The release of the latest version of MediaWiki (Version 1.16) was announced this week (Wikimedia Techblog); a separate, minor update (Version 1.15.5) was also released for operators unwilling or unable to upgrade fully. Both versions were billed as fixing an important "data leakage vulnerability" (wikitech-l mailing list). The milestone has little inherent significance for Wikimedians, since Wikimedia Foundation wikis run their own version of the MediaWiki software, which is usually well ahead of the official release. MediaWiki was originally developed with Wikipedia in mind but is now in use in some form or other on a number of other popular sites, including the commercial wiki host Wikia. System administrators of these other installations are encouraged to upgrade, both for security reasons and to take advantage of features introduced since the 1.15 milestone, reached more than a year ago. However, Wikimedians can be hopeful that the release is a sign of strength in the development community.
The handling of user passwords on 150 websites was analysed in a recent study. Joseph Bonneau and Sören Preibusch, researchers from the University of Cambridge who conducted the study (The password thicket: technical and market failures in human authentication on the web, see also blog post and downloadable data), called it "the first large-scale empirical analysis of password implementations deployed on the Internet". Wikipedia received a "password security score" of 4 out of 10, falling short of the optimal score with respect to several evaluation criteria: the password selection advice does not prohibit dictionary words, a minimum length (>1) is not required, the use of numbers or symbols in the password is not enforced, federated identity services are not supported (although a MediaWiki extension for OpenID exists), the user list is not protected from probing (the list is intentionally available), and TLS is normally not used to protect password submissions (the password is sent in cleartext when logging in, although the secure server does provide encrypted connections).
Asked by The Signpost for comment, Sören Preibusch said:
“Wikipedia exhibits a unique set of password practices [see "Clustering" on p. 28]. The site is doing a decent job in preventing password guessing by requiring captcha-solving after three attempts -- one of the lowest limits observed in the market. Creating a random new password instead of sending out the old password during password reset is another positive feature. However, Wikipedia makes it easy to probe usernames through the enrolment, log-in, and reset forms. Whilst this is a deliberate and documented practice, and usernames associated with administrative privileges are also available through published lists, it leads to a lower password score in our survey.
Much security could be gained by making encrypted transmission of the password the default. Imposing a minimum length is another low-hanging fruit. Similarly, a graphical password strength indicator could complement the ample password advice already available on the sign-up page. Given the technology-savvy population of Wikipedia account holders, HTTP Digest authentication may improve security without making TLS the default. Wikipedia's threat model and its specific motivations for deploying passwords, such as reputation-building and persistent display preferences, would seem to make OpenID a viable alternative to passwords. I think it is unfortunate that Wikipedia is not yet OpenID-enabled.”
See also past Signpost coverage about password security on Wikipedia: Four administrator accounts desysopped after hijacking, vandalism, Administrator status restored to five accounts after emergency desysopping (about a 2007 incident which led to some changes in MediaWiki and the start of the page Wikipedia:Security), Blank passwords eliminated for security reasons (2006), Password security upgraded after Slashdot furor (2005, about an incident after which salted passwords were introduced).
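The criteria the study scores (dictionary words, minimum length, digits and symbols, username probing through the login and reset forms, a captcha after repeated failures, and a fresh random password on reset rather than the old one mailed back, which salted hashing makes impossible anyway) can be read as a small server-side checklist. The following is an added illustration written for this report, not code from the study or from MediaWiki; the scoring thresholds, the tiny word list, the eight-character minimum and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
import secrets
import string
from collections import defaultdict

# Constructed word list; a real deployment loads a proper dictionary file.
COMMON_WORDS = frozenset({"password", "wikipedia", "letmein", "welcome", "qwerty", "admin"})
MIN_LENGTH = 8          # assumed policy value; the study only asks for a minimum > 1
CAPTCHA_AFTER = 3       # the report says Wikipedia demands a captcha after three failures
PBKDF2_ROUNDS = 50_000  # assumed work factor
_DUMMY_SALT = b"\x00" * 16


def password_problems(pw: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    stem = re.sub(r"\d+$", "", pw.lower())  # "Password123" -> "password"
    if stem in COMMON_WORDS:
        problems.append("based on a dictionary word")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def new_temporary_password(length: int = 16) -> str:
    """Random reset password guaranteed to satisfy password_problems()."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(p) for p in pools]            # one character of each class
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


class LoginGate:
    """Toy account store: enrolment policy, uniform login failures, captcha after N misses."""

    def __init__(self):
        self._users = {}                     # username -> (salt, digest)
        self._failures = defaultdict(int)    # username -> consecutive failed attempts

    def enrol(self, username: str, pw: str) -> None:
        problems = password_problems(pw)
        if problems:
            raise ValueError("; ".join(problems))
        self._users[username] = hash_password(pw)

    def login(self, username: str, pw: str, captcha_ok: bool = False) -> str:
        """Returns 'ok', 'captcha_required' or 'invalid'.

        Unknown usernames and wrong passwords produce the same 'invalid' result and the
        same counter increment, so the form does not reveal which usernames exist; the
        unknown-user branch also performs a dummy hash so both paths do similar work.
        """
        if self._failures[username] >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        record = self._users.get(username)
        if record is None:
            hash_password(pw, _DUMMY_SALT)
            self._failures[username] += 1
            return "invalid"
        salt, digest = record
        if hmac.compare_digest(hash_password(pw, salt)[1], digest):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "invalid"

    def reset(self, username: str):
        """Replace the stored hash with a fresh random password and return it.

        The old password cannot be mailed back because only its salted hash is stored.
        The HTTP response to the requester must be the same whether or not the
        account exists; only the delivery to the registered address differs.
        """
        if username not in self._users:
            return None
        tmp = new_temporary_password()
        self._users[username] = hash_password(tmp)
        self._failures[username] = 0
        return tmp


if __name__ == "__main__":
    gate = LoginGate()
    gate.enrol("alice", "Tr0ub4dor&3")
    print(password_problems("password1"))      # dictionary stem, no symbol
    print(gate.login("alice", "wrong"), gate.login("nobody", "wrong"))  # both 'invalid'
```

The failure counter is keyed by username only, which is a simplification; a real deployment rate-limits by client address as well, since a per-username counter alone can be used to lock legitimate users behind the captcha.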
In an unrelated announcement, research published by Qualys – a private software security firm – has shown that 19 in every 20 MediaWiki installations are running software old enough to include "serious vulnerabilities", compared with fewer than 1 in 20 WordPress installations (Wikimedia Techblog). Developer Tim Starling (one of only a handful of paid MediaWiki programmers) explained the startling figure:
“While WordPress's web-based upgrade utility certainly has a positive impact on security, I feel I should point out that what WordPress counts as a serious vulnerability does not align with MediaWiki’s definition of the same term. For instance, if a web-based user could execute arbitrary PHP code on the server, compromising all data and user accounts, we would count that as the most serious sort of vulnerability, and we would do an immediate release to fix it.... in WordPress, they count this as a feature, and all administrators can [execute such code].... If you are running MediaWiki in a CMS-like mode, with whitelist edit and account creation restricted, then I think it's fair to say that in terms of security, you're better off with MediaWiki.
However, the statistics presented by Qualys show that an alarming number of people are running versions of MediaWiki older than 1.14.1, which was the most recent fix for an XSS vulnerability exploitable without special privileges. There is certainly room for us to do better.”
Note: not all fixes may have gone live to WMF sites at the time of writing; some may not be scheduled to go live for many weeks.
"xxlimit=max" in the API, broken by recent updates.
The Toronto-based National Post has claimed that it has evidence that Defence Department computers in Ottawa are being used to "vandalize information on a Wikipedia site critical of the Conservative government's decision to spend billions on a new stealth fighter." This comes less than three weeks after The Signpost reported allegations in the British newspaper The Sunday Telegraph that Members of Parliament were removing evidence of scandals they had been involved in from their Wikipedia articles.
The National Post reported that nine attempts were made to alter Wikipedia's article on the Joint Strike Fighter (Lockheed Martin F-35 Lightning II), "including the removal of any information that was critical of the Harper government's plan to spend at least $16 billion on the new fighter aircraft. Defence Department computers were also used to insert insults, aimed at Liberal Leader Michael Ignatieff, into the Wikipedia Joint Strike Fighter page. Ignatieff has questioned the proposed purchase."
It also reported that Wikipedia "traced the alterations to three computers owned by Defence Research and Development Canada's Ottawa offices." It was reported that a "spokesman for Defence Research and Development Canada (DRDC) said the attempts to alter the Wikipedia page were not part of a concerted effort to stifle debate on the proposed JSF purchase but inappropriate use of government computers by, as yet, an unidentified individual or individuals." Martin Champoux, DRDC's manager of public affairs, "said reminders will be sent to employees about government regulations regarding personal computer use."
An examination by The Signpost confirmed that an IP removed content, claiming in the edit summary that the information removed was "irrelevent [sic] and political and is inconsistent with entries for other countries that all have similar politics associated to the purchase". The edit was reverted, and the IP told to gain consensus on the article's talk page. The same IP then removed content multiple times (here, here, here, here, here). Then the same IP appeared to change tactic, introducing biased content (here) and attacking opposition Liberal Party Leader Michael Ignatieff (here). The article was then semi-protected.
The IP address is registered to Canadian Department of National Defence, and has now been blocked "for a short time".
On June 19, the wedding of Victoria, Crown Princess of Sweden, and Daniel Westling drew half a million visitors to Stockholm, Sweden. Among the roughly 2,300 accredited media representatives covering the events were two Wikimedians, whose accreditation had been obtained with help from the Swedish and German Wikimedia chapters. One of them, User:Prolineserver, last week described his experience in a blog post (in German) for Wikimedia Deutschland. Apart from the royal family, the events presented opportunities for portraying the guests of honor, who numbered more than a thousand. Some of these guests still await identification on the photographs now at Commons. Apart from the two accredited Wikimedians, other users took pictures; according to Wikimedia Sverige[1] "at least 10 persons have uploaded 277 photos and videos to Commons". The GLAMorous tool shows that many photos from the wedding are already in use on several Wikipedias, and received a significant number of page views in June alone.
In a recent press release (English version), Wikimedia Italia voiced strong concerns about a bill that was being discussed before the Italian Chamber of Deputies, having already been approved by the Senate. According to the Italian chapter, the bill would extend a stringent right of reply to all websites, imposing restrictions they believe "will damage the Italian participation to the Internet and especially Wikipedia".
“Based on the current formulation of the bill, rectifications are compulsory and non-commentable. Anybody who considers that his dignity is being damaged by any information (even if true) presented in the encyclopedia would have the right to get that information adjusted according to his wish.
Rectifications have 'to be published within forty-eight hours from the request, with the same graphical layout, the same accessibility and the same visibility of the news they refer to', and without any further comments, on penalty of a fine between 7,500 and 12,500 euros [$9,750–$16,250]. This has two main effects. First, the encyclopedia could possibly not ensure a neutral point of view, because it would have to include unmodifiable, uncommentable opinions even in absence of a reliable source, in opposition to verifiable facts. In addition, since Wikipedia has no editorial board, it would be impossible for any single person to ensure timely publication of the rectification, so that the bill would expose Wikipedia and its users to the risk of strong economic penalties.”
As noted a few days later by Wikimedia Italia, the vote on the bill appears to have been postponed until September.
Last month, three English-language chapter reports were released, in which Wikimedia chapters across the globe describe their recent activities.
Wikimedians at the Italian chapter started their "Wikimedia News" bulletin with an editorial describing the results of a survey on what readers think of Wikimedia Italia. The organization will soon open its own office in Rome, thanks to an "agreement between the Department of Culture of the Municipality of Rome, the Libraries of the City of Rome and the association Liber Liber". Apart from "video editing, e-book digitizing/layout and audio editing for the creation of audiobooks", the location will be used "to host civil service volunteers and interns, to organize courses and cultural events, in collaboration with the adjacent library "Vaccheria Nardi", which has large rooms with multimedia stations, area conferences, and of course reading rooms (the structure as a whole has three buildings)".
Wikimedia Sverige (Wikimedia Sweden) announced in their June 2010 report that they have sponsored a photohunt in the middle of Sweden (Bergslagssafari). Thus far, this has resulted in the uploading of pictures to Commons and media attention. Planning has begun for a similar event in the south of Sweden in September.
Wikimedia Deutschland's monthly Chapter Report for June 2010 mentioned preparations for a new phase of its school project, which educates pupils about the proper use of Wikipedia. The report described the Chapter's support for digitization projects on Wikisource, and mentioned discussions about its "community budget" and various political activities. Preparations for the Wikipedia academy, which will be held in November 2010, are taking shape. The main context of this year's event is the Year of Science 2010 "Future of Energy". At the event, the "Zedler-Medaille" (Zedler Medal) for a high-quality encyclopedia article in German will be awarded for the fourth time. This is a collaboration of Wikimedia Deutschland with an academic publisher and a scholarly society.
The Arbitration Committee opened no cases this week, leaving two open.