[OpenStack-Infra] Wiki.o.o sustaining spam attack

Elizabