Message from the developer. I will see if he's interested in
subscribing, but a forward will do for now.

-------- Original Message --------
Subject:     Re: Watchlistr
Date:     Thu, 23 Jul 2009 11:20:19 -0500
From:     Cody Jung <funkyca...@gmail.com>
To:     Tim Starling <tstarl...@wikimedia.org>

Hey there Tim,
Apologies, I am not actually sure how to post to a mailing list; if
you would, could you post this for me?


I completely understand the hesitation (and, indeed, the outright
repulsion) to my application. Although I am confident in the security
of Watchlistr, I realize that, out of the blue, it seems very
suspicious. When I saw the post by MrZaius on the Wikipedia Bounty
Board I thought to myself "Why hasn't anyone done this before? It
seems really easy to implement!"

Now I see why.

Therefore, I would like to address several points brought up by the
Wikitech-l mailing list users. I will start at the top of the thread
and work down, addressing various comments as I go.

To Sage Ross:
Although I have very little editing experience, as far as the
Wikimedia projects go, anyway, when I saw the request for a transwiki
watchlist tool, I thought "this is how I can help improve Wikipedia.
This is something I _know_ how to do, and well." I want to assure
everyone that my intentions were good (if not a little misguided), and
I have no intention of phishing for anyone's accounts.

To Michael Rosenthal:
I have looked at gWatch, but the fundamental issue I see with it is
the fact that you have to "watch" something twice -- you must manually
enter pages to watch, and that just seems a little silly.

To Gregory Maxwell and Aryeh Gregor:
Until such time as my application can be a) proven trustworthy, or b)
improved to *not* use passwords, I have removed all user accounts (all
4 of them...), and frozen registrations. I do, however, ask that you
_please_ do not block the IP addresses at the server level. I am
on a shared hosting solution, and doing that could very well create
issues with other users with my host.

To help in the "proving trustworthy, or else" process, I have released
the source code of Watchlistr - please take a look at it. You will see
that I take the utmost care in securing user information. The wiki
logins are encrypted with AES in our database. The key used to encrypt
each user's login list is their site username, which is stored as a
SHA1 hash in our database. If a cracker were to, somehow, gain access
to the database, they would be left with a pile of garbage.

Here's how the site works:

User logs in -> Their username is hashed and checked against the
database, if it matches -> we make a session with that username as a
variable in it for later access.
When the user accesses their aggregate watchlist for the first time
each session, we take the username, decrypt the wiki list, and log
them in to their sites. The cURL cookies that result are then stored
above the web server, in a protected directory. The passwords do not
get used for the rest of the session (the stored cookies are used
instead).
When the user logs out, the session is destroyed and the cURL
cookiejar is deleted.

As for the other solutions that were presented - I was really trying
to create a cross-platform, cross-browser solution that would not
hinge on one particular technology. Javascript would be great, but
what if someone doesn't have JS enabled? OAuth and a read-only API
would be close-to-ideal, but they currently don't work with/don't
exist on the Wikimedia servers. I am, however, open to other workable
solutions that are presented - let me know.

Apologies once again for the uproar I have caused,
Cody Jung
Developer, Watchlistr


On Wed, Jul 22, 2009 at 10:48 PM, Tim
Starling<tstarl...@wikimedia.org> wrote:
> Please comment on the wikitech-l discussion about whether or not to
> block watchlistr.com from Wikimedia servers:
>
> http://lists.wikimedia.org/pipermail/wikitech-l/2009-July/044238.html
>
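The key-handling scheme described in the message above (wiki login list encrypted with AES, key taken from the site username, username stored as a SHA1 hash) and the login-then-decrypt flow under "Here's how the site works", as an added example written for this page; it is not Watchlistr's released source. It reconstructs the described key derivation in stdlib Python, with a SHA-256 counter-mode keystream standing in for AES so it runs without third-party packages (the cipher is not the point, the key is), shows what a holder of a database copy can do with a list of candidate usernames, and contrasts a variant that derives the key from the user's Watchlistr password through PBKDF2 with a per-user salt and an HMAC tag. The account names, the sample login list and the guess list are constructed.

```python
"""Key-derivation contrast for an encrypted credential store (added example)."""
import hashlib
import hmac
import os

# Constructed sample data; not real accounts or passwords.
SAMPLE_LOGINS = "en.wikipedia.org:ExampleUser:hunter2;commons.wikimedia.org:ExampleUser:hunter2"
SAMPLE_GUESSES = ["Jimbo", "MrZaius", "ExampleUser", "Cody"]
PBKDF2_ROUNDS = 100_000


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the AES cipher mentioned in the message: SHA-256 in counter mode.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


# --- Scheme as described: key material is the username, lookup column is SHA1(username)
def weak_store(username: str, wiki_logins: str) -> dict:
    key = hashlib.sha256(username.encode()).digest()  # fixed-length key from the username alone
    nonce = os.urandom(16)
    return {
        "user_hash": hashlib.sha1(username.encode()).hexdigest(),
        "nonce": nonce,
        "blob": xor_keystream(key, nonce, wiki_logins.encode()),
    }


def weak_load(username: str, row: dict) -> str:
    key = hashlib.sha256(username.encode()).digest()
    return xor_keystream(key, row["nonce"], row["blob"]).decode()


def attack_weak(row: dict, candidate_usernames):
    """A database thief's view: wiki usernames are public (page histories), and
    SHA1 of a short string is cheap to test, so guessing the username recovers
    both the lookup hash and the decryption key."""
    for name in candidate_usernames:
        if hashlib.sha1(name.encode()).hexdigest() == row["user_hash"]:
            return name, weak_load(name, row)
    return None


# --- Hardened variant: key from the (never stored) Watchlistr password via PBKDF2,
# per-user random salt, encrypt-then-MAC so a wrong key is detected, not garbage.
def derive_keys(password: str, salt: bytes):
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]  # encryption key, MAC key


def strong_store(username: str, password: str, wiki_logins: str) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    blob = xor_keystream(enc_key, nonce, wiki_logins.encode())
    tag = hmac.new(mac_key, nonce + blob, hashlib.sha256).digest()
    return {"user_hash": hashlib.sha1(username.encode()).hexdigest(),
            "salt": salt, "nonce": nonce, "blob": blob, "tag": tag}


def strong_load(password: str, row: dict):
    enc_key, mac_key = derive_keys(password, row["salt"])
    expected = hmac.new(mac_key, row["nonce"] + row["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, row["tag"]):
        return None  # wrong password or tampered row
    return xor_keystream(enc_key, row["nonce"], row["blob"]).decode()


def demo() -> dict:
    weak_row = weak_store("ExampleUser", SAMPLE_LOGINS)
    strong_row = strong_store("ExampleUser", "correct horse battery staple", SAMPLE_LOGINS)
    return {
        "weak_recovered": attack_weak(weak_row, SAMPLE_GUESSES),
        "strong_ok": strong_load("correct horse battery staple", strong_row),
        "strong_wrong": strong_load("ExampleUser", strong_row),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

In the hardened variant the derived key exists only for the session, which matches the described flow of decrypting once at first watchlist access and then working from stored cookies; what changes is that a copy of the database table no longer contains everything needed to recover the wiki passwords.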


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
