Difference between revisions: revision as of 22:15, 24 November 2018 by Xaosflux (→Level 1 desysop of Killiondude: re) and revision as of 22:18, 24 November 2018 by Killiondude (→Level 1 desysop of Killiondude: cmt)
Revision as of 22:18, 24 November 2018
Arbitration motion regarding Palestine-Israel articles
I don't touch this area, so I don't know what's changed. For the sake of people like me, would it be possible to say "Here are the differences..."? I'm meaning in general for arbitration decisions affecting an area (as opposed to decisions affecting one or a few users), like speed of light or tree shaping or India-Pakistan, not just Israel-Palestine. Nyttend (talk) 12:23, 23 November 2018 (UTC)
- The best place to view changes is on the case page. For example you can see each iteration of this restriction here which also has a link to the motion explaining the thoughts behind it Worm(talk) 12:37, 23 November 2018 (UTC)
Level 1 desysop of Esanchez7587
Another solid argument for better activity standards for admins. Before this incident this account was almost entirely inactive, but they made one token edit in April of this year and so escaped being desysopped back in September. They had not previously used admin tools at all in 25 months. This already wasn't an admin account, our own ridiculously lax standards allowed this to happen. Beeblebrox (talk) 19:52, 22 November 2018 (UTC)
- Do we have a statistic about which type of accounts is more likely to be compromised or are we working off a gut feeling? Jo-Jo Eumerus (talk, contributions) 19:54, 22 November 2018 (UTC)
- Neither. Working off what just actually happened. Beeblebrox (talk) 20:00, 22 November 2018 (UTC)
- While I support the current activity proposal at WP:VPPROWP:VPP, one is not a good sample size to work from. Is there a list of accounts that have been compromised at some point (whatever their current status) so that more data can be used to see if there are other common factors? Thryduulf (talk) 23:09, 22 November 2018 (UTC)
- @Thryduulf: - Misplaced Pages:Former_administrators/reason/compromised. Nine in total, the accounts of Denelson83 and Esanchez7587 have both been compromised this year; the last one prior to these two was in 2012. Fish+Karate 09:38, 23 November 2018 (UTC)
- As I said on WP:VPPOL, this doesn't list people who recovered their accounts. Galobtter (pingó mió) 10:05, 23 November 2018 (UTC)
Level 1 desysop of Garzo
- May I suggest an emergency desysop of all admin-accounts that haven't been active during the past 6-8 months? One compromised admin-account per day is a bit too much, especially since the vandal who is doing it seems to have an above average knowledge about how to use the bits, enough to suggest that they may even be an ex-admin... - Tom | Thomas.W 20:31, 23 November 2018 (UTC)
- As I suggested yesterday, the WMF need to run a password scanner on all admins and emergency desysop any that are reasonably crackable. I know Beeblebrox wants this to happen, and we need to put pressure on them to do it. Ritchie333 20:38, 23 November 2018 (UTC)
- I wonder if this isn't tied to the mass-guessing attempts at passwords some months ago? If that's the case, then it's not outside the realm of possibility that these accounts were compromised then and are now being used as sleeper sockpuppets. —Jeremy v^_^v 20:41, 23 November 2018 (UTC)
- (edit conflict) I was about to suggest something of this sort. Many other sites that become aware of hackers in possession of the credentials of their accounts can and do initiate a forced password reset as a matter of sealing the breach. It stops being security paranoia when the attacks are actually happening and continuing to happen. Ivanvector (/Edits) 20:45, 23 November 2018 (UTC)
- If the vandal had access to the passwords of a number of inactive admin accounts already a few months ago, cracked them already back then and switched to better passwords, those compromised accounts would not be caught by scanning for substandard passwords, so I suggest also getting a list of inactive admin accounts that, in spite of being inactive, have replaced their passwords during the past few months... - Tom | Thomas.W 20:50, 23 November 2018 (UTC)
- Are logs kept of when passwords were changed? Thryduulf (talk) 21:17, 23 November 2018 (UTC)
- I would hope so, we log everything else.--v/r - TP 21:19, 23 November 2018 (UTC)
- Hi all - just a vague note that we're working with the WMF security team to prevent future compromises like this, and some actions have already been taken. More info to follow eventually. No mass-desysops should be necessary at this time. As always, if you want to make sure your account is secure, use a unique password for Wikimedia and enable two-factor authentication. -- Ajraddatz (talk) 21:28, 23 November 2018 (UTC)
Level 1 desysop of Killiondude
- Killiondude was quite literally active the day immediately before. I'm starting to think that this and the mass-breach attempt in May are somehow connected. —Jeremy v^_^v 21:23, 24 November 2018 (UTC)
Well, this goes to show that activity standards are not in fact enough. (although I strongly support strengthening them) I don't know the details of how these breaches are happening but it would be nice to know that WP:STRONGPASS was enforceable in some meaningful way other than after an account has already been compromised. Beeblebrox (talk) 21:24, 24 November 2018 (UTC)
- I'm running on the theory that Killiondude either reused a password that he used on a website that did get pwned, or he got spearphished. —Jeremy v^_^v 21:26, 24 November 2018 (UTC)
- Personally, I'd like to see 2FA mandatory for users with advanced rights on any project. --Cameron11598 21:52, 24 November 2018 (UTC)
- Hi ArbCom, please let us know at WP:BN if access needs to be restored on this or any of the other users. While WMF T&S / stewards may unlock upon validating that the right "person is in control of the account" I'm seeing it as up to ArbCom to determine if they are satisfying the administrator policy for security requirements at: Misplaced Pages:Administrators#Security. Best regards, — xaosflux 22:15, 24 November 2018 (UTC)
How embarrassing. Ajraddatz helped me recover my account. My Misplaced Pages password was previously used with a few other sites, but has been the only one used anywhere on the web, that I can think of, for years now. I have a new, unique password now. I apologize for the inconvenience. Killiondude (talk) 22:18, 24 November 2018 (UTC)