Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Fri, Jul 24, 2009 at 2:24 AM, Tim Starlingtstarl...@wikimedia.org wrote: There's plenty of ways to attack watchlistr without fully compromising the server. The point is that a system that allowed stealing the logins of hundreds of Wikipedia users if you managed to compromise a third-party website run to unknown security standards is unacceptable. *Even* if it's set up so you really do have to be able to run arbitrary code as the web user to get the data -- and in this case security appeared to be even lower. Malice is also a concern in the general case, although it might not be a concern here. So any solution that allows either of the following is unacceptable: 1) The compromise of a(n additional) third-party party run to unknown security standards could result in many Wikipedia user accounts being taken over. 2) A third party becoming malicious could result in many Wikipedia user accounts being taken over. Hopefully my watchlist-reading code will be deemed acceptable. I'm reminded (by Domas, of course) that watchlists are actually a very expensive operation, so I wouldn't be entirely surprised if this gets $wgMiserModed away before or shortly after deployment, when users start requesting 400 wikis' watchlists every fifteen minutes. I wish there were some good solution to this. How do other sites handle giant numbers of users watching changes to zillions of pages? Throwing hardware at it? ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
Message from the developer. I will see if he's interested in subscribing, but a forward will do for now. Original Message Subject: Re: Watchlistr Date: Thu, 23 Jul 2009 11:20:19 -0500 From: Cody Jung funkyca...@gmail.com To: Tim Starling tstarl...@wikimedia.org Hey there Tim, Apologies, I am not actually sure how to post to a mailing list; if you would, could you post this for me? I completely understand the hesitation (and, indeed, the outright repulsion) to my application. Although I am confident in the security of Watchlistr, I realize that, out of the blue, it seems very suspicious. When I saw the post by MrZaius on the Wikipedia Bounty Board I thought to myself Why hasn't anyone done this before? It seems really easy to implement! Now I see why. Therefore, I would like to address several points brought up by the Wikitech-l mailing list users. I will start at the top of the thread and work down, address various comments as I go. To Sage Ross: Although I have very little editing experience, as far as the Wikimedia projects go, anyway, when I saw the request for a transwiki watchlist tool, I thought this is how I can help improve Wikipedia. This is something I _know_ how to do, and well. I want to assure everyone that my intentions were good (if not a little misguided), and I have no intention of phishing for anyone's accounts. To Michael Rosenthal: I have looked at gWatch, but the fundamental issue I see with it is the fact that you have to watch something twice -- you must manually enter pages to watch, and that just seems a little silly. To Gregory Maxwell and Aryeh Gregor: Until such time as my application can be a) proven trustworthy, or b) improved to *not* use passwords, I have removed all user accounts (all 4 of them...), and frozen registrations. I do, however, ask that you _please_ do not block the the IP addresses at the server level. I am on a shared hosting solution, and doing that could very well create issues with other users with my host. To help in the proving trustworthy, or else process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage. Here's how the site works: User logs in - Their username is hashed and checked against the database, if it matches - we make a session with that username as a variable in it for later access. When the user accesses their aggregate watchlist for the first time each session, we take the username, decrypt the wiki list, and log them in to their sites. The cURL cookies that result are then stored above the web server, in a protected directory. The passwords do not get used for the rest of the session (the stored cookies are used instead). When the user logs out, the session is destroyed and the cURL cookiejar is deleted. As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know. Apologies once again for the uproar I have caused, Cody Jung Developer, Watchlistr On Wed, Jul 22, 2009 at 10:48 PM, Tim Starlingtstarl...@wikimedia.org wrote: Please comment on the wikitech-l discussion about whether or not to block watchlistr.com from Wikimedia servers: http://lists.wikimedia.org/pipermail/wikitech-l/2009-July/044238.html ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starlingtstarl...@wikimedia.org wrote: To help in the proving trustworthy, or else process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage. They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program. As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know. I would suggest you apply for a toolserver account: https://wiki.toolserver.org/view/Account_approval_process Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starlingtstarling at wikimedia.org wrote: They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program. Wouldn't adding a salt fix this? They would have to have both the username, the database, and the salt value to decrypt the wiki list. I would suggest you apply for a toolserver account: https://wiki.toolserver.org/view/Account_approval_process Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info. I attempted to apply for a toolserver account, but it appears that the server at http://toolserver.org/accountrequest is down (as of 1:27pm CDT). ~Cody ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
