Admins desysopped

Four administrator accounts desysopped after hijacking, vandalism

On 7 May, 2007, four administrator accounts were desysopped as an emergency response after committing acts of vandalism including deleting the Main Page and blocking several other administrator accounts. The incident highlighted the need for improved individual and site-wide password security.

The four users, AndyZ, Jiang, Conscious, and Marine 69-71, used weak passwords that were cracked by an unknown person. Since the incidents, two admins (AndyZ, Marine 69-71) were resysopped after their identities were confirmed.

Incident reports

AndyZ

Admin AndyZ (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) was indefinitely blocked and desysopped after deleting the main page with the edit summary, "My password is password!" Mark logged in to the account and changed the password, and emailed the user asking for an explanation. Late Monday evening, an IP user claiming to be AndyZ posted to the administrators' noticeboard and apologized. AZPR, a semi-bot account operated by AndyZ, also logged in and posted an unblock request at User talk:AndyZ [1]. As of this writing, AndyZ's main account is still indefinitely blocked pending verification of his identity. Because AndyZ had not edited under his usernames for over two months, checkuser verification of his account is not technically feasible (in keeping with Wikimedia's privacy policy). On 8 May, 2007, AndyZ was unblocked per this unblocking request by Thatcher131.

Checkuser evidence on the attacker, meanwhile, revealed that the deletion of the main page was done through an open proxy but that a block of Ryulong was made from an IP address used by BuickCenturyDriver (talk · contribs · deleted contribs · logs · filter log · block user · block log). As a result, BuickCenturyDriver was also indefinitely blocked. While it is possible that BuickCenturyDriver is the culprit behind the main page vandalism, it is also possible that he saw AndyZ's password exposed in the deletion log and decided to play a prank. BuickCenturyDriver has asked to be unblocked, and discussions are ongoing.

Jiang

Admin Jiang (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) was indefinitely blocked and desysopped after deleting the main page and blocking Jimbo Wales. Jiang admitted on his user talk page that his password was "fuckyou", which is the 7th most commonly used password. Mark unblocked Jiang after Jiang e-mailed him from his registered e-mail address, and after a checkuser established that the vandal edits were made from an open proxy, but that Jiang's subsequent edits were made from his long-time IP address.

Conscious

Admin Conscious (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) was indefinitely blocked and desysopped after deleting the main page and several other articles and blocking a dozen or so editors. As of this writing, Conscious has not made contact or requested to have his account unblocked. On May 11, 2007, Conscious was unblocked per this unblocking request by Thatcher131, and was re-sysoped.

Marine 69-71

Administrator Marine 69-71 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) (also known as Tony the Marine) was indefinitely blocked and desysopped after deleting the main page and blocking several editors. Marine 69-71 requested unblocking on his user talk page and admitted to using a weak password. Checkuser confirmed that the vandal edits were made from an open proxy, but that Marine's subsequent edits were made from his long-time IP address. After he confirmed that he had changed his password, and his son, AntonioMartin, confirmed that his father was in control of the account, he was unblocked and resysopped.

Eagle 101

A fifth administrator, Eagle 101 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA), also deleted the Main Page, but this was an accident caused by his browser locking up. He was desysopped but resysopped 3 minutes later after confirming that his account was not compromised.

Responses

Robdurbar?

Immediately following the incidents, some users questioned whether the attacks were related to Robdurbar's similar rampage, which was not the result of a hacking, but instead was an active and successful effort by banned user Robdurbar, a sockpuppet account of Wonderfool to gain adminship, in order to eventually create havoc (see archived story). However, checkuser Dmcdevit confirmed that the attacker was not related, saying, "I'm very sure Robdurbar isn't related. He's an actual rogue admin, with a university IP as well as his Tiscali ones. No open proxies."

Regaining Adminship

Normally, the decision of whether to restore adminship is left to the discretion of the bureaucrats. In discussions at the Bureaucrats' noticeboard, several bureaucrats have expressed a willingness to "reinstate the rights of any administrator who can demonstrate that the compromised account in fact belongs to him", as long as the editor also affirms that he or she is now using a strong password.

Other editors have expressed the feeling that administrators who compromised Wikipedia's security through a weak password may have lost the community's trust and should have to re-apply for adminship through RFA.

At the present time, only Marine 69-71 has been restored to administrator status.

Password Security

Several editors have called for increased password security. Although administrator accounts make an attractive target for vandals, any account with a weak password is vulnerable to being hijacked. Editors who do not already have a strong password should consider changing their password or risk permanently losing access to their accounts.

A new proposed policy, Wikipedia:Security, emphasizes personal responsibility for password security. It also discusses potential security weaknesses including weak passwords and packet sniffing, with recommendations on how to access Wikipedia securely. A bugzilla report has been filed requesting several security improvements, such as requiring newly registered users to select stronger passwords and limiting the number of times a user can attempt to log in with an incorrect password, to reduce the ability of crackers to use brute force methods of password cracking.

Lead developer Brion VIBBER has run a password cracker on all administrator accounts and invalidated the weak passwords of several additional admin accounts. These admins will have to reset their passwords by e-mail before logging in again. Wikipedia:Administrators has been amended to note the importance of strong passwords for administrators, bureaucrats, checkusers, stewards and oversighters. HighInBC has sent a mass e-mail to all administrators informing them of the situation and advising them to select strong passwords if they have not already done so.

