The Wikipedia Signpost
The Wikipedia Signpost
Single-Page View Archives



Volume 3, Issue 20 14 May 2007 About the Signpost

(← Prev) 2007 archives (Next →)

Administrator status restored to five accounts after emergency desysopping User committed identities provide protection against account hijacking
Academic journals multiply their analyses of Wikipedia WikiWorld comic: "Ubbi dubbi"
Features and admins The Report on Lengthy Litigation

Home  |  Archives  |  Newsroom  |  Tip Line Shortcut : WP:POST/A

SPV

Administrator status restored to five accounts after emergency desysopping

Last week the Signpost reported that four administrator accounts which had used weak or insecure passwords were indefinitely blocked and desysopped after they were hijacked by an unknown person who cracked the password.

This week, a fifth administrator account was temporarily hijacked by the same vandal, although it was restored to the user's control a few hours later. All four of the original administrator accounts have been unblocked and resysopped. Mangojuice has proposed a method by which editors may place encrypted identifying information about themselves on their user pages, so they can easily confirm their identity in case of future password attacks (see related story).

KnowledgeOfSelf

On Tuesday, 8 May, KnowledgeOfSelf (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) reported (via an alternate account ActWonActToo) that he had been logged out of his account and his password and e-mail address had been changed. Commenters on the Administrators' noticeboard were initially split on whether to accept the claim, but when KnowledgeOfSelf uploaded an obscene image with a deceptive name, the account was immediately blocked and desysopped. Checkuser confirmed that ActwonActToo was KnowledgeOfSelf, and that the account had been hijacked by the same user who was responsible for hijacking four other administrator accounts the day before. KnowledgeOfSelf stated that he had used a strong password [1] [2], so the method of hijacking remains unknown. KnowledgeOfSelf was able to identify himself to Brion VIBBER, who reset the account password to enable KnowledgeOfSelf to retake control about 5 hours later. Bureaucrat Raul654 restored his administrator privileges.

AndyZ

AndyZ (talk · contribs · deleted contribs · logs · filter log · block user · block log) was blocked and desysopped on Monday, 7 May, after his password was compromised and his account used for vandalism. AndyZ was unblocked on Tuesday, after establishing his identity to Mark. His administrator rights were restored on Wednesday.

Jiang

Jiang (talk · contribs · deleted contribs · logs · filter log · block user · block log), who was also blocked and desysopped Monday morning, was unblocked Monday evening, 7 May and resysopped Thursday evening, 10 May.

Marine 69-71

Marine 69-71 (talk · contribs · deleted contribs · logs · filter log · block user · block log) was unblocked and resysopped on Monday, May 7, a few hours after the hijacking.

Conscious

Conscious (talk · contribs · deleted contribs · logs · filter log · block user · block log) was unblocked and resysopped Thursday after checkuser confirmed that he was still in control of his account.

BuickCenturyDriver

Finally, the indefinite block on BuickCenturyDriver (talk · contribs · deleted contribs · logs · filter log · block user · block log) was lifted three days after the incident, based on an apology and on checkuser evidence that he was responsible for blocking Ryulong from AndyZ's account but was not the culprit behind the attack.

See also


SPV

User committed identities provide protection against account hijacking

In the wake of last week's report of five administrator accounts being hijacked by having their passwords cracked, Mangojuice (with the help of several others) has proposed a method that editors can use to identify themselves as the original account holder to regain control of a hijacked account. At this writing, about 300 users have confirmed their identities using this method.

What is it?

Template:User committed identity gives editors a way to later prove that they are the person who was in control of their account on the day the template was placed. This is done by putting a public commitment to a secret string on the user page so that, in the unlikely event that their account is compromised, they can convince someone else that they are the real person behind the username, even if the password has been changed by the hijacker.