Aryeh Gregor simetrical+wikil...@gmail.com wrote in message news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com... On Thu, Jul 23, 2009 at 1:37 PM, Tim Starlingtstarl...@wikimedia.org wrote: To help in the proving trustworthy, or else process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage. They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program. Or, since the set of registered Wikimedia users is both vastly smaller than the superset of all possible usernames (remember it's restricted to users with a global login AFAICT), and readily accessible through a high-throughput API, a brute-force attack would be, if not trivial, certainly extremely feasible. As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know. I would suggest you apply for a toolserver account: https://wiki.toolserver.org/view/Account_approval_process Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info. This looks like a *much* more acceptable system. Although how would you authenticate without collecting proscribed data...? --HM ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 8:50 PM, Happy-melon happy-me...@live.com wrote: Aryeh Gregor simetrical+wikil...@gmail.comsimetrical%2bwikil...@gmail.com wrote in message news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com... On Thu, Jul 23, 2009 at 1:37 PM, Tim Starlingtstarl...@wikimedia.org wrote: To help in the proving trustworthy, or else process, I have released the source code of Watchlistr - please take a look at it. You will see that I take the utmost care in securing user information. The wiki logins are encrypted with AES in our database. The key used to encrypt each user's login list is their site username, which is stored as a SHA1 hash in our database. If a cracker were to, somehow, gain access to the database, they would be left with a pile of garbage. They would only have to get the site usernames to decrypt the login info. They could get those the next time each user logs in, if they're not detected immediately. There's no way around this; if your program can log in as the users, so can an attacker who's able to subvert your program. Or, since the set of registered Wikimedia users is both vastly smaller than the superset of all possible usernames (remember it's restricted to users with a global login AFAICT), and readily accessible through a high-throughput API, a brute-force attack would be, if not trivial, certainly extremely feasible. As for the other solutions that were presented - I was really trying to create a cross-platform, cross-browser solution that would not hinge on one particular technology. Javascript would be great, but what if someone doesn't have JS enabled? OAuth and a read-only API would be close-to-ideal, but they currently don't work with/don't exist on the Wikimedia servers. I am, however, open to other workable solutions that are presented - let me know. I would suggest you apply for a toolserver account: https://wiki.toolserver.org/view/Account_approval_process Once you have a toolserver account, I'd be willing to work with you to arrange for some form of direct access to all wikis' watchlist tables (I'm a toolserver root). You then wouldn't need to possess any login info. This looks like a *much* more acceptable system. Although how would you authenticate without collecting proscribed data...? Let the user prove account ownership by a talk page edit. This was the way Interiot used in his old edit counter... (is this one still active?) Marco -- VMSoft GbR Nabburger Str. 15 81737 München Geschäftsführer: Marco Schuster, Volker Hemmert http://vmsoft-gbr.de ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On 07/22/2009 05:11 PM, Ryan Lane wrote: On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwellgmaxw...@gmail.com wrote: If it has your credentials it can impersonate you, which is bad. It addressed by making it possible for the site to generate access cookies for particular resources which you could share. I.e. generate a code that gives someone read only access to my watchlist. What about OpenID + OAuth? In theory yes, I'd like to support that sort of thing. (For those unfamiliar: this would allow third party tools or sites to request limited access on a user's behalf, without exposing the user's password credentials to that third-party tool. The user would need to agree to exactly which information would be provided to the tool, and would be able to revoke the access in the future. This is broadly similar to the authorization for Flickr API clients and Facebook apps, but lots of sites are transitioning from their older proprietary protocols for this to OpenID+OAuth.) -- brion ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On 07/22/2009 06:39 PM, Aryeh Gregor wrote: On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lanerlan...@gmail.com wrote: Check out how the Flickr API works. Users can give web and desktop apps privileges (read/write/delete). It isn't really that bizarre of a concept. Read/write/delete access to what? The only cases where read access would be relevant would be what, watchlist and preferences, pretty much? At the moment, yes. However additional information is likely to end up existing in the future; some more social features (friend graph, mentor/mentee relationships, private messaging) would have obvious benefits to making new-user workflow smoother. -- brion ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 2:32 PM, Cody Jungfunkyca...@gmail.com wrote: Wouldn't adding a salt fix this? They would have to have both the username, the database, and the salt value to decrypt the wiki list. In other words, they would have to have access to your server, nothing more. No, it wouldn't fix it. After some discussion in #wikimedia-toolserver, Duesentrieb pointed out that a) this issue would be solved if MediaWiki just allowed RSS feeds for watchlists, and b) it would probably take less work for me to add that feature to MediaWiki than to develop an authentication framework that would allow users to securely permit toolserver apps access to their watchlists. MrZ-man helpfully pointed out that the API already supports watchlist feeds, so I was able to hack on support for token-based authentication pretty easily: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/53703 Major limitations right now are 1) the default is an empty string, which means don't use, so it's opt-in; 2) the URL for the feed isn't actually output anywhere. Watchlist aggregators should now be easy to set up, plus people can just use their favorite feed reader. On Thu, Jul 23, 2009 at 6:47 PM, Brion Vibberbr...@wikimedia.org wrote: At the moment, yes. However additional information is likely to end up existing in the future; some more social features (friend graph, mentor/mentee relationships, private messaging) would have obvious benefits to making new-user workflow smoother. I hope MediaWiki doesn't start tacking on random social networking features, though! ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