Several additional security measures have been added to the MediaWiki software or will be added in the near future:

See also

+ Add a comment

Discuss this story

These comments are automatically transcluded from this article's talk page. To follow comments, add the page to your watchlist. If your comment has not appeared here, you can try purging the cache.
==TOR==

Probably should mention that Jayg is cracking down on TOR nodes because of this; previously most of them were being softblocked, but he's hardblocking all of them. --Gwern (contribs) 03:32 8 May 2007 (GMT)

Maybe. On the other hand admin accounts are not subject to IP blocks, so can't someone use tor with an admin account? Thatcher131 03:36, 8 May 2007 (UTC)[reply]
I don't know. That sounds about right, but I don't know for sure. On the other hand, if that is true, that would suggest the hardblocks are even more pointless than I've been saying to Jayg. --Gwern (contribs) 04:23 8 May 2007 (GMT)
I think this would be good for an article next week after some time to digest. There are a lot of people who favor hard blocks for a number of reasons. Probably should not be shoehorned here at last minute. Thatcher131 03:40, 8 May 2007 (UTC)[reply]
It's no less last minute than the rest of the stuff, I'd say. But I do have an ulterior motive in suggesting it, as I've learned that you need to jump on these things early before 'consensus' and inertia build up. --Gwern (contribs) 04:23 8 May 2007 (GMT)
That's a big mistake. Tor is a necessity in places where Wikipedia is blocked. Blocking all tor access effectively prohibits a billion or so people from editing/reading the site. — BRIAN0918 • 2007-05-09 15:39Z

"My password is password!"

I was lucky enough to see the first incident (the User:AndyZ one) in progress, and saw that fateful edit summary shortly after creation. I naturally thought "Ah. A compromised account is running wild; and the hacker has set the password so anybody can join in. I wonder how many will?"

Obviously there's a lot of evidence that User:BuickCenturyDriver did just that. But how many others did? I would imagine lots of others, no? During the minutes between "My password is password!" and the point where User:Mark took control of the account, how many IP addresses all over the place logged on? This seems like a prime bit of news for the newspaper! Inquiring minds want to know. Doops | talk 00:36, 9 May 2007 (UTC)[reply]

As far as I know from the checkuser evidence that has been described, BuickCentury was the only cat killed by curiosity. All the rest of the IP evidence points to one cracker behind all the attacks. Jiang's password was not revealed until later, by him, and Marine and Conscious' passwords have never beeb revealed. Thatcher131 03:13, 9 May 2007 (UTC)[reply]
That's amazing. You'd think there'd be handfuls! How soon did Mark change the password? Doops | talk 03:39, 9 May 2007 (UTC)[reply]
I don't know. It could have been any time after the account was blocked and desysopped. Incidentally, I will be writing a followup article for next week to cover developements after this issue was finalized. Thatcher131 03:44, 9 May 2007 (UTC)[reply]
It took about a minute after I saw that to log out, log in and change the password. Apparently as soon as a password is changed, it logs out all other computers logged in on that account. Luckily it seems nobody got around to do any damage beyond what has been described. Chances are, not a whole lot of passing randoms know how to get to the deletion log to find out the deletion summary. - Mark 06:05, 9 May 2007 (UTC)[reply]
AndyZ has since been unblocked. This should be reflected in the Signpost article. I would change it, but I am generally quite awful at wording things like that. --Dreaded Walrus t c 13:10, 9 May 2007 (UTC)[reply]
Oh, wait. I should have read the full thing before posting here. I just saw the "as of this writing" bit and jumped straight in here. --Dreaded Walrus t c 13:20, 9 May 2007 (UTC)[reply]

Dire warnings in Wikipedia:Administrators no longer current

I wrote that text on Wikipedia:Administrators thinking it was the way things would go. Then Brion did something different. I've reworded the text accordingly - David Gerard 11:56, 9 May 2007 (UTC)[reply]

This is my first Signpost article so I don't know if its supposed to be like a newspaper that doesn't change once its printed or whether it should be updated, and for how long after publication. I'll look at WP:Admins and think about toning down the article. Thatcher131 12:23, 9 May 2007 (UTC)[reply]
Signpost articles are more like newspaper articles than mainstream wiki articles - they are rarely edited to reflect developments of substance after the date of publication (although minor amendments are often made - this is a wiki, after all). -- ALoan (Talk) 10:14, 10 May 2007 (UTC)[reply]

BuickCenteryDriver

The part on him is inaccurate since he was now unblocked after an apology and the AFG of 4 admins. Sodaplayer talk contrib ^_^ 22:40, 10 May 2007 (UTC)[reply]

There will be a followup story next week, this is more like a newspaper and at the time it was written he was blocked. Thatcher131 22:42, 10 May 2007 (UTC)[reply]

A useful userbox

This user has a
Strong Password.
--One Salient Oversight 07:56, 12 May 2007 (UTC)[reply]



       

The Signpost · written by many · served by Sinepost V0.9 · 🄯 CC-BY-SA 4.0