How it works

An editor chooses a secret string; this is a group of words and numbers or a phrase known only to the account holder. The secret string can be any length; a good string will contain at least 15 characters and include unique information that only the account holder would know, such as a phone number or private e-mail address (not the address associated with your wikipedia account). The secret string is then processed through a cryptographic hash function such as SHA-2 (SHA-512, SHA-384, ...) or SHA-3 to generate a unique hash value or commitment. The commitment is placed somewhere in the editor's User space. If the account is compromised or hijacked, the editor provides the secret string to a trusted administrator or a developer, who verifies that the secret string matches the commitment value. Because the hash function is "one-way", it is impossible to calculate backwards to find a string value matching a given hash value, and the odds of a random string having the same hash value (a Hash collision) is negligible. Therefore, knowing the string that produces a given value is very strong evidence that the person giving the string is the person who originally published it. Once the string is verified, the developers can reset the password to allow the original account holder to regain control.

Alternatively, a user could create a PGP keypair and place the public key on their user page, and then prove their identity by using the private key to sign any message the challenger wants signed. However, this requires more technical competence, and it is necessary to ensure the private key file is well-protected (it is no longer a simple message, although it can of course be encrypted with a passphrase).

Example

For example, User:DonaldDuck1 chooses a "secret string" that includes the names and birthdate of his nephews. His string is,

Hewey, Dewey and Louie, October 17, 1937.


However, if DonaldDuck1 has mentioned his family on Wikipedia, this might be too easily guessed. A useful variation would be


Hewey October Dewey 17 Louie 1937. Egg salad is murder!


Using this web site to calculate the SHA-512 hash value produces


b43f3e39de3f501217144badfc64687a2f516d5d1205d89e51c003715f8609adfbd085afcac3839f7d1008d185e4ab0040edecf62671dbf66a825823e7d3ad42


User:DonaldDuck1 would then put the hash value on his user page using Template:User committed identity like this:

{{user committed identity|b43f3e39de3f501217144badfc64687a2f516d5d1205d89e51c003715f8609adfbd085afcac3839f7d1008d185e4ab0040edecf62671dbf66a825823e7d3ad42|SHA-512}}

which looks like this:

Committed identity: b43f3e39de3f501217144badfc64687a2f516d5d1205d89e51c003715f8609adfbd085afcac3839f7d1008d185e4ab0040edecf62671dbf66a825823e7d3ad42 is a SHA-512 commitment to this user's real-life identity.

In the event that DonaldDuck1's account is compromised or hijacked, he can e-mail the string to the Wikimedia Foundation office. If the hash value of the string matches the hash value previously posted on his user page, he will have proven that he is the rightful account owner.

Notes

  • Do not lose your secret string.
  • Although the template defaults to SHA-512, any cryptographic hash function can be used. See this web site [dead link] for information on alternatives.
  • Your secret string should not be easily guessable based on what you have publicly revealed about yourself. For example, if you use your real name on Wikipedia, your address or telephone number might be guessable, so be sure to make part of your string an unguessable secret.
  • This is not a substitute for using a strong password on your account. It is better to never have your account stolen in the first place.


Resources


SPV

Academic journals multiply their analyses of Wikipedia

Coverage of Wikipedia in academic and peer-reviewed publications has proliferated in recent weeks, as researchers continue to take an interest in studying the project and its implications, both for the Ivory Tower and the general public.

First Monday, a peer-reviewed electronic journal focusing on Internet subjects, has covered Wikipedia before, but its April issue included three (out of eleven total) articles devoted to the project. HP Labs researchers Dennis M. Wilkinson and Bernardo A. Huberman wrote Assessing the value of cooperation in Wikipedia, a statistical analysis of article quality based on the number of edits and distinct editors. They concluded that on average, Wikipedia articles improve in quality over time, with increased edits and collaboration between participants.

Also included were a pair of pieces from Anselm Spoerri: Visualizing the Overlap between the 100 Most Visited Pages on Wikipedia for September 2006 to January 2007 and What is Popular on Wikipedia and Why? Spoerri, a Rutgers University professor who developed the searchCrystal visualization tool, used this and data about the most visited Wikipedia articles to consider the popularity of different subjects over time. He pointed out that entertainment topics tend to be the most popular overall, and that a handful of topics related to sexuality have a "timeless" appeal while the popularity of other topics fluctuates.