The toolserver rules forbid that: https://wiki.toolserver.org/view/Rules (#8) However there is gWatch which works without authentication: http://toolserver.org/~luxo/gwatch/login.php On Wed, Jul 22, 2009 at 9:59 PM, David Gerarddger...@gmail.com wrote: 2009/7/22 Sage Ross ragesoss+wikipe...@gmail.com: http://www.watchlistr.com/ is a site that creates aggregate watchlists across multiple projects. See http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool The user who made it has very little editing history, and the site aggregates watchlists across multiple projects, but requires inputting your Wikimedia password into the watchlistr.com site. I have no specific reason to think it's a scam, but if I was trying to phish passwords I would do something like this. Would something on the toolserver be safe enough in these terms? - d. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
your Wikimedia password into the watchlistr.com site. I have no specific reason to think it's a scam, but if I was trying to phish passwords I would do something like this. Would something on the toolserver be safe enough in these terms? It would seem more trustworthy, but if i recall correctly it is explicity forbidden to ask for user passwords on the toolserver. (Which is why Magnus jumped through hoops the create his TUSC thingie) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Wed, Jul 22, 2009 at 4:18 PM, David Gerarddger...@gmail.com wrote: Mmm. So solving this properly would require solving many of the various consolidated/multiple watchlist bugs in MediaWiki itself, then. Hm? No. Solving *this* involves having a sysadmin determine the source of IP of the remote logins and scrambling the password of every account which has logged in through it. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
Hoi, Would OpenID make a difference ? It seems to me that when you authenticate to both WMF projects and to this watchlistr, you would not expose passwords in the wrong place. It seems to be also a solution of allowing Commons to authenticate in this way. Thanks, GerardM 2009/7/22 Sage Ross ragesoss+wikipe...@gmail.comragesoss%2bwikipe...@gmail.com I'm not sure what to do about this; it seems like a good idea but a major security risk: http://www.watchlistr.com/ is a site that creates aggregate watchlists across multiple projects. See http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool The user who made it has very little editing history, and the site aggregates watchlists across multiple projects, but requires inputting your Wikimedia password into the watchlistr.com site. I have no specific reason to think it's a scam, but if I was trying to phish passwords I would do something like this. -Sage Ross (User:Ragesoss) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100% sure how GM script distribution works, but can't a server put files in a particular directory to have them be automatically suggested for installation by Greasemonkey? I know it's not a perfect or even nice solution, but it might help reduce the incentive for this sort of thing. Well, you *could* give your login credentials to this unafiliated unknown site, or you could just install this WMF-endorsed script on your open source Firefox extension... isn't a very difficult decision... --HM Sage Ross ragesoss+wikipe...@gmail.com wrote in message news:40c6a93a0907221207l9ab78fcy20635588c5671...@mail.gmail.com... I'm not sure what to do about this; it seems like a good idea but a major security risk: http://www.watchlistr.com/ is a site that creates aggregate watchlists across multiple projects. See http://en.wikipedia.org/w/index.php?title=Wikipedia:Bounty_board#Transwiki_watchlist_tool The user who made it has very little editing history, and the site aggregates watchlists across multiple projects, but requires inputting your Wikimedia password into the watchlistr.com site. I have no specific reason to think it's a scam, but if I was trying to phish passwords I would do something like this. -Sage Ross (User:Ragesoss) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lanerlan...@gmail.com wrote: Check out how the Flickr API works. Users can give web and desktop apps privileges (read/write/delete). It isn't really that bizarre of a concept. Read/write/delete access to what? The only cases where read access would be relevant would be what, watchlist and preferences, pretty much? I don't think we'd want this for editing, or admin-only stuff like viewing deleted pages. Preferences probably don't have a serious use-case, and if we're only left with watchlists, special-casing is the way to go. On Thu, Jul 23, 2009 at 1:18 AM, Brianna Laugherbrianna.laug...@gmail.com wrote: I was thinking that the only private data you can really access via the API is watchlist, so it's barely worth it, but then I thought that for 3rd party apps using the write API, you would definitely want to have an option for a user to use their existing Wiki*edia accounts It may not be able to take over their accounts, but it could still edit pages as them, which amounts to the same thing for many practical purposes. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Watchlistr.com, an outside site that asks for Wikimedia passwords
On Thu, Jul 23, 2009 at 9:57 AM, Aryeh Gregorsimetrical+wikil...@gmail.com wrote: On Wed, Jul 22, 2009 at 10:40 PM, Happy-melonhappy-me...@live.com wrote: I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100% sure how GM script distribution works, but can't a server put files in a particular directory to have them be automatically suggested for installation by Greasemonkey? Greasemonkey will try and install any file which ends in .js and includes a few special words. Where is this script? I couldnt find it on userscripts.org or here: http://en.wikipedia.org/wiki/Wikipedia:Tools/Greasemonkey_user_scripts Greasemonkey is far from ideal. It only works on the computer you install it on, and only works for Firefox users. That depends on how complex the script is; it could be turned into a bookmarklet, and many other browsers support user-scripts. http://en.wikipedia.org/wiki/Greasemonkey -- John Vandenberg ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l