Welcome – post issues of interest to administrators.
When you start a discussion about an editor, you must leave a notice on their talk page. Pinging is not enough. Sections inactive for over three days are archived by Lowercase sigmabot III.
This page has archives. Sections older than 6 days may be automatically archived by Lowercase sigmabot III when more than 3 sections are present.
Use the closure requests noticeboard to ask an uninvolved editor to assess, summarize, and formally close a Wikipedia discussion. Do so when consensus appears unclear, it is a contentious issue, or where there are wiki-wide implications (e.g. any change to our policies or guidelines).
Do not list discussions where consensus is clear. If you feel the need to close them, do it yourself.
Move on – do not wait for someone to state the obvious. In some cases, it is appropriate to close a discussion with a clear outcome early to save our time.
Do not post here to rush the closure. Also, only do so when the discussion has stabilised.
On the other hand, if the discussion has much activity and the outcome isn't very obvious, you should let it play out by itself. We want issues to be discussed well. Do not continue the discussion here.
There is no fixed length for a formal request for comment (RfC). Typically 7 days is a minimum, and after 30 days the discussion is ripe for closure. The best way to tell is when there is little or no activity in the discussion, or further activity is unlikely to change its result.
When the discussion is ready to be closed and the outcome is not obvious, you can submit a brief and neutrally worded request for closure.
Include a link to the discussion itself and the {{Initiated}} template at the beginning of the request. A helper script can make listing easier. Move discussions go in the 'other types' section.
Any uninvolved editor may close most discussions, so long as they are prepared to discuss and justify their closing rationale.
Closing discussions carries responsibility, doubly so if the area is contentious. You should be familiar with all policies and guidelines that could apply to the given discussion (consult your draft closure at the discussions for discussion page if unsure). Be prepared to fully answer questions about the closure or the underlying policies, and to provide advice about where to discuss any remaining concerns that editors may have.
Non-admins can close most discussions. Admins may not overturn your non-admin closures just because you are not an admin, and this is not normally in itself a problem at reviews. Still, there are caveats. You may not close discussions as an unregistered user, or where implementing the closure would need tools or edit permissions you do not have access to. Articles for deletion and move discussion processes have more rules for non-admins to follow.
If you want to formally challenge and appeal the closure, do not start the discussion here. Instead follow advice at WP:CLOSECHALLENGE.
Other areas tracking old discussions
- Wikipedia:Requested moves#Elapsed listings
- Wikipedia:Articles for deletion/Old
- Wikipedia:Redirects for discussion
- Wikipedia:Categories for discussion/Awaiting closure
- Wikipedia:Templates for discussion#Old discussions
- Wikipedia:Miscellany for deletion#Old business
- Wikipedia:Proposed mergers/Log
- Wikipedia:Proposed article splits
Administrative discussions
Wikipedia:Administrators'_noticeboard/IncidentArchive1156#Boomerang_topic_ban_proposal_for_User:Hcsrctu
(Initiated 47 days ago on 9 May 2024) Ratnahastin (talk) 03:35, 28 May 2024 (UTC)
- Not done. Ratnahastin; ANI reports that have been archived will not be closed. ~~ AirshipJungleman29 (talk) 14:06, 9 June 2024 (UTC)
- Restored the request because AirshipJungleman 29 has refused to clarify his above misleading response.[1] Ratnahastin (talk) 04:15, 18 June 2024 (UTC)
Wikipedia:Administrators' noticeboard/Incidents#Riposte97: time sink
(Initiated 3 days ago on 22 June 2024) Obvious consensus has formed for a community imposed topic ban from "Indigenous peoples of North America, broadly construed". Admin close required. TarnishedPathtalk 09:49, 24 June 2024 (UTC)
Place new administrative discussions above this line using a level 3 heading
Requests for comment
Talk:Brothers of Italy#RfC on neo-fascism in info box 3 (Effectively option 4 from RfC2)
(Initiated 77 days ago on 8 April 2024) Clear consensus for change but not what to change to. I've handled this RfC very badly imo. User:Alexanderkowal — Preceding undated comment added 11:50, 1 May 2024 (UTC)
Comment: The RfC tag was removed the same day it was started. This should be closed as a discussion, not an RfC. voorts (talk/contributions) 22:03, 18 May 2024 (UTC)
Talk:Mukokuseki#RfC on using the wording "stereotypically Western characteristics" in the lead
(Initiated 75 days ago on 11 April 2024) ☆SuperNinja2☆ TALK! 09:41, 21 May 2024 (UTC)
- See Talk:Mukokuseki#Close Plz 5/21/2024 Orchastrattor (talk) 20:34, 21 May 2024 (UTC)
Talk:Climate_change#RFC:_Food_and_health_section
(Initiated 69 days ago on 17 April 2024) This was part of DRN process (Wikipedia:Dispute_resolution_noticeboard/Archive_245#Climate_change). It is ready to be closed [2] [3]. Bogazicili (talk) 18:39, 11 June 2024 (UTC)
RFA2024, Phase II discussions
Hi! Closers are requested for the following three discussions:
- (Initiated 53 days ago on 2 May 2024) Administrator recall
- (Initiated 50 days ago on 5 May 2024) Designated RfA monitors
- (Initiated 50 days ago on 5 May 2024) Reminder of civility norms at RfA
Many thanks in advance! theleekycauldron (talk • she/her) 04:27, 17 June 2024 (UTC)
If re-requesting closure at WP:AN isn't necessary, then how about different various closers for certain section(s)? I don't mind one or two closers for one part or another or more. --George Ho (talk) 17:39, 18 June 2024 (UTC)
Wikipedia:Reliable sources/Noticeboard/Archive 440#RfC: RFE/RL
(Initiated 48 days ago on 7 May 2024) Archived Request for Comment. 73.219.238.21 (talk) 23:32, 4 June 2024 (UTC)
Wikipedia talk:WikiProject Weather#Discussion -- New Proposal for layout of Tornadoes of YYYY articles
(Initiated 45 days ago on 10 May 2024) RFC outcome is fairly clear (very clear majority consensus), however, a non WikiProject Weather person should close it. I was the RFC proposer, so I am classified too involved to close. There were three “points” in the RFC, and editors supported/opposed the points individually. Point one and three had 3-to-1 consensus’ and point two had a 2-to-1 consensus. Just need a non WP:Weather person to do the closure. The Weather Event Writer (Talk Page) 14:39, 13 June 2024 (UTC)
Talk:Yasuke#RfC:_Should_the_view_that_Yasuke_was_a_samurai_be_added_to_the_article
(Initiated 34 days ago on 21 May 2024) It's a bit buried in a header designed to group similar discussions together (because there have been so many of them). I would like to request an experienced or admin closer, as this page has had a lot of new or WP:SPA accounts on it recently, so some more advanced weighting of the consensus here may be necessary. Loki (talk) 21:57, 22 June 2024 (UTC)
Wikipedia:Requests for adminship/2024 review/Phase II/Discussion-only period#Early close
(Initiated 25 days ago on 31 May 2024) Since it's an injunctive discussion, I was hoping someone could step in and close after I withdrew my own. Thanks! theleekycauldron (talk • she/her) 07:26, 18 June 2024 (UTC)
Talk:Greta Gerwig#Order of occupation in the lead
(Initiated 22 days ago on 2 June 2024) No new !votes in over a week. The RfC creator is claiming a no consensus outcome and I'm not sure I agree, but I am involved. ––FormalDude (talk) 06:08, 24 June 2024 (UTC)
Place new discussions concerning RfCs above this line using a level 3 heading
Deletion discussions
V | Mar | Apr | May | Jun | Total |
---|---|---|---|---|---|
CfD | 0 | 0 | 14 | 46 | 60 |
TfD | 0 | 0 | 0 | 11 | 11 |
MfD | 0 | 0 | 0 | 0 | 0 |
FfD | 0 | 0 | 0 | 0 | 0 |
RfD | 0 | 0 | 9 | 22 | 31 |
AfD | 0 | 0 | 0 | 2 | 2 |
Place new discussions concerning XfDs above this line using a level 3 heading
Other types of closing requests
Talk:Anti-Normanism#Requested move 22 May 2024
(Initiated 33 days ago on 22 May 2024). Should be closed by an uninvolved admin.--Berig (talk) 07:47, 16 June 2024 (UTC)
- Hi @Berig, does it really need an admin? Tom B (talk) 04:58, 19 June 2024 (UTC)
- After looking at it, I can see why an admin was requested, Tom B (talk) 14:52, 20 June 2024 (UTC)
Wikipedia:Village_pump_(policy)#Notifying_Wikiprojects_and_WP:CANVASS
(Initiated 28 days ago on 28 May 2024) Latest comment: 3 days ago, 79 comments, 37 people in discussion. Closing statement may be helpful for future discussions. Gråbergs Gråa Sång (talk) 10:29, 11 June 2024 (UTC)
Talk:Srebrenica massacre#Requested_move_2_June_2024
(Initiated 23 days ago on 2 June 2024), then relisted 10 June, Tom B (talk) 09:51, 17 June 2024 (UTC)
Wikipedia:Reliable sources/Noticeboard#Dani Cavallaro
(Initiated 21 days ago on 4 June 2024) A formal closure would be helpful to solidify consensus for future reference. Thanks! —TechnoSquirrel69 (sigh) 15:42, 16 June 2024 (UTC)
Place new discussions concerning other types of closing requests above this line using a level 3 heading
Request for re-close of an old RfC (and closure of a disruptive RfC)
I would like to request a review of the closure of this RfC regarding the page Paul Singer (businessman). It was discussed with the closer here.
The previous RfC for this same issue (12/10/15) can be found here where consensus was established six months prior to the RfC in question. Between the two RfCs, the closer had created a number of discussions (possibly in violation of WP:FORUMSHOP) here: [4] [5] [6] [7]. These discussions failed to garner much attention and mostly reinforced the 12/10/15 consensus.
It must be noted that the RfC in question is rather old (29/04/16) and editors protested the closure since it was closed by the same editor who opened both the RfC itself and all other discussions, and was not necessarily reflective of consensus which does appear to reinforce that set out in the 12/10/15 RfC.
The improper close of the RfC would normally not be an issue, however, yet another RfC has opened, claiming that the last discussion was "inconclusive" and we must therefore have another discussion.
I would argue that this has all been incredibly disruptive considering the huge number of editors involved (36) in the prior 8 discussions from a 16/07/14 RfC to the 29/04/16 RfC is plenty of discussion for something which editors have considered relatively uncontroversial - 23 have been in favour of the current consensus and 6 against, with 7 somewhere in between. Furthermore, consensus has often not been respected in the rare points of calm between discussion, with some of the "6 against" editors making against-consensus edits and reversions.
This is a messy situation, but to conclude, I would like to request the evaluation of the close here and the closure of the current RfC, considering the arguments made by other editors at Talk:Paul Singer (businessman)#RfC is Nonsense. Thanks. SegataSanshiro1 (talk) 19:42, 26 August 2016 (UTC)
- The issue is bifurcated in the prior RfCs. There was a limited consensus that a company could be called a "vulture fund" but no consensus that a person should be described as a "vulture capitalist" in the lead of a BLP. My own position has always been that specific pejorative terms should only be used as opinions ascribed to the persons holding the opinions, and that use of pejoratives about individuals should very rarely be allowed at all. To that end, I suggest that reversing prior closes is inapt, and the claims made that the prior RfCs support calling a living person a "vulture" are incorrect. The company can have cites of opinions that it is a "vulture fund" cited and used as opinions, but the use of that pejorative as a statement of fact about a living person falls under WP:NPOV and WP:BLP. The current RfC has 6 editors specifically noting that the use of the pejorative in the lead about a person is wrong, 1 says the person is absolutely a "vulture capitalist", 1 asserts that every RfC supports calling the person a "vulture" and one says we should not have any more RfCs - that the issue is settled and we should call the living person a "vulture capitalist" in the lead on that basis. I rather that the current 6 to 3 opposition to use of the term in the lead indicates a substantial disagreement with the assertions made here, and the request that a close be overturned out of process. Collect (talk) 21:08, 26 August 2016 (UTC)
- There has been no RfC to discuss whether someone should be called a vulture. I myself have said in past discussions that doing so, especially in WP's voice, would be contrary to what this encyclopaedia is about. Please do not mis-represent my views - it's things like that which have made these constant ongoing RfCs so toxic. My view is that Singer is most notable (WP:DUE) for running a vulture fund - and there are indeed countless sources (WP:RS) which confirm this and thus this fact should be made clear in the lede. Claiming that mentioning his company in an article equates to WP calling someone a vulture is nonsense and not a new argument - this is the same line those same editors took over and over again in these discussions to no avail. SegataSanshiro1 (talk) 21:32, 26 August 2016 (UTC)
- Note that I specify the issue at hand is with regard to using the pejorative with regard to the single living person in the lead. A number of sources have branded him a "vulture capitalist" as distinct from his role at EMC, which has been called a vulture fund. The two catenated uses of the pejorative are different here - one is with regard to how some have categorized the fund, the other as a personal pejorative in the lead about the person. Do you see that distinction? Especially when the single sentence uses the term "vulture" twice? Collect (talk) 23:09, 26 August 2016 (UTC)
- You also failed to mention 2 more editors who had been in favour of using the term vulture fund in the lede but refused to partake in this particular discussion since they have made it clear that there have already been too many. SegataSanshiro1 (talk) 21:39, 26 August 2016 (UTC)
- Again - the word "vulture" is used twice now in a single sentence in the lead - once with regard to opinions held about the fund (for which the prior RfC found the use of the opinion as opinion about the fund was allowable), and the second, the problematic one, with regard to the use of a pejorative about a living person in the lead of the BLP. Collect (talk) 23:09, 26 August 2016 (UTC)
- I am the creator of the most recent RfC. Frankly SegataSanshiro1 forced this RfC to happen in the first place by refusing to engage in talk page discussion on the vulture point. I would like to request that anyone participating in this discussion carefully read Wikipedia:Status quo stonewalling, and then refer directly to each of SegataSanshiro1's actions leading up to this RfC, and his actions in this one as well. Whatever SegataSanshiro may personally believe, a slur in a lead is Always A Very Big Deal, and not something to be brushed under the rug. As WP:Biographies of living people says, "we must get it right." It seems clear to me that several parties want to freeze an ongoing discussion at a point they find satisfying. Yvarta (talk) 21:51, 26 August 2016 (UTC)
- I have been involved in these ongoing discussions for quite some time now. As I've stated before, using a pejorative to describe an individual on a BLP is unacceptable, especially in the lead. That being said, the previous RfC was closed once discussion went stale. There were ample opportunities and there was more than enough time to provide arguments. Once users agreed upon a version, which limited use of the term "vulture", the user who closed the RfC made the edits in question but was reverted and the term was included an additional three times.
- SegataSanshiro1's antics on Singer's page have gotten out of control and his motive on the page is clear. Now that consensus on the newest RfC is shifting highly in favor of removing the slur from the lead, SegataSanshiro1 is grasping at straws to get the previous RfC reviewed. If SegataSanshiro1 had an issue with how the previous RfC was closed, why didn't he follow through with a secondary discussion after this one went stagnant? After realizing consensus is shifting, not in his favor, he wants to call this new productive RfC "disruptive". Also, after the last RfC was closed, an admin came in and suggested a new RfC so do not throw out WP:FORUMSHOPPING accusations. Meatsgains (talk) 02:39, 27 August 2016 (UTC)
- Meatsgains, consensus is not shifting as you cannot establish consensus in a discussion which half of the editors can't even take seriously. You have been at the heart of this whole drama. Every time there was an RfC or discussion and consensus was established to use the term, you actively went about making against-consensus edits and other highly disruptive behaviour (which myself and other editors have called you out on time and time again) such as misrepresenting the results of other discussions, claiming sources weren't reliable when they were and even making up terminology like "distressed securities funds" to avoid using actual terminology. You are the only editor who has been involved in every single one of these discussions - very possessive behaviour all in all and along with the other things, you should have been sanctioned and barred from editing on that page.
- Still, you continue to misrepresent what happened. There were five editors (myself included) who have said that this RfC is daft. If that were not the case, I wouldn't have opened this discussion on the noticeboard. I'm not going to let you make me lose it again, so please stop referring to me - I want absolutely nothing to do with you, and I know I shouldn't be addressing editors directly, but I really want to make that absolutely clear. Something hypothetical you might want to think about though:
- After you've rolled the dice so many times trying to prevent WP:RS from an article and failed miserably, let's say that now after 8 or so attempts at getting your way you finally do. How seriously do you think other editors would take that consensus? Would they simply carry on doing as they wished to the page regardless as you have? Would they simply call another RfC in three months time and pretend the others never happened as you have? I very much doubt I'll stick around after this because I'm sick of this page, but I have a feeling you will, and if you do and you carry on acting as you have, you will be doing this for years. Please don't answer me. SegataSanshiro1 (talk) 03:09, 27 August 2016 (UTC)
- I have weighed in on this on multiple occasions and will do my best to promptly summarize my opinion on the topic. The original dispute over the use of the term vulture has been over the derogatory nature of the term on vulture fund’s page. Subsequent discussions have taken place regarding the general use of the term, however the scope of the debate later concentrated on the term’s use in a BLP, specifically Paul Singer’s page. Some editors, whom I will not name, act as if they wp:own the article and have done everything in their power to keep vulture fund and vulture capitalist in the article. Some users have actually made the argument that "vulture" is not derogatory whatsoever (one even argued that it should be taken as a compliment). No reasonable and neutral arbitrator could disagree with the fact that “vulture fund” is a slur, invented by people who are deeply opposed to their entirely legal investments. Comatmebro User talk:Comatmebro 17:05, 27 August 2016 (UTC)
Reverted 1 edit by Collect (talk): You're hardly the person to close this RfC... is a splendid example of grotesque snark. I did not "close the RfC" and that snark is ill-suited for rational discussion. In addition, I left in the "vulture" opinion about EMC, and note that the lead is supposed to be in summary style. I am concerned that this sort of snark is poisonous to any discussion, and ask that any editor who feels such personal attacks should be used should get the aitch away from here. Collect (talk) 21:32, 27 August 2016 (UTC)
- Collect, it's quite understandable that a number of editors are very much on edge considering this has been discussed to death and the conduct of a couple of editors in particular. I think what Nomoskedasticity meant by that remark is that you were making edits about something which was being discussed... Were you not one of those supporting an RfC after all?
- From my own personal perspective, I think mentioning his main business area is running a vulture fund, then including other references to him specifically in some sort of criticism section would be ideal. That and removing references to philanthropy from the lede as per WP:UNDUE. SegataSanshiro1 (talk) 22:18, 27 August 2016 (UTC)
- Comment: first of all I wish to state my astonishment at not being pinged when I was directly involved with one of the RfCs called into question. SegataSanshiro1's guerilla antics are indeed widespread and grave. I do not care about user behaviour at this stage, however, merely the state of Singer's biography. Said RfC was indeed improperly closed by myself, after which I requested admin intervention to reopen it (or closed by an uninvolved user - note I did so per WP:BOLD and because a determination was indeed agreed upon). This request was speedily rejected by KrakatoaKatie together with its corresponding ANI post, so I think it's safe to assume there is no interest in rekindling old fires. Attempts at mediation about this issue also failed. Regarding consensus, I counted at least 7 new voices in the current discussion, all offering interesting new insights (DGG, Collect, Elinruby, FuriouslySerene, Snow_Rise, Chris Hallquist, and Yvarta); there is strong indication at least some parties are willing to compromise. Some are under the impression consensus is a simple vote tally. I call into question this vehement ownership of the Paul Singer article. Every time any editor makes a serious attempt at a copy edit (no matter how minor), a concerted effort by the same bunch of editors reverses all possible changes. Just look at the edit history. Serious and pragmatic comments aimed at stemming this dreadlock are conveniently brushed aside, such as DGG's - "It's appropriate to use it in the article, since there is good sourcing, but it is not appropriate to use it in the lede. Ledes should be relatively neutral". If civil discussion cannot come about and admin action is required, so be it, but it does set a sad precedent. We had originally copy edited the lede back in October, trimming the use of "vulture" down to a single mention. This was of course then reverted maniacally even though discussion had concluded in that precise path. 
I don't see why a reasonable review of each instance of the word's use cannot take place. FoCuS contribs; talk to me! 22:59, 27 August 2016 (UTC)
- Focus, this wasn't intended to be "guerilla antics" - we had actually discussed a re-close prior to this and you were involved, together with a number of other editors who I did not ping since I figured they would not want to be dragged into this again - I take it you're a page watcher anyway and I mentioned this discussion on the talk page. I also never had a problem with you being WP:BOLD and closing the discussion (in fact if I recall correctly, me and other editors were all for it), what myself and other editors had a problem with was the closing remarks, in particular "the RfC question was not unequivocally answered" when in reality it had, for the nth time that it is appropriate to use this particular word in this particular article - that's beyond discussion at this point. To this day, I agree with the path of compromise we embarked on, what I did not agree with was the sheer amount of forums this was taken to and the manner in which the discussion was closed. To be honest, that close made me question your good faith and took away any desire on my part to be collaborative.
- The issue with these discussions is that they're never clear, we're never discussing on a point by point basis since one or two editors (should be fairly obvious who) take these discussions as an attempt to remove all mention of the terminology, digging in their heels until we're back in 2014 again discussing whether we should censor it entirely (again, always the same editors). All the while, creating serious NPOV issues by removing statements backed up by RS and adding in things which are UNDUE in an attempt to whitewash. If that stops, then I'm sure normal discussion could ensue and general anger levels could be drastically reduced along with the tedium. I have already said that I'm of the opinion that "vulture capitalist" should be discussed, but that's hardly going to happen if we still have editors claiming a vulture fund is not a thing, and the very presence of the term (what Singer is most notable for, if I may add) equates to Wikipedia calling a living person a vulture. That's not new, that's not productive and you're as aware of that as I am. SegataSanshiro1 (talk) 23:46, 27 August 2016 (UTC)
- It was a middle of the road close. There is a distinction between someone being personally a vulture, which implies that he acts in that manner in all his activities or is of that personality type, and running a fund that shares some similar characteristics and goes by the common name of vulture fund. We cannot avoid using the full term, because even those sources that endorse the profession use it as a matter of course. But we can try to avoid personalizing things that don't need personalizing, especially things that some people are likely to consider highly negative. DGG ( talk ) 03:30, 28 August 2016 (UTC)
- And to the point - any BLP which stresses the use of "vulture" seventeen times is likely to be perceivable as making a point in itself. I just do not understand the concept that name-calling is something Wikipedia should actively pursue, and that editors who even remove a single use from the lead are somehow evil here. Argh. Collect (talk) 12:46, 28 August 2016 (UTC)
- It doesn't appear 17 times. I only see 6 mentions in the article itself and one of them was actually about an antisemitic cartoon - the rest are mentions in references. --Lemongirl942 (talk) 12:49, 28 August 2016 (UTC)
- That's INCREDIBLY misleading. Most of those are references, hence more reason to include it. Of the 6 ACTUAL uses, none of them are in WP's voice. SegataSanshiro1 (talk) 14:29, 28 August 2016 (UTC)
- @SegataSanshiro1: You keep claiming that "Singer is most notable for" his "vulture fund". This is your own opinion. Do a google news search and tell us how many pages you have to dig through before coming across a page that uses the slur? This is a false assumption, which you have consistently done throughout this dispute. Meatsgains (talk) 17:10, 28 August 2016 (UTC)
- Stop pinging me. This isn't my own opinion and vulture fund is not a slur, it's the name of a type of fund that buys debt at discount prices and attempts to sue for 100% payment. As much as you pretend it isn't, you should remember this since you were involved in multiple discussions where you pretended that there was consensus that it was a slur when there wasn't - you were called out on it multiple times: [8] [9]. You also made a no-consensus page move from vulture fund to "distressed securities fund" despite there being no sources to validate such naming and in clear violation of WP:COMMONNAME - you should also remember this since there were two discussions, both on the talk page and at WP:W2W which undid that rather stealthy move and established rather firmly that vulture funds are indeed a thing and that is indeed what they are called, while Singer's EMC is one of the most prolific. Why have you consistently misrepresented information and lied to other editors? There's plenty more examples where you have been called out on doing this, want me to give more? Meatsgains, you are the only editor (along with Comatmebro, actually) who has been involved in every discussion to do with Singer, vulture funds and Elliott Management Corporation and consistently used some very dodgy tactics to get your way, ranging from ignoring consensus and making edits regardless to protecting all these pages like a hawk (or vulture, more appropriately?) and claiming sources aren't reliable based on your own opinions. I'm still shocked you're still around and you haven't been sanctioned. SegataSanshiro1 (talk) 18:19, 28 August 2016 (UTC)
- "This isn't my own opinion and vulture fund is not a slur" - Yes it is and yes it is. Also, do not dilute this discussion with attacking me. Meatsgains (talk) 20:15, 28 August 2016 (UTC)
- That's INCREDIBLY misleading. Most of those are references, hence more reason to include it. Of the 6 ACTUAL uses, none of them are in WP's voice. SegataSanshiro1 (talk) 14:29, 28 August 2016 (UTC)
- It doesn't appear 17 times. I only see 6 mentions in the article itself and one of them was actually about an antisemitic cartoon - the rest are mentions in references. --Lemongirl942 (talk) 12:49, 28 August 2016 (UTC)
- And to the point - any BLP which stresses the use of "vulture" seventeen times is likely to be perceivable as making a point in itself. I just do not understand the concept that name-calling is something Wikipedia should actively pursue, and that editors who even remove a single use from the lead are somehow evil here. Argh. Collect (talk) 12:46, 28 August 2016 (UTC)
Thank you, DGG; that's a fair representation of my basic thoughts as well. As I just posted on the Singer talk page, we're trying to discuss the use of "vulture" as a descriptor of a human being. "Vulture" is as such a charged word in the sense that we're liable to annex this valued meaning to a word that is used in the context of a business endeavour. Handling a vulture fund is not the same as BEING a vulture. I am utterly amazed people fail to see that. The previous close was precisely that, a "middle of the road close". The "vulture fund" practices are thoroughly discussed throughout the article in the context of what quality sources have to say about the matter. Using the term through a personal angle by making a de facto generalisation in an article's lede is another story, and I believe we were making some progress back in October in this regard. I would very much like to see us return to that stage and come up with a neutral and balanced solution. FoCuS contribs; talk to me! 21:17, 28 August 2016 (UTC)
- Agree that handling a vulture fund does not equate to being a vulture - that's the main flawed premise that has been holding this back. I still disagree that the close was "middle of the road", since using vulture terminology does not violate NPOV (the question raised in the RfC) since it is WP:DUE - only a tiny, tiny number of people have said that all reference to vultures should be gone from the article. The Samsung affair and other criticism (such as "vulture capitalist") needs to go in a criticism section rather than the lede - Singer has received enough criticism from multiple sources to warrant one. Vulture fund, on the other hand, should remain firmly in the lede - that's what he's known for and what a large chunk of the article is about. I know you have argued that he has other investments, but that's akin to leaving out the Iraq war in Tony Blair's page. SegataSanshiro1 (talk) 22:30, 28 August 2016 (UTC)
- Yet again you are wildly, amazingly off topic. There is already an RfC discussing this issue, in case you forgot, and a talk page to discuss general improvements. This discussion, SegataSanshiro, you started to determine if the RfC creations are inappropriate. As you seem to have forgotten, I would like to remind you that you reverted my lead change on the grounds that I needed to first discuss, and now you are trying to shut that very discussion down - that, or apparently force it to stagnate by repeating the same arguments while ignoring the arguments of others. As far as I am concerned, you specifically continue to stonewall and disrupt a natural consensus building process. You are either nearing either an epiphany (i.e. that this is not a battle you are trying to win), or nearing a topic ban. Yvarta (talk) 23:45, 28 August 2016 (UTC)
- Not me specifically. There have been five editors (including me) who have questioned the validity of this RfC. SegataSanshiro1 (talk) 15:47, 30 August 2016 (UTC)
- Comment I am not opposed to having an administrator re-close a previous RFC if the stated consensus was incorrect (I was the one who suggested coming to AN on the Singer talk page as SegataSanshiro continues to question it), just for the sake of clarity and any subsequent discussions. I do not support closing the current RFC though. I don't see it as disruptive as opinion is clearly divided and the issue is contentious, the previous RfC was over 4 months ago and the closing and consensus is disputed, so getting new editors involved to seek consensus should be a good thing (I only joined this discussion thanks to this most recent RfC). As for my opinion about the underlying issue, I've already posted to the RfC and it may not be relevant here, but I believe that mainstream reliable sources do not refer to Singer as a "vulture." He is called a hedge fund manager by these sources. Therefore the term vulture should only be used when it is ascribed to a specific person or entity (i.e., his critics). My reading of the current RfC and previous ones is that most editors agree with that position. FuriouslySerene (talk) 17:30, 30 August 2016 (UTC)
- Comment I have never edited this article and am in this because the RfC bot asked me to give my opinion. The person who started the RfC however has repeatedly told me I am off-topic when I try to explain the BLP policy. As best I can tell however the person's argument is that the appellation is inappropriate because Singer is a living person, and they appear to be ready to repeat this argument indefinitely. I would also like to mention that while I personally believe that "vulture capitalist" is a specialized bit of vocabulary that is not particularly pejorative, the current wording does not use it in wikipedia's voice either, which many of the comments on this seem to assume. It says he has been called a vulture capitalist and provides no less than nine sources for the statement. I believe we should remove the weasel wording and explicitly quote one or more people. I would agree with the idea expressed at one point of balancing out concerns about due weight, assuming that is what they are, by adding other details of his business dealings. However as far as I can tell there are no such details; Singer seems to be a specialist in this type of transaction, and to have been for decades. Elinruby (talk) 20:07, 30 August 2016 (UTC)
- Explaining BLP policy is not off topic - however, long accusations of COI (without basis) and facts focused on Singer's details are very off topic to this particular RfC, as I've pointed out that many businessmen have similar, nigh identical press coverage concerning the "vulture" phrase. If you would like to start another RfC on a different nuance or topic, you are welcomed to. Yvarta (talk) 14:41, 4 September 2016 (UTC)
- Heh. The heart of my point is that Singer is a public figure and therefore under WP:PUBLICFIGURE it matters very much whether the statement is true. As for my COI concerns, well, normally we don't comment on editors but your actions do suggest one in my opinion, yes. You are very concerned, astonishingly concerned, with the PR of this billionaire, shrug. I didn't actually start with that assumption, mind; I just told you it was ok to be a paid editor if you declared yourself as such. But you say you are not, so. AGF. You *still* never ever answer any other editors questions, and dismiss them as irrelevant unless they support your desired outcome. Elinruby (talk) 12:39, 8 September 2016 (UTC)
- Comment - Anyone look at the nominator's (i.e. Yvarta's) edit history? Yvarta, this looks like it was not your first account. Who were you editing as prior to this account? NickCT (talk) 14:30, 4 September 2016 (UTC)
- Comment - This RfC makes for a dramatic read. My perception of things, after also skimming the older RfCs linked about halfway through, is that the prior RfCs were imperfectly framed, and as a result conversations were bogged down by arguments over whether Singer himself was a vulture, not whether vulture should be a descriptor in any lead at all. The RfC certainly has broader implications than one biography, as the overall precedent on Wikipedia most definitely favors avoiding such descriptors in bio leads. Has anyone else been able to find a biography or corporation with an animal slur used in the intro? I tried with several creative search phrases, and have so far utterly failed. This RfC is far from perfect as well, but I do applaud its attempt to focus the issue away from Singer. Most constructive so far, in my opinion, is that the argument that excluding vulture from the lead equals censorship has been debunked several times. Leads are certainly not required to include every detail of a criticism section, and per prior arguments, any concept that could be carried across by "vulture" could also be carried across with an alternate explanation.
- Note to whoever closes this RfC: However long this discussion needs to continue, I would like to note that there is obviously not a clear consensus in favor of keeping vulture in the lead, even though the reverts apparently leading to this discussion were founded entirely on the argument that prior RfCs had reached consensus. As such, I would like to note that all three of those reverts have been proven to have been without basis, even if they were done in good faith. A number of contributors, several of obvious neutrality and experience, have agreed that a slur of denigration is inappropriate in a lead when applied to a person or company, especially since both the criticism and the neologism can be fully explained with neutral and more conservative words. As such, the argument that there is a violation of the neutral tone mandated by WP:BLPSTYLE is at the very least plausible, however this consensus concludes itself. Until that time, however, the assessment that biography leads must be treated with extra delicacy is absolutely correct, and I agree with Yvarta's bold action to remove "vulture" when he/she did, just like I would have agreed with a decision to remove "rat" or "loan shark" or "pig." Basically, until something is settled, there is currently no consensus, and I believe "vulture" should be again removed until consensus is reached and the barn is built. Bbmusicman (talk) 00:24, 15 September 2016 (UTC)
- Here are examples of why I answered as I did, if anyone is interested:
- My point is that when derogatory information *is true* then we are not required to pretend it's not there.
- - btw, for a dispassionate take on what a vulture capitalist actually is. I think people should read vulture fund and vulture capitalist -- nothing there about animals. Hope that helps. Elinruby (talk) 00:36, 8 October 2016 (UTC)
- I highly encourage you to take some good examples to the RfC, where contributors can see them (this discussion isn't linked on that talk page anymore, after archiving). I'm a bit confused by your examples, though? Shrimp isn't very derogatory, except perhaps to a very short and insecure person, and "dictator" is actually relatively neutral, especially compared to synonyms such as "tyrant" or "monster" or "fiend." Other phrases, like "mass-murderer," also have negative connotation, but they are clinical and exact, without cartoonish connotation making the phrases more loaded than necessary. Perhaps other examples? Yvarta (talk) 22:41, 10 October 2016 (UTC)
- Observations: (1) SegataSanshiro1, who opened this AN thread and who has written more than double the amount of text of the article than any other editor [10], is Argentinian (as noted on his userpage) and has a very strong POV and agenda about the article, since Singer's most controversial debt-funds are Argentinian. (2) In my opinion FoCuSandLeArN should not have closed the previous WP:RfC (nor should he have made the edit[s] presumed to be "consensus" -- at the very least, another editor should have made any edits springing from the RfC), since he started the RfC and has also been involved in the contentious debate(s). One can withdraw an RfC one has started, but one cannot close it. Only an uninvolved editor can formally close an RfC. See WP:Requests for comment#Ending RfCs. (3) That said, SegataSanshiro1 has opened this AN thread in a very non-neutral, POV manner, and as Meatsgains commented above, SegataSanshiro1 had no problem with FoCuSandLeArN's 5-month-old close until now. (4) What seems to need to happen is for an uninvolved administrator to look at and close the current RfC that is now on the talk page awaiting closure. (5) I believe Collect, a neutral and highly experienced editor, has encapsulated the issue well in his three comments above. Softlavender (talk) 03:04, 9 October 2016 (UTC)
- {{Do not archive until}} added. Please remove the {{Do not archive until}} tag after the review is closed. (I am adding this because RfC closure reviews frequently have been archived prematurely without being resolved.) Cunard (talk) 06:24, 8 September 2016 (UTC)
Self-nominations for the 2016 English Wikipedia Arbitration Committee elections are open
Self-nominations for the 2016 English Wikipedia Arbitration Committee elections are officially open. The nomination period runs from Sunday 00:00, 6 November (UTC) until Tuesday 23:59, 15 November 2016 (UTC). Editors interested in running should review the eligibility criteria listed at the top of Wikipedia:Arbitration Committee Elections December 2016/Candidates then create a candidate page following the instructions there. --Floquenbeam (talk) 00:43, 7 November 2016 (UTC)
- Come on bros, I know I'm a fatass but I can't fill 7 seats all by myself. ;) ☺ · Salvidrim! · ✉ 22:15, 7 November 2016 (UTC)
- I suspect many Americans are a wee bit distracted with another election you may have heard about. If our major cities aren't all on fire tomorrow I expect folks will be more willing to think about this. Beeblebrox (talk) 21:46, 8 November 2016 (UTC)
- Oh hey Salvidrim why did you only call on the bros? did you forget the sisters? — Diannaa 🍁 (talk) 01:43, 11 November 2016 (UTC)
- Whatever gender or nongender you identify with you can still be my fucking bro. ☺ · Salvidrim! · ✉ 01:46, 11 November 2016 (UTC)
- Okay I am chill with that. — Diannaa 🍁 (talk) 02:11, 11 November 2016 (UTC)
Note: Nominations are closing in less than an hour and a half. There are currently 9 standing candidates running for 7 open seats. (For comparison, last year had 20 candidates for 9 open seats.) Mz7 (talk) 22:41, 15 November 2016 (UTC)
Compromised accounts
In the last few hours both user:Jimbo Wales and user:Legoktm have had their accounts compromised, seemingly by the same group, and used to vandalise the Main page and other articles. I would suggest any admins with weak passwords change them. Stephen 13:22, 12 November 2016 (UTC)
- Another hacked account: AlisonW (talk · contribs). I would advise all admins to change their password to a strong one and enable Two-factor authentication. Don't know how they're doing it, maybe Brute-force attack. --Jules (Mrjulesd) 19:11, 12 November 2016 (UTC)
- Another hacked admin has just been blocked. The hacker, who is from the hacking group OurMine, seems to be blocking Zzuuzz with the admin accounts they get control of. How is this even happening? Also, will two factor authentication be enabled for extended confirmed users as well as admins? Class455 (talk) 19:36, 12 November 2016 (UTC)
- They seem to love me as I've blocked most of the hacked accounts. My guess, if it's their usual MO, is that they're reusing passwords hacked by others from other sites. It's probably no coincidence that most of the compromised accounts are likely to have had WMF email addresses. It's important (if not using 2fa) to use a Wikipedia password that's never been used anywhere else. -- zzuuzz (talk) 19:44, 12 November 2016 (UTC)
- That would make sense, strong passwords if reused on multiple sites are no longer strong. So far six accounts seem to have been hit: four admin accounts and two non-admin accounts. --Jules (Mrjulesd) 19:52, 12 November 2016 (UTC)
- I've blocked five myself, and I know of three that I haven't. Like I say, most but not all of them seem to be WMF employees. -- zzuuzz (talk) 20:04, 12 November 2016 (UTC)
- This is the real me, and thanks to those who've been picking up the violated accounts. As one of my very oldest accounts the WP password was weaker than my others, but no longer (thanks to Ajraddatz for releasing me) FYI, every site I use has an individual password and WP did not reuse one from anywhere else, thus it was either brute force (was only nine characters - now 24 random) or backend access. My money's on the brute force. --AlisonW (talk) 21:01, 12 November 2016 (UTC)
- Well that's interesting, if it was a brute force attack this can be prevented by various countermeasures, as for only allowing a limited number of attempted logins over a certain time period; see Brute-force attack#Countermeasures. I wonder if any countermeasures are in place? --Jules (Mrjulesd) 21:42, 12 November 2016 (UTC)
- Yes we do have countermeasures against brute force attacks (max 5 logins every 5 minutes, and no more than 150 attempts every 48 hours. We also keep a record of every failed login attempt). However at this time we do not believe this was a bruteforce attack. Most of the victims seem to have shared passwords across multiple sites. We are still in the process of investigating. BWolff (WMF) (talk) 23:43, 12 November 2016 (UTC)
- "no more than 150 attempts every 48 hours" seems _very_ excessive. If someone has got it wrong even three times I would expect / require them to do a reset. 525 attempts per week is just asking to be brute-forced. I would strongly propose a substantial decrease in those numbers. --AlisonW (talk) 00:17, 13 November 2016 (UTC)
- To give some idea, a password three letters long constrained to only the English letters would take 26 weeks to try all combinations and expect to succeed on average in 13 weeks. Add one more letter and that time rises to 6 years. One more to five and it's 145 years. At six the chance of any success in a human lifetime is low. Dictionary attacks using either dictionaries or known lists of passwords and attacks using credentials stolen from other sites are more of a concern. Dictionary and known list attacks still take a long time with the current limit. Known email/password attacks are far easier and not likely to be blocked by rate limits at an individual account level. You can protect against those threats by using different email addresses and passwords. On the email side I normally use a different email address for every site and place I do things with and passwords I don't discuss my practices. An easy password approach is to have a base password and put something about the site somewhere within it. So you might have a base password like 1.z'€A and use 1.zwikimedia'€A as a login password to WMF servers. Since email and password are then different for every site your account won't be compromised by automated attacks using stolen details. High value targets like Jimbo can still be affected by human or intelligence agency analysis and attack. € is the euro currency symbol, available on many keyboards via an Alt Gr + 4 key combination or just directly in some countries or devices. I included it as an example of a character not in the traditional English language that will greatly increase brute force attack time. Jamesday (talk) 02:36, 13 November 2016 (UTC)
- There is a problem with this method. If hackers discover from another site that your base password is 1.z'€A and they're looking to break your wikimedia password, it won't take long to come up with the correct combination of 1.zwikimedia'€A. Base passwords, and twiddling numbers tagged onto the end of it, are not a great security device unless you add a lot of extra work. -- zzuuzz (talk) 09:37, 13 November 2016 (UTC)
- Well, as this is not a brute force attack (as mentioned above), and not one borne out of the yahoo email leaks (again, as Alison mentions above, hers was a unique password), it is imperative that the Foundation is open to the fact that someone may have hacked our own servers and takes preventive action immediately, including forcing every password of registered users to be changed immediately (well, Amazon, Yahoo, Facebook keep buying leaked passwords from the white/darkweb and force users whose passwords seem to be available on the net to change their passwords; thus can the WMF too). Lourdes 03:14, 13 November 2016 (UTC)
- I think we may be missing some details still. Some useful information would be if the compromised accounts were done so via password resets or not. Right in the middle of all of this someone at 188.50.20.119 tried to password reset my account. — xaosflux Talk 04:00, 13 November 2016 (UTC)
- You got a reset? That's nothing... try having a really simple user name. — Scott • talk 17:34, 14 November 2016 (UTC)
- We are still investigating the issue. We are of course considering all possibilities, however at this time we do not believe that anyone "hacked our own servers" (for a variety of reasons). Let's not panic folks. BWolff (WMF) (talk) 04:13, 13 November 2016 (UTC)
- Of course, the intention is not to create panic. It's just to suggest a judicious move to inform all users (or at least all administrators immediately) that such an incident has occurred with multiple administrators including the co-founder and that they should take steps to secure their passwords. All this at the Foundation's discretion of course. There's no gainsaying that in the technology driven world, such things do happen. What's important to know is if there's a procedure set by the Foundation to handle such episodes, or is the same handled on an as-is-where-is basis (which is not what I'm saying is happening in this case)? This would go a long way in ensuring users like me do not feel that there is no formal procedure in place to handle such situations. Thanks. Lourdes 04:32, 13 November 2016 (UTC)
- We do not have the full picture, and probably neither does the IT staff at WMF yet either. If it's brute force, it will show in the logs. Going by Alison's comment, it is not a re-use of passwords (though multiple methods could have been used). If it is email interception, it will show a reset of the password. Maybe someone at WMF traced the attack and found the vulnerability, but cannot disclose it until it has been fixed.
- Anyways, changing passwords is security theater at that point.
- <rant>In any case, if the password database was properly managed and salted the compromise will have limited effect. That should be the bare minimum of password database management but I guess that if Yahoo does not have the money to do it, the WMF cannot be expected to pay for it. </rant> Tigraan (Click here to contact me) 17:47, 14 November 2016 (UTC)
- I think we may be missing some details still. Some useful information would be if the compromised accounts were done so via password resets or not. Right in the middle of all of this someone at 188.50.20.119 tried to password reset my account. — xaosflux Talk 04:00, 13 November 2016 (UTC)
- It is not security theater to change your password if you have used it on multiple websites. If you have used your password on multiple websites, please change your password. If you have used the same password for a very long time, we also strongly encourage you to change it (Common trend among attacked accounts is they used the same password for a very long time). BWolff (WMF) (talk) 20:23, 14 November 2016 (UTC)
Two-Factor Authentication now available for admins
Hi,
TOTP based two-factor authentication is now available for all administrators, crats, CU, and OS. I highly recommend you enable this from Special:Preferences - it provides an extra layer of security besides passwords. You can use an app on your phone like Google Authenticator to manage the codes, and if you don't have a smart phone, there are other alternatives that run on laptops. Please be careful and write down the scratch codes though - if you get locked out of your account because you lose your 2fa, it may not be possible to recover your account. I would appreciate if others could help disseminate this information to other admins/crats/CU/OS. I'll work on creating some documentation about this once I'm no longer scrambling. Thanks, Legoktm (talk) 15:14, 12 November 2016 (UTC)
- Thanks, Legoktm, I assume that you're using it yourself now? ;) I've forwarded a link to this to the Functionaries email list as well. —DoRD (talk) 15:47, 12 November 2016 (UTC)
- I'm passing it around the IRC areas, and letting my Commons colleagues know. Nick (talk) 15:56, 12 November 2016 (UTC)
- Could @Legoktm: or somebody else please explain this in terms suitable for the stupider admin demographic? I see the link "Enable two-factor authentication" in my prefs, but I hesitate to click on it. Will something irreversible happen if I do? Will I have to remember and somehow use (?) my "scratch codes" (?) forever more? Bishonen | talk 16:23, 12 November 2016 (UTC).
- Every time you log on with a password you will also have to enter your 2FA code from your authentication device. The scratch codes are one time logon codes in case you loose your device. — xaosflux Talk 16:27, 12 November 2016 (UTC)
- (edit conflict) Nope. I once clicked it on Commons, didn't activate it there, and opened a new browser (say, Firefox) and tried to log in there. Success. — regards, Revi 16:27, 12 November 2016 (UTC)
- You said you didn't activate it? You have to activate it, then it should be active on all projects using central auth. — xaosflux Talk 16:34, 12 November 2016 (UTC)
- Yes, I didn't activate it. (I'm replying to "but I hesitate to click on it. Will something irreversible happen if I do?" of Bishonen.) — regards, Revi 16:40, 12 November 2016 (UTC)
- If you click on the link, there are still steps you have to go through to activate 2fa. It is also possible to deactivate it if you decide you don't want to use it. —DoRD (talk) 17:12, 12 November 2016 (UTC)
- What happens when a user with 2FA enabled loose sysop/CU/OS/etc rights? Is 2FA still enabled? --Thibaut120094 (talk) 17:25, 12 November 2016 (UTC)
- My understanding is that if a user loses their eligibility to use 2FA (e.g. by losing any and all groups that granted it to them) then it will remain enabled, but they will no longer be able to access the special pages for managing OATH, so they won't be able to disable 2FA. --Alex Monk (WMF) (talk) 18:32, 12 November 2016 (UTC)
This is good information, I suggest we massmessage the enwiki admins - will give it a day for any comments first; if anyone wants to help write up the massmessage text, feel free to drop a template below! — xaosflux Talk 16:36, 12 November 2016 (UTC)
- What where and how is "my authentication device"? On my non-existent smartphone? I'm frankly not sure it sounds like something I want. I log in and out quite a lot [inexplicable coughing fit] and would rather not add extra hassle to the procedure. Anyway, I have a pretty strong password. And, while I respect WP:BEANS, is it known or suggested that the recent hackery attacked weak passwords? (Was Jimbo's 1234..?) Bishonen | talk 16:41, 12 November 2016 (UTC).
I notice admin socks apparently can't use it. (I don't have an "Enable two-factor authentication" link.) But shouldn't they be able to? Suppose somebody hacked me or Bishzilla and started making statements with our authority seemingly behind it. Unfortunate to say the least. darwinbish BITE ☠ 16:43, 12 November 2016 (UTC).
- Striking out. You're not allowed in Wikipedia space! However, to be serious, is there a reason everybody can't have it? Bishonen | talk 16:45, 12 November 2016 (UTC).
- There's currently phab:T100375 about the user interface of the feature, and open questions as to what the procedure might be for resetting accounts for users who lose their device and their one-time scratch codes. Anomie⚔ 18:17, 12 November 2016 (UTC)
It is written that we cannot lose our scratch codes, as the account cannot be restored without them. If we do lose them however, can't we identify ourselves to stewards, much like written in here? Bharel (talk) 16:54, 12 November 2016 (UTC)
- You need a root DB user to do that. We stewards don't have such access. If I am right those single-use codes serve as TOTP tokens just in case you loose your token generator device. To prove the identity of an account, My guess is that I'd continue sticking to a committed identity. Corrections welcome. Regards, MarcoAurelio (talk) 17:22, 12 November 2016 (UTC)
- If you loose your scratch codes and your 2fa device, and you can prove who you are beyond doubt (What "beyond doubt" means I'm not sure, but I guess committed identity is a good choice), then a developer will remove the 2fa from your account. However, please don't loose your scratch codes. BWolff (WMF) (talk) 17:58, 12 November 2016 (UTC)
- The scratch codes are HOTP rather than TOTP, although the distinction doesn't make any difference to you as an end user. Anomie⚔ 18:17, 12 November 2016 (UTC)
How does this work for people who are admins on another project, but not this one - will the TFA be global? Andy Mabbett (Pigsonthewing); Talk to Andy; Andy's edits 17:11, 12 November 2016 (UTC)
- Presumably, with SUL, once activated on any project, it will be active everywhere. —DoRD (talk) 17:14, 12 November 2016 (UTC)
- Yes it works globally and it is also available for admins on other projects. --Thibaut120094 (talk) 17:23, 12 November 2016 (UTC)
- Yes. I activated on Commons, and when I was logging in to enwiki (where I don't have sysop bit) I was asked to submit. — regards, Revi 17:24, 12 November 2016 (UTC)
How will this work with WP:AWB? --Rschen7754 17:41, 12 November 2016 (UTC)
- Good question. I've opened phab:T150582. Regards, MarcoAurelio (talk) 17:50, 12 November 2016 (UTC)
- Wanted page Help:Two-factor authentication - anyone with good experience in writing up Help pages :D — xaosflux Talk 18:07, 12 November 2016 (UTC)
- Excellent news. I would also support mass messaging administrators about this. Are there plans for expanding access to all users sometime in the future? Mz7 (talk) 19:08, 12 November 2016 (UTC)
- I think that 2FA should definitely be extended to Edit Filter Managers as they can screw things up mightily as well. BethNaught (talk) 19:12, 12 November 2016 (UTC)
FWIW: This may be compromised email accounts (shared passwords possibly) - I got notice of a password recovery email that I did not initiate. — xaosflux Talk 19:24, 12 November 2016 (UTC)
- @Xaosflux: Could we get that mass message sent out ASAP? More accounts are getting compromised, left and right... — MusikAnimal talk 19:27, 12 November 2016 (UTC)
- Awesome initiative! I suggest adding Board members, stewards, arbitrators, and soon propagate to other projects. Pundit|utter 19:54, 12 November 2016 (UTC)
- I don't understand why us lowly users don't get access to this extra layer of security. Does this mean I need to go through an RfA, just so I can use 2FA? Doesn't sound quite fair.—cyberpowerChat:Limited Access 19:58, 12 November 2016 (UTC)
- @Cyberpower678: All in due time. They were/are working on it for everyone. It was rolled out early for people with advanced permissions in light of the circumstances. Once they have the infrastructure and the protocols to help the people who get locked out of their accounts (which will happen) it will be rolled out to everyone. --Majora (talk) 20:04, 12 November 2016 (UTC)
- Makes sense. I'm fortunately a sysop on the testwiki so I can activate mine from there.—cyberpowerChat:Limited Access 20:06, 12 November 2016 (UTC)
A good bit of the above would make a good start of a FAQ for the help page, if someone is interested in doing that. —DoRD (talk) 20:24, 12 November 2016 (UTC)
- I wrote a quick blog post about this, corrections earnestly welcomed. Anyone else remember Tubgirl in the site notice in 2007? - David Gerard (talk) 20:23, 12 November 2016 (UTC)
- Talk:Main Page/Archive 98#Who the hell put encylopedia my ass on the page?????? 53 seconds I'll never forget. -- zzuuzz (talk) 20:29, 12 November 2016 (UTC)
- @David Gerard: In regards to your comment about fobs in your blog post - In the long term, we would actually like to support physical tokens as an option people could enable (e.g. U2F). See phab:T150565. BWolff (WMF) (talk) 21:02, 12 November 2016 (UTC)
- I'll add that then :-) It's useful that these days everyone carries a suitable token device around with them, of course ... - David Gerard (talk) 09:11, 13 November 2016 (UTC)
- I have 2 questions. What to do if you lose access to application on your phone? And how to authorize via API if you have two-factor authorisation.--Anatoliy (Talk) 20:57, 12 November 2016 (UTC)
- When you enable 2FA you are given a number of one time use codes to print out and keep in a safe place. If you loose both the app and these extra codes, you are then locked out of your account (Similar to if you totally lose your password and recovery email. If you can prove who you are, a developer can restore your account to you, but you must have strong proof). BWolff (WMF) (talk) 21:02, 12 November 2016 (UTC)
- As for the API: You can use action=clientlogin for interactive login, or OAuth (preferred) or BotPasswords for automated login. Anomie⚔ 22:57, 12 November 2016 (UTC)
- Question: Before someone complains, it note of the Google Authenticator used in the 2FA service "Previous versions of the software were open-sourced but subsequent releases are proprietary." Does anyone else feel we will get 'issues' because of that? I know it is only a service, but somehow it feels wrong to be closed source. --AlisonW (talk) 21:37, 12 November 2016 (UTC)
- This is fantastic. It was very easy to implement for my own account. Great work! Mkdwtalk 01:35, 13 November 2016 (UTC)
- Question/comments When I first read about this security layer on mailing list, I felt really interested. Now, I am not feeling that much interested. a) My main issue is I don't have a smartphone with scanning feature. Looks like I have to add those long codes manually. b) These tokens will never be shown again. -- I have not enabled it still, but every time I am refreshing the page I am getting same 5 codes. Does it mean, these tokens will never be shown again after I enable it? c) I am using Google 2 Step Verification for many years now. I find it easier to use where they send code to your phone, backup phone, and finally you have an option to add recovery code. Anyway, thanks for enabling this feature. We needed better protection options. --Tito Dutta (talk) 02:35, 13 November 2016 (UTC)
- Shouldn't 2fa be available to bots? Compromised bots could do bad things which would not be easily noticed (because their edits are marked as a bot edit). And maybe also for filemovers, since they could easily vandalize a lot of pages with just one filemove (using a gadget). Pokéfan95 (talk) 02:52, 13 November 2016 (UTC)
- 2FA does not make sense for bots, since the idea is to authenticate through separate systems, but a bot does not have separate systems. Bots are encouraged to use the bot password feature though. BWolff (WMF) (talk) 04:18, 13 November 2016 (UTC)
- @BWolff (WMF): For the most part, bots should be using OAuth or BotPasswords already to limit their exposure, that is why 2FA for the main account shouldn't be an issue. Older bots that don't support oauth or botpasswords would have a problem trying to use 2FA though. — xaosflux Talk 04:19, 13 November 2016 (UTC)
- Two-factor-authentication is a welcome addition, certainly. I'll echo-paraphrase a post above ... I don't have a smartphone at present. I'm wondering if this is 3rd-generation 2FA technology; most 2FA I've seen involves the use of text messages as the second factor for 2nd gen. 1st gen 2 factor is based on, like, RSA hard tokens or, more recently, soft token applications. I look forward to the manual which explains in less technical terms how to take advantage if you are not a smartphone user. Thank you for taking this forward - it is a step in the right direction. --User:Ceyockey (talk to me) 03:03, 13 November 2016 (UTC)
- If you don't have a "smart" phone, but your phone still supports java apps (I think that's called a "feature" phone), you can use http://totpme.sourceforge.net/ BWolff (WMF) (talk) 04:16, 13 November 2016 (UTC)
- Google's 2-step verification is user-friendly and allows users to lock it onto their home PC so they can skip the dual stage, and only need to type in a password, though would continue to require two stage for any other machine. Wikipedia's 2-step is a little off-putting, and doesn't appear to allow locking onto a chosen machine, so two stage verification would always be needed, even on a secure home PC. I should imagine there would be a number of admins who would not be using Wikipedia's 2-step because it appears difficult to implement, insists on 2 stage verification every time, and would permanently lock you out of your account if you make a common human error of losing things. I think it would make sense to implement a more flexible and user-friendly two stage verification - even if that makes it slightly less safe. Better to have a 95% safe verification system that 100% of admins use, than a 100% safe verification system that only 5% of admins use. SilkTork ✔Tea time 12:30, 13 November 2016 (UTC)
- Just a thought - is this going to be made compulsory for admins? If not, then I fear it might not help much, because those admins more conscious about security and more likely to adopt it are already more likely to be using more secure passwords that better resist brute-force attacks (which is very likely what's happened here). Those who aren't too hot on security and who are likely to be the ones with weaker passwords won't be as keen to adopt 2FA. (I've been involved in password security issues for a long time in one way or another, and my biggest lesson is that appealing to people to voluntarily do things better is usually doomed to failure.) Boing! said Zebedee (talk) 13:14, 13 November 2016 (UTC)
- In the near future, it will not be compulsory for admins. In the long term - it's a possibility. However, we will not do that without having an extensive discussion/rfc on wiki. BWolff (WMF) (talk) 19:29, 13 November 2016 (UTC)
- OK, thanks. Boing! said Zebedee (talk) 23:14, 13 November 2016 (UTC)
I keep getting "Failed to validate two-factor credentials" when I hit Submit with the code from Google Authenticator and "Wikimedia:<my name>" .... anybody else having this problem? - DavidWBrooks (talk) 17:07, 13 November 2016 (UTC)
- Did you use "Wikimedia:DavidWBrooks" or "Wikimedia:<my name>"? De728631 (talk) 18:04, 13 November 2016 (UTC)
- "Wikimedia:DavidWBrooks" - not sure why I wrote it the other way. - DavidWBrooks (talk) 21:06, 13 November 2016 (UTC)
- DavidWBrooks The name is actually just a label for your device, and does not actually "do" anything as far as I can tell (e.g. I enrolled a second device and put WikiPEDIA instead of WikiMEDIA, but still get the same codes). The two-factor secret key is important, check your entry for things like ZERO vs "O" mismatches. — xaosflux Talk 00:16, 14 November 2016 (UTC)
- Why don't I have the option to receive an email when my password or other critical information has changed? That seems common sense for security. I don't use mobile devices as admin, so this seems to be a lot more pain than gain. A second "different" password would be simpler and more effective, particularly since uptake would be higher and the learning curve is zero. Dennis Brown - 2¢ 19:52, 13 November 2016 (UTC)
It'd be nice to see this implemented for our bots as well, unless it already is and I missed the memo.«»Who?¿? 23:53, 13 November 2016 (UTC)
- What about us admins who don't have smart phones (call me old-fashioned but I have a phone for phoning, a camera for taking photographs with, and a laptop for computing). I'm pretty sure that my password is secure. Should there be any attempt to force admins to use this, I for one will be voicing my opposition to such proposal. Mjroots (talk) 16:12, 14 November 2016 (UTC)
- There are ways to run 2FA apps on a standard computer (though this can weaken the security model 2FA is meant to support). Chrome users can run the GAuth addin; it is possible to get an Android virtual machine on Windows to run the android-based Google Authenticator app within it. There's probably more similar methods too. --MASEM (t) 16:32, 14 November 2016 (UTC)
Update: People in the Edit filter managers group can now also enable 2FA. BWolff (WMF) (talk) 20:25, 14 November 2016 (UTC)
Quick question : does enabling 2FA mean it is reasonably safe to log into an administrator account on a public PC, such as in a library, school or airport? I know many admins have alt accounts specifically for this purpose? Ritchie333 (talk) (cont) 13:34, 16 November 2016 (UTC)
- @Ritchie333: I suppose as long as you don't select "Keep me logged in" or if you explicitly log out you should be safe from having someone log in, as they will be presented with the 2FA challenge (more on that). However, I think the main reason admins are twitchy about logging into public computers is the possibility of keyloggers/other unsavoury software making a record of your password. It's still not the best idea, but it is slightly safer -- samtar talk or stalk 13:42, 16 November 2016 (UTC)
- Hmm. Recent account compromises suggest that many admins are following security practices significantly worse than logging into shared computers. If the computer was maliciously controlled, the attacker could steal your session cookie and then continue using your account on other computers (This applies regardless of if you check the remember my password. In fact, since the computer is not yours, someone could have modified it to always check the box even without it being shown as checked). Of course the counter argument, is probability wise, how likely is it that someone has modified that computer, and cares about your wikipedia account (As opposed to people's bank accounts)? Someone could also modify the computer to record your password (2FA would mean that they can't use that password to log in, but attacker having your password is in a significantly better position than one without your password, even with 2FA enabled). I would recommend against logging in on shared computers if your account is sensitive. If you do ever log in on a shared computer, you should probably at a bare minimum have 2FA enabled and be browsing in "incognito" mode, which will make you mildly safer, but ultimately not that much safer. BWolff (WMF) (talk) 15:45, 16 November 2016 (UTC)
Mass message draft
I've drafted a short message that could be sent out to administrators. @Xaosflux and MusikAnimal, and others, do you have any additional suggestions?
If all looks well, I can send it out shortly. Mike V • Talk 19:54, 12 November 2016 (UTC)
- What is "TOTP"? Jo-Jo Eumerus (talk, contributions) 19:57, 12 November 2016 (UTC)
- @Mike V: I would also add the recommendation to enable 2FA on their email account, if possible. The issue here as I understand it is they're getting passwords that were leaked from other sites, so we should make sure our admins know to use a unique password for their WM account and their email account — MusikAnimal talk 19:58, 12 November 2016 (UTC)
- @Jo-Jo Eumerus: TOTP is short for Time-based one-time password. In a nutshell, to log-in you enter your password and an additional code that changes frequently (usually every 30 seconds). @MusikAnimal: After, "... your account will not be recoverable." I could add "Furthermore, you are encouraged to utilize a unique password and two-factor authentication for the email account associated with your Wikimedia account. This measure will assist in safeguarding your account from malicious password resets." Mike V • Talk 20:09, 12 November 2016 (UTC)
- Sounds good :) Thanks! — MusikAnimal talk 20:10, 12 November 2016 (UTC)
- "Authentication device"? I don't use apps and am liable to change computer at a moment's notice. Also I edit from different IPs at times. I don't use a smartphone for anything much online except finding out where 'here' is, and how to get 'there'. (In fact, a lot of my phone use is done on a stupidphone...) My password at WP isn't used anywhere else, and nor is my email PW. If someone will give me a link for this confirmation of identity thing, I'll do that, but I think I'm more likely to lock myself out using this other thing. Peridon (talk) 21:01, 12 November 2016 (UTC)
- @Peridon: Full instructions for creating a committed identity are in the template documentation for Template:Committed identity. In short, you take a bunch of non-public verifiable information about yourself, turn it into a random string using a cryptographic hash function, and then post it on your userpage. If you ever need to confirm that you are the same person who put the committed identity on your userpage, you would send the information to a trusted user, who would put it through the same hash function and compare the results. -- AntiCompositeNumber (Leave a message) 21:22, 12 November 2016 (UTC)
- @AntiCompositeNumber: Thanks for that - I'll look into it tomorrow, As to the other thing, I hope that by then someone will have a definitive version of what it's about in language that people like Bishonen and I can understand. And I too don't trust a Google involvement. I haven't got a password with them, and I don't intend to give them one. Peridon (talk) 22:08, 12 November 2016 (UTC)
- I just set up 2FA after my account got compromised earlier today. Much easier than I expected, in fact! Thanks. --AlisonW (talk) 21:09, 12 November 2016 (UTC)
Whenever I have implemented two-factor authentication in the past, I've always done it by providing my phone number. Is there a reason why this is being done by Google Authenticator? I don't use my phone to log in. I log in from a laptop. The impression I get from the Google Authenticator article is that you have to be logging in from the mobile device. Or will logging in from any device generate a code sent to your phone? I am sure that is what actually happens, but am double-checking here first, as the Wikipedia article is not clear, has a 'citation needed' tag, and shouldn't be relied on anyway... Carcharoth (talk) 21:35, 12 November 2016 (UTC)
- @Carcharoth: Sites such as Yahoo Mail that send you a code via text message, that you use to login, are simply implementing the same 'standard' without requiring you to generate the codes locally. You can actually configure a code generator for Yahoo Mail, and it will produce the same codes that they send you by text. Google Authenticator is simply one 'implementation' of this software... any compliant generator will work (I use the Amazon one). Reventtalk 21:40, 12 November 2016 (UTC)
- Thank you. My concern is that the Google Authenticator requires Android 2.1 or higher to be installed. I have recently had a problem with upgrading What's App on my phone, and the upgrade process keeps failing. I wouldn't want to be locked into relying on upgrades on my phone to the Google Authenticator app to be able to access Wikipedia. To be clear, can the process of generating codes be transferred from device to device if one of them fails for some reason? Carcharoth (talk) 21:44, 12 November 2016 (UTC)
- @Carcharoth: TOTP code generation is dependent on the 'account name', 'secret key', and 'time of day'. You can simultaneously generate identical codes on any number of programs or devices if configured with the same information. Print out the 'enable two-factor authentication' page, with that information, and secure it physically... you can then use it to configure a new device. Reventtalk 21:50, 12 November 2016 (UTC)
Just to make this clear to people, since there seems to be a widespread misunderstanding. You do NOT need a smartphone to use this, you merely need a TOTP code generator. There are physical devices that do this, Windows and MacOS applications, and multiple addons for Google Chrome. The 'manual' configuration information displayed on the confirmation page, where your scratch codes are located, can be used to configure any number of devices/programs to produce the codes... any properly configured TOTP code generator, with a synchronized clock, will produce identical and synchronized codes. If you lose your device, but still have the configuration information, you can configure another one to produce a valid code (though your login is no longer secure, since you no longer possess all copies of your code generator). Reventtalk 21:37, 12 November 2016 (UTC)
- Does that mean you can generate codes on the same device that you use to login with? That is a security hole, surely? The whole point is to separate this between different devices, isn't it? Login on one device. Get authentication codes on the other device. But then many people log in from all devices these days. Carcharoth (talk) 21:47, 12 November 2016 (UTC)
- @Carcharoth: You 'can', but obviously should not. Reventtalk 21:52, 12 November 2016 (UTC)
- (e/c) Yes. Remember that you still need access to that actual device in that case. Whereas before you did not. That is an extra barrier. It's even better if you use two devices, but it's not the most important aspect of 2FA. 2FA is about "something you know" (password) AND "something you have" (a unique key on a device). Having just one is not enough. That's what makes it safer than just the password. —TheDJ (talk • contribs) 21:56, 12 November 2016 (UTC)
- Just enabled it and it seems to work just fine. Also for the many people using the word "loose" above, it's actually "lose". Jauerbackdude?/dude. 21:46, 12 November 2016 (UTC)
- So, let's see.. "experimental", "must have an app", "Google <whatever>", "scan a QR code" " if <this and that> you will totally be locked out of your account". Other than be being insane, why would I want such a thing? I do not have a smartphone (yes I read that we do not need one, still...), I do not trust "Google <whatever>" to have anything to do with my passwords or anything (yes, I do use some Google stuff, but the less the better), I do not trust Wikimedia if you're pushing me into Google arms either... What "recent events"? All my passwords are unique and pretty much scrambled ones. Why should I use a Google thingy that will eventually lock me out? (I am not saying I will not, I am saying the current information scares me more of the TOTP - starting from using weird acronyms on messages... - than from any hacker :) - Nabla (talk) 21:54, 12 November 2016 (UTC)
- @Nabla: "Google Authenticator" is just one software implementation of this. You can use Microsoft Authenticator, if you want, or any other TOTP code generator (including an open source one). They will all produce identical, synchronized codes if properly configured. There are 'keychain' devices as well, though they tend to suffer from time drift and have to be resynchronized. The protocol involved is an IETF standard, not a Google product. Reventtalk 21:59, 12 November 2016 (UTC)
- Thank you, Revent. I appreciate you trying to help. I hope you understand that replying with a few more "weird words", helps little :-) 'keychain' devices? IETF standard? Can't technical people talk in a way that only-mildly-technical people like me understand? :-) Please do not take me the wrong way, I know you and others mean well, but the current explanation is simply too strange. Damn... I use two-factor authentication already, to access my bank online, and it is way simpler than this. Or at least it feels like simpler, maybe is just the explanation that is still making things too complicated. I would suggest a couple of improvements for the help page. A simple one: the link to "others" links to a non existing page (named Google something - so the alternatives to Google are... Google, so the help pages says :-) or not). A not so simple one: provide step by step instructions on how to set it up without a smartphone. I presume quite a few people will not do something that may block us out, unless we are mostly sure it will work. Again, thanks for the effort, please keep improving it - Nabla (talk) 22:23, 12 November 2016 (UTC) PS: Went to check the activation page. It states "Step 1 - Download a mobile app for two-factor authentication (such as Google Authenticator) on to your phone." If there are alternatives, please someone explain them. Weird as it may seem not everybody has a smartphone... - Nabla (talk) 22:31, 12 November 2016 (UTC)
- @Nabla: TOTP = Time-based One-time Password Algorithm. IETF = Internet Engineering Task Force.
- A 'keychain device' would be a physical device, that you hang on your key chain, like one of these. Any TOTP 'implementation', properly configured (with the account name and secret key shown on the 'enable' page) will produce identical valid keys.
- There are also four or five different extensions to Google Chrome that do it, and Windows/MacOS software, but as mentioned above programming the device you use to actually log in (your computer) to generate the codes is insecure.
- You will be unable to enable two factor authentication without 'proving' that you have a valid method to generate codes. The valid code changes approximately every minute. Scanning a QR code simply saves typing the configuration information (the secret key is a quite long alphanumeric code) into the code generator to program it. Revent talk 23:01, 12 November 2016 (UTC)
- Is there a way to do it like in Gmail where you can just select an option to "remember this device" and not have to do the authentication every time? ~Awilley (talk) 22:27, 12 November 2016 (UTC)
- That's a good point. What if we set it up with cookies to remember the device? Perhaps if you've activated the new two-factor login process for your account, it could avoid requiring the additional steps whenever you log in with the device in question: you'd only need the additional steps when you're setting up the cookie in the first place, or when you're logging in from a different device. Nyttend (talk) 22:43, 12 November 2016 (UTC)
- I think it would be very useful if someone would simply give the steps required to log in after this is activated. A simple, non-technical list. To log in, you will do A, B, C. - Nunh-huh 11:17, 13 November 2016 (UTC)
- @Nunh-huh: It's simple.
- A. Go to login screen.
- B. Enter 'normal' username and password, hit "Log in" (as normal).
- C. Look at your 'device', and enter the token (it's a six digit number). Hit 'continue login'.
- That's it. Revent talk 12:38, 13 November 2016 (UTC)
- Well, thanks for that; I think adding that to the message of availability might be prudent. So it will work just like, say, Google does now? The cell phone rings, and the number is there? I don't have to open an application and ask it for the code? - Nunh-huh 16:36, 13 November 2016 (UTC)
- No, you need an application either on your phone (preferred) or on your computer that generates the token string for you. It's not automated, so you need to activate this app yourself each time you want to log in to get a new token. De728631 (talk) 17:37, 13 November 2016 (UTC)
- So then the actual sequence would be: A. Go to login screen. B. Enter 'normal' username and password, hit "Log in" (as normal) C. Find your smartphone (or other device-I imagine it could be the computer proper, so perhaps no finding involved). D. unlock it. E. open an authorizing-app. F. Look at your 'device', and enter the token (it's a six digit number). Hit 'continue login'? - Nunh-huh 22:42, 13 November 2016 (UTC)
- It's worth noting, though, that these apps have basically 'no' user interface beyond showing codes... tap on phone... look, code. Moments. Revent talk 17:55, 13 November 2016 (UTC)
- Sure, but as I said above, I recently suffered from an app that failed to upgrade properly and probably needs reinstalling in some way. Having to do that is a pain, and ties you into the app. You need both the mobile phone and the app to work. When receiving a text message with the code, you only need the phone to work (assuming it can receive text messages). It is like having to launch an app each time you want to make a phone call or send a text message, or each time you think someone is trying to contact you. The question I would have is whether this app launches in the background each time the phone is switched on, and waits there waiting for the signal to generate a code (similar to the way incoming phone calls and text messages work without needing to actively switch those functions on). If you have to physically launch the app each time (similar to using online banking fobs), rather than it activating itself by a signal received from the site in question, and there is no way to have a 'home' device where you only use TFA infrequently, then that is a deal-breaker for me (I don't mind using TFA on other devices). I do have a PGP public key. Carcharoth (talk) 20:31, 13 November 2016 (UTC)
- And on the other hand, if it sits in the background, how much battery life will it eat up? -Nunh-huh 22:42, 13 November 2016 (UTC)
- Yes you "launch" the application. I installed it on 2 android phones (same key and codes on each), one is a $20 disposable type - it gives me my code in less time than it takes to unlock the phone. Please note, if you edit from the same secure device and "remember me" - you will not be getting prompted for this unless you try to perform a security action such as changing your email or password. — xaosflux Talk 22:54, 13 November 2016 (UTC)
- Yes, but for some people that will be a barrier too far. The good thing is that if people try it and find it is too much hassle, they can disable it again. Carcharoth (talk) 23:11, 13 November 2016 (UTC)
- Instead of a smartphone, you can also use a local program on your PC/laptop. For those who don't like Google software, e.g. WinAuth is a free open-source app that doesn't even need to be installed. You download it onto your desktop and launch it only when you need to log in. De728631 (talk) 14:33, 14 November 2016 (UTC)
- Too complicated - While I applaud this idea, implementing it should not require reading more information than is contained in the entire United States constitution, scattered over several pages. Can't it be more simple just to figure out? As noted (in probably several hundred words), not everybody connects here via smartphone. Not everybody wants to read through "...if A does not apply....you can do B....or you can do C...or" and then on and on and on. The first and ONLY thing that comes up under Preferences/Enable two-factor authentication are instructions for a mobile app. I don't know if I enabled it or not - but didn't click on submit - but there is a place there that gives me the secret key numbers and scratch tokens..and then says to enter a code from a mobile phone. Oh, give me a break. If your account has been compromised, you're already stressed. Why does this have to be more complicated than Einstein's theory of relativity? Just give us a simple bulleted list of instructions that work the same for all systems across the board. Please. — Maile (talk) 14:17, 16 November 2016 (UTC)
- I think this is a very good point. I'm going to use the analogy with accessing my bank account online (as I did below) because it's similar; the bank provides me with a security device I use for authentication, and went over it with me when I first got it in order to confirm I understood it. Or, to give you another analogy, if I think my back door is a bit weak and easily breakable by a burglar, I might phone a locksmith out to have a look at it. The point is that I don't need to think about how to set the security up when I can pay for somebody to do it for me. Obviously that's not practical here, so I think we need to accept that 2FA just isn't going to work for some people and anyone who thinks it's "simple" needs to do a bit of hallway usability testing with newbies to cancel the inverse-Dunning–Kruger effect they're experiencing. Ritchie333 (talk) (cont) 16:06, 16 November 2016 (UTC)
- @Maile66: Please feel free to email me directly if you'd like any help, but I'm trying to de-tech WP:2FA a little at Wikipedia:Simple 2FA. I've also found a Windows-based TOTP client which you may find helpful -- samtar talk or stalk 16:15, 16 November 2016 (UTC)
This is a content dispute and should be discussed at Talk:Artur Aleksanyan. No admin action needed. De728631 (talk) 17:59, 13 November 2016 (UTC)
- The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
Anonymous user removes the information from the article based on the source in defiance of WP:NPV[11][12] claiming that it contributes nothing to the article however this is about the official reaction to the act of the subject of article. I don't want to initiate edit warring and ask administrators to return the relevant information and protect the article. --Interfase (talk) 17:07, 12 November 2016 (UTC)
- This is an obvious content dispute and nothing requiring admin action, but I'll note in passing that nobody is going to be sanctioned for removing the gibberish
Azerbaijan's Ministry of Youth and Sports evaluated the Armenian wrestler’s action as country’s attempt to overuse of winner and bring politics to sports-ground
from an article. ‑ Iridescent 20:33, 12 November 2016 (UTC)
OTRS recruitment
Hey. As always, the Volunteer Response Team could use some new agents to help process emails. The OTRS team handles incoming emails related to all aspects of the project. Without going into specifics, I've handled everything from donations of free text for use on Wikipedia, to helping an article subject combat widespread sockpuppetry aimed at defaming them, to explaining how a potential new editor can make their first edits and become a part of our community. The work of the OTRS team is incredibly important, but it's also a nice change-of-pace from the typical activities I do on the project.
We're especially in need of new agents who can handle permissions emails, meaning the emails donating free images and text for use on Wikipedia or other Wikimedia projects. It's extremely helpful if you have administrator rights on enwiki or Commons, but this is not necessary. It's also very helpful if you have a strong knowledge of copyright, acceptable licenses on Wikipedia, and how works enter the public domain. Please feel free to message me if you don't have that experience but would be interested in acquiring it.
If you're interested in helping out, you can read more at Wikipedia:Volunteer Response Team and meta:OTRS/Volunteering. Please note that there are a couple hard requirements to be an OTRS agent. At a bare minimum, you must be 16 years of age or older, willing to identify yourself to the Wikimedia Foundation, and willing to sign and uphold a confidentiality agreement.
Please feel free to contact me with any questions. I'm especially interested to hear from anyone who might be interested in helping with the permissions queues, even if you currently lack knowledge of copyright and licensing. Thank you! ~ Rob13 Talk 01:49, 13 November 2016 (UTC)
- Note: I'm not an OTRS administrator, nor do I speak for them. ~ Rob13 Talk 01:49, 13 November 2016 (UTC)
- I thought you didn't have to identify any more since they brought in the new confidentiality agreement? BethNaught (talk) 10:52, 13 November 2016 (UTC)
- Do this, folks. It's rewarding. You meet some great people. I have emails I cherish from Ronald Neame, for example. Also I got Christmas cards from Michael Winner and signed photos from Olga Korbut. You can help real people who are impacted by Wikipedia in real ways, sometimes you can help fascinating people upload images or add content that is a genuine asset to the project. I no longer do OTRS but I miss the daily interaction with real-world readers. Guy (Help!) 00:18, 14 November 2016 (UTC)
- I got a free lunch from the staff at The Minories, Colchester. Ritchie333 (talk) (cont) 16:11, 16 November 2016 (UTC)
SuperDuperJew
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
How to deal with this user's edit? — Preceding unsigned comment added by 2001:DA8:201:3504:6893:7032:8AC3:D4A (talk) 03:05, 13 November 2016 (UTC)
I request the page protection
I request the Administrators to protect the page Ilias Psinakis from edits by Winkelvi. He/she, without even reading, reverted the page contents to the old version, which was improved afterwards taking into account the relevant requirements. Each and every content of the page is confirmed by reliable sources. This user many times before harassed the page. Please, help! LS 11:51, 13 November 2016 (UTC) — Preceding unsigned comment added by LanaSimba (talk • contribs)
- No. This is a content dispute, please discuss at the talk page of the article.--Ymblanter (talk) 12:12, 13 November 2016 (UTC)
- I note also that LanaSimba has a long history of editwarring and "ownership" on that article and repeatedly removes maintenance tags without fixing the problems. I have now added {{copyedit}}. After her latest revert it is full of grammatical and lexical errors. LanaSimba's editing pattern as an SPA and the promotional style often correlate strongly with a major conflict of interest. I strongly urge her to read Wikipedia:Conflict of interest and, if it applies, to follow the guidelines there scrupulously. Voceditenore (talk) 12:29, 13 November 2016 (UTC)
- Voceditenore Please help to correct the page as a native English speaker, if you can. — Preceding unsigned comment added by LanaSimba (talk • contribs) 12:35, 13 November 2016 (UTC)
- LanaSimba, the maintenance tag will attract copy editors to fix the problem. I will be away for the next 10 days. However, the article is also plagued with unencyclopedic puffery. So far, you have resisted all attempts to copyedit it to an acceptable form. You also removed Winkelvi's comment [13] from Talk:Ilias Psinakis. That is completely unacceptable. I have restored it. I strongly suggest more admin eyes on this article. Voceditenore (talk) 12:41, 13 November 2016 (UTC)
- Voceditenore I never resisted any reasonable edits and all of them are duly considered and applied in the recent version. I resisted deletion of known and publicly confirmed facts (each substantiated by relevant links in the text). As for templates, sorry.. you are right. — Preceding unsigned comment added by LanaSimba (talk • contribs) 12:50, 13 November 2016 (UTC)
I have copyedited the article somewhat and added a few tags here and here as appropriate. If LanaSimba wants to play silly that's his business. But he should heed the advice of seasoned editors if he wants the article to be the best it can be. Iadmc (Jubileeclipman) (talk) 13:37, 13 November 2016 (UTC) PS LanaSimba sign by adding ~~~~ after comments.
- Iadmc (Jubileeclipman) I really appreciate your contributions! Thank you! And I will follow your advice LS 14:35, 13 November 2016 (UTC)
Dear administrators, Winkelvi again reverted the page, discarding Iadmc's edits and deleting many facts and links, previously confirmed. I treat this nothing more than Vandalism and Harassment. LS 14:35, 13 November 2016 (UTC) — Preceding unsigned comment added by LanaSimba (talk • contribs)
- He did not revert wholesale. He further edited the article for neutral point of view and appropriate encyclopedic tone and style. In my view it's a vast improvement, and any further changes should be discussed on the talk page. Voceditenore (talk) 15:25, 13 November 2016 (UTC)
Diannaa Abuse of administrative privileges
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
Abuse of administrative privileges
Administrator Diannaa, while notifying me of a content dispute regarding MikeSAdams(columnist), and asking for a rewrite of the final paragraph, instead chose to obliterate all of my edits to the page from the Wikipedia History. Her deletes centered on a paragraph tangential to the dispute, concealed in the edit summary. Only by carefully reading the summary did I find that she deleted sourced content from the page.
Ordinarily I'd not take this up here - but obliterating the wiki record to prevent restoration of content is not what her job as an administrator should be. Anyways, I've restored the content that she deleted, as well as editing the page. I am bringing up this complaint so that the early history may be restored.
https://en.wikipedia.org/w/index.php?title=Mike_Adams_(columnist)&action=history
Diffs are above. You can clearly see she removed a full page of edits from the Wikipedia history of the page.
Thank you for your time. Benkenobi18 (talk) 21:52, 13 November 2016 (UTC)
- Well, all these revisions did contain a copyright violation, and are thus copyright violations themselves. No "abuse" of anything there. Also, if someone removes an edit you made, merely reverting them is seldom well advised, especially when you don't use edit summaries. Jo-Jo Eumerus (talk, contributions) 21:55, 13 November 2016 (UTC)
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
This is probably nothing, but I think that a mention is in order. I reviewed User:Libertarian Macedonian/sandbox and tried to move it to Draft:Igor Janev. I was unable to move it because the title had been salted. I inserted a comment in the draft to that effect. If it were approved, admin action would be needed to unsalt it. I then commented that the second half of the Biography was a philosophical handwave. (Well, I tried to be kind. I thought it was mumbo-jumbo.) The author then posted to my talk page: "Hi Robert, I am new here. Can you tell me should I continue with submission of draft on Igor Janev or just remove the text. Thanks!" They then posted, "Does "protection" mean that only admins can create art. or what? " Well, the answer to that is yes. The author then blanked the sandbox and posted RETIRED banners to their user page and talk page. Other than that, the editor’s contribution has been a rant on User talk:Jimbo Wales. I have the editor watchlisted. This is probably just a passing tantrum. Robert McClenon (talk) 03:02, 14 November 2016 (UTC)
- This is the prolific Igor Janev spammer back again. I have reported it at WP:Sockpuppet investigations/Operahome. JohnCD (talk) 21:29, 14 November 2016 (UTC)
Bot mistake help
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
Hi, my bot User:GreenC bot made a mistake in a bunch of articles today. List of articles affected. Is there an admin tool or method to revert the edits other than manually? I'll re-run the bot on the pages after the revert. (the mistake was using MDY instead of DMY in certain cases). -- GreenC 03:50, 14 November 2016 (UTC)
In progress Checking. — xaosflux Talk 04:21, 14 November 2016 (UTC)
- Green Cardamom is this all of these pages, or just the ones on a certain date ("...articles today")? Some of these haven't been edited since 11NOV2016. — xaosflux Talk 04:24, 14 November 2016 (UTC)
- Hi xaosflux. Yes all the articles in the list. Most edits were made today, but some from the trial period and right after the approval. -- GreenC 04:30, 14 November 2016 (UTC)
In progress — xaosflux Talk 04:32, 14 November 2016 (UTC)
- Not all going to be simple, I've got Fluxbot working through the list supervised - only doing rollback where your bot is the last editor, and where there was another editor before it. See output so far on User:Green Cardamom/yes/2. The lines with * need manual cleanup. — xaosflux Talk 04:43, 14 November 2016 (UTC)
- I can do the manuals. Looks like Fluxbot is getting the bulk of it. thanks! Good to know there is a tool for this situation. The problem was the bot was checking for |df=y but not |df=yes, a silly oversight on my part but fortunately the bot keeps a local cache of the original articles so it was easy to identify those affected (out of 20,000). -- GreenC 05:04, 14 November 2016 (UTC)
Done Green Cardamom Job completed, there are 66 pages that need to be reviewed manually listed here: User:Green Cardamom/yes/2. — xaosflux Talk 05:36, 14 November 2016 (UTC)
- User:Xaosflux thanks again. The 66 are done, and the bot is re-processing the list. -- GreenC 05:48, 14 November 2016 (UTC)
Eyes on Stephen Bannon please
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
I'm not about to get involved with any article related to the election or American politics any time soon, but the editing on this has gone pretty crazy for the last few hours. Lots of potentially defamatory stuff happening, lots of IPs involved. Someone with thicker skin than I might want to help slam on the brakes. (I come from a long line of cowards, I admit it.) Tony Fox (arf!) 05:21, 14 November 2016 (UTC)
- This is definitely a major target right now. Someone should consider semi-protecting the page. Dustin (talk) 05:24, 14 November 2016 (UTC)
Extended-confirmed protection of Litfire Publishing
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
CambridgeBayWeather has applied extended-confirmed protection to Litfire Publishing. This is in response to the repeated addition of defamatory material by a single (autoconfirmed) user.
My understanding is that in this situation it would be more appropriate to block the account... if it reached that point.
They have been warned twice. They haven't edited since the last warning. I think it would make sense to leave it at that for now. If they do come back with another, similar edit, then it is time for a block.
If new accounts are created after that, semi protection is sufficient... unless it looks like someone is repeatedly creating throw-away accounts and getting them autoconfirmed... in which case ECP would be appropriate.
I thought I should bring it up here for discussion. That's what we are supposed to do with any slightly controversial applications of ECP, right?
Yaris678 (talk) 18:15, 14 November 2016 (UTC)
- The account in question is not even autoconfirmed so I'm going to drop to semi. Discussion of the user can continue. BethNaught (talk) 18:42, 14 November 2016 (UTC)
- This is a mixed bag. A rather new account, User:Awareauthors continues to add a negative claim about the sales tactics of Litfire Publishing, which is interesting though it may not be reliably sourced. Then there is another editor who has been removing that and calling it vandalism.
- Litfire Publishing (edit | talk | history | links | watch | logs)
- Awareauthors (talk · contribs · deleted contribs · logs · filter log · block user · block log)
- Asipulako (talk · contribs · deleted contribs · logs · filter log · block user · block log)
- The negative critique is from a group called Writer Beware which is covered here on Wikipedia in this section Science Fiction and Fantasy Writers of America#Writer Beware. If that makes their web site a reliable source (at least for their own opinion) there might be a way to get a toned-down quote from them into the article, and not violate BLP or anything. Part of the charge against Litfire Publishing is that they are connected to Author Solutions. We know from our article on the latter that Author Solutions have been sued for some of their practices. Both Litfire and Author Solutions offer their services to authors who want to self-publish. Though Awareauthors (talk · contribs) could be an SPA it looks as though Asipulako (talk · contribs) is a normal editor, though relatively new, with 54 edits so far. His removal of the negative content was probably just intended as normal article cleanup. I have notified both editors of the discussion here. Awareauthors may be the newly-registered incarnation of Special:Contributions/174.62.219.161 though that is not a problem. I hope that one or both of the opposing editors will join this discussion. If so, ECP may not be needed and we can use talk to settle this in the normal way. EdJohnston (talk) 19:25, 14 November 2016 (UTC)
- I must have clicked on the wrong protection level in the box. CambridgeBayWeather, Uqaqtuq (talk), Sunasuttuq 20:45, 14 November 2016 (UTC)
- Thanks for the note on my talk page. The first edit was from an IP:174.62.219.161 here. Then I asked to add back with a RS here but my edit was reverted. I then asked to discuss on talk page[14] but the user kept reverting and inserting defamatory content and even reported me of vandalism here. I think it can be business competition since the user is only interested on this article and keep adding the content as soon as the protection expired. I leave it to you as you are much experienced editors. Thank you. Asipulako (talk) 06:47, 15 November 2016 (UTC)
- I think this page Victoria Strauss may be connected. The article lacks credible sources and doesn't seem to meet the notability guidelines. I found another organization "The Write Agenda"[15]. The neutrality of all these articles including Litfire Publishing and Science Fiction and Fantasy Writers of America should be checked. Asipulako (talk) 07:01, 15 November 2016 (UTC)
Compromised account?
I found an account that had been inactive for a while and suddenly had a new edit from an apparent "hacker" that seems to have broken into the account. The hack statement threatened death and stated what is possibly the account holder's name. The account's contribs, the talk page -glove- (talk) 18:39, 14 November 2016 (UTC)
- For the meantime I've just blanked and revdel'ed the content of the userpage and talkpage, but I have to step out so feel free to take whatever other action seems necessary. ☺ · Salvidrim! · ✉ 19:11, 14 November 2016 (UTC)
- While it does not appear that this account is related to the compromised accounts over the weekend, given recent events, please ping me (on wiki, or better on irc [nickname bawolff]) if any more compromised accounts are discovered over the next several days, so that we can investigate if they are related to the incident. BWolff (WMF) (talk) 20:30, 14 November 2016 (UTC)
- User indef blocked. Beeblebrox (talk) 20:41, 14 November 2016 (UTC)
- Not being able to see what the threat said, I inquire to admins, is this the kind of thing that warrants an email to emergency wikimedia.org? And if so, has someone already sent said email? — PinkAmpers&(Je vous invite à me parler) 19:38, 15 November 2016 (UTC)
Legal noises on Talk:Shiva Ayyadurai, redux
Following on from this discussion, we have this edit, which claims not to be a threat but then goes into detail over how we are all certain to be sued.
(It also quacks exactly like the previous talk page edits by YatesByron & hence is arguably NOTHERE...) Pinkbeast (talk) 04:38, 15 November 2016 (UTC)
SPI Clerk note: As you say, at first glance it seems like a WP:DUCK quack, but KrakatoaKatie's CU result was Unrelated. ☺ · Salvidrim! · ✉ 04:57, 15 November 2016 (UTC)
- Let's have Bbb23 look at it to make sure I didn't interpret the data incorrectly. Katietalk 12:59, 15 November 2016 (UTC)
- I looked at only the technical characteristics of the two accounts, not their behavior. I'm also not commenting on any relationship to the sock master, just comparing the two accounts to each other. In my view, the two accounts are Inconclusive but Possible. YatesByron is using the equivalent of a proxy server, which hides their true location. If I were deciding whether to block them as being the same person, I would focus on behavior.--Bbb23 (talk) 13:31, 15 November 2016 (UTC)
- Is this the 'I invented email despite it being in use for at least 10 years previously' rubbish still going on? Only in death does duty end (talk) 13:09, 15 November 2016 (UTC)
- So, ah, quacking aside, do we think it's a legal threat? Pinkbeast (talk) 00:58, 16 November 2016 (UTC)
A new user right for New Page Patrollers
Hi Administrators' noticeboard.
A new user group, New Page Reviewer, has been created in a move to greatly improve the standard of new page patrolling. The user right can be granted by any admin at PERM. It is highly recommended that admins look beyond the simple numerical threshold and satisfy themselves that the candidates have the required skills of communication and an advanced knowledge of notability and deletion. Admins are automatically included in this user right.
It is anticipated that this user right will significantly reduce the work load of admins who patrol the performance of the patrollers. However, due to the complexity of the rollout, some rights may have been accorded that may later need to be withdrawn, so some help will still be needed to some extent when discovering wrongly applied deletion tags or inappropriate pages that escape the attention of less experienced reviewers, and above all, hasty and bitey tagging for maintenance. User warnings are available here but very often a friendly custom message works best.
If you have any questions about this user right, don't hesitate to join us at WT:NPR. (Sent to all admins). MediaWiki message delivery (talk) 13:48, 15 November 2016 (UTC)
Could you please delete this edit and hide the edit summary. An IP wrote a personal attack against me in the edit summary, but no private information was leaked. Emir of Wikipedia (talk) 15:38, 15 November 2016 (UTC)
- I was wondering if you could please hide the edit summary for this edit too. Emir of Wikipedia (talk) 17:08, 15 November 2016 (UTC)
- @Emir of Wikipedia: These would fall under the "not "ordinary" incivility, personal attacks or conduct accusations" clause of the Revdel criteria; it's not so bad as to require revision deletion in my opinion. Sam Walton (talk) 19:36, 15 November 2016 (UTC)
- @Samwalton9: Would the first edit come under #3 of the CRD? The edit had no value to the article, and likely its only purpose was to put in an edit summary concerning me. Emir of Wikipedia (talk) 19:40, 15 November 2016 (UTC)
- Warned the IP about personal attacks and what is not "vandalism", but I agree with Sam that it doesn't warrant revdeletion. Miniapolis 23:09, 15 November 2016 (UTC)
- The IP address you warned had been hopped off too, the current one is User talk:2607:FB90:1E0A:4EE6:0:30:F809:8501. This hopping has been going on for about a month now I think, and it's why I believe it is not ordinary incivility but prolonged. Emir of Wikipedia (talk) 23:15, 15 November 2016 (UTC)
This bot is not using the correct formatting with regards to dates. Example: Green Party of Canada. I brought the issue to the attention of the bot operator [16] who is essentially saying sorry, SOL. Fix it yourself with your own bot. Me-123567-Me (talk) 21:40, 15 November 2016 (UTC)
- This should probably be at the WP:Bot owners' noticeboard - or a notification should be sent there to draw their attention here. Mike1901 (talk) 22:09, 15 November 2016 (UTC)
- Yeah, I'd prefer to answer this at the WP:Bot owners' noticeboard. -- GreenC 22:16, 15 November 2016 (UTC)
- Started a new thread Wikipedia:Bot_owners'_noticeboard#.7B.7Bwebarchive.7D.7D_merge. -- GreenC 22:23, 15 November 2016 (UTC)
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
I am not sure what has happened but our main help page Help:Contents has been deleted and so have the redirects to this page, even the portal redirect. Not sure what's going on here but this page is viewed many times an hour and linked in our main side bar on the left. Need this restored asap!!!!!--Moxy (talk) 01:24, 16 November 2016 (UTC)
- Looks fine to me. What are you seeing when you visit it? ansh666 01:41, 16 November 2016 (UTC)
- Never mind, a vandal was redirecting the page, it's now been full-protected. ansh666 01:43, 16 November 2016 (UTC)
- Compromised admin account User:Maury Markowitz ...others they seem to be working on the problem. Guy in the section below got blocked by this FAKE admin. -- Moxy (talk) 01:48, 16 November 2016 (UTC)
- One of the compromised accounts changed the content model of the Main Page (see mw:Help:ChangeContentModel), an idea I've never heard of before. I'm looking to test it on a sandbox page and then revert myself. This is just a note to demonstrate that I am in control of my account; please don't think that I've been compromised because I'm doing something that a vandal just did. Nyttend (talk) 03:27, 16 November 2016 (UTC)
- And an edit with my alternate account (it uses a password that I don't use anywhere else) to demonstrate that yes, this is the real me. Nyttend backup (talk) 03:29, 16 November 2016 (UTC)
- And a reminder that the test is complete. You won't see me editing the Main Page, Donald Trump, or anywhere else, unless it's an actual thing that can be improved. Nyttend (talk) 03:31, 16 November 2016 (UTC)
- Have you ever read WP:BEANS? -- The Voidwalker Whispers 03:33, 16 November 2016 (UTC)
Yet another admin has just been hacked and globally locked. I was skeptical but really, all admins need to start using 2FA ASAP. Beeblebrox (talk) —Preceding undated comment added 05:10, 16 November 2016 (UTC)
There is an urgent issue.
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
I have been blocked by a malicious user, using the account of User:Maury Markowitz. Be aware of their recent edits. 2602:306:3B46:1600:D571:80BF:4917:795D (talk)MgWd —Preceding undated comment added 01:27, 16 November 2016 (UTC)
- And your account is...? Ian.thomson (talk) 01:30, 16 November 2016 (UTC)
Account globally locked with no warning and no information on what to do
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
I try to logon today to be told my password is invalid; when I get a new one I get told my account has been "globally locked" with no explanation as to why, no information as to how to unlock it and nothing at all in the help link. When I look at my talk page I am told I should contact admins & stewards I know privately, which is none. How am I supposed to get my account unlocked with no clear information whatsoever? — Preceding unsigned comment added by Timrollpickering (talk • contribs) 10:23, 17 November 2016 (UTC)
- Your account appears to have been compromised, as it was used to make vandalism-like edits to the main page. Please email the stewards at "stewards-at-wikimedia.org" for information on how to proceed. (As an aside, please be careful not to sign posts as an IP if you don't want your location known to a large number of people. I've asked an oversighter to suppress that bit of info.) ~ Rob13Talk 10:29, 16 November 2016 (UTC)
- Now unlocked and trying to make sense of the 2FA page. Tim 13:59, 16 November 2016 (UTC) — Preceding unsigned comment added by Timrollpickering (talk • contribs)
Admin accounts still getting compromised
Hi all - little surprised this hasn't been posted a little more...prominently.. but there are still administrator accounts getting compromised, and you should be taking action to prevent your account being used maliciously. More information on the actual incident can be found here on Commons and a more recent update here.
- Related discussion at WP:BN referencing how to deal with these compromised accounts
To help defend against these compromises please consider:
- Changing your password - Krebs has a great article on the "dos and donts" here
- Enabling two-factor authentication - see above and read this simple guide
- Using a unique password for Wikipedia
- Creating a committed identity
I think I speak for the community when I say this is important, and we need to overcome whatever hold it is these malicious actors have over our credentials. Thank you -- samtar talk or stalk 13:24, 16 November 2016 (UTC)
- Yeah this is a pretty big deal. Can we initiate a forced reset of all admin passwords? Ivanvector (Talk/Edits) 13:34, 16 November 2016 (UTC)
- This would be a nuisance to those who have already changed their passwords. The linked e-mail states "Please change your password, if you haven't already changed it in the last week." Espresso Addict (talk) 22:35, 16 November 2016 (UTC)
Couple of comments. 1. I would strongly recommend the WMF immediately attempt to crack every administrator password via a simple dictionary / rainbow table attack and desysop everyone they get hold of. This is a standard security procedure that is perfectly acceptable. 2. The instructions WP:2FA have got to be super-duper simple that I can do with my brain turned off. "First you must have or install a Time-based One-time Password Algorithm (TOTP) client" - that means I want a direct link to the Apple or Google store that works. The current instructions point to Google Authenticator, an article littered with {{fact}} tags which I normally take to mean "everything in this article is suspicious and may be false". Great. I do not want to have to spend time fiddling around with apps on my phone when I get it wrong, while simultaneously trying to deal with my kids who can do it with their eyes shut. You must not run the risk of people thinking it's too much hassle and not bothering. Remember, it is not a requirement to be good with computers or programming languages to become an administrator. Ritchie333 (talk) (cont) 13:46, 16 November 2016 (UTC)
- (edit conflict) Point taken - I've updated the 2FA instructions with some Google Play/iTunes App store links and will try to rewrite some of the guide -- samtar talk or stalk 13:50, 16 November 2016 (UTC)
- Okay, I've got 2FA turned on. One more thing, Special:OATH needs to be done on the local wiki where you have administrator rights, the instructions tried to log me in to Meta, where I don't have admin rights. All that said, once I had the app, scanned the code and put the key in, it didn't seem to be any more onerous than accessing internet banking, so my fears are a little alleviated. But we should still make the instructions as good as we can get. How can I help in this area? Ritchie333 (talk) (cont) 14:01, 16 November 2016 (UTC)
(edit conflict) The 2FA instructions still don't work. I have installed Google Authenticator but "Special:OATH" is a link to an "Unauthorized" page. Admins on a Wikipedia are not automatically admins on Meta-Wiki and so this system simply doesn't work. Also it is not a "mobile phone" but a "smart phone". The two terms mean different things. Tim 14:05, 16 November 2016 (UTC)
- (Solved it thanks to User:Ritchie333 but these instructions are all over the place. Tim 14:07, 16 November 2016 (UTC) ) — Preceding unsigned comment added by Timrollpickering (talk • contribs)
- (edit conflict × 2) Well I've made an edit-request for the watchlist notice which needs a helpful admin to move over. Other than changing/clarifying the Special:OATH link, is there anything else which could do with some clarification? Personally Ivanvector's suggestion to force-reset everyone's passwords is the next step if we see any other compromises -- samtar talk or stalk 14:08, 16 November 2016 (UTC)
- Moved the watchlist notice. Katietalk 14:25, 16 November 2016 (UTC)
- Cheers Katie, and good idea with the committed identity -- samtar talk or stalk 14:29, 16 November 2016 (UTC)
- I'll update the help page on meta to state that it needs to be enrolled from the wiki you are admin on. — xaosflux Talk 16:35, 16 November 2016 (UTC)
- I have updated Wikipedia:Simple 2FA as best I can to document what worked for me today, but I can't do much else without more testing. Ritchie333 (talk) (cont) 18:00, 16 November 2016 (UTC)
- May I make another, somewhat late, suggestion? Include a second suggestion besides Google authenticator. Google is banned in some countries, such as China. Heimstern Läufer (talk) 10:21, 17 November 2016 (UTC)
General discussion
To save people visiting this section from the watchlist notice, I've moved a block of discussion down here -- samtar talk or stalk 15:06, 16 November 2016 (UTC)
- UK and EU law does not allow for the WMF (or anyone else for that matter) to forcibly attempt to crack user or admin accounts on Wikipedia. Force-reset the passwords yes, actively crack the account passwords no. There are ways a systems administrator can identify weakly passworded accounts (running the hashed PW against known blah blah blah), but these do not extend to actually identifying the password, as to test it is correct would require logging into it and opening them up to all sorts of data laws regarding accessing private accounts without permission. Consider this a friendly warning before someone starts getting bright ideas about doing their own pre-emptive cracking. Only in death does duty end (talk) 14:11, 16 November 2016 (UTC)
- That aside (and yes, it wouldn't be a good idea for anyone to try that) - all we expect is our admins to reset their passwords if they haven't already, and strongly consider enabling two-factor authentication. If possible I'd like to see that watchlist notice get done, as some other editors may wish to reset their passwords also - it wasn't just administrator accounts which details were supposedly gained, but it's fairly obvious which can cause more damage -- samtar talk or stalk 14:18, 16 November 2016 (UTC)
- IANAL, but the ToU specify that any legal claim one might have against the WMF is subject to California law. If that doesn't suffice, WMF should add a clause to the password security section allowing cracking audits for privileged accounts. BethNaught (talk) 14:21, 16 November 2016 (UTC)
- It's a long and detailed discussion but the short version is 'The TOU do not protect the WMF or individual editors/admins in this situation'. If you want a longer explanation pop a note on my talkpage. Only in death does duty end (talk) 14:32, 16 November 2016 (UTC)
- And one can well imagine why such laws are necessary. "Hey, it's our site, (we're the bank, the local community org, Wikimedia) let's hack into everybody's account. And as long as we're there...hmmm...let's see if those accounts lead us to access on a person's computer....hmmm...the sky's the limit." — Maile (talk) 14:47, 16 November 2016 (UTC)
- I'm not saying it's a good or a bad idea to run a password-cracker program (which I know has been done before), but anything the WMF did in this regard they would do in California through individuals based in California, and I suspect that any objection based on laws of other countries would simply be disregarded. Newyorkbrad (talk) 14:52, 16 November 2016 (UTC)
We aren't doing anything dumb like storing the 'password strength' value in the database, are we? If we are, please contact me. I understand we use PBKDF2 for password storage, which wouldn't be my preference (I prefer bcrypt), but is reasonable provided we are using a reasonable number of iterations. OWASP's Password Storage Cheat Sheet is useful, and this stackoverflow question implies Wikipedia should be using 256,000 iterations as of 2016 (64,000 in 2012, doubling every year, so two doublings). The rule of thumb is to target roughly 1 second of CPU time; I haven't run tests to ensure that's the case. But, given some of the accounts have apparently been hacked while using strong passwords, it's very likely Wikipedia's password storage isn't the source of the compromise, even if we are using a stupidly low number of iterations. --Yamla (talk) 15:03, 16 November 2016 (UTC)
- The attackers appear to have a password dump from a different website. They do not appear to be bruteforcing/dictionary attacking passwords directly from our db (either online, or trying to reverse our password hashes), as they are only successfully compromising about one in every 10 accounts they tried. Thus password strength is irrelevant in this attack (That said, please use strong passwords to protect against other potential attackers), the problem is users using the same password on other insecure websites. Do not share your passwords among multiple websites. Please enable 2FA. Thank you. BWolff (WMF) (talk) 15:11, 16 November 2016 (UTC)
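The PBKDF2 points raised in the two comments above (per-record iteration count, doubling toward a target derivation time, and raising the cost for existing accounts), as an added Python example that is not part of the original discussion and is not MediaWiki's code. The record layout `pbkdf2$sha256$iterations$salt$key`, the SHA-256 digest and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
import time

ALGORITHM = "sha256"   # assumption: digest chosen for this example
SALT_BYTES = 16
KEY_BYTES = 32


def calibrate_iterations(target_seconds=1.0, start=64_000, ceiling=16_384_000):
    """Double the iteration count until one derivation costs target_seconds."""
    iterations = start
    while iterations < ceiling:
        began = time.perf_counter()
        hashlib.pbkdf2_hmac(ALGORITHM, b"calibration", b"\x00" * SALT_BYTES,
                            iterations, KEY_BYTES)
        if time.perf_counter() - began >= target_seconds:
            break
        iterations *= 2
    return iterations


def hash_password(password, iterations, salt=None):
    """Return a self-describing record; the salt is random per record."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, KEY_BYTES)
    return "$".join(["pbkdf2", ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def parse_record(record):
    """Split a stored record; raise ValueError on anything malformed."""
    scheme, algorithm, iterations, salt_b64, key_b64 = record.split("$")
    if scheme != "pbkdf2" or algorithm != ALGORITHM:
        raise ValueError("unsupported record")
    iterations = int(iterations)
    salt = base64.b64decode(salt_b64, validate=True)
    key = base64.b64decode(key_b64, validate=True)
    if iterations < 1 or not key:
        raise ValueError("malformed record")
    return iterations, salt, key


def verify_password(password, record):
    """Re-derive with the record's own parameters and compare in constant time."""
    try:
        iterations, salt, expected = parse_record(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                                    iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def login(password, record, current_iterations):
    """Return (authenticated, record_to_store).

    A successful login is the only moment the plaintext is available, so it
    is where a record with an outdated iteration count gets re-hashed.
    """
    if not verify_password(password, record):
        return False, record
    stored_iterations, _, _ = parse_record(record)
    if stored_iterations < current_iterations:
        record = hash_password(password, current_iterations)
    return True, record


if __name__ == "__main__":
    cost = calibrate_iterations(target_seconds=0.25)
    old = hash_password("constructed sample passphrase", 64_000)
    ok, new = login("constructed sample passphrase", old, cost)
    print(ok, old.split("$")[2], "->", new.split("$")[2])
```

None of this helps when the same password has leaked from another site, which is the failure described in the reply above: a reused password verifies correctly no matter how many iterations protect the stored record.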
- In the light of the newest batch of compromised accounts, is it worth doing another mailshot round to admins? I ignored the first message as it seemed to skimp over the real reason for sending it and made me think (as I'm sure other admins did) "well of course my account is going to be compromised!", only to change my mind like Beeblebrox after seeing more cracks. Just a paraphrase of "please change your password ASAP" should be enough - something as simple and idiot proof as you can get it. That TRP had no idea why his account was locked (despite getting the mailshot) suggests the previous mailshot did not work. Ritchie333 (talk) (cont) 15:23, 16 November 2016 (UTC)
- Clearly worth doing - I believe from a message on Xaosflux's talk that there are discussions of some sort relating to this. I appreciate the possible PR issues and understand why the softly softly approach is needed, but it's clear that unless we get a grip on this situation now we're just going to be playing catch-up. Thankfully it's eased up, but the attempts are still ongoing, so it will happen again at some point -- samtar talk or stalk 15:29, 16 November 2016 (UTC)
- For admins, we certainly can send another enwiki massmessage - suggest they change their passwords and consider enrolling in WP:2FA. There is a MMList here that can be used: Wikipedia:Administrators/Message_list. If this needs to go out to all editors, then we will need a banner campaign (and likely not limited to enwiki!) - or enwiki can put up a sitenotice for logged in users (mass message or watchlist will not be as effective for contacting all editors). — xaosflux Talk 16:28, 16 November 2016 (UTC)
- Last time something like this happened we initiated a new policy, WP:STRONGPASS that should have made an attack like this impossible. This was supposed to be a binding policy on all administrators, but apparently a number of them, including Jimbo, ignored it. It was widely advertised at the time. Beeblebrox (talk) 16:39, 16 November 2016 (UTC)
- Password strength is totally orthogonal to the issue being exploited in this attack. The strongest password in the world is useless if you reuse it on other websites that the attacker has access to. BWolff (WMF) (talk) 16:41, 16 November 2016 (UTC)
- (edit conflict) @Beeblebrox: as much as having a strong password is important, unfortunately here it would not have helped - the attackers likely gained access to password dumps leaked from earlier hacks of other services (such as the Adobe hack earlier this year) and tried them on Wikipedia. It appears a number of editors and admins have been re-using passwords, which is why this attack worked. The key thing here is to change your password, use a unique password for Wikipedia and consider enabling 2FA -- samtar talk or stalk 16:44, 16 November 2016 (UTC)
- I guess we didn't specify that since it seems so basic we shouldn't have to tell admins not to use their facebook password or whatever. It does appear to be mostly users who used their real names, making it easy to tie the two accounts. Beeblebrox (talk) 16:49, 16 November 2016 (UTC)
- This serious security breach has reminded me why I've always refused to register with WP:UTRS. The registration page says "Warning: Do not use the Labs Project (this site) if you do not agree to the following: information shared with the Labs Project, including usernames and passwords, will be made available to volunteer administrators and may not be treated confidentially". I wonder how many UTRS admins use the same passwords as their Wikipedia accounts? Boing! said Zebedee (talk) 16:56, 16 November 2016 (UTC)
- Please do not use your wikipedia name/password with stuff on tool labs. Anyone is allowed to create a tool, so the password can go to anybody. All new tools should use OAuth for authentication, which stops tools from needing your password. BWolff (WMF) (talk) 17:38, 16 November 2016 (UTC)
- Obviously people shouldn't, no, but a UTRS system in which passwords are not confidential is asking for trouble - I was staggered when I found out about it. But can you at least confirm that UTRS was not the source of the current hack? Boing! said Zebedee (talk) 17:43, 16 November 2016 (UTC)
- I think we return to the WP:NOTSUICIDE argument. The community has a right to protect itself. Admin accounts, if compromised, can do damage. A forced reset and mandatory 2-factor should be the minimum response, especially considering how many inactive admins we have on the books. Audits (although controversial) should be considered. Chris Troutman (talk) 17:19, 16 November 2016 (UTC)
- Wikipedia talk:Password strength requirements#RFC November 2016 let's just make this policy. Beeblebrox (talk) 17:14, 16 November 2016 (UTC)
- Audits were approved by the community in the RFC that led to the STRONGPASS. As far as I know they have never been done though. Maybe now's the time? It's been a local policy for about a year and was adopted as a global policy as well. WMF staff were active in the global discussion at meta so they are well aware of it. Beeblebrox (talk) 17:23, 16 November 2016 (UTC)
- Is there any technical reason that TFA has not been enabled for either all accounts or, to cut down on numbers but catch most active editors, any account with any additional permission? JbhTalk 17:50, 16 November 2016 (UTC)
- @Jbhunley: There simply isn't the infrastructure currently to deal with the people who will inevitably get locked out of their accounts. 2FA wasn't supposed to be rolled out this early at all, but in light of the circumstances it was. In due time it will be enabled for everyone once everything is set up. In the meantime, if you wish to have 2FA enabled on your account all you have to do is ask a steward to add you to the testing group (as I have). This can be done at m:Steward requests/Global permissions. Note that you only need advanced permissions on one CentralAuth wiki. So if you are a sysop on the testwiki for example you can enable 2FA there and it will be enabled here. --Majora (talk) 21:26, 16 November 2016 (UTC)
- I don't think it's technically possible to automatically enable it as it's also a two step process to set up, because it requires you to enter in a verification code from whatever client you will be getting the tokens from (e.g Google Authenticator, winauth) in order to be paired up with that service. Jauerbackdude?/dude. 21:33, 16 November 2016 (UTC)
- "Enabled" as in turn the button that you have to click on. If you aren't a sysop or above on one CentralAuth wiki and you aren't part of the 2FA "testers" group you won't even see the button in your preferences to turn it on. Otherwise, yes. You have to physically enable 2FA by clicking said button. --Majora (talk) 21:37, 16 November 2016 (UTC)
- @Majora: Thank you. JbhTalk 01:48, 17 November 2016 (UTC)
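The two-step TOTP pairing described in the comments above, as an added Python example that is not part of the original discussion and is not the code behind Special:OATH. It implements the RFC 6238 code computation, refuses logins until the first code from the client has been confirmed, and rejects a code that has already been used; the `Enrollment` class, its method names and the one-step drift window are assumptions made for this illustration, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length shown by common authenticator apps


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 one-time code for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at, digits=DIGITS):
    """RFC 6238 code for the time step containing Unix time `at`."""
    return hotp(secret, int(at) // STEP, digits)


class Enrollment:
    """Server-side state for one account's second factor (hypothetical)."""

    def __init__(self, secret):
        self.secret = secret
        self.confirmed = False     # becomes True after the pairing code checks out
        self.last_counter = -1     # highest time step already accepted

    def provisioning_secret(self):
        """Base32 form of the secret, as typed or scanned into the client."""
        return base64.b32encode(self.secret).decode("ascii")

    def _match(self, code, at, window=1):
        """Return the matching unused time step within +/- window, else None."""
        now = int(at) // STEP
        for counter in range(now - window, now + window + 1):
            if counter <= self.last_counter:
                continue                         # already used, or too old
            expected = hotp(self.secret, counter).encode("ascii")
            if hmac.compare_digest(expected, code.encode("utf-8")):
                return counter
        return None

    def confirm(self, code, at):
        """Step two of enrollment: the client proves it holds the secret."""
        counter = self._match(code, at)
        if counter is None:
            return False
        self.confirmed, self.last_counter = True, counter
        return True

    def verify(self, code, at):
        """Login check: only for confirmed enrollments, each code once."""
        if not self.confirmed:
            return False
        counter = self._match(code, at)
        if counter is None:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    enrollment = Enrollment(b"12345678901234567890")   # RFC 6238 test key
    now = time.time()
    print(enrollment.provisioning_secret())
    print(enrollment.confirm(totp(enrollment.secret, now), now))
```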
Is there any technical reason that TFA has not been enabled for either all accounts or, ... any account with any additional permission?
— I suggest that forcing all editors, or even editors with some additional minor-not-admin rights (eg me, with AP, ECo, Rv) to use 2FA might be a bad idea, and might lose editors. I would be reluctant to have to get a smartphone, or install additional software on my PC, just to edit as a registered user. (I currently have a password that easily exceeds WP:STRONGPASS and is not used on any other site.) Mitch Ames (talk) 01:04, 17 November 2016 (UTC)
- I think "enable" meant "make available for those who want it", not "make mandatory". Right now it's unavailable to regular users, but they are working on that. 50.0.136.56 (talk) 02:30, 18 November 2016 (UTC)
- Is this a mobile only thing? I do not own a tablet and do not use my smart phone all that much (in fact I abhor the thing so I make a point to "forget it" as much as I feel I can get away with) and the way I am reading this it's primarily to defend against mobile editing issues, but I contribute only with a tower and/or laptop. I'm not going to put myself through the aggravation of doing the Texas two-step to log in if this is not an issue for the non-mobile editors (the tower/laptop crowd). TomStar81 (Talk) 02:42, 17 November 2016 (UTC)
- Not specifically, you can install a code generator on your computer (see Wikipedia:Simple_2FA#How_to_enable_2FA.2C_the_simple_way_.28desktop_-_Windows.29 for an example). If you do this, keep your setup information very secret so that it can't be used elsewhere. — xaosflux Talk 02:48, 17 November 2016 (UTC)
- The traditional way to do it is with a dedicated device that you put on your keys, like this. That's both more convenient and more secure than a software token like on a smartphone, if you don't mind the additional small gizmo. They're around 5 USD each in quantity and I could imagine the WMF issuing them to users with access to private info (CU's etc.) who have to self-identify to the WMF anyway. The WMF issuing them would also make sure that the person supplied a working snail mail address to receive the token. I'm trying to find a place to get them cheap in small quantity for people who want to buy their own. 50.0.136.56 (talk) 10:22, 17 November 2016 (UTC)
- Comment One further bit of advice: if you have a password manager and 2FA token on the same device (mobile phone or whatever), then if someone pinches your phone they have both authentication credentials. That may be less of an issue of password dumps getting loose though. 50.0.136.56 (talk) 10:11, 17 November 2016 (UTC)
if you have a password manager ... if someone pinches your phone they have both authentication credentials...
— Not necessarily. If you have a password manager that encrypts your passwords with a strong master password/phrase (personally I use Password Safe), and if you keep the password manager locked (with the master password) when not in use, then someone stealing the device gets no passwords - just a database encrypted with a strong password that is only in your head. Of course the attacker may install a keylogger or other snooping software on the device then return it ("evil maid attack"), but that's a different problem. Mitch Ames (talk) 10:58, 17 November 2016 (UTC)
- That works, but it's asking a bit much to expect most people to enter a complicated master password if their phone is idle for more than a few minutes. I can think of some alternatives but nothing I know of has caught on. Lots of people in fact do exactly what I described, which is why I brought it up as something to be careful about. You're using more cautious procedures than most people are willing to bother with. 50.0.136.56 (talk) 00:20, 18 November 2016 (UTC)
Two questions
- 1) Is this latest hacking activity happening only to admin accounts, or is it part of a wider hacking happening on Wikipedia?
- 2) How is WP:INACTIVITY monitored? Right now, it doesn't seem like a good idea to have stagnant admin accounts on Wikipedia.
— Maile (talk) 17:07, 16 November 2016 (UTC)
- As far as I know it is limited to admins. There's little point to hacking an account with no advanced permissions. And don't get me started on the inactive admin policy. I tried to get it beefed up a while back, but everybody insisted that just making one edit every few years was enough to protect the project from rogue admins. Beeblebrox (talk) 17:13, 16 November 2016 (UTC)
- So far 5 of the compromised accounts have been normal users, however they don't seem to be targeting them as much anymore. Additionally at one point they compromised a crat and used it to promote a normal account they had recently created. However patterns can change, so please secure your account even if you are not an admin. BWolff (WMF) (talk) 17:36, 16 November 2016 (UTC)
- I was surprised to find the compromised admin accounts seem to be people with recent activity. If this were not the case, and the crackers were targeting "sleeper admins", we'd have a brilliant case for strengthening WP:INACTIVITY. But I don't think we do. Ritchie333 (talk) (cont) 18:03, 16 November 2016 (UTC)
I gave up on that after the RFC last year. I presented an example of an admin whose last hundred edits go back eight years, who hasn't used their admin tools in any way in seven years, so basically isn't an admin, but gets to permanently keep the tools so long as every time they are informed they are about to use them, they just reply to the message and -bam- renewed for another two years. Why someone would cling to administrative rights they clearly have no intention of using is a bit obscure to me, but apparently enough of the community is ok with it to let it persist. Or maybe, looking back, I didn't do a good enough job presenting the case, I don't know. Beeblebrox (talk) 18:50, 16 November 2016 (UTC)
- @Beeblebrox: In light of recent events, I think that now is a good time to revisit the current policy on admin inactivity. If you and/or any other users are interested, I'm willing to help draft a new RfC -FASTILY 09:38, 17 November 2016 (UTC)
- @Beeblebrox and Fastily: As an editor who has also proposed increasing the activity requirements, this is another good reason for it. I doubt anything will change unless we have proof that inactive editors have been targeted though. Sam Walton (talk) 11:01, 17 November 2016 (UTC)
Possibly related at VPump. This individual has not edited since Dec 2015, but more significantly, has not used the tools since May 2012. And still has the tools. Nobody seems to be saying it's a compromised account, but it's a case for more oversight of tools. — Maile (talk) 19:04, 16 November 2016 (UTC)
- To be more specific, they used their tools once in 2012, and that is the only time they have used them in the past ten years, before that they used them about fifty times in 03-06, and that's it. But still an admin so long as they make an edit every two years. Beeblebrox (talk) 19:13, 16 November 2016 (UTC)
For reference, though, getting back to the original question, the actual process for removing admins via our current, extremely lax policy is documented at Wikipedia:Inactive administrators. All one would have to do is remove themselves from the list there and then they're good for another two years even if they do nothing else. Beeblebrox (talk) 19:22, 16 November 2016 (UTC)
- A bot actually updates that, if they make any edit-anywhere, or any log action they will get retained. If the community wants to define a new activity requirement for admins a RfC will need to be passed. — xaosflux Talk 22:43, 16 November 2016 (UTC)
- A vote (link) three weeks ago to remove rights from a long term Commons bureaucrat, based on the spirit of the inactivity policy rather than a literal reading, makes for an interesting test case. If only for the fact that the mood of the community is demonstrated by the vote being 100% to remove rights. --Fæ (talk) 10:25, 17 November 2016 (UTC)
- I would support putting through an amendment to the de-adminship policy permitting some sort of non-adversarial process for doing a similar thing. Perhaps talk with the Arbcom folks about using the committee members as a decision-making panel, to avoid WP:NOTAVOTE issues. When there's concern that an admin with no misconduct issues isn't really going with the spirit of the inactivity policy, the members of Arbcom would then vote on whether the admin should retain rights. Since the voting would be done by the arbitrators as individuals, not as the official committee acting on a case, we'd go to the vote without workshop, case pages, proposed decisions, etc. A decision to remove rights would be treated as any other inactivity case — we would need to be careful to emphasize that the desysop was not some sort of sanction, and the rights-removal log would need to be something like "Procedural removal of +sysop due to inactivity", just like with an admin who just hadn't edited at all. Nyttend backup (talk) 16:39, 17 November 2016 (UTC)
- I do still believe the policy needs to be stricter, but I don't want to be the primary drafter of a contentious RFC. I started one on unique passwords because I feel this is an emergency situation and it is important for all admins to know about it and to get it into policy ASAP, but other than that I'm pretty much done with pushing big policy RFCs. I'll happily participate and offer advice to drafters who are interested though. As always, I will shamelessly plug my essay on the subject: User:Beeblebrox/The perfect policy proposal. Beeblebrox (talk) 19:52, 17 November 2016 (UTC)
- I thought that inactive admins got their bit turned off for security reasons, but they could get it back on request if they became active again. If you're saying they'd need a new RFA or something like that, then that would be a hard sell and I'd hope it wouldn't pass. I'd expect there aren't a huge number of inactive admins (> 1 year) so maybe it's worthwhile to send an email reminder to any admins that haven't edited in that long. 50.0.136.56 (talk) 00:12, 18 November 2016 (UTC)
- Inactive admins (no logged events in > 1 year) should indeed have their bit removed permanently (or until they pass another RfA). The main issue being admins that haven't edited for a long time and then find themselves doing something wrong because they weren't up to date with current community norms. There have been a couple of examples recently. Black Kite (talk) 00:16, 18 November 2016 (UTC)
- Meh, the same thing happens with active admins. An admin with good common sense is much more valuable than someone who is boned up on the latest wikilawyering but is clueless, even if the sensible admin has some out-of-date knowledge here and there. The cases where someone got in trouble is that they were obnoxious about defending errors instead of saying "oops, I see what you mean, thanks". 50.0.136.56 (talk) 00:29, 18 November 2016 (UTC)
We do all make mistakes here and there, no doubt, but there is an ever-diminishing group of admins who were appointed "back in the day" (usually defined as pre-2007), when RFA was a cakewalk, or in some cases not even done at all. Some of these admins are still active members of the community, but there are some that seem to make an edit once every year or so just so they get to hold onto their bits for another year. Some of them have not actually used their tools in five years or more, yet stubbornly cling to them for no apparent reason. We shouldn't have people holding advanced permissions if they don't intend to use them, yet our current policy allows exactly that, having no requirement whatsoever regarding actually using admin tools. One edit every two years is all you need to retain admin status indefinitely, and even if you have it removed you still have another year to ask for it back, and then you're set for another two years. Does that really seem right to anyone? Beeblebrox (talk) 21:16, 18 November 2016 (UTC)
- We have one of the loosest admin activity policies of the "big" Wikimedia wikis - see m:Admin activity review/Local inactivity policies. --Rschen7754 05:22, 19 November 2016 (UTC)
Tools
If we enable 2FA, how are we supposed to login to tools like AWB? Timrollpickering 10:58, 17 November 2016 (UTC)
- @Timrollpickering: Either the tool is changed to use OAUTH, letting MediaWiki take care of the authentication, or you can use bot passwords. -- AntiCompositeNumber (Leave a message) 12:13, 17 November 2016 (UTC)
I've created a new page Wikipedia:Compromised accounts to try to explain why accounts get compromised, and measures that can be taken. Also a new account navbox might help people find account related info more easily, including a/c security.
Any comments at all? --Jules (Mrjulesd) 00:09, 18 November 2016 (UTC)
- I made a few small edits. 50.0.136.56 (talk) 00:37, 18 November 2016 (UTC)
- Thanks! --Jules (Mrjulesd) 02:03, 18 November 2016 (UTC)
- I made a few copyedits too, though this may overlap with Wikipedia:Personal security practices; perhaps the two should be combined. Sam Walton (talk) 11:50, 18 November 2016 (UTC)
- Thanks. I agree that this may be possible. --Jules (Mrjulesd) 12:07, 18 November 2016 (UTC)
- Tell people that writing down passwords is much safer than using the same password on every site. That outdated rule ("don't write passwords down") made sense at a time when people only used a computer at work, nowadays it does more harm than good... Prevalence 02:58, 19 November 2016 (UTC)
Please block one of my alt accounts
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
I forgot the password to User:ThePlatypusofDoom's Sock. I forgot to link it to email. I have created a new alt User:PlatypusofDoom (alt) that is connected to my email. ThePlatypusofDoom (talk) 17:46, 16 November 2016 (UTC)
Protection request for the article Ganja, Azerbaijan because of POV pushing of the official and referenced population data
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
An IP is constantly POV pushing by erasing the official and referenced population data of the city of Ganja, Azerbaijan and is replacing them with unsourced bogus numbers. The person has done this previously according to the revision history of the article under the accounts Cavadxangence1992 and Historicalcity2016 and as an IP, and the article was temporarily protected as a result. But the temporary protection of this article and warnings to that person have not deterred him or her.
Sondrion (talk) 21:16, 16 November 2016 (UTC)
User:EEng's userpage deleted without discussion and with improper rationale(s)
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
For those of you who do not have WP:AE watchlisted, the discussion is currently here: Wikipedia:Arbitration/Requests/Enforcement#EEng. I'm simply posting this notice here because many people do not have AE watchlisted and therefore do not know the deletion occurred. Therefore this posting is a notification of the action and the link to the discussion. If persons wish to discuss the admin action here as well, that's fine. Softlavender (talk) 23:43, 16 November 2016 (UTC)
- See my statement at the AE for examples of some of the heinous things on that user page. The deletion was entirely proper, and it most certainly was an attack page. The plainly non-neutral heading to the section is unhelpful. Borderline canvassing, even. ~ Rob13Talk 23:50, 16 November 2016 (UTC)
- You're saying, like User:The Wordsmith did, that the entire page was "an attack page"? And, as User:Softlavender has pointed out, wasn't the enforcement notice referred to related to BLP violation in article mainspace? Martinevans123 (talk) 23:57, 16 November 2016 (UTC)
- There was no discussion or even tagging anywhere prior to the deletion, and the rationales supplied for the unilateral deletion did not apply. There's also no current consensus that any of the humor on the userpage was "heinous". A userpage is not the main page or The Signpost. Please see WP:CRYBLP. -- Softlavender (talk) 23:59, 16 November 2016 (UTC)
- Silly me, I didn't even know we had a guideline or policy called WP:CRYBABY, but it certainly applies in this case. EEng 00:08, 17 November 2016 (UTC)
- It's an essay, doesn't apply here in any event, and in response to Martinevans123, no, the remedy specifically states "all edits" and "all pages". ~ Rob13Talk 00:22, 17 November 2016 (UTC)
- The deletion (both process and rationale) is correct, whether the deletion is subsequently reversed because of the Arbitration Enforcement decision does not make the initial deletion improper. The BLP policy and a number of Arbitration decisions give administrators enormous leeway to take a cautious approach with material they believe to violate the BLP policy. Nick (talk) 23:54, 16 November 2016 (UTC)
- (edit conflict) Yes, I agree with Nick here. That I don't agree with the deletion (as should be clear from the discussion at AE, and the fact that Arbcom will probably take it as a pretext to desysop me once they figure out that I've unilaterally reverted an AE action), doesn't mean I don't believe Wordsmith was within the bounds of reasonable discretion in deleting it. ‑ Iridescent 23:58, 16 November 2016 (UTC)
- It wasn't an AE action. The erroneously cited ArbCom ruling applies to articles, not userpages. Softlavender (talk) 00:06, 17 November 2016 (UTC)
- It's a BLP action, and we have wide discretion in enforcing BLP, period. It doesn't matter if it's in an article or a userpage or in the Signpost. Katietalk 00:09, 17 November 2016 (UTC)
- Wide discretion, as in deleting a 113,000-byte longterm humorous userpage, largely about Wikipedia, of a longterm editor without the slightest discussion, notification, or tagging? Can you please point me to a policy that covers that? Softlavender (talk) 00:17, 17 November 2016 (UTC)
- I think Badlydrawnjeff definitely applies here, but I'd also point to WP:BLPTALK. Katietalk 00:23, 17 November 2016 (UTC)
- Badlydrawnjeff only refers to articles. WP:BLPTALK has some bearing, but only to remove contentious material, not entire userpages that are mostly gentle humor about Wikipedia. Softlavender (talk) 00:29, 17 November 2016 (UTC)
- (edit conflict) Softlavender, that just isn't true; the ruling in question (WP:ARBAPDS) explicitly says "all pages", not "all articles", so if one accepts that the material is problematic then it explicitly is covered by BLP. ‑ Iridescent 00:13, 17 November 2016 (UTC)
- That's not the ruling in question. The ruling in question is Wikipedia:Requests_for_arbitration/Badlydrawnjeff#Summary_deletion_of_BLPs. Even the ruling you linked to is only about WP:DS, not deletion. -- Softlavender (talk) 00:23, 17 November 2016 (UTC)
- As a BLP action, it is massive over-reach. Guy (Help!) 00:16, 17 November 2016 (UTC)
- Well, at least massive overreach is one thing we won't have to worry about with the incoming administration. EEng 00:19, 17 November 2016 (UTC)
- "The BLP policy and a number of Arbitration decisions give administrators enormous leeway". Specifically, with deletions. This authority to delete per BLP policy and a number of Arbitration decisions should be described somewhere at WP:CSD. --SmokeyJoe (talk) 00:11, 17 November 2016 (UTC)
- (I wonder would EEng be interested in writing a monthly political column for Signpost?) Martinevans123 (talk) 00:13, 17 November 2016 (UTC)
- Here Nick (talk) 00:20, 17 November 2016 (UTC)
- Again, that refers to articles, and nothing else. Softlavender (talk) 00:24, 17 November 2016 (UTC)
- Sorry, you want this then which specifically states pages rather than articles. Nick (talk) 00:29, 17 November 2016 (UTC)
- Yes, please read that. Nowhere does it say summarily delete, without discussion, tagging, or notification, an entire 113,000-byte humorous userpage about Wikipedia that happens to also contain some material that could be problematical. Softlavender (talk) 00:46, 17 November 2016 (UTC)
- @SmokeyJoe and Softlavender: In this clear-cut instance, WP:G10 certainly applied. Again, I invite any editors who wish to defend this page to affirmatively state they see no issues with calling Trump's son a "chip off the old pussy", Trump's wife comparable to a sex doll, and asserting that Christie has a fetish for overweight women. ~ Rob13Talk 00:25, 17 November 2016 (UTC)
- WP:G10: G10. Pages that disparage, threaten, intimidate, or harass their subject or some other entity, and serve no other purpose (underscoring mine), which it clearly wasn't. It was a 113,000-byte longterm humorous userpage, and most of the humor was about Wikipedia. Softlavender (talk) 00:32, 17 November 2016 (UTC)
- No opposition to the deletion, just a note that WP:CSD is years lagging in documenting BLP deletion. However, I do find your repetition of the offensive remarks to be offensive. --SmokeyJoe (talk) 00:28, 17 November 2016 (UTC)
- The sex doll thing is easy enough to cite, at any rate; it's well documented that Rachel Johnson (contributing editor of The Spectator, sister of British Foreign Secretary Boris, and fairly high-profile spokeswoman for the UK right-wing) is on record as publicly describing Melania Trump as "a scary sex doll". ‑ Iridescent 00:32, 17 November 2016 (UTC)
- Unfortunately, there are editors who are actually attempting to state that this didn't violate BLP in any way, whatsoever, at the AE. Many are even trying to get this user page restored. Those individuals either need to own the attacks they're trying to protect or reconsider, and I do not intend to allow them to pretend the attacks didn't exist. Additionally, I note that many of the editors who quickly leaped to EEng's defense are not actually administrators, meaning they may very well not know what they're defending. Makes one wonder why they're defending it, doesn't it? ~ Rob13Talk 00:31, 17 November 2016 (UTC)
- We're discussing the unilateral undiscussed, un-notified, untagged deletion of a longterm 113,000-byte humorous userpage. If there were problems with it, the proper procedure would have been to do one or more of the following: (1) Request to EEng that he remove the perceived problematical material. (2) Open an WP:MFD on the page. (3) Tag the page. (4) Open a noticeboard discussion about the page. (5) Remove the perceived problematical material. Softlavender (talk) 00:41, 17 November 2016 (UTC)
One of the questions prominently raised by the Gamaliel arbitration case earlier this year, but not resolved by that case (perhaps because it is a policy matter), is whether a BLP violation exists where, outside mainspace, (1) statements are made about a prominent living person that would be defamatory if taken literally, but (2) the intent is satirical and no reasonable reader would take them literally. Perhaps a further consideration might be if (3) the statements are unusually graphic, or indelicate, or some would say crass. There are good-faith arguments on both sides of this question, and perhaps the (über-serious) discussion of April Fools jokes that took place earlier this year could have discussed the broader question. (My own passing comment at the time was, "non-mainspace humor has its place in Wikipedia, as part of the friendly camaraderie and shared experience of editing that sustains the community—but when an attempt at humor causes widespread dissension and unhappiness among one's colleagues and becomes a distraction, the humorist should reconsider whether it is serving its purpose, whether it is or recently was April 1 or any other day. This is not a call for self-censorship per se, but for common sense.") Regarding today's developments, I am actually pleased to see a situation in which administrators and editors are acting out of principle and with good faith on all sides. A compromise seems to be working out, under which the userpage is being restored without the most disputatious of the material, and I'd be happy to see this matter resolved, without further action against anyone, on that basis. (Cross-posting this to AE also.) Newyorkbrad (talk) 00:40, 17 November 2016 (UTC)
- Also cross-posted. One comment re your sensible criterion,
but when an attempt at humor causes widespread dissension and unhappiness among one's colleagues and becomes a distraction...
: I completely agree, but in this case, of the literally thousands of editors who have apparently visited my user page in the last six months there has been, to my recollection, exactly one objection registered [17] -- which I resolved by making a change addressing the concern expressed. (Can't diff that edit since it's in the deleted part of the history.) Had there been more than that, I would certainly have rethought my approach.
- I too am pleased this is being discussed so constructively (by most, at any rate). EEng 01:00, 17 November 2016 (UTC)
- (Responded on AE. We can't keep cross-posting forever. :) ) Newyorkbrad (talk) 01:06, 17 November 2016 (UTC)
Please hide insulting edit
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
This edit has been only partly suppressed. The summary text and page content should be also suppressed as they contain insults in Persian language. huji—TALK 17:50, 17 November 2016 (UTC)
- That needs an oversighter. I have emailed them. JohnCD (talk) 18:58, 17 November 2016 (UTC)
- I saw your batsignal. Oversighted. --Floquenbeam (talk) 19:03, 17 November 2016 (UTC)
- Also, everyone please remember not to post requests for revision deletion or oversight on AN or ANI - the most widely watched pages on the site. Use email, please. --Floquenbeam (talk) 19:04, 17 November 2016 (UTC)
@Floquenbeam and JohnCD: please hide This and This edit--Sunfyre (talk) 04:37, 18 November 2016 (UTC)
- @Sunfyre: already done, but please read the note just above: this high-traffic page is not the place to mention problematic material. Next time use email - see WP:Oversight for the address. JohnCD (talk) 10:06, 18 November 2016 (UTC)
Unlock the page
The following discussion is closed. Please do not modify it. No further edits should be made to this discussion.
There is a request at Articles for creation/Redirects, which was accepted but could not be processed due to salted title. Please unlock the page, Angry video game nerd so that it may be redirected to Angry Video Game Nerd. sami talk 19:47, 17 November 2016 (UTC)
- Did you one better, I've created the redirect to Angry Video Game Nerd. RickinBaltimore (talk) 19:51, 17 November 2016 (UTC)
Revdelete, not a privacy issue
Could someone go to https://en.wikipedia.org/w/index.php?title=%E2%80%A2&action=history and revdelete the edit by 71.107.172.221 at 03:11 on 10 January 2008? It made my browser basically unusable (except for keyboard shortcuts) because the single character is so massive that its associated whitespace covered most of the screen, so my mouse really couldn't do anything. The code is visible at , if you care. Nyttend backup (talk) 20:57, 17 November 2016 (UTC)
Done. I reckon RD3 purely disruptive material covered that. JohnCD (talk) 21:27, 17 November 2016 (UTC)
- Thanks. I've seen RD3 used in the past for this kind of thing: it's not offensive per se (nowhere close to putting goatse on a random article, for example), and it's not something illegal such as copyright infringements: it's just playing with the website in order to be disruptive, and it's successful to the point of making the website hard to use. Nyttend (talk) 01:08, 18 November 2016 (UTC)
Mass (and probably multilingual) addition of unsourced birth dates, etc
The edits of User:Swineposit came to my attention via the article on Sirkka-Liisa Konttinen (see Talk:Sirkka-Liisa Konttinen), but Yamaguchi先生 had already noticed oddities. Swineposit has been most active with birth dates, in particular adding those that are "sourced" by virtue of appearing in Wikipedia articles on other languages, or that are "unsourced", which seems to mean "invented". Yamaguchi先生 blocked him indefinitely; and rightly so, I believe. (And massive thanks to Davey2010 for mass rollbacking.)
It does seem that, whether out of laziness or incompetence, Wikipedia contributors do often pull stuff from articles in other-language Wikipedias. Thus a lot of the poorly sourced and unsourced (probably including fictional) material added to biographical articles here will make its way to their equivalents in French, Japanese, etc. However, there's more. Swineposit nonchalantly talks of editing French- and Macedonian-language Wikipedias. I'd already known that he'd been active on Portuguese-language Wikipedia; it doesn't stop there. Few edits to each of these, but some are newish: Latvian, Asturian, Serbo-Croatian. Few edits to each of these, none of them new: Uzbek, Irish, Kazakh, Basque, Faroese, Dutch, Swahili, Ido, Esperanto, Azeri. This list is not exhaustive. And there may be other usernames involved (cf "MaryCatherineismyname" here).
Oh, and another fun fact: a remarkable percentage of the edits concern 27 March. I'd had no reason to think that this wasn't as humdrum a date as most others, but Wikipedia proved me wrong. -- Hoary (talk) 01:38, 19 November 2016 (UTC)
- Macedonian (a single, recent edit); French (a lot, some of it recent); Greek (very little, but very recent); German (not much; very recent); Neapolitan (little, old); Russian (little, very recent); maybe more besides. -- Hoary (talk) 02:08, 19 November 2016 (UTC)
- And some more: Ilokano (two, this year); Slovenian (quite a few, this year); Afrikaans (one, new); Tamil (one, this year); Nahuatl (several, two of them this year); Malay (two, old); simple English (four, two of them this year). -- Hoary (talk) 02:31, 19 November 2016 (UTC)
- No worries, It seems apart from my mass rollback he's been adding unsourced crap for quite some time and has more or less constantly been reverted by various editors too, He's blocked indef and personally I don't think that should change - Of course if someone would mentor the editor then I would perhaps support unblocking providing the unsourced edits stop. –Davey2010Talk 02:53, 19 November 2016 (UTC)
- And some more: Italian (quite a bunch, several of them this month); Spanish (few, but two of them this month); Turkish (only one, old); Czech (only one, old); Slovak (only one, old); Swedish (only four, but one very recent); Danish (only four, old); Norwegian (Bokmål) (few, but one from this year); Norwegian (Nynorsk) (only one, but it's new); Icelandic (not many, but one from this year). ¶ Again, I have no reason to think that this list is exhaustive. I'd thought that there was some tool that presented stats for any username across the entire range of WMF sites (every Wikipedia, plus Commons, plus very much more); but if it does exist then I can't think where it might be, and some searches have failed to unearth it. -- Hoary (talk) 04:38, 19 November 2016 (UTC)
- @Hoary: WMFlabs Global user contributions may be what you're looking for. What a mess. BlackcurrantTea (talk) 05:15, 19 November 2016 (UTC)
- Excellent! Just what I'd been looking for. Here's Swineposit, who's been active in "104 projects". ¶ I do know that global blocks only work for IP numbers; and that although a "global lock" would do the job, the circumstances wouldn't demand it. -- Hoary (talk) 05:34, 19 November 2016 (UTC)
Yes, multilingual childishness
Let us consider Dimitrios Maximos (Δημήτριος Μάξιμος): not a household name to most anglophones, but a prime minister and definitely somebody meriting an encyclopedia article free of "factual information" merely plucked from a contributor's fundament. On 11 November 2016, Swineposit added a birth date of 27 March to the English article about this person. (Does 27 March sound familiar?) And on the same day he did the same to the Greek article. Four days later, he did the same to the French article (together with a special bonus).
However, also on 11 November:
- Swineposit added a birth date of 21 March (Portuguese)
- Swineposit added a birth date of 21 March (Russian)
- Swineposit added a birth date of 3 March (Dutch)
- Swineposit added a birth date of 17 March (Italian)
- Swineposit added a birth date of 27 February (Spanish)
-- and yes, all for the same one person, Dimitrios Maximos.
Davey2010 and BlackcurrantTea are right. And if global blocking worked for user IDs and not just IP numbers, I'd apply for a global block of Swineposit right now. -- Hoary (talk) 07:19, 19 November 2016 (UTC)
US Presidential inauguration
Howdy. It appears we've an editor (Jvfmgnlllj) at List of multilingual presidents of the United States and List of Presidents of the United States by date and place of birth, who isn't listening to others. He keeps inserting Donald Trump in those articles, despite being told to wait until January 20, 2017. GoodDay (talk) 04:12, 19 November 2016 (UTC)
Reviewing an unblock on a block I administered
Hey, a quickie for fellow admins: If I block an obvious sockpuppet account, is it okay to decline their subsequent unblock request? I'd normally agree that if a single-account-holder got him/herself in a behavioral pickle, a fresh admin should evaluate their unblock request, but in a sock situation, no admin would unblock a sockpuppet account; the user would have to request an unblock at their main account. Thanks. Cyphoidbomb (talk) 05:00, 19 November 2016 (UTC)
- An open unblock request isn't doing you any harm, closing even an obvious one yourself leaves you open to irritating wikilawyering, and the administrators who habitually patrol unblock requests are in my experience entirely reasonable people. Besides which, policy says not to. Best leave it for the second set of eyes. —Cryptic 05:35, 19 November 2016 (UTC)