Meanwhile, articles in the May issues of two more journals took on the challenge of arguing in favor of Wikipedia, despite its dubious reputation in some academic circles (such as the questions about the suitability of citing Wikipedia in student papers). In keeping with their contrarian stance, both articles were titled with allusions to the subtitle of Dr. Strangelove. The American Historical Association journal Perspectives included Christopher Miller's Strange Facts in the History Classroom: Or How I learned to Stop Worrying and Love the Wiki(pedia), while The Heroic Age, a journal of Early Medieval Northwestern Europe, carried If I were "You": How Academics Can Stop Worrying and Learn to Love "the Encyclopedia that Anyone Can Edit" by Daniel Paul O'Donnell of the University of Lethbridge.

Miller wrote about his experience using Wikipedia as an instructional tool for a history course he taught at Carroll College. In this he took a different approach from many other instructors, who might assign their students to edit Wikipedia articles directly and evaluate their efforts based on the record this creates. Instead, Miller wanted his class to compare Wikipedia articles with other encyclopedias and ultimately consider how the process of creating encyclopedic content relates to knowledge. While surprised that many students were largely ignorant of Wikipedia at the outset, he expressed satisfaction that their understanding matured over the course of the semester.

O'Donnell riffed on Time magazine's designation of "You" as the Person of the Year for 2006, to focus on the tension between amateur and professional participation. He concluded that alternatives to Wikipedia are unlikely to gain much traction, and that academic professionals therefore should feel an obligation to use their expertise in improving its content, as a sort of community service. O'Donnell argued that "Wikipedians themselves are aware of the dangers posed to the enterprise by the inclusion of fringe theories, poor research, and contributions by people with insufficient disciplinary expertise."

Another recent Wikipedia-related feature was an interview of Jimmy Wales conducted by National Endowment for the Humanities chair Bruce Cole, appearing in the NEH journal Humanities. Cole also explored the amateur-professional issue, like O'Donnell, among other topics. One of his comments mentioned that he had been a contributor to the Encyclopædia Britannica; in contrast, Wikipedia illustrated how, "There are probably lots of people out there who know as much about my subject, who may not be in the academy."


SPV

WikiWorld comic: "Ubbi dubbi"

WikiWorld is a weekly comic, carried by the Signpost, that highlights a few of the fascinating but little-known articles in the vast Wikipedia archives. The text for each comic is excerpted from one or more existing Wikipedia articles. WikiWorld offers visual interpretations on a wide range of topics: offbeat cultural references and personality profiles, obscure moments in history and unlikely slices of everyday life - as well as "mainstream" subjects with humorous potential. The comic can now be found on cartoon site Humorous Maximus.

Cartoonist Greg Williams developed the WikiWorld project in cooperation with the Wikimedia Foundation, and is releasing the comics under the Creative Commons Attribution ShareAlike 2.5 license for use on Wikipedia and elsewhere.



(← Prev)
Signpost archives
(Next →)


SPV

Features and admins

Administrators

Fourteen users were granted admin status via the Requests for Adminship process this week: Eyrian (nom), DGG (nom), William Pietri (nom), Slumgum (nom), MastCell (nom), BigrTex (nom), Moreschi (nom), MZMcBride (nom), David Fuchs (nom), Pastordavid (nom), Rettetast (nom), Dekimasu (nom), CattleGirl (nom), and Searchme (nom).

Bots

Eleven bots were approved to begin operating this week: BotCompuGeek (task request), Le Pied-bot (task request), QualiaBot (task request), Android Mouse Bot (task request), NedBot (task request), GeorgeMoneyBot (task request), StatisticianBot (task request), Sumibot (task request), PolarBot (task request), Mr.Z-bot (task request), and Android Mouse Bot 2 (task request).

Six bots were approved to begin another task this week: VeblenBot (task request) (task request 2), MetsBot (task request), Kingbotk (task request), MetsBot (task request), Gnome (Bot) (task request), and MartinBotIII (task request).

Five articles were promoted to featured status last week: Guinea pig (nom), Mendip Hills (nom), Tulsa, Oklahoma (nom), Toronto Raptors (nom), and Ben Gurion International Airport (nom).

Four articles were de-featured last week: The Simpsons (nom), GNU/Linux naming controversy (nom), Quantum computer (nom), and Attack on Pearl Harbor (nom).

