Hacker News | Wikipedianon's comments

This was only a matter of time.

The Wikipedia community takes a cavalier attitude towards security. Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review. They added mandatory 2FA only a few years ago...

Prior to this, any admin had that ability until it was taken away due to English Wikipedia admins reverting Wikimedia changes to site presentation (Mediaviewer).

But that's not all. Most "power users" and admins install "user scripts", which are unsandboxed JavaScript/CSS gadgets that can completely change the operation of the site. Those user scripts are often maintained by long abandoned user accounts with no 2 factor authentication.

Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

The Wikimedia foundation knows this is a security nightmare. I've certainly complained about this when I was an editor.

But most editors that use the website are not professional developers and view attempts to lock down scripting as a power grab by the Wikimedia Foundation.
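The comment above describes the risk in sitewide and user-space JavaScript: scripts pulled into a user's common.js run unsandboxed with the user's full privileges, and the accounts maintaining them may be long abandoned and without 2FA. The following is an added example, not code from this thread or from MediaWiki/Wikimedia, of the kind of dependency audit a defender would run over a common.js page. The `importScript(...)` and `mw.loader.load(...)` call shapes are the real MediaWiki loading idioms; the common.js text, the maintainer inventory and the dates are constructed sample data, and the staleness threshold is an assumption.

```python
"""
Audit a MediaWiki user's common.js for the scripts it loads and flag the ones
whose maintainers look abandoned. Added example; the sample common.js and the
maintainer inventory below are constructed, not real Wikipedia data.
"""
import re
from datetime import date
from typing import Optional
from urllib.parse import unquote

# Real MediaWiki idioms for pulling a script into a user's page:
#   importScript('User:Alice/foo.js')
#   mw.loader.load('//en.wikipedia.org/w/index.php?title=User:Bob/bar.js&action=raw&ctype=text/javascript')
CALL_RE = re.compile(r"(importScript|mw\.loader\.load)\(\s*['\"]([^'\"]+)['\"]")
TITLE_RE = re.compile(r"[?&]title=([^&]+)")


def extract_script_pages(common_js: str) -> list:
    """Return, in source order, the page title (or raw URL) of each loaded script."""
    pages = []
    for call, arg in CALL_RE.findall(common_js):
        if call == "importScript":
            pages.append(arg)
            continue
        # mw.loader.load takes a URL; recover the wiki title if it points at index.php
        m = TITLE_RE.search(arg)
        pages.append(unquote(m.group(1)) if m else arg)
    return pages


def classify(page: str):
    """('user', owner) for user-space scripts, ('site', None) for MediaWiki: pages
    (site-managed, controlled by interface admins), ('external', None) otherwise."""
    if page.startswith("User:"):
        return "user", page[len("User:"):].split("/", 1)[0]
    if page.startswith("MediaWiki:"):
        return "site", None
    return "external", None


def audit(common_js: str, inventory: dict, today: date, stale_days: int = 365) -> list:
    """Return (page, reason) findings for scripts whose supply chain looks weak."""
    findings = []
    for page in extract_script_pages(common_js):
        kind, owner = classify(page)
        if kind == "site":
            continue  # site-wide gadgets are a separate review problem
        if kind == "external":
            findings.append((page, "loaded from outside the wiki"))
            continue
        info = inventory.get(owner)
        if info is None:
            findings.append((page, "maintainer %s not in inventory" % owner))
            continue
        reasons = []
        if (today - info["last_edit"]).days > stale_days:
            reasons.append("maintainer inactive > %d days" % stale_days)
        if not info["two_factor"]:
            reasons.append("maintainer has no 2FA")
        if reasons:
            findings.append((page, "; ".join(reasons)))
    return findings


# --- constructed sample input (not a real common.js or real accounts) ---
SAMPLE_COMMON_JS = """
importScript('User:Alice/twinkle-helper.js');
mw.loader.load('//en.wikipedia.org/w/index.php?title=User:Bob/old-gadget.js&action=raw&ctype=text/javascript');
mw.loader.load('https://example.invalid/remote.js');
importScript("MediaWiki:Gadget-foo.js");
"""
INVENTORY = {  # constructed: last on-wiki edit and whether 2FA is enrolled
    "Alice": {"last_edit": date(2025, 1, 10), "two_factor": True},
    "Bob": {"last_edit": date(2021, 3, 2), "two_factor": False},
}
TODAY = date(2025, 6, 1)


def run_sample() -> list:
    return audit(SAMPLE_COMMON_JS, INVENTORY, TODAY)


if __name__ == "__main__":
    for page, reason in run_sample():
        print("%s: %s" % (page, reason))
```

The inventory would normally be filled from the wiki's own user and contribution data; the point of the audit is that every script a privileged account loads is effectively part of that account's trust boundary, so its maintainer's account hygiene matters as much as the account's own.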


Maybe somewhat unrelated, but I'm reminded of the fact that people have deleted the main page on a few occasions: https://en.wikipedia.org/wiki/Wikipedia:Don%27t_delete_the_m...


> Any user with "interface administrator" status can change global JavaScript or CSS for all users on a given Wiki with no review.

True, but there aren't very many interface administrators. It looks like there are only 137 right now [0], which I agree is probably more than there should be, but that's still a relatively small number compared to the total number of active users. But there are lots of bots/duplicates in that list too, so the real number is likely quite a bit smaller. Plus, most of the users in that list are employed by Wikimedia, which presumably means that they're fairly well vetted.

[0]: https://en.wikipedia.org/w/api.php?action=query&format=json&...


There shouldn't be any interface admins as such. There should be an enforced review process for changes to global JavaScript so stuff like this can't happen.

I'm sure there are Google engineers who can push changes to prod and bypass CI but that isn't a normal way to handle infra.



Those are the English Wikipedia-only users, but you also need to include the "global" users (which I think were the source of this specific compromise?). Search this page [0] for "editsitejs" to see the lists of global users with this permission.

[0]: https://en.wikipedia.org/wiki/Special:GlobalGroupPermissions


Seems like a good time to donate one's resources to fix it. The internet is super hostile these days. If Wikipedia falls... well...


It's a political issue. Editors are unwilling or unable to contribute to development of the features they need to edit.

Unfortunately, Wikipedia is run on insecure user scripts created by volunteers that tend to be under the age of 18.

There might be more editors trying to resume-boost if editing Wikipedia under your real name didn't invite endless harassment.


They have 100s of millions USD, they will be fine: https://upload.wikimedia.org/wikipedia/foundation/3/3f/Wikim... (page 5-7).


Wikipedia doesn't even spend Wikipedia's donations anymore.


Sounds more like a political issue this. Can't buy your way out of that.


My understanding is that Wikipedia receives more donations than they need, surely they have the resources to fix it themselves?


You would first need to realize it's a problem.


Maybe this is the reason for this worm. Someone is angry because they didn't get it another way...


The worm is a two year old script from the Russian Wiki that was grabbed randomly for a test by a stupid admin running unsandboxed with full privileges, so no.


> Prior to this, any admin had that ability until it was taken away due to English Wikipedia admins reverting Wikimedia changes to site presentation (Mediaviewer).

You're mixing up events. Superprotect is unrelated to the IAdmin separation from normal admin. The two are separated by many years and basically totally unrelated.

I agree with the rest of your post.


Reminds me of the famous quip starting with "found a bug in the english site" (early 2000s)...

https://bash.toolforge.org/quip/AU8FCPz66snAnmqnLHDj


For reference

>There are currently 15 interface administrators (including two bots).

https://en.wikipedia.org/wiki/Wikipedia:Interface_administra...


> Based on the fact user scripts are globally disabled now I'm guessing this was a vector.

Disabled at which level?

Browsers still allow for user scripts via tools like TamperMonkey and GreaseMonkey, and that's not enforceable (and arguably, not even trivially visible) to sites, including Wikipedia.

As I say that out loud, I figure there's a separate ecosystem of Wikipedia-specific user scripts, but arguably the same problem exists.


Yeah, wikipedia has its own user script system, and that was what was disabled.


This is apparently not done browser side but server side.

As in, user can upload whatever they wish and it will be shown to them and ran, as JS, fully privileged and all.


The sitewide JavaScript/CSS is an editable Wiki page.

You can also upload scripts to be shared and executed by other users.




Most admins on Wikipedia are competent in areas outside of webdev and security.


No, most admins are incompetent, full stop. I've been on the receiving end.


Wikipedia admins are not IT admins, they're more like forum moderators or admins on a free phpBB 2 hosting service in 2005. They don't have "admin" access to backend systems. Those are the WMF sysadmins.


This is half true, because Wikipedia admins had the ability to edit sitewide JavaScript until 2018.

A certain number of "community" admins maintain that right to this day after it was realized this was a massive security hole.


You mean interface admins?


The article criticizes doxxing but well-known Wikipedia editors doxx each other all the time... There's a site called Wikipediocracy that's been around for 20 years and an Arbitrator (Wiki's Supreme Court) was suspended for leaking secret deliberations to the "private" section of the forum—just make an account and you can see it too.

https://en.wikipedia.org/wiki/Wikipedia:Wikipedia_Signpost/2...

According to that Arbitrator, Wikimedia gave a legal opinion that he violated the law in doing so:

"Well, I got a result today: the ombuds commission found that I did indeed violate the access to nonpublic data policy, and has issued a final warning to me. Apparently mailing list comments are, "under a contemporary understanding of privacy law and the policies in question," nonpublic data on the same level as CU data or suppressed libel."

https://wikipediocracy.com/forum/viewtopic.php?p=350266#p350...

Wasn't the first time he did it either... Officially, community guidelines only apply on the site itself. Once you get into the Discords or forums, doxxing is common and tolerated. Admins and arbitrators are happy to participate on those forums under their Wikipedia usernames because they feel like they need doxx to take action against those trying to harm Wikipedia. And because it (usually) isn't them doing the doxxing, it's ok. There's even an "alt-right identification thread" where established editors can request doxxing from people who don't link their accounts onwiki.

Generally this targets newer editors who aren't in a clique yet. e.g. The person who made "Wikipedia and Antisemitism" got doxxed. Once you get to a certain level, you are expected to participate in these "offwiki" forums to get anything done.

Some people try to complain about it but it doesn't end well. Generally you don't want to fuck with them because by the time you find out about Wikipediocracy, you've already revealed too much and are doxxable. & unlike nation-state actors they have inside information and understand the site.

https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_no...

If you do choose to edit Wikipedia, use a burner email and only edit during the same one or two hours of the day so they can't track timezones. & don't post any photos or information on where you live nor attend meetups.

There are some good people but once you get deeply involved it is a toxic community. Sorry for the rant but it pisses me off whenever people talk about how great the Wikipedia community is, as someone who's into the internal shit. It's the worst place to get involved in "free culture".


Hi. I was an arbitrator who voted to suspend that arbitrator. There was no doxxing involved, which anyone can verify. Barely anything else in your comment is correct either. Doxxing is an issue but from where I sit it's much worse from people outside Wikipedia.


This comment is farcical. Supposing you are right and that there was "no doxxing involved", it's still impossible for an outsider, like most of us here, to verify it. Especially if there is such a thing as non-public discourse of any kind.

It is not a transparent organization, and it does not even pay lip service to the effort of transparency. It is large enough of an organization that it is an absurd claim, on its face, that there are not cliques and factions who would do such things if it were at all possible.

You investigated yourselves and found no evidence of wrongdoing.


When I said anyone can verify it, I meant it; go make an account on wikipediocracy, go to the "Wikimedian Folks Too Embarrassing for Public Viewing" forums, and go through the posts by that user.

Quite to the contrary, it's a very transparent organization because edit histories are public. It would be trivial to link to any instances of doxxing on the project, unless they don't exist, which they don't. Wikipediocracy doesn't count when talking about Wikipedia doxxing.


> It would be trivial to link to any instances of doxxing on the project, unless they don't exist

Please don't pretend as if people having a discussion at this level are unaware of the facilities available for permanent deletion on Wikipedia (the so-called "oversight").

> Wikipediocracy doesn't count when talking about Wikipedia doxxing.

"Wikipedia doxxing" clearly means doxxing performed by and/or against Wikipedians, not necessarily on Wikipedia's actual domains. Especially if you're using the term to refer to GP, which states:

> The article criticizes doxxing but well-known Wikipedia editors doxx each other all the time...

So unless you can demonstrate that these Wikipedia editors don't post on Wikipediocracy, then yes it obviously does count. "Wikipedia editors doxxing each other" doesn't stop being "Wikipedia editors doxxing each other" just because of where it's posted.

> When I said anyone can verify it, I meant it; go make an account on wikipediocracy, go to the "Wikimedian Folks Too Embarrassing for Public Viewing" forums, and go through the posts by that user.

It looks to me like the top-level commenter already did exactly this, and found the exact opposite of what you imply we'd find.


My thesis is that Wikipedianon's comment implies Wikipedia editors (specifically, "well-known" editors and "admins") doxx each other all the time, but that's hilariously wrong. Doxxing mostly comes from assholes outside the community, such as those who post on Wikipediocracy.

Yes, on-project doxxing gets OS'd but it also results in discussions and bans which can be reviewed. And from those you can easily determine that it's truly rare.

When I said to go to the forums, that was unfortunately unclear wording; I meant it's trivial to verify that Beeblebrox didn't doxx anyone in his postings.


This is like claiming that you didn't key someone's car, because the scratches weren't signed with your signature.

No one doxxing others in that particular clique is going to do it from anything other than a burner account.


"No one doxxing others in that particular clique is going to do it from anything other than a burner account."

This is incorrect.

Many do it with accounts linked to their real onwiki profiles. jps is an example and I provided a link to unambiguous doxxing:

https://wikipediocracy.com/forum/viewtopic.php?f=38&t=14172

They've been doing it since 2016 when they started an "alt-right identification thread":

https://wikipediocracy.com/forum/viewtopic.php?f=38&t=8031

Others use accounts linked to their onwiki personas to ask for doxx. e.g. AndyTheGrump is a well-known user who posts in the "alt-right identification thread" about someone they dislike and gets a quick response. Here's AndyTheGrump asking for doxx on a user named "BlueGraf".

https://wikipediocracy.com/forum/viewtopic.php?f=38&t=8031&p...

Quickly followed up with that individual's full name and employment.

And many editors/admins participate in those doxxing threads to gawk or have fun under their real usernames.


Okay, but now that's an unfalsifiable statement. What makes you think the burners are tied to the well-known accounts?


Says the guy who's telling us "check for ourselves, no one doxxed anyone!" as if it means anything.


Also, the poster "Wikipedianon" makes Tu Quoque fallacies. The fact that some Wikipedia editors have engaged in doxxing of others doesn't make it less of a problem for the government to do so.

Unsurprisingly, "Wikipedianon" is a hit-and-run profile created just for this post, AFAICT.


It's a hit-and-run because I don't want to get doxxed.

I don't want a world in which Trump regulates Wikipedia but pretending it's sunshine and rainbows is a joke at this point.

And the person you're replying to is strawmanning. I never said Beeblebrox doxxed anyone, just that they leaked secret information on a doxxing forum in violation of Wikipolicy and possibly privacy law.


Wikipediocracy is hardly a doxxing forum…


Beeblebrox leaked internal mailing list messages to a forum known for doxxing in violation of the NDA they signed.

I know that Beeblebrox did not doxx anyone and I said that in my comment. My point is leaking information to a doxxing forum sends the wrong message and is dangerous.

Maybe you should create an account and look at the "Wikimedian Folks Too Embarrassing for Public Viewing" forum and get back to me. Or do something about it before the Trump administration uses this as an excuse to censor enwiki. Either way here are some excerpts if you don't want to.

From the first page, here's an active editor (iii, known as jps or ජපස) doxxing someone about UFOs. I took out the names to be polite but it's all there:

https://wikipediocracy.com/forum/viewtopic.php?f=38&t=14172

"Is [username 1] (T-C-L) an alt account of [username 2] (T-C-L)?

For those who are not aware, [username2] is the name of an account used by one [redacted] on various platforms up until about 2024 when he more or less abandoned them. That account also was involved in the ongoing game of accusing [redacted] (T-H-L) of being [redacted] (T-C-L) which is about as fairly ludicrous an attempt at matching a Wikipedia username as I've ever seen.

Anyway, I feel like maybe he thought "If [__] can do it, so can I." And maybe that's the origin of the VPP.

Oh, this is about UFOs. Yeah, I'm in the shit. Maybe someone can link to some other stuff for you to read, but I just want to drop this here because I have nowhere else I get to speculate on these matters and everyone loves a good conspiracy theory data dump from time to time "

Here's the thread "Who is Wikipedia editor i.am.qwerty"

https://wikipediocracy.com/forum/viewtopic.php?f=38&t=13821

"I.am.a.qwerty (T-C-L) gathered up a bunch of those articles and some earlier material to create Wikipedia and antisemitism..."

It goes on:

"But who is I.am.a.qwerty? Let's suppose, just for the sake of argument, that I.a.am.a.qwerty is a PhD student named [real name]. Specifically, this [real name]:"

> "[real name] is a PhD candidate [major] at [university name]. He received his BA (Hons) in [major] from [university]. Previously [real name] received his rabbinical ordination from the [other school] in [location] in [year]. [real name] is also the [job title] at [organization]."

I can't imagine any other community tolerating its members going on KiwiFarms and encouraging doxxing of other community members, so long as they didn't technically engage in it. But Wikipedia does.


That’s hardly doxxing. Asking if two publicly visible usernames might be related is hardly alarming.


To be absolutely, 100% clear: your position is that someone who writes on the Internet, a statement of the form:

> Let's suppose, just for the sake of argument, that [username] is a PhD student named [real name]. Specifically, this [real name]:"

> "[real name] is a PhD candidate [major] at [university name]. He received his BA (Hons) in [major] from [university]. Previously [real name] received his rabbinical ordination from the [other school] in [location] in [year]. [real name] is also the [job title] at [organization]."

is not "doxxing"?

Let's suppose, just for the sake of argument, that I find that patently absurd.


What about the part where they revealed the full name of the person allegedly behind the two usernames?


I think I agree with you on this one. Even on Wikipedia there's a ton of pages like SPI pages which can be indistinguishable from actual malicious doxxings.

Not to mention that there's a whole load of #MeToo scandals which would doom Wikipedia if exposed to the media.

https://www.reddit.com/r/JustWikipediaThings/wiki/scandals

