to determine through a simple hash algorithm what the passwords were, etc. So it's more than possible to figure it out; all it takes is a little determination and patience.
#BbbGate


Re: A couple new security features for Wikipedia.. and concerns

Post by suckadmin » Sat Sep 02, 2017 3:59 am

Kumioko wrote:
all it takes is a little determination and patience.

The Linux server at this place I had been freelancing at crashed, and it was revealed that somebody had for a long time been trying to break in with a script that was just attempting logins every few hours.


Re: A couple new security features for Wikipedia.. and concerns

Post by ericbarbour » Sat Sep 02, 2017 4:01 am

Kumioko wrote:
It's rather curious to me the retention of these logs corresponds to the retention for checkusers data. It makes me wonder if this is at least in part to make it easier to align this data to the checkuser logs in the future. Arguably, if someone is attempting to login to people's accounts remotely, then someone should know about that right?

Not only has checkuser data been abused and misused, there is an ongoing rumor that the WMF cheerfully passes all their editor account information to the NSA, because "TERROR". Yes, the wonderful US gubbmint thinks that terrorists might be editing Wikipedia, so they receive lots of goodies from Wikimedia, supposedly at no charge. Good luck proving any of this. The little Jimboogers will NEVER admit this goes on, and they have plenty of blindly-loyal supporters who will help them to WP:DENY everything.


Re: A couple new security features for Wikipedia.. and concerns

Post by Kumioko » Sat Sep 02, 2017 5:07 am

suckadmin wrote:
Kumioko wrote:
all it takes is a little determination and patience.

The Linux server at this place I had been freelancing at crashed, and it was revealed that somebody had for a long time been trying to break in with a script that was just attempting logins every few hours.

It is extremely common... much more so than people think, and surprisingly easy to do and notoriously hard to detect. Most sites do not log the search criteria, and those that do don't check it enough.
#BbbGate


Re: A couple new security features for Wikipedia.. and concerns

Post by Kumioko » Sat Sep 02, 2017 5:11 am

ericbarbour wrote:
Kumioko wrote:
It's rather curious to me the retention of these logs corresponds to the retention for checkusers data. It makes me wonder if this is at least in part to make it easier to align this data to the checkuser logs in the future. Arguably, if someone is attempting to login to people's accounts remotely, then someone should know about that right?

Not only has checkuser data been abused and misused, there is an ongoing rumor that the WMF cheerfully passes all their editor account information to the NSA, because "TERROR". Yes, the wonderful US gubbmint thinks that terrorists might be editing Wikipedia, so they receive lots of goodies from Wikimedia, supposedly at no charge. Good luck proving any of this. The little Jimboogers will NEVER admit this goes on, and they have plenty of blindly-loyal supporters who will help them to WP:DENY everything.

My guess is, if the NSA is doing this they have shell access direct to the Wikimedia servers and just search it directly using some generic account rather than "asking" for the data. With that said, there isn't really that much reliable data they could glean. I mean, sure, they could see how many people are editing from some IP range in a Middle Eastern desert or be able to monitor how many times the article for the Anarchist Cookbook got read, but that doesn't really give them much useful information.

This would also explain why the WMF has denied the vast majority of data requests (at least the ones they are required/allowed to report). If they give the organization direct access to the information then technically they could legally answer they didn't give them the data...they just pull it themselves. Since the WMF have the labs server and Quarry, it would be fairly easy to just give them the access and let them go hunting for their own data. Especially if that individual were say, an admin or functionary with the access already. I mean really, how hard would it be for the WMF to hire someone working for the NSA as an intern or contractor for a few months, give them access and then just let them keep it when they leave. The WMF rarely removes access to most things when people leave the WMF and a lot continue to participate in functionary type roles once they leave. AlexZ for example is still king of the IRC channels after being given the access when he worked at the WMF.

Of course that is bordering on conspiracy theory nuttery...but it is entirely possible even if the WMF didn't even realize they were doing it.
#BbbGate
