[Wikitech-l] Inactive sysops + improving security

Petr Bena

Apr 4, 2012, 3:43:19 AM
to Wikimedia developers
I have seen there are a lot of wikis where people are concerned about
inactive sysops. They managed to set up a strange rule where sysop
rights are removed from inactive users to improve the security.
However, the sysops are allowed to request the flag to be restored
anytime. This doesn't improve security even a bit, as long as a hacker
who got into some of the inactive accounts could just post a request
and get the sysop rights just as if they had hacked an active user.

For this reason I think we should create a new extension, auto sysop
removal, which would remove the flag from all users who didn't log in
to the system for some time, and if they logged back in, a confirmation
code would be sent to their email, so that they could reactivate the sysop
account. This would be much simpler and it would actually make hacking
into sysop accounts much harder. I also believe it would be nice if the
system sent an email to the holder of an account when someone does more than 5
bad login attempts, in order to be warned that someone is likely trying
to compromise their account.

_______________________________________________
Wikitech-l mailing list
Wikit...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Petr Bena

Apr 4, 2012, 3:54:58 AM
to Wikimedia developers
More:

IP addresses which do N bad login attempts should be blocked from
accessing the login page for Z minutes ("You have done too many bad login
attempts, please wait 5 minutes before trying again").
This would help to avoid bots who try to compromise accounts by trying
random passwords.

The target user should be notified according to their personal config
(they could specify whether they want to be warned if someone is about to
compromise their account or not).

John Vandenberg

Apr 4, 2012, 4:15:45 AM
to Wikimedia developers
On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <bena...@gmail.com> wrote:
> I have seen there are a lot of wikis where people are concerned about
> inactive sysops. They managed to set up a strange rule where sysop
> rights are removed from inactive users to improve the security.
> However, the sysops are allowed to request the flag to be restored
> anytime. This doesn't improve security even a bit, as long as a hacker
> who got into some of the inactive accounts could just post a request
> and get the sysop rights just as if they had hacked an active user.
>
> For this reason I think we should create a new extension, auto sysop
> removal, which would remove the flag from all users who didn't log in
> to the system for some time, and if they logged back in, a confirmation
> code would be sent to their email, so that they could reactivate the sysop
> account. This would be much simpler and it would actually make hacking
> into sysop accounts much harder. I also believe it would be nice if the
> system sent an email to the holder of an account when someone does more than 5
> bad login attempts, in order to be warned that someone is likely trying
> to compromise their account.

What happens if the ex-sysop has lost access to their original email
address...?

--
John Vandenberg

Amir E. Aharoni

Apr 4, 2012, 4:16:27 AM
to Wikimedia developers
2012/4/4 Petr Bena <bena...@gmail.com>:

> I have seen there are a lot of wikis where people are concerned about
> inactive sysops. They managed to set up a strange rule where sysop
> rights are removed from inactive users to improve the security.
> However, the sysops are allowed to request the flag to be restored
> anytime. This doesn't improve security even a bit, as long as a hacker
> who got into some of the inactive accounts could just post a request
> and get the sysop rights just as if they had hacked an active user.

There's no point in making technical solutions for problems which are
imaginary in the first place, just as you say. The English Wikipedia
community rejects the notion that sysop inactivity is a problem quite
firmly, and it does just fine. Meta, Commons, my home Hebrew Wikipedia
and some other projects do have such rules, and they are completely
pointless.

An account with sysop rights cannot do that much damage anyway.
Deleting a page does no more damage than deleting a paragraph in an
existent page, and the latter can be done by anybody; in fact,
deleting a page makes a lot more noise. The same goes for protection,
blocking and editing in the MediaWiki space - everything is easily
traceable and reversible, and in a functioning wiki community the
damage will be minimal.

--
Amir Elisha Aharoni · אָמִיר אֱלִישָׁע אַהֲרוֹנִי
http://aharoni.wordpress.com
“We're living in pieces,
I want to live in peace.” – T. Moore

K. Peachey

Apr 4, 2012, 4:19:27 AM
to Wikimedia developers
On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <bena...@gmail.com> wrote:
> I have seen there are a lot of wikis where people are concerned about
> inactive sysops. They managed to set up a strange rule where sysop
> rights are removed from inactive users to improve the security.
> However, the sysops are allowed to request the flag to be restored
> anytime. This doesn't improve security even a bit, as long as a hacker
> who got into some of the inactive accounts could just post a request
> and get the sysop rights just as if they had hacked an active user.

Not all wikis blindly give the user their rights back when they use
this "theatrical" security model.

> For this reason I think we should create a new extension, auto sysop
> removal, which would remove the flag from all users who didn't log in
> to the system for some time,

There is already one that does this, from memory (without checking, E:LandLord).


> and if they logged back in, a confirmation
> code would be sent to their email, so that they could reactivate the sysop
> account.

Again, just theatrical security. Most people tend to use the same
passwords everywhere; if this was the case for said sysop, their email
is also compromised. Also, this would require wikis to have email
sending set up, as well as the user to have confirmed theirs.

> This would be much simpler and it would actually make hacking
> into sysop accounts much harder.

Not really, per my point above.

On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <bena...@gmail.com> wrote:
> More:
>
> IP addresses which do N bad login attempts should be blocked from
> accessing the login page for Z minutes ("You have done too many bad login
> attempts, please wait 5 minutes before trying again").
> This would help to avoid bots who try to compromise accounts by trying
> random passwords.

We already do this, I believe.

> The target user should be notified according to their personal config
> (they could specify whether they want to be warned if someone is about to
> compromise their account or not).

Pointless user preference IMHO; we should just send them (for wikis
that have email set up) and probably include a note along the lines of
"You should consider making sure your password is secure, some handy
hints are…"

On Wed, Apr 4, 2012 at 6:16 PM, Amir E. Aharoni
<amir.a...@mail.huji.ac.il> wrote:
> There's no point in making technical solutions for problems which are
> imaginary in the first place, just as you say. The English Wikipedia
> community rejects the notion that sysop inactivity is a problem quite
> firmly, and it does just fine. Meta, Commons, my home Hebrew Wikipedia
> and some other projects do have such rules, and they are completely
> pointless.

En.Wiki does de-sysop inactive accounts now.

Petr Bena

Apr 4, 2012, 4:25:58 AM
to Wikimedia developers
On Wed, Apr 4, 2012 at 10:15 AM, John Vandenberg <jay...@gmail.com> wrote:
> What happens if the ex-sysop has lost access to their original email
> address...?
>

If the sysop lost their email, they are in the same trouble as any
other user who lost their email and forgot their password. It simply
shouldn't happen.

On Wed, Apr 4, 2012 at 10:16 AM, Amir E. Aharoni
<amir.a...@mail.huji.ac.il> wrote:
> 2012/4/4 Petr Bena <bena...@gmail.com>:


>> I have seen there are a lot of wikis where people are concerned about
>> inactive sysops. They managed to set up a strange rule where sysop
>> rights are removed from inactive users to improve the security.
>> However, the sysops are allowed to request the flag to be restored
>> anytime. This doesn't improve security even a bit, as long as a hacker
>> who got into some of the inactive accounts could just post a request
>> and get the sysop rights just as if they had hacked an active user.
>

> There's no point in making technical solutions for problems which are
> imaginary in the first place, just as you say. The English Wikipedia
> community rejects the notion that sysop inactivity is a problem quite
> firmly, and it does just fine. Meta, Commons, my home Hebrew Wikipedia
> and some other projects do have such rules, and they are completely
> pointless.
>

> An account with sysop rights cannot do that much damage anyway.
> Deleting a page does no more damage than deleting a paragraph in an
> existent page, and the latter can be done by anybody; in fact,
> deleting a page makes a lot more noise. The same goes for protection,
> blocking and editing in the MediaWiki space - everything is easily
> traceable and reversible, and in a functioning wiki community the
> damage will be minimal.

That isn't an excuse to leave the project open to damage. Security of
MediaWiki users and their accounts should be important for us anyway.

Grunny

Apr 4, 2012, 4:26:05 AM
to Wikimedia developers
>On 4 April 2012 18:19, K. Peachey <p858...@gmail.com> wrote:
>>On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <bena...@gmail.com> wrote:
>> More:
>>
>> IP addresses which do N bad login attempts should be blocked from
>> accessing the login page for Z minutes ("You have done too many bad login
>> attempts, please wait 5 minutes before trying again").
>> This would help to avoid bots who try to compromise accounts by trying
>> random passwords.
>
>We already do this, I believe.

I believe it's covered through this:
https://www.mediawiki.org/wiki/Manual:$wgPasswordAttemptThrottle

Petr Bena

Apr 4, 2012, 4:33:22 AM
to Wikimedia developers
On Wed, Apr 4, 2012 at 10:19 AM, K. Peachey <p858...@gmail.com> wrote:
> On Wed, Apr 4, 2012 at 5:43 PM, Petr Bena <bena...@gmail.com> wrote:
>> I have seen there are a lot of wikis where people are concerned about
>> inactive sysops. They managed to set up a strange rule where sysop
>> rights are removed from inactive users to improve the security.
>> However, the sysops are allowed to request the flag to be restored
>> anytime. This doesn't improve security even a bit, as long as a hacker
>> who got into some of the inactive accounts could just post a request
>> and get the sysop rights just as if they had hacked an active user.
>
> Not all wikis blindly give the user their rights back when they use
> this "theatrical" security model.
>
>> For this reason I think we should create a new extension, auto sysop
>> removal, which would remove the flag from all users who didn't log in
>> to the system for some time,
>
> There is already one that does this, from memory (without checking, E:LandLord).
>
>
>> and if they logged back in, a confirmation
>> code would be sent to their email, so that they could reactivate the sysop
>> account.
>
> Again, just theatrical security. Most people tend to use the same
> passwords everywhere; if this was the case for said sysop, their email
> is also compromised. Also, this would require wikis to have email
> sending set up, as well as the user to have confirmed theirs.
>

That's the problem of the user if they use the same password, but I believe
that any users with any sense of security don't do that; sysops could
be instructed to use a different password than in their email.

>> This would be much simpler and it would actually make hacking
>> into sysop accounts much harder.
>
> Not really, per my point above.
>

It would per my point above your point.

> On Wed, Apr 4, 2012 at 5:54 PM, Petr Bena <bena...@gmail.com> wrote:
>> The target user should be notified according to their personal config
>> (they could specify whether they want to be warned if someone is about to
>> compromise their account or not).
>
> Pointless user preference IMHO; we should just send them (for wikis
> that have email set up) and probably include a note along the lines of
> "You should consider making sure your password is secure, some handy
> hints are…"
>

What is pointless about that? I believe many users would like to be
informed that they are the target of some hacker. Even providing
information to identify them (to a checkuser, for example), like the IP
address, would be useful to eliminate them somehow. If they don't
like it, they can turn it off.

Thomas Morton

Apr 4, 2012, 4:39:39 AM
to Wikimedia developers
>
> > Again, just theatrical security. Most people tend to use the same
> > passwords everywhere; if this was the case for said sysop, their email
> > is also compromised. Also, this would require wikis to have email
> > sending set up, as well as the user to have confirmed theirs.
> >
>
> That's the problem of the user if they use the same password, but I believe
> that any users with any sense of security don't do that; sysops could
> be instructed to use a different password than in their email.
>
> >> This would be much simpler and it would actually make hacking
> >> into sysop accounts much harder.
> >
> > Not really, per my point above.
> >
>
> It would per my point above your point.
>


The problem here is that it doesn't really discuss how a sysop account has
been compromised; via the email account? Via some more direct method?

As pointed out it is somewhat security theatre.

Besides; you're looking for a problem to fit the solution. On English
Wikipedia compromised accounts are, in themselves, rare occurrences. And
compromised sysop accounts rarer (read; I've never seen one!).

We discussed this at length when implementing the age-desysopping, and
agreed it wasn't an entirely failsafe method against compromise. But it
does provide a level of scrutiny to a returning sysop; and really that is
all that is needed. The amount of damage a compromised sysop account could
do isn't critical and they can be stopped relatively easily - if they have
scrutiny.

This is the best form of security.

Tom

Petr Bena

Apr 4, 2012, 4:47:58 AM
to Wikimedia developers
The accounts could be compromised just using a brute force attack
which would be running for a long time. Since the user would never know
their account is being cracked, they would likely never bother with
making their password stronger, nor report it somewhere. If I
were an inactive sysop and I received a message that someone has done
500 000 login attempts overnight, I would likely ask some bureaucrat
to remove my sysop flag, since I don't even need it.

That's not possible now.

Regarding the hacked accounts, there were some in the past; there was
evidence of that on English Wikipedia AFAIK. I still don't see "damage
is not so big" as a reason to drop work on improving the security.
