On Fri, Jul 24, 2009 at 2:24 AM, Tim Starling tstarl...@wikimedia.org wrote:
There's plenty of ways to attack watchlistr without fully compromising
the server.
The point is that a system that allowed stealing the logins of
hundreds of Wikipedia users if you managed to compromise a third-party
Message from the developer. I will see if he's interested in
subscribing, but a forward will do for now.
Original Message
Subject: Re: Watchlistr
Date: Thu, 23 Jul 2009 11:20:19 -0500
From: Cody Jung funkyca...@gmail.com
To: Tim Starling tstarl...@wikimedia.org
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling tstarl...@wikimedia.org wrote:
To help in the proving trustworthy, or else process, I have released
the source code of Watchlistr - please take a look at it. You will see
that I take the utmost care in securing user information. The wiki
logins are
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling tstarling at wikimedia.org wrote:
They would only have to get the site usernames to decrypt the login
info. They could get those the next time each user logs in, if
they're not detected immediately. There's no way around this; if your
program
Aryeh Gregor simetrical+wikil...@gmail.com wrote in message
news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com...
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling tstarl...@wikimedia.org
wrote:
To help in the proving trustworthy, or else process, I have released
the source code
On Thu, Jul 23, 2009 at 8:50 PM, Happy-melon happy-me...@live.com wrote:
Aryeh Gregor simetrical+wikil...@gmail.com wrote in message
news:7c2a12e20907231051s638dd2f9v399ac2a79e185...@mail.gmail.com...
On Thu, Jul 23, 2009 at 1:37 PM, Tim
On 07/22/2009 05:11 PM, Ryan Lane wrote:
On Wed, Jul 22, 2009 at 3:49 PM, Gregory Maxwell gmaxw...@gmail.com wrote:
If it has your credentials it can impersonate you, which is bad.
It addressed by making it possible for the site to generate access
cookies for particular resources which you
On 07/22/2009 06:39 PM, Aryeh Gregor wrote:
On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lane rlan...@gmail.com wrote:
Check out how the Flickr API works. Users can give web and desktop
apps privileges (read/write/delete).
It isn't really that bizarre of a concept.
Read/write/delete access to
On Thu, Jul 23, 2009 at 2:32 PM, Cody Jung funkyca...@gmail.com wrote:
Wouldn't adding a salt fix this? They would have to have both the
username, the database, and the salt value to decrypt the wiki list.
In other words, they would have to have access to your server, nothing
more. No, it
The toolserver rules forbid that:
https://wiki.toolserver.org/view/Rules (#8)
However there is gWatch which works without authentication:
http://toolserver.org/~luxo/gwatch/login.php
On Wed, Jul 22, 2009 at 9:59 PM, David Gerard dger...@gmail.com wrote:
2009/7/22 Sage Ross
your Wikimedia password into the watchlistr.com site. I have no
specific reason to think it's a scam, but if I was trying to phish
passwords I would do something like this.
Would something on the toolserver be safe enough in these terms?
It would seem more trustworthy, but if I recall
On Wed, Jul 22, 2009 at 4:18 PM, David Gerard dger...@gmail.com wrote:
Mmm. So solving this properly would require solving many of the
various consolidated/multiple watchlist bugs in MediaWiki itself,
then.
Hm? No. Solving *this* involves having a sysadmin determine the source
of IP of the
Hoi,
Would OpenID make a difference? It seems to me that when you authenticate
to both WMF projects and to this watchlistr, you would not expose passwords
in the wrong place. It seems to be also a solution of allowing Commons to
authenticate in this way.
Thanks,
GerardM
2009/7/22 Sage Ross
I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100%
sure how GM script distribution works, but can't a server put files in a
particular directory to have them be automatically suggested for
installation by Greasemonkey?
I know it's not a perfect or even nice solution,
On Thu, Jul 23, 2009 at 1:02 AM, Ryan Lane rlan...@gmail.com wrote:
Check out how the Flickr API works. Users can give web and desktop
apps privileges (read/write/delete).
It isn't really that bizarre of a concept.
Read/write/delete access to what? The only cases where read access
would be
On Thu, Jul 23, 2009 at 9:57 AM, Aryeh Gregor simetrical+wikil...@gmail.com wrote:
On Wed, Jul 22, 2009 at 10:40 PM, Happy-melon happy-me...@live.com wrote:
I have a Greasemonkey script that does this, IMO, very nicely. I'm not 100%
sure how GM script distribution works, but can't a server put
16 matches