Five lists were promoted to featured status last week: List of birds of Nicaragua (nom), The Simpsons (season 8) (nom), 2001 NFL Draft (nom), 1888-1889 New Zealand Native football team matches (nom), and 2003 NBA Draft (nom).

One topic was promoted to featured status last week: Love. Angel. Music. Baby. (nom).

Two portals were promoted to featured status this month: Portal:Scotland (nom), and Portal:Solar System (nom).

No sounds were promoted to featured status last week.

The following featured articles were displayed last week on the Main Page as Today's featured article: Mars, Hovhannes Bagramyan, Campbell's Soup Cans, Minnesota, Eurovision Song Contest, Baby Gender Mentor, and Cell nucleus.

The following featured pictures were displayed last week on the Main Page as picture of the day: Thomas Edison, Striated Pardolate, Polar Map of Jupiter, L'Hemisferic, Pāhoehoe lava, Morteratsch Glacier, and Thermodynamic temperature.

One picture was de-featured last week: Image:Baseball_pitching_motion_2004.jpg (nom)

Seven pictures were featured last week:


SPV

The Report on Lengthy Litigation

The Arbitration Committee opened two cases this week, and closed one case. The committee is also voting on whether to lift Dmcdevit's ban on Koavf (talk · contribs) without a full hearing.

Closed cases

  • Falun Gong: A case regarding the conduct of various editors on the Falun Gong article. Olaf Stephanos and Asdfg12345 allege that Samuel Luo has edit-warred in removing pro-Falun Gong material from the article, while Luo, Tomananda and others allege that Stephanos, Asdfg and others have edit-warred (including page blanking) in removing anti-Falun Gong material. In the final decision, Falun Gong is placed on article probation, Mcconn is placed on revert parole, and Samual Luo and Tomananda are banned from editing articles related to Falun Gong or their talk pages.

New cases

  • Abu badali: A case alleging that Abu badali (talk · contribs) has disruptively tagged non-free images for deletion, even when a valid fair-use justification exists, and has harassed editors who have complained about this behavior.

Evidence phase

  • Piotrus: A case involving administrator Piotrus (talk · contribs) and other editors on Eastern Europe related articles. Multiple parties accuse others of edit warring, incivility, unethical behavior and biased editing. (An earlier arbitration case, Piotrus-Ghirla, was dismissed without prejudice in part due to inactivity of Ghirlandajo (talk · contribs), who was listed a party in the new case.)
  • TingMing: A case involving the actions of TingMing (talk · contribs). Ideogram (talk · contribs) alleges that he has engaged in "controversial edits", edit warring, incivility, and possibly sockpuppetry. TinMing denies the allegations, and alleges incivility on the part of Ideogram.

Voting

  • Zeq-Zero0000: A case involving the actions of Zeq (talk · contribs) and Zero0000 (talk · contribs). Zero alleges that Zeq has engaged in POV-pushing, while Zeq alleges that Zero has misused administrative tools in blocking him, the case in particular involving the question of whether probations, article bans, etc. can be enforced by involved admins. The arbitrators have considered several different versions of a principle covering to what degree involved administrators may enforce probation; none yet has majority support. A majority of the arbitrators have voted to advise Zero0000 not to take further administrative actions against Zeq, including enforcement of probation, and to admonish Zero0000 that editors who are not restricted in their editing of a page or area are entitled to be accorded good faith and be treated with respect and courtesy. Arbitrator Fred Bauder proposed banning Zeq from editing articles related to the Israel-Palestine conflict, but no other arbitrator has voted in support.

Motion for unblock of Koavf

  • Koavf (talk · contribs) was blocked indefinitely on 10 November, 2006 by administrator Dmcdevit (talk · contribs) for editing warring, disruptive editing and exhausting the community's patience, following a discussion on the administrators' noticeboard. Koavf contacted the arbitration committee by e-mail, and after a discussion on the closed ArbCom mailing list, arbitrator Flcelloguy (talk · contribs) made a motion on the main Requests for arbitration page to unblock Koavf and place him on revert parole, without opening and considering a full arbitration case. The motion currently has the support of four arbitrators (out of 6 needed for a majority).


  NODES
admin 24
Association 1
COMMUNITY 3
INTERN 2
Note 2
Project 4
todo 6
twitter 6
USERS 4