[OpenStack-Infra] Wiki.o.o sustaining spam attack

JP Maxwell jp at tipit.net
Wed Feb 17 21:19:21 UTC 2016


Sure. So, a couple of thoughts:

1. If the attack vector involves creating a Launchpad account, there's not
much we can do about that portion (account creation). But, we could
potentially force the user to do a reCAPTCHA when they want to edit /
insert content. This doesn't fix the creation of fake accounts, but at
least enables a basic check of humanity before editing is allowed.

2. It was discovered that the mobile view does not invoke the SSO via
Launchpad. While it appears this is unrelated to the spam and should take
a lower priority, I would propose going ahead and fixing this for good
measure.

3. Longer term: using OpenStack ID instead of Launchpad. We would have to
either implement a sunset period as Martin suggested or have the user
authenticate to both SSO providers, creating a relationship in the users
table of MediaWiki. The feasibility / complexity of such an approach would
need to be investigated.

Input is welcome. I'll investigate whatever path people agree with, and
I welcome other suggestions.

J.P. Maxwell / tipit.net <http://www.tipit.net>


On Wed, Feb 17, 2016 at 2:21 PM, Elizabeth K. Joseph <lyz at princessleia.com>
wrote:

> On Mon, Feb 15, 2016 at 7:46 AM, Jeremy Stanley <fungi at yuggoth.org> wrote:
> > On 2016-02-15 09:04:41 -0600 (-0600), JP Maxwell wrote:
> >> Tom, yes we can probably help. Do you want to ping me off list -
> >> need to get some more info about how it is setup / version
> >> controlled / deployed / etc.
> >
> > Our openstack_project::wiki class[1] calls into our mediawiki Puppet
> > module[2]. Ryan Lane set up and maintained most of this for us while
> > he was at WMF, but since he's moved on to other things it's fallen
> > into some disuse so assistance is appreciated!
> >
> > [1] http://git.openstack.org/cgit/openstack-infra/system-config/tree/modules/openstack_project/manifests/wiki.pp
> > [2] http://git.openstack.org/cgit/openstack-infra/puppet-mediawiki/tree/
>
> As Jeremy points out, our infrastructure is all open source so I'd
> prefer to keep this discussion here on the list so we can all pitch
> in. I don't see any active patches for this yet (please let me know if
> I've missed anything).
>
> Another data point: Canonical IS also uses Launchpad authentication,
> like we do, for edits to their Ubuntu wikis and have been hit pretty
> hard by spammers this week (initial attacks go back to December). They
> are on MoinMoin, we're on Mediawiki, so wiki-side anti-spam proposals
> will differ, but I've been keeping an eye on any solutions they may
> propose for altering how SSO is being handled for their wiki to
> perhaps shut these spammers down before they get a chance to edit.
>
> --
> Elizabeth Krumbach Joseph || Lyz || pleia2
>
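A concrete form of the "reCAPTCHA before editing" idea from point 1 of JP Maxwell's message, added here as an illustration and not a patch from this thread or from the openstack-infra puppet-mediawiki module: a LocalSettings.php fragment for MediaWiki's ConfirmEdit extension. The site/secret key values are placeholders, and the autoconfirm thresholds are assumed values chosen for illustration.

```php
<?php
// LocalSettings.php fragment (added example, not the wiki.o.o configuration).
// Loads ConfirmEdit with the reCAPTCHA ("No CAPTCHA") backend.
wfLoadExtension( 'ConfirmEdit' );
wfLoadExtension( 'ConfirmEdit/ReCaptchaNoCaptcha' );
$wgCaptchaClass       = 'ReCaptchaNoCaptcha';
$wgReCaptchaSiteKey   = 'PLACEHOLDER_SITE_KEY';   // obtain from the reCAPTCHA console
$wgReCaptchaSecretKey = 'PLACEHOLDER_SECRET_KEY'; // keep out of version control (use hiera/private puppet data)

// Account creation happens at Launchpad (SSO), so a wiki-side CAPTCHA there
// would never be shown; the useful checkpoints are the edit paths instead.
$wgCaptchaTriggers['createaccount'] = false;
$wgCaptchaTriggers['edit']          = true;  // every edit by a non-exempt user
$wgCaptchaTriggers['create']        = true;  // new page creation (typical spam pattern)
$wgCaptchaTriggers['addurl']        = true;  // edits that introduce external links
$wgCaptchaTriggers['badlogin']      = true;  // throttle login brute forcing as well

// Do not punish established contributors: exempt autoconfirmed users.
// Assumed thresholds: account at least 4 days old AND at least 10 edits.
$wgGroupPermissions['autoconfirmed']['skipcaptcha'] = true;
$wgAutoConfirmAge   = 4 * 24 * 60 * 60;
$wgAutoConfirmCount = 10;
```

Because every SSO user arrives as a fresh, unprivileged account, the `skipcaptcha` exemption only kicks in once both thresholds are met, which is the property that makes freshly created spam accounts hit the CAPTCHA on their first edit.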