Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-13 Thread Matthew Flaschen

On 08/07/2014 09:58 AM, Casey Brown wrote:

One of the most common methods, other than through text messages, is
the Google Authenticator App that anyone can download for free on a
smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.


There are also open source versions of this (including one on F-Droid).

Both text messaging and Android are pretty widely deployed, including in 
non-western countries.  In a lot of places, mobile is more widely 
deployed than desktop, so I think there are a lot of people who could 
take advantage of two-factor authentication.


It helps that the app versions (e.g. Google Authenticator) do not even 
require Internet access.


Matt

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-09 Thread Pine W
Thanks for the good news about OATH.

Are WMF staff required to use some form of authentication in addition to a
password for their email and other sensitive accounts? Now might be a good
time to look at the security of staff account access. I would think about
requiring Google's standard two factor authentication via password and cell
phone.

Of course mobile phone security should also be considered. Encrypting all
mobile phones (and other mobile devices like tablets and laptops) used for
Foundation business would be good as well.

Pine
On Aug 7, 2014 2:04 PM, Chris Steipp cste...@wikimedia.org wrote:

 On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo tylerro...@gmail.com wrote:
  In terms of external authentication, we need Extension:OpenID to catch
 up to the OpenID standard in order to do that.
 
  In terms of two-factor, I have like eight patches for Extension:OATHAuth
 attempting to make it production-worthy.
 
  https://gerrit.wikimedia.org/r/132783

 Nice! I hadn't realized you had got so far on this. Maybe Ryan and I
 can get those merged in...

 To address Risker's comment, OATH is an open standard with lots of
 tools to generate the tokens, so you can use a secure token if you
 want to be more secure, or a browser plugin if you're just worried
 about someone stealing your password (which would significantly help
 our threat model in countries where we can't force https).

 Client TLS certificates are sadly really hard to manage in any sort of
 secure way, when you don't control the end user's machines.

  --
  Tyler Romeo
  0x405D34A7C86B42DF
 
  From: svetlana svetl...@fastmail.com.au
  Reply: Wikimedia developers wikitech-l@lists.wikimedia.org
  Date: August 6, 2014 at 7:57:12
  To: wikitech-l@lists.wikimedia.org wikitech-l@lists.wikimedia.org
  Subject:  Re: [Wikitech-l] News about stolen Internet credentials;
 reducing Wikimedia reliance on usernames and passwords
 
  On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
  On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
   After reading this [1] I am wondering if Wikimedia should start taking
   steps to reduce reliance on usernames and passwords.
 
  What steps do you refer to, or is this intentionally vague?
  Disallowing usernames and logins?
  Two-step authentication/verification?
  Something else?
 
  andre
 
  from what i could read and parse:
  use less of external things like skype and google accounts
  so that there is only 1 username for everything
 

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Brian Wolff
On Aug 6, 2014 8:57 AM, svetlana svetl...@fastmail.com.au wrote:

 On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
  On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
   After reading this [1] I am wondering if Wikimedia should start taking
   steps to reduce reliance on usernames and passwords.
 
  What steps do you refer to, or is this intentionally vague?
  Disallowing usernames and logins?
  Two-step authentication/verification?
  Something else?
 
  andre

 from what i could read and parse:
 use less of external things like skype and google accounts
 so that there is only 1 username for everything



The solution to stolen credentials is to combine all credentials so that a
single credential can control everything?

--bawolff

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Pine W
I think we should start looking at alternative authentication systems
especially for high risk accounts. There are several variations on the
theme of one-time passwords that I think could be explored.

Pine
On Aug 6, 2014 11:05 PM, Brian Wolff bawo...@gmail.com wrote:

 On Aug 6, 2014 8:57 AM, svetlana svetl...@fastmail.com.au wrote:
 
  On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
   On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start
 taking
steps to reduce reliance on usernames and passwords.
  
   What steps do you refer to, or is this intentionally vague?
   Disallowing usernames and logins?
   Two-step authentication/verification?
   Something else?
  
   andre
 
  from what i could read and parse:
  use less of external things like skype and google accounts
  so that there is only 1 username for everything
 
 

 The solution to stolen credentials is to combine all credentials so that a
 single credential can control everything?

 --bawolff

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Risker
As someone with one of those high risk accounts, one time passwords would
be more likely to make me drop those permissions.  Any administrator has a
high risk account given the opportunities that they have.

Risker/Anne


On 7 August 2014 07:59, Pine W wiki.p...@gmail.com wrote:

 I think we should start looking at alternative authentication systems
 especially for high risk accounts. There are several variations on the
 theme of one-time passwords that I think could be explored.

 Pine
 On Aug 6, 2014 11:05 PM, Brian Wolff bawo...@gmail.com wrote:

  On Aug 6, 2014 8:57 AM, svetlana svetl...@fastmail.com.au wrote:
  
   On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
 After reading this [1] I am wondering if Wikimedia should start
  taking
 steps to reduce reliance on usernames and passwords.
   
What steps do you refer to, or is this intentionally vague?
Disallowing usernames and logins?
Two-step authentication/verification?
Something else?
   
andre
  
   from what i could read and parse:
   use less of external things like skype and google accounts
   so that there is only 1 username for everything
  
  
 
  The solution to stolen credentials is to combine all credentials so that
 a
  single credential can control everything?
 
  --bawolff

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Brian Wolff
Do you have anything specific in mind? Hard to say how feasible
something is/evaluate without being more specific.

Most non-password alternatives that I can think of (e.g. Having public
private key pairs or something) have the problem that they can't
really be integrated well enough into a web browser based environment
that folks other than the most technical of users find them an
acceptable burden.

--bawolff
On 8/7/14, Pine W wiki.p...@gmail.com wrote:
 I think we should start looking at alternative authentication systems
 especially for high risk accounts. There are several variations on the
 theme of one-time passwords that I think could be explored.

 Pine
 On Aug 6, 2014 11:05 PM, Brian Wolff bawo...@gmail.com wrote:

 On Aug 6, 2014 8:57 AM, svetlana svetl...@fastmail.com.au wrote:
 
  On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
   On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start
 taking
steps to reduce reliance on usernames and passwords.
  
   What steps do you refer to, or is this intentionally vague?
   Disallowing usernames and logins?
   Two-step authentication/verification?
   Something else?
  
   andre
 
  from what i could read and parse:
  use less of external things like skype and google accounts
  so that there is only 1 username for everything
 
 

 The solution to stolen credentials is to combine all credentials so that a
 single credential can control everything?

 --bawolff

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Chad
On Thu, Aug 7, 2014 at 9:49 AM, Risker risker...@gmail.com wrote:

 As someone with one of those high risk accounts, one time passwords would
 be more likely to make me drop those permissions.  Any administrator has a
 high risk account given the opportunities that they have.

 Risker/Anne


+1.

I'm lazy and wouldn't want the burden of remembering more
than password123 as my password (same password I use
everywhere, again, I'm lazy)

-Chad

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Martijn Hoekstra
On Thursday, August 7, 2014, Brian Wolff bawo...@gmail.com wrote:

 Do you have anything specific in mind? Hard to say how feasible
 something is/evaluate without being more specific.

 Most non-password alternatives that I can think of (e.g. Having public
 private key pairs or something) have the problem that they can't
 really be integrated well enough into a web browser based environment
 that folks other than the most technical of users find them an
 acceptable burden.


 --bawolff


I've long wondered about that. Are there really no browser based public key
based solutions? Are there any fundamental reasons why that is like that
other than that it never got implemented, or never became popular?

It seems like the right solution for the password problem.

-Martijn



 On 8/7/14, Pine W wiki.p...@gmail.com wrote:
  I think we should start looking at alternative authentication systems
  especially for high risk accounts. There are several variations on the
  theme of one-time passwords that I think could be explored.
 
  Pine
  On Aug 6, 2014 11:05 PM, Brian Wolff bawo...@gmail.com wrote:
 
  On Aug 6, 2014 8:57 AM, svetlana svetl...@fastmail.com.au wrote:
  
   On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
 After reading this [1] I am wondering if Wikimedia should start
  taking
 steps to reduce reliance on usernames and passwords.
   
What steps do you refer to, or is this intentionally vague?
Disallowing usernames and logins?
Two-step authentication/verification?
Something else?
   
andre
  
   from what i could read and parse:
   use less of external things like skype and google accounts
   so that there is only 1 username for everything
  
  
 
  The solution to stolen credentials is to combine all credentials so
 that a
  single credential can control everything?
 
  --bawolff

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread svetlana
On Thu, 7 Aug 2014, at 19:50, Martijn Hoekstra wrote:
 On Thursday, August 7, 2014, Brian Wolff bawo...@gmail.com wrote:
 
  Do you have anything specific in mind? Hard to say how feasible
  something is/evaluate without being more specific.
 
  Most non-password alternatives that I can think of (e.g. Having public
  private key pairs or something) have the problem that they can't
  really be integrated well enough into a web browser based environment
  that folks other than the most technical of users find them an
  acceptable burden.
 
 
  --bawolff
 
 
 I've long wondered about that. Are there really no browser based public key
 based solutions? 
 [...]
 -Martijn

certfp authentication ?
ex. https://freenode.net/certfp/certfp-chatzilla.shtml

svetlana


Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Brian Wolff

 I've long wondered about that. Are there really no browser based public key
 based solutions? Are there any fundamental reasons why that is like that
 other than that it never got implemented, or never became popular?

 It seems like the right solution for the password problem.

 -Martijn



I think TLS has a feature where the client can also provide a
certificate, in order to use certificates to authenticate users. I've
never heard of a site actually using it.

--bawolff


Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Risker
On 7 August 2014 10:49, Chad innocentkil...@gmail.com wrote:

 On Thu, Aug 7, 2014 at 9:49 AM, Risker risker...@gmail.com wrote:

  As someone with one of those high risk accounts, one time passwords
 would
  be more likely to make me drop those permissions.  Any administrator has
 a
  high risk account given the opportunities that they have.
 
  Risker/Anne
 
 
 +1.

 I'm lazy and wouldn't want the burden of remembering more
 than password123 as my password (same password I use
 everywhere, again, I'm lazy)


Oh I have no problem with regular forced password changes, say quarterly or
so; I'm used to that in other contexts.  But not a one-time password, which
will actually increase risk because people will choose keep me logged in
to avoid having to get a new  password every time they want to log in.

These tend also to be solutions coming from moneyed countries, and some of
these things involve technology that is not globally available.

Risker/Anne

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Shawn Jones


On Aug 7, 2014, at 6:01, Brian Wolff bawo...@gmail.com wrote:

 
 I've long wondered about that. Are there really no browser based public key
 based solutions? Are there any fundamental reasons why that is like that
 other than that it never got implemented, or never became popular?
 
 It seems like the right solution for the password problem.
 
 -Martijn
 
 I think TLS has a feature where the client can also provide a
 certificate, in order to use certificates to authenticate users. I've
 never heard of a site actually using it.
 

I'd have to research the particulars, but I've seen many government/corporate 
sites use TLS for user authentication with the Apache HTTP Server or JBoss.  I 
know we bounced the client certs off of CAs and CRLs on the server for 
authentication, but don't remember how we shared the distinguished name (DN) 
with the higher level program (e.g. PHP) for authorization.  I'll see what I 
can find.

--Shawn

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Petr Bena
Hm... and I am a lazy hacker, so now when you told us your password,
could you please give me your username as well so that I don't have to
search it? Thanks! :P

On Thu, Aug 7, 2014 at 11:49 AM, Chad innocentkil...@gmail.com wrote:
 I'm lazy and wouldn't want the burden of remembering more
 than password123 as my password (same password I use
 everywhere, again, I'm lazy)

 -Chad

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Petr Bena
nevermind, I just figured out that I can edit almost anything on
wikipedia even without password... what a hacker am I!

BTW: those with high-risk accounts should use strong passwords, which
could be very safe at some point. I once suggested some security
enhancements that wouldn't impact users at all, but they weren't
supported much with reason that sounded to me like nobody cares about
security on projects like wikipedia

On Thu, Aug 7, 2014 at 12:59 PM, Petr Bena benap...@gmail.com wrote:
 Hm... and I am a lazy hacker, so now when you told us your password,
 could you please give me your username as well so that I don't have to
 search it? Thanks! :P

 On Thu, Aug 7, 2014 at 11:49 AM, Chad innocentkil...@gmail.com wrote:
 I'm lazy and wouldn't want the burden of remembering more
 than password123 as my password (same password I use
 everywhere, again, I'm lazy)

 -Chad

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Brian Wolff

 Oh I have no problem with regular forced password changes, say quarterly or
 so; I'm used to that in other contexts.  But not a one-time password, which
 will actually increase risk because people will choose keep me logged in
 to avoid having to get a new  password every time they want to log in.


I believe there's some research to suggest that quarterly password
changes decrease overall security. I personally would not like having
to do that.

 These tend also to be solutions coming from moneyed countries, and some of
 these things involve technology that is not globally available.


I'm not sure what you mean by that.

--bawolff


Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Risker
On 7 August 2014 12:04, Brian Wolff bawo...@gmail.com wrote:

 
  Oh I have no problem with regular forced password changes, say quarterly
 or
  so; I'm used to that in other contexts.  But not a one-time password,
 which
  will actually increase risk because people will choose keep me logged
 in
  to avoid having to get a new  password every time they want to log in.
 

 I believe there's some research to suggest that quarterly password
 changes decrease overall security. I personally would not like having
 to do that.

  These tend also to be solutions coming from moneyed countries, and some
 of
  these things involve technology that is not globally available.
 

 I'm not sure what you mean by that.


A lot of the solutions normally bandied about involve things like
two-factor identification, which has the additional password coming
through a separate route (e.g., gmail two-factor ID sends a second password
as a text to a mobile) and means having more expensive technology, or using
technology like dongles that cannot be sent to users in certain countries.

I stick to my strong passwords and also subscribe to the xkcd password
theory.[1]

Risker/Anne

[1] https://www.xkpasswd.net/c/index.cgi

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Florian Schmidt
I think a two-way authentication is the first good step to increase the 
security of account authentication, like wikitech still uses it. But it's 
still a user decision to activate it or not?

Freundliche Grüße / Kind regards
Florian

-Original Message-
From: wikitech-l-boun...@lists.wikimedia.org 
[mailto:wikitech-l-boun...@lists.wikimedia.org] On behalf of Risker
Sent: Thursday, 7 August 2014 10:50
To: Wikimedia developers
Subject: Re: [Wikitech-l] News about stolen Internet credentials; reducing 
Wikimedia reliance on usernames and passwords

As someone with one of those high risk accounts, one time passwords would be 
more likely to make me drop those permissions.  Any administrator has a high 
risk account given the opportunities that they have.

Risker/Anne


On 7 August 2014 07:59, Pine W wiki.p...@gmail.com wrote:

 I think we should start looking at alternative authentication systems 
 especially for high risk accounts. There are several variations on the 
 theme of one-time passwords that I think could be explored.

 Pine
 On Aug 6, 2014 11:05 PM, Brian Wolff bawo...@gmail.com wrote:

  On Aug 6, 2014 8:57 AM, svetlana svetl...@fastmail.com.au wrote:
  
   On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
 After reading this [1] I am wondering if Wikimedia should 
 start
  taking
 steps to reduce reliance on usernames and passwords.
   
What steps do you refer to, or is this intentionally vague?
Disallowing usernames and logins?
Two-step authentication/verification?
Something else?
   
andre
  
   from what i could read and parse:
   use less of external things like skype and google accounts so that 
   there is only 1 username for everything
  
  
 
  The solution to stolen credentials is to combine all credentials so 
  that
 a
  single credential can control everything?
 
  --bawolff

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Tyler Romeo
On Thu, Aug 7, 2014 at 6:01 AM, Brian Wolff bawo...@gmail.com wrote:

 I think TLS has a feature where the client can also provide a
 certificate, in order to use certificates to authenticate users. I've
 never heard of a site actually using it.


Indeed.

https://www.mediawiki.org/wiki/Extension:SSLClientAuthentication

-- 
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Casey Brown
On Thu, Aug 7, 2014 at 8:10 AM, Risker risker...@gmail.com wrote:
 A lot of the solutions  normally bandied about involve things like
 two-factor identification, which has the additional password coming
 through a separate route (e.g., gmail two-factor ID sends a second password
 as a text to a mobile) and means having more expensive technology) or using
 technology like dongles that cannot be sent to users in certain countries.

Actually, most modern internet implementations use the TOTP algorithm
open standard that anyone can use for free.
https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
One of the most common methods, other than through text messages, is
the Google Authenticator App that anyone can download for free on a
smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.

I'm not sure we can make any of these extra protections *required*
without a lot of discussion, but giving people the option will
certainly help. Wikimedians are usually a pretty geeky and paranoid
bunch, so I think a good amount of people would take advantage of
additional security features. This is especially true given how many
people use https://en.wikipedia.org/wiki/Template:User_committed_identity
on enwiki, something I've never really understood the point of. :-)

-- 
Casey Brown (Cbrown1023)
caseybrown.org


Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Ryan Lane
On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown li...@caseybrown.org wrote:

 On Thu, Aug 7, 2014 at 8:10 AM, Risker risker...@gmail.com wrote:
  A lot of the solutions  normally bandied about involve things like
  two-factor identification, which has the additional password coming
  through a separate route (e.g., gmail two-factor ID sends a second
 password
  as a text to a mobile) and means having more expensive technology) or
 using
  technology like dongles that cannot be sent to users in certain
 countries.

 Actually, most modern internet implementations use the TOTP algorithm
 open standard that anyone can use for free.
 https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
 One of the most common methods, other than through text messages, is
 the Google Authenticator App that anyone can download for free on a
 smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.


Yep. This. It's already being used for high-risk accounts on
wikitech.wikimedia.org. It's not in good enough shape to be used anywhere
else, since if you lose your device you'd lose your account. Supporting two
factor auth also requires supporting multiple ways to rescue your account
if you lose your device (and don't write down your scratch tokens, which is
common). Getting this flow to work in a way that actually adds any security
benefit is difficult. See the amount of effort Google has gone through for
this.

Let's be a little real here, though. There's honestly no good reason to
target these accounts. There's basically no major damage they can do and
there's very little private information accessible to them, so attackers
don't really care enough to attack them.

We should take basic account security seriously, but we shouldn't go
overboard.

- Ryan

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Pine W
There are good reasons people would target checkuser accounts, WMF staff
email accounts, and other accounts that have access to lots of private info
like functionary email accounts and accounts with access to restricted IRC
channels.

Pine


On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane rlan...@gmail.com wrote:

 On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown li...@caseybrown.org wrote:

  On Thu, Aug 7, 2014 at 8:10 AM, Risker risker...@gmail.com wrote:
   A lot of the solutions  normally bandied about involve things like
   two-factor identification, which has the additional password coming
   through a separate route (e.g., gmail two-factor ID sends a second
  password
   as a text to a mobile) and means having more expensive technology) or
  using
   technology like dongles that cannot be sent to users in certain
  countries.
 
  Actually, most modern internet implementations use the TOTP algorithm
  open standard that anyone can use for free.
  https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
  One of the most common methods, other than through text messages, is
  the Google Authenticator App that anyone can download for free on a
  smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.
 
 
 Yep. This. It's already being used for high-risk accounts on
 wikitech.wikimedia.org. It's not in good enough shape to be used anywhere
 else, since if you lose your device you'd lose your account. Supporting two
 factor auth also requires supporting multiple ways to rescue your account
 if you lose your device (and don't write down your scratch tokens, which is
 common). Getting this flow to work in a way that actually adds any security
 benefit is difficult. See the amount of effort Google has gone through for
 this.

 Let's be a little real here, though. There's honestly no good reason to
 target these accounts. There's basically no major damage they can do and
 there's very little private information accessible to them, so attackers
 don't really care enough to attack them.

 We should take basic account security seriously, but we shouldn't go
 overboard.

 - Ryan

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Ryan Lane
On Thu, Aug 7, 2014 at 11:27 AM, Pine W wiki.p...@gmail.com wrote:

 There are good reasons people would target checkuser accounts, WMF staff
 email accounts, and other accounts that have access to lots of private info
 like functionary email accounts and accounts with access to restricted IRC
 channels.


WMF uses gmail; they should force-require the use of two factor
authentication for their employees if they care about that. Restricted IRC
channels also don't have anything to do with Wikimedia wiki account
security (and IRC security is a joke anyway, so if we're really relying on
that to be secure, shame on us).

- Ryan

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Pine W
There are sensitive communications over IRC such as harassment
investigations, although hopefully not to the degree that sensitive info
goes over email. I use what is advertised as a secure method of accessing
IRC, but that is still probably much weaker than end-to-end email
encryption. We could look into a more secure messaging system, but my top
concern is the security of staff email, Google Docs, staff accounts with
access to un-sanitized analytics data. I would start there, followed by
Arbcom/CU/OS wiki and email accounts, and probably IRC last.

Pine



Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Chad
My staff email is boring. You're more than welcome to break in.

-Chad
On Aug 7, 2014 7:27 PM, Pine W wiki.p...@gmail.com wrote:

 There are good reasons people would target checkuser accounts, WMF staff
 email accounts, and other accounts that have access to lots of private info
 like functionary email accounts and accounts with access to restricted IRC
 channels.

 Pine


 On Thu, Aug 7, 2014 at 11:21 AM, Ryan Lane rlan...@gmail.com wrote:

  On Thu, Aug 7, 2014 at 6:58 AM, Casey Brown li...@caseybrown.org
 wrote:
 
   On Thu, Aug 7, 2014 at 8:10 AM, Risker risker...@gmail.com wrote:
A lot of the solutions  normally bandied about involve things like
two-factor identification, which has the additional password coming
through a separate route (e.g., gmail two-factor ID sends a second
   password
as a text to a mobile) and means having more expensive technology) or
   using
technology like dongles that cannot be sent to users in certain
   countries.
  
   Actually, most modern internet implementations use the TOTP algorithm
   open standard that anyone can use for free.
   https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
   One of the most common methods, other than through text messages, is
   the Google Authenticator App that anyone can download for free on a
   smart phone. https://en.wikipedia.org/wiki/Google_Authenticator.
  
  
  Yep. This. It's already being used for high-risk accounts on
  wikitech.wikimedia.org. It's not in good enough shape to be used
 anywhere
  else, since if you lose your device you'd lose your account. Supporting
 two
  factor auth also requires supporting multiple ways to rescue your account
  if you lose your device (and don't write down your scratch tokens, which
 is
  common). Getting this flow to work in a way that actually adds any
 security
  benefit is difficult. See the amount of effort Google has gone through
 for
  this.
 
  Let's be a little real here, though. There's honestly no good reason to
  target these accounts. There's basically no major damage they can do and
  there's very little private information accessible to them, so attackers
  don't really care enough to attack them.
 
  We should take basic account security seriously, but we shouldn't go
  overboard.
 
  - Ryan

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Chris Steipp
On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo tylerro...@gmail.com wrote:
 In terms of external authentication, we need Extension:OpenID to catch up to 
 the OpenID standard in order to do that.

 In terms of two-factor, I have like eight patches for Extension:OATHAuth 
 attempting to make it production-worthy.

 https://gerrit.wikimedia.org/r/132783

Nice! I hadn't realized you had got so far on this. Maybe Ryan and I
can get those merged in...

To address Risker's comment, OATH is an open standard with lots of
tools to generate the tokens, so you can use a secure token if you
want to be more secure, or a browser plugin if you're just worried
about someone stealing your password (which would significantly help
our threat model in countries where we can't force https).

Client TLS certificates are sadly really hard to manage in any sort of
secure way, when you don't control the end user's machines.

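An added illustration of the mechanism Casey and Ryan describe above (TOTP as used by Google Authenticator, plus scratch tokens for the lost-device case) and of the OATH tokens Chris mentions. This is example code written for this page, not code from Extension:OATHAuth or from any poster. It follows the RFC 4226/6238 defaults that Authenticator apps implement (HMAC-SHA1, 30-second step, 6 digits); the one-step acceptance window on either side, the last-used-counter replay guard and the hashed single-use scratch-token scheme are assumptions about a sensible server-side design, not a description of what the extension does.

```python
"""TOTP (RFC 6238) verification with a replay guard and one-time scratch tokens.

Example code added for this thread; it is not Extension:OATHAuth code.
Window size, replay guard and scratch-token format are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30      # seconds per time step (RFC 6238 default, what Authenticator apps use)
DIGITS = 6     # code length (RFC default)
WINDOW = 1     # assumption: accept counters t-1 .. t+1 to tolerate phone clock drift


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits)


def base32_secret(raw: bytes) -> str:
    """The secret in the base32 form an otpauth:// URI / QR code carries."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


class SecondFactor:
    """Server-side state for one account: the shared TOTP secret, the last
    counter accepted (so a code sniffed in transit cannot be replayed inside
    the window) and hashed single-use scratch tokens for device loss."""

    def __init__(self, key: bytes, scratch_count: int = 5):
        self.key = key
        self.last_counter = -1
        # Assumption: scratch tokens are 8-digit, stored hashed like passwords;
        # the plaintext list is shown to the user once at enrolment only.
        self.scratch_hashes = set()
        self.plain_scratch = []
        for _ in range(scratch_count):
            tok = f"{secrets.randbelow(10 ** 8):08d}"
            self.plain_scratch.append(tok)
            self.scratch_hashes.add(self._h(tok))

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        """Accept a code for any counter in the drift window that is newer than
        the last accepted one; reject replays and anything older."""
        now = int(time.time()) if now is None else now
        t = now // STEP
        for counter in range(t - WINDOW, t + WINDOW + 1):
            if counter <= self.last_counter:   # also skips negative counters
                continue
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False

    def verify_scratch(self, token: str) -> bool:
        """Each scratch token works exactly once; it is removed on first use."""
        h = self._h(token)
        if h in self.scratch_hashes:
            self.scratch_hashes.discard(h)
            return True
        return False
```

With the RFC 6238 test key `b"12345678901234567890"` the code at Unix time 59 is 287082 (the 8-digit form 94287082 is the value in the RFC's table), which is a quick way to check a deployment against what a phone app will produce. Because the window lets a code stay valid for up to three steps, the `last_counter` guard is what stops an attacker who observed a code on an unencrypted connection from presenting it a few seconds later; and scratch tokens being consumed on use is what keeps a written-down list from becoming a second static password.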

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-06 Thread Andre Klapper
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
 After reading this [1] I am wondering if Wikimedia should start taking
 steps to reduce reliance on usernames and passwords.

What steps do you refer to, or is this intentionally vague?
Disallowing usernames and logins?
Two-step authentication/verification?
Something else?

andre
-- 
Andre Klapper | Wikimedia Bugwrangler
http://blogs.gnome.org/aklapper/



Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-06 Thread svetlana
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
 On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
  After reading this [1] I am wondering if Wikimedia should start taking
  steps to reduce reliance on usernames and passwords.
 
 What steps do you refer to, or is this intentionally vague?
 Disallowing usernames and logins?
 Two-step authentication/verification?
 Something else?
 
 andre

From what I could read and parse:
use less of external things like Skype and Google accounts
so that there is only 1 username for everything


Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-06 Thread Tyler Romeo
In terms of external authentication, we need Extension:OpenID to catch up to 
the OpenID standard in order to do that.

In terms of two-factor, I have like eight patches for Extension:OATHAuth 
attempting to make it production-worthy.

https://gerrit.wikimedia.org/r/132783
-- 
Tyler Romeo
0x405D34A7C86B42DF


[Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-05 Thread Pine W
After reading this [1] I am wondering if Wikimedia should start taking
steps to reduce reliance on usernames and passwords. This issue is relevant
to WMF and thematic organization staff email accounts, on-wiki accounts
especially those with CU/OS and Arbcom roles, and other sensitive Wikimedia
credentials. This issue is also relevant to staff and volunteer accounts with
third party services like Google Docs, Gmail, Skype, etc that are used to
conduct Wikimedia related activities.

Pine

[1]
http://mobile.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html