A sad state of security.

Started by Maxite, December 14, 2010, 01:33:29 AM

Maxite

I was feeling bored today, so I decided to do a quick test on some very basic security between the NIWA wikis:
How much access would an anonymous person have to the front pages of the various NIWA wikis? Prudent security suggests that wikis should keep their front pages (and all templates related to their front pages) secured and unable to be edited by strangers. Here are my results, which are shocking:

Animal Crossing Wiki:
Secure.

Bulbapedia:
Secure.

Donkey Kong Wiki:
Main page open to editing, along with all templates used by the main page.

Golden Sun Universe:
Main page open to editing, along with all templates used by the main page.

Lylat Wiki:
Secure.

Super Mario Wiki:
Secure.

Metroid Wiki:
Secure.

Nintendo Wiki:
Secure.

Pikipedia:
Templates used by main page can be edited.

Pikcanon-NOT:
Templates used by main page can be edited.

SmashWiki:
Templates used by main page can be edited.

Strategy Wiki:
Secure.

Wars Wiki:
Secure.

WikiBound:
Secure.

WiKirby:
Secure.

Zelda Wiki:
Secure.

This is frankly terrible: over one quarter of our wikis allow anonymous users to edit their main pages in some fashion. I think we should strive for better security standards than the ones we are seeing here.

HavocReaper48

#1

Unnecessary protection for unvandalized material is an abuse and a waste of powers. Why protect what's already safe? For the time being.

...were you that IP on Template:News today, by any chance?

Toomai

Why wouldn't we allow non-admins to add to the News or "Did you know" sections? We'll protect them if we have problems; if we have no problems there's no reason to restrict legitimate edits.

Maxite

You don't have to prevent people from contributing to news and similar: Most of the other wikis I saw that do lock down their templates do have open talk pages for those pages.

While I guess the saying "If it ain't broke, don't fix it" can apply, I also feel that "Better safe than sorry" applies more. Ultimately it is each wiki's individual decision on how they want to secure things, and what they want to leave open. My personal opinion is that front pages should be secured, since any vandalism to those pages will be the first thing that guests to your wiki will see.

Garrett

I'd suggest that embedded templates and images should be protected on a case-by-case basis (starting with anon protection, which weeds out the lazier vandals, and moving up if needed). Any pages for news or whatever that are meant to be updated by the community as a whole (rather than just the staff) should be protected against registered users as a last resort (possibly only temporarily if possible).

This is useful information either way, of course, and you may wish to forward it to the staff of these wikis to see whether they wish to do anything about it. If nothing else it will give them an idea of where to be watching for future vandalism to occur. :)

Maxite

Quote from: Garrett on December 14, 2010, 02:45:13 AM
I'd suggest that embedded templates and images should be protected on a case-by-case basis (starting with anon protection, which weeds out the lazier vandals, and moving up if needed). Any pages for news or whatever that are meant to be updated by the community as a whole (rather than just the staff) should be protected against registered users as a last resort (possibly only temporarily if possible).

This is useful information either way, of course, and you may wish to forward it to the staff of these wikis to see whether they wish to do anything about it. If nothing else it will give them an idea of where to be watching for future vandalism to occur. :)

All of my testing was done anonymously (not logged in or on any account). I wouldn't be opposed to leaving those pages open to editing by registered members (as I noticed some of them were when I was doing some testing). But to leave your main pages open to any random person on the internet seems a bit too extreme.

Again, this is up to each individual wiki to set their own policies. I just think that the bar should be set a wee bit higher than what it currently is.

Jake

#6
Quote from: Maxite on December 14, 2010, 01:33:29 AM
Animal Crossing Wiki:
Templates used by main page can be edited.

Cascading protection, my friend. Actually the smarter approach as opposed to just protecting everything as we go along. (You never know when someone will forget something.) Next time try to be a bit more thorough in your research. ;)

Maxite

#7
Quote from: Jake on December 14, 2010, 03:23:34 AM
Quote from: Maxite on December 14, 2010, 01:33:29 AM
Animal Crossing Wiki:
Templates used by main page can be edited.

Cascading protection, my friend. Actually the smarter approach as opposed to just protecting everything as we go along. (You never know when someone will forget something.) Next time try to be a bit more thorough in your research. ;)

Ack, that is my bad. I did random checking, otherwise I went with "edit" or "protected" status. It wasn't until later that I started doing more thorough checking. Updated the main post after verifying. I've since rechecked the others to verify that the information is accurate.
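Added example, not part of the thread: the cascading-protection point above is easy to miss because a template protected only through cascade has no protection settings of its own. This PHP sketch classifies pages from a MediaWiki `prop=info&inprop=protection` API response, where inherited entries carry a `source` field; the sample JSON and page titles are constructed, and the `formatversion=2` response shape is assumed.

```php
<?php
// Constructed sample of what a wiki's own api.php returns for:
//   action=query&format=json&formatversion=2&titles=Main_Page
//   &generator=templates&prop=info&inprop=protection
// (one entry per template used by the main page). Titles are made up.
$sampleJson = <<<'JSON'
{"query":{"pages":[
 {"title":"Template:News","protection":[]},
 {"title":"Template:Featured","protection":[
   {"type":"edit","level":"sysop","expiry":"infinity","source":"Main Page"}]},
 {"title":"Template:Did you know","protection":[
   {"type":"move","level":"sysop","expiry":"infinity"}]},
 {"title":"Template:Header","protection":[
   {"type":"edit","level":"autoconfirmed","expiry":"infinity"}]}
]}}
JSON;

/**
 * Classify each page by its page-level edit restriction.
 * Returns title => 'open' | 'direct:<level>' | 'cascade:<source page>'.
 */
function classifyEditProtection(string $json): array {
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['query']['pages'])) {
        throw new InvalidArgumentException('not a query/pages API response');
    }
    $result = [];
    foreach ($data['query']['pages'] as $page) {
        $status = 'open';   // no page-level edit restriction found
        foreach ($page['protection'] ?? [] as $p) {
            if (($p['type'] ?? '') !== 'edit') {
                continue;   // move/upload protection does not stop edits
            }
            if (isset($p['source'])) {
                // Inherited from a cascade-protected page; the template's
                // own protection settings look empty.
                $status = 'cascade:' . $p['source'];
                break;
            }
            $status = 'direct:' . $p['level'];
        }
        $result[$page['title']] = $status;
    }
    return $result;
}

foreach (classifyEditProtection($sampleJson) as $title => $status) {
    printf("%-28s %s\n", $title, $status);
}
```

A page reported as `open` can still be closed to anonymous users by wiki-wide group permissions, as on a registered-users-only wiki.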

Koroku

Wikimon is registered users only, so we're safe. :D And I think the main page is Admin-only....

Multi Rang

Ya see, if someone edits something, there's a page that shows you that page before the pages, so you could just go there and copy n paste everything.

tacopill

Quote from: Multi Rang on December 19, 2010, 09:54:23 PM
Ya see, if someone edits something, there's a page that shows you that page before the pages, so you could just go there and copy n paste everything.

Which page would that be, o Wiki Guru?

SnorlaxMonster

Quote from: tacopill on December 19, 2010, 11:19:43 PM
Quote from: Multi Rang on December 19, 2010, 09:54:23 PM
Ya see, if someone edits something, there's a page that shows you that page before the pages, so you could just go there and copy n paste everything.

Which page would that be, o Wiki Guru?

I think what Multi Rang is saying is that you can use the history to go back to the page before it was vandalized.

tacopill

Quote from: SnorlaxMonster on December 20, 2010, 02:02:40 AM
Quote from: tacopill on December 19, 2010, 11:19:43 PM
Quote from: Multi Rang on December 19, 2010, 09:54:23 PM
Ya see, if someone edits something, there's a page that shows you that page before the pages, so you could just go there and copy n paste everything.

Which page would that be, o Wiki Guru?
I think what Multi Rang is saying is that you can use the history to go back to the page before it was vandalized.

Yes, but I think a point of this thread is to ensure you don't have to act on a vandalism of the main page... kind of looks bad for those seconds it wasn't reversed.

I think.

SnorlaxMonster

Yeah, nobody wants to deal with vandalism on their main page. If nobody notices it and changes it (for example, no one is online), it can be incredibly damaging to the wiki's reputation. In my opinion, all main pages should be, at the very least, autoconfirmed protected. Templates do not matter as much, but cascading protection on the main page is a good idea.

Oh, and all policy pages should be protected. We can't have normal-level users (even those with good intentions) changing policies. They require discussion to change.

tacopill

Quote from: SnorlaxMonster on December 20, 2010, 11:43:29 AM
Yeah, nobody wants to deal with vandalism on their main page. If nobody notices it and changes it (for example, no one is online), it can be incredibly damaging to the wiki's reputation. In my opinion, all main pages should be, at the very least, autoconfirmed protected. Templates do not matter as much, but cascading protection on the main page is a good idea.

Oh, and all policy pages should be protected. We can't have normal-level users (even those with good intentions) changing policies. They require discussion to change.

Ooo! I like that.

I should do that on LW/WB/etc.

Jake

Quote from: tacopill on December 20, 2010, 06:30:31 PM
Quote from: SnorlaxMonster on December 20, 2010, 11:43:29 AM
Yeah, nobody wants to deal with vandalism on their main page. If nobody notices it and changes it (for example, no one is online), it can be incredibly damaging to the wiki's reputation. In my opinion, all main pages should be, at the very least, autoconfirmed protected. Templates do not matter as much, but cascading protection on the main page is a good idea.

Oh, and all policy pages should be protected. We can't have normal-level users (even those with good intentions) changing policies. They require discussion to change.

Ooo! I like that.

I should do that on LW/WB/etc.

It's also worth noting that if you set up a custom namespace for policies, you can automatically have every page in it protected via LocalSettings.php. We don't do that on ACF, but I thought I would point it out for any wikis that would like that functionality.

tacopill

Quote from: Jake on December 20, 2010, 08:45:27 PM
Quote from: tacopill on December 20, 2010, 06:30:31 PM
Quote from: SnorlaxMonster on December 20, 2010, 11:43:29 AM
Yeah, nobody wants to deal with vandalism on their main page. If nobody notices it and changes it (for example, no one is online), it can be incredibly damaging to the wiki's reputation. In my opinion, all main pages should be, at the very least, autoconfirmed protected. Templates do not matter as much, but cascading protection on the main page is a good idea.

Oh, and all policy pages should be protected. We can't have normal-level users (even those with good intentions) changing policies. They require discussion to change.

Ooo! I like that.

I should do that on LW/WB/etc.

It's also worth noting that if you set up a custom namespace for policies, you can automatically have every page in it protected via LocalSettings.php. We don't do that on ACF, but I thought I would point it out for any wikis that would like that functionality.

Thank you for the info.

In case anyone is wondering, please look here for the information.

If I am reading that correctly, I think you may be able to do what is talked about in the link for the project namespace as well....
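Added example, not part of the thread and not any NIWA wiki's actual configuration: a LocalSettings.php fragment for the namespace-wide protection Jake describes, plus the project-namespace variant tacopill asks about, using MediaWiki's `$wgExtraNamespaces`, `$wgNamespaceProtection` and `$wgGroupPermissions` settings. The namespace number 3000, the name "Policy" and the right name `editpolicy` are made-up choices.

```php
// LocalSettings.php fragment (added example; number, name and right
// below are illustrative choices, not taken from any wiki in the thread).
define('NS_POLICY', 3000);
define('NS_POLICY_TALK', 3001);
$wgExtraNamespaces[NS_POLICY]      = 'Policy';
$wgExtraNamespaces[NS_POLICY_TALK] = 'Policy_talk';

// Every page in Policy: now requires the 'editpolicy' right to edit.
// The talk namespace is left unrestricted so changes can be discussed.
$wgNamespaceProtection[NS_POLICY] = array('editpolicy');

// Grant the right to administrators only.
$wgGroupPermissions['sysop']['editpolicy'] = true;

// The same mechanism applied to the built-in project namespace.
$wgNamespaceProtection[NS_PROJECT] = array('editpolicy');
```

Because the restriction is tied to the namespace, pages created there later are covered without anyone having to remember to protect them individually.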