_ General Discussion _ Oh dear.

Posted by: CrazyGameOfPoker

It seems like either some admins have gone rouge rogue, or even worse someone's cracking into their accounts.

First it was http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#AndyZ_gone_rogue who made a very "special" http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=&user=AndyZ&page=Main+Page, and another special http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=block&user=AndyZ&page=User%3ARyulong before finally being caught and desysopped.

As people were trying to figure out what exactly happened (Dmdevit apparently posted AndyZ's IP address as part of checkuser on AN/I, but I can't find the diff), a more sinister plot was brewing...

Apparently the devious cracker (or perhaps a copycat), found another http://en.wikipedia.org/wiki/User:Jiang to get into. Apparently he decided to one up the main page image vandal, by http://en.wikipedia.org/w/index.php?title=MediaWiki:Sitenotice&diff=prev&oldid=128931866 that are on every page with Goatse. (Well he also http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=&user=Jiang&page= and deleted the Main Page again, but that's small fish)

In order to calm the populace, it seems that http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#Password_cracker_to_be_run_over_admin_accounts_shortly in order to find admins with weak passwords.

Meanwhile one has to wonder if this particular reign of terror is going to continue.

Posted by: Somey

And as usual, http://en.wikipedia.org/w/index.php?title=User_talk%3AJiang&diff=128940386&oldid=128940001.

QUOTE(User:Cyde @ 14:16, 7 May 2007 UTC)
Why should we trust you to be an admin again? Your failure to take adequate security measures already got us a Tubgirl on the top of every page on Wikipedia. I and many others no longer trust you to have access to the bit anyway.

Well, I'd just like to say that I myself trust Jiang implicitly, and not only with the bit, but also the halter, the stirrups, and possibly even the lead rope.

I heard a rumor that his password was actually "jiang"...

Posted by: taiwopanfob

If it is possible to run a client-side password cracker against Wikipedia without an alarm going off somewhere, then there are problems that cannot be fixed by simply changing passwords. More than likely someone is just trying a quick sweep with a very small number of highly likely passwords, and has scored a number of hits. Wasn't everyone poo-pooing this a while back re: dormant admin accounts?


Posted by: gomi

Here's what I don't understand: the password cracker could do much more damage if he/she compromised the account, changed the password, changed the email address, and then did nothing, or even better, acted normally, banning a few vandals here and there, voting in an AFD or RFA or whatever. There would be nothing (or at least very little) the compromised admin could do to re-take the account. Sigh.

Posted by: Somey

Now that this has happened, somebody could also study an inactive admin's contribs for a while, then e-mail a bunch of active admins saying that he'd used a weak password and that the real admin is an impostor. Then there'd always be this vague suspicion following the real admin around like a cloud... They could ALL be impostors...!

I'll bet a good 25 percent of the admins probably use the term "lovecabal" for a password.

Posted by: Uly

That assumes the cracker was out to cause damage.

History seems to have shown that security exploiters are more interested in highly visible pranks than in stealthy damage.

Posted by: Rootology

Got another pwned admin account:

http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=&user=Conscious&page=

This is just absurd and silly now.

Posted by: Somey

What was he doing, just blocking people at random? I mean, if the guy can program a bot to guess passwords, can't he program one to block all the other admins in under 60 seconds, so they don't have time to react? Or something?

C'mon, whoever you are! Can't you just save one account to do something really useful with, like start a huge wheel war with JoshuaZ, or maybe just mass-revert everything Jayjg and SlimVirgin have done since, well, Day One?

Not that he's likely to be reading this...

Come to think of it, this is starting to reach media-attention proportions, isn't it?

Posted by: Rootology

QUOTE(Somey @ Mon 7th May 2007, 12:30pm) *
Come to think of it, this is starting to reach media-attention proportions, isn't it?


Not until he/she/it does something more than just troll Wikipedia, probably, unless it continues going on for a decent amount of time. It's all back alley Wikipedia stuff that will get cornholed once the WP:ANI archives cycle. If only it could http://www.joeszilagyi.com/2007/05/07/wikipedia-admins-go-on-rampage/ to the blogosphere...

Posted by: CrazyGameOfPoker

Actually Somey, admins are able to use block/protect/delete when they're still blocked, so it wouldn't have an effect if he blocked all the administrators.

Certainly would be hilarious.

Posted by: The Joy

QUOTE
Come to think of it, this is starting to reach media-attention proportions, isn't it?


If the hacker gets into the more prominent accounts, like JoshuaZ, Danny, or Jimbo, then it will most definitely get that way.

Posted by: Somey

QUOTE(CrazyGameOfPoker @ Mon 7th May 2007, 2:37pm) *
Actually Somey, admins are able to use block/protect/delete when they're still blocked, so it wouldn't have an effect if he blocked all the administrators.

Dang, they think of everything, don't they?

I've got to get that MediaWiki test-bed installation done ASAP, so that I'll write about these things without sounding like a numbskull.

Posted by: Rootology

http://en.wikipedia.org/w/index.php?title=Special:Log&type=&user=Marine+69-71&page=&pattern=&limit=500&offset=0 one got haxxed.

Posted by: Unrepentant Vandal

Well chaps, I must admit that when this story broke I was very amused, and quickly got someone even less gainfully employed than myself to write a program to test these things. I can now report that the ten most inactive admins (from the list of wikipedian admins) do not have any of the 760 most commonly used passwords which I found on the net somewhere. None of them had any of these passwords, unfortunately.

If the person *is* reading this, please change the password of any remaining compromised accounts to aardvark, it would make these searches a lot quicker.

Note that there is nothing that Wikipedia can do about this, in the long term, without substantial redesign. They can brute force the current admins and enforce password change. It would be almost impossible to do this for all current users. An intelligent cracker will be looking for future admins to try. Even if number of logins is restricted, just try 5 logins for each user. Restrict it by IP and distributed computing is your friend. Remember to monitor new users, and keep a database of those whose passwords you obtain for future use, etc etc.

I'm not sure whether I should post the program or not, but at the moment I'm leading towards no.
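An added example, not part of the original thread and not the program mentioned in the post above: the post's point that five guesses per account, sent from many addresses, stay under per-account and per-IP limits, seen from the defender's side as a site-wide check over failed logins. The log events, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed events: (time, source IP, account, login succeeded)."""
    t0 = datetime(2007, 5, 7, 12, 0, 0)
    # One ordinary user mistypes a password twice, then logs in.
    events = [(t0 - timedelta(minutes=30) + timedelta(seconds=15 * i),
               "203.0.113.9", "alice", i == 2) for i in range(3)]
    # 8 privileged accounts get 5 guesses each, one guess per account per
    # round, every request from a different address, 20 seconds apart.
    for n in range(40):
        events.append((t0 + timedelta(seconds=20 * n),
                       f"198.51.100.{n + 1}", f"admin{n % 8}", False))
    return sorted(events)

def per_key_lockouts(events, field, limit, window):
    """Classic throttle: keys (field 1 = IP, 2 = account) with more than
    `limit` failed logins inside `window`."""
    recent, flagged = defaultdict(deque), set()
    for event in events:
        ts, ok = event[0], event[3]
        if ok:
            continue
        q = recent[event[field]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(event[field])
    return flagged

def spray_alerts(events, window, min_accounts, min_ips):
    """Site-wide view: alert when the failures inside `window` are spread
    over many distinct accounts and many distinct source addresses."""
    recent, alerts = deque(), []
    for ts, ip, user, ok in events:
        if ok:
            continue
        recent.append((ts, ip, user))
        while ts - recent[0][0] > window:
            recent.popleft()
        accounts = {u for _, _, u in recent}
        ips = {i for _, i, _ in recent}
        if len(accounts) >= min_accounts and len(ips) >= min_ips:
            alerts.append((ts, sorted(accounts)))
            recent.clear()  # start a new batch instead of alerting per event
    return alerts

if __name__ == "__main__":
    ev = build_sample()
    quarter = timedelta(minutes=15)
    print("locked accounts:", per_key_lockouts(ev, 2, 5, quarter))
    print("throttled IPs:  ", per_key_lockouts(ev, 1, 5, quarter))
    for ts, accounts in spray_alerts(ev, timedelta(minutes=10), 5, 10):
        print("spray alert", ts.isoformat(), accounts)
```

On the constructed data both per-key throttles stay silent, while the site-wide check fires once ten failures from ten addresses have touched all eight accounts.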

Posted by: The Joy

Not Tony the Marine! This is madness! Absolute madness! What is this person's agenda? Is he a disgruntled former Wikipedian or something? Or some crazed prankster?

Posted by: Rootology

QUOTE(The Joy @ Mon 7th May 2007, 12:45pm) *
Not Tony the Marine! This is madness! Absolute madness! What is this person's agenda? Is he a disgruntled former Wikipedian or something? Or some crazed prankster?


$10 says Cplot! Does anyone raise $15 for Willy?

Posted by: The Joy

Is this related to the Robdurber admin going rogue? I think they proved that banned user Wonderfool was using that account.

How long will it take before the Community starts blaming one of us on WR for this fiasco?

Update: Tony the Marine's been unblocked and exonerated. He'll get his admin bit back soon. But who will fall next?

Posted by: Unrepentant Vandal

QUOTE(Rootology @ Mon 7th May 2007, 8:47pm) *

QUOTE(The Joy @ Mon 7th May 2007, 12:45pm) *
Not Tony the Marine! This is madness! Absolute madness! What is this person's agenda? Is he a disgruntled former Wikipedian or something? Or some crazed prankster?


$10 says Cplot! Does anyone raise $15 for Willy?


Methinks GNAA or something... Dictionary attack is one of the oldest tricks in the book, and it would appear that it takes about ten or fifteen minutes to write the software to do this.

Posted by: Somey

QUOTE(The Joy @ Mon 7th May 2007, 2:45pm) *
What is this person's agenda?

My guess is he's upset about the supposedly "NPOV" coverage of Sony's PlayStation_3 sixth-generation videogame console.

One can hardly blame him...

QUOTE
Is he a disgruntled former Wikipedian or something? Or some crazed prankster?

Well, he's indef-blocked Jimbo twice now, so he at least knows that much about what's going on... In fact, this makes four times for ol' Jimbo. Pretty soon he's going to be branded a "recurring bannee."

This is the most fun we've had in months!

Posted by: Rootology

From a Mediawiki technology standpoint, short of rushing new logon related code into production, there really isn't anything they can do at this point. They can't block all open proxies until they're used against WP. The bodies will keep falling until there are no more crap passwords for accounts. Given that this is now getting more attention, it's only a matter of time till "veteran" non-admin accounts are harvested for trolling and vandalism next. And I have to agree with Cyde on one point: you have a crap password, it's your own fault for anything bad happening. You might as well make your banking PIN number "1234".

Posted by: Somey

QUOTE(Rootology @ Mon 7th May 2007, 2:58pm) *
...I have to agree with Cyde on one point: you have a crap password, it's your own fault for anything bad happening. You might as well make your banking PIN number "1234".

Uh-oh... I'd better change my banking PIN number!

Actually, wasn't that gag used in Spaceballs?

Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Later...
President Skroob: [enters after the interrogation of King Roland] Well? Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?
Dark Helmet: 1 2 3 4 5.
President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
Dark Helmet: Yes, sir!
President Skroob: And change the combination on my luggage!

Posted by: Unrepentant Vandal

QUOTE(Rootology @ Mon 7th May 2007, 8:58pm) *

From a Mediawiki technology standpoint, short of rushing new logon related code into production, there really isn't anything they can do at this point. They can't block all open proxies until they're used against WP. The bodies will keep falling until there are no more crap passwords for accounts. Given that this is now getting more attention, it's only a matter of time till "veteran" non-admin accounts are harvested for trolling and vandalism next. And I have to agree with Cyde on one point: you have a crap password, it's your own fault for anything bad happening. You might as well make your banking PIN number "1234".


If they have any sense they will suspend logins until the problem is fixed.

Posted by: The Joy

Dark Helmet: "The password's '12345'? That's stupid! That's like a combination for some idiot's luggage!"

President Screwb: "What's the password?"

Spaceball officer: "12345, sir!"

President Screwb: "That's the same combination as my luggage!"

From the movie Spaceballs.

Sorry, I couldn't resist!

Update: Ah, Somey! You caught me, as they say on WP, in an Edit Conflict! Now the joke is lost!

Posted by: Somey

QUOTE(The Joy @ Mon 7th May 2007, 3:03pm) *
Ah, Somey! You caught me, as they say on WP, in an Edit Conflict! Now the joke is lost!

Sorry... I could just get rid of mine...

Posted by: Rootology

QUOTE(Unrepentant Vandal @ Mon 7th May 2007, 1:02pm) *
If they have any sense they will suspend logins until the problem is fixed.


"The encyclopedia that anyone some people can edit!"

Posted by: JohnA

And they say that good entertainment doesn't come for free...

Oh and to Wikipedians watching - no it wasn't me. Not sure about Somey though...

Posted by: Cedric

Hmmmmmm. Jeff Merkey suddenly shows back up on WP, and a short time later multiple admin accounts get hacked. Coincidence . . . ?

Posted by: Uly

Merkey's been active with other Wikimedia projects (and on the foundation-l list) for quite some time. It's not like he just recently rediscovered Wikipedia.

Posted by: The Joy

QUOTE
Sorry... I could just get rid of mine...


No worries. Great minds think alike!

With regard to passwords, I think I'm like a whole lot of people who just use the same simple password for pretty much anything when I should be using different, highly complicated passwords for every single thing.

Now, why are people blaming the admins who lost their accounts to this interloper when it's the hacker's fault for hacking into their accounts?

I take it if they ever find the hacker, he'll be in a heap of legal trouble?

Posted by: Uly

I should say so. This would carry jail time in Florida, if Wikimedia can get the DA to play along.

Posted by: Unrepentant Vandal

QUOTE(Uly @ Mon 7th May 2007, 9:36pm) *

I should say so. This would carry jail time in Florida, if Wikimedia can get the DA to play along.


It may come under the computer misuse act here, but I wouldn't be sure. I think that the fact Wikipedia invites anyone to edit it would make the case much more complex. Certainly there wouldn't be a problem with straight vandalism.

Posted by: BobbyBombastic

QUOTE(Unrepentant Vandal @ Mon 7th May 2007, 8:44pm) *

QUOTE(Uly @ Mon 7th May 2007, 9:36pm) *

I should say so. This would carry jail time in Florida, if Wikimedia can get the DA to play along.


It may come under the computer misuse act here, but I wouldn't be sure. I think that the fact Wikipedia invites anyone to edit it would make the case much more complex. Certainly there wouldn't be a problem with straight vandalism.

identifying the individuals is the other problem. and the harm done is not all that great. im sure wikipatriots are calling for prison time.

btw, these incidents display why anonymity of admins may not be such a good idea. {{unblock|OMG THIS IS NOT THE HAX0R UNBLOCK PLZ}} just doesn't work. pushing admins to identify their account names with their real names should ensue more hilarity. especially considering sockpuppet admins, people with conflict of interests, etc. at this point, it seems disclosing this information to the Foundation would be better than nothing.

Posted by: the fieryangel

If I were an admin, I'd be sort of embarrassed to have people find out that my password was http://en.wikipedia.org/wiki/User_talk:Jiang#Blocked, but I guess that that's not a big deal at WP with people like Makemi spouting the "F" word even in discussions about Opera...

Oh, and if you have any doubts about YOUR password, you can try http://davidgerard.co.uk/notes/

come on, y'all trust him, doncha???

Posted by: Alkivar

QUOTE(CrazyGameOfPoker @ Mon 7th May 2007, 3:37pm) *

Actually Somey, admins are able to use block/protect/delete when they're still blocked, so it wouldn't have an effect if he blocked all the administrators.

Certainly would be hilarious.


not quite accurate. Admins while blocked cannot edit, protect or delete pages while blocked. They can still block/unblock however. They can also unblock themselves.

Posted by: LamontStormstar

A lot of other organizations have a multitude of different security options in place just to keep this sort of thing from happening. Sitekeys to prevent phishing sites. Various verification stuff like making people confirm their identity if the site can't recognize their computer by past cookies. But even before that, even Windows to my knowledge has stuff where it can prevent you from using a simple password and can force you to change it all the time.

Wikipedia instead has the manpower people watching the site nonstop.

As for the controversy of if admins who let their accounts be compromised be allowed status back, I think that they probably should have several months of suspension before letting them back.

Posted by: Unrepentant Vandal

QUOTE(LamontStormstar @ Mon 7th May 2007, 10:51pm) *

As for the controversy of if admins who let their accounts be compromised be allowed status back, I think that they probably should have several months of suspension before letting them back.


Why?

/it's perfectly credible they didn't appreciate the severity of their actions.

Posted by: michael

QUOTE(Rootology @ Mon 7th May 2007, 12:47pm) *

QUOTE(The Joy @ Mon 7th May 2007, 12:45pm) *
Not Tony the Marine! This is madness! Absolute madness! What is this person's agenda? Is he a disgruntled former Wikipedian or something? Or some crazed prankster?


$10 says Cplot! Does anyone raise $15 for Willy?


Willy was just an immature page move vandal. He also apparently repented and contributed positively for a time, but his legacy is continued by the legions of imposters. Cplot...he was just an annoying 9/11 conspiracist, who also employed extremely effective tactics to be able to create a whole ton of accounts. Neither says password cracker to me.

Posted by: Rootology

QUOTE(michael @ Mon 7th May 2007, 3:55pm) *
Neither says password cracker to me.

I agree, I was joking. I like GNAA guess, but who knows.

Posted by: JTM

As to the identity of the hacker I just have two words:

Brian Peppers.

That is all.

Posted by: LamontStormstar

QUOTE(Unrepentant Vandal @ Mon 7th May 2007, 3:34pm) *

QUOTE(LamontStormstar @ Mon 7th May 2007, 10:51pm) *

As for the controversy of if admins who let their accounts be compromised be allowed status back, I think that they probably should have several months of suspension before letting them back.


Why?

/it's perfectly credible they didn't appreciate the severity of their actions.



Well it's more like you screw up at work, you get at least a reprimand. Time off would be something instead of "you're all forgiven for having an easily guessed password that let goatse get on the site notice"

Posted by: SirFozzie

QUOTE(Rootology @ Mon 7th May 2007, 3:58pm) *

From a Mediawiki technology standpoint, short of rushing new logon related code into production, there really isn't anything they can do at this point. They can't block all open proxies until they're used against WP. The bodies will keep falling until there are no more crap passwords for accounts. Given that this is now getting more attention, it's only a matter of time till "veteran" non-admin accounts are harvested for trolling and vandalism next. And I have to agree with Cyde on one point: you have a crap password, it's your own fault for anything bad happening. You might as well make your banking PIN number "1234".


That's amazing.. I have the same combination on my luggage!

(spaceballs mode off)

Posted by: BobbyBombastic

QUOTE(JTM @ Mon 7th May 2007, 11:19pm) *

As to the identity of the hacker I just have two words:

Brian Peppers.

That is all.

Brian Peppers himself, or agents acting on Brian Peppers' behalf? another main page deletion with the message FREE BRIAN PEPPERS would go down in internet history as very awesome.

Posted by: Kato

Tony Sidaway has described these compromised admins - including the impeccable Tony The Marine who is one of the last decent contributors - as "stupid", "lazy", "feckless" "negligent" and "dumber than rock". Cyde has described them as "heinous" and "untrustworthy".

How long is this site going to tolerate these high profile sociopaths like Cyde and Sidaway? How pungent does the site need to get before it collapses under the weight of these odious creeps?

Posted by: Rootology

QUOTE(Kato @ Tue 8th May 2007, 7:14am) *
Tony Sidaway has described these compromised admins - including the impeccable Tony The Marine who is one of the last decent contributors - as "stupid", "lazy", "feckless" "negligent" and "dumber than rock". Cyde has described them as "heinous" and "untrustworthy".

How long is this site going to tolerate these high profile sociopaths like Cyde and Sidaway? How pungent does the site need to get before it collapses under the weight of these odious creeps?


People with many friends have WP:NPA immunity, until they try to bloody the nose of someone with an equally large group of friends. That's why Giano was able to help drive Sidaway and Martin back from adminship, if I could understand that mess clearly. The problem is that unless/until people with serious authority on-Wiki (ArbCom, Jimbo) go out of their way to say, "No one gets immunity," some insulation due to tenure, edit count, adminship, or other nonsensical reasons will occur. That's what drove me batty enough to try to get admin recall working at one point (a doomed venture, obviously). To hammer home the point that admins in and of themselves have no more or less value than anyone else in a system of that scale. People *SHOULD* be treated like anonymous cogs in the Wikipedia clockwork; it's the only way to ensure total fairness and impartiality.

Human ego, all the way from bottom to top, and top to bottom, will never allow this. I still believe that such ego reasons will eventually be what takes out Wikipedia, if anything ever could. In what final form, I've no idea. But it will all derive and spawn from that in the end. Terrible, pseudo-endorsed attitudes from people like Sidaway and Cyde are just harbingers of this, at this point.

Out of all the policies on Wikipedia, CIVIL/NPA should be mercilessly enforced on-Wiki, and on the IRC channels, like a shiv in the gut or a bullet in the back of the head. Mercilessly, with no middleground or leeway. Be nice, or get the hell out. Its lax and haphazard social classist enforcement has led in my opinion to many of the more deep-rooted and subversive problems there. I'd bet that anyone aiming to enforce it firmly would be not long for adminship or authority, either, due to those same ingrained ideals of 'freedom to slag people' that is dressed up as 'expression'.

Posted by: Kato

I'm in complete agreement. Once weird figures like Cyde and Sidaway - who contribute next to nothing on content and seem to merely be in it for the drama and power politics - have reached the stage where they are openly insulting genuine contributors like Tony the Marine with immunity, then it is time for serious measures.

Recently, Sidaway kept a low profile. The productivity on those tedious admin pages improved marginally because of this (though readers were still treated with excerpts from Cyde's loathsome people skills).

The return of these ghouls is about as welcome as the Dementors to Hogwarts, whose description on wikipedia is apt: "soul sucking fiends.. who grow like fungi in the darkest, dankest places, creating a dense, chilly fog."

As stated elsewhere, the site needs to be rid of these turbulent twerps if it has any hope of improving.

Posted by: Nathan

I agree wholeheartedly.

Posted by: JohnA

QUOTE(Kato @ Tue 8th May 2007, 5:10pm) *

.... where they are openly insulting genuine contributors like Tony the Marine with immunity, then it is time for serious measures.


I think you mean "impunity"?

Posted by: Kato

QUOTE(JohnA @ Wed 9th May 2007, 9:39am) *

QUOTE(Kato @ Tue 8th May 2007, 5:10pm) *

.... where they are openly insulting genuine contributors like Tony the Marine with immunity, then it is time for serious measures.


I think you mean "impunity"?


I meant "immunity" (see previous post by rootology "NPA:immunity") but impunity works just as well to describe the situation where certain editors are allowed to be as obnoxious as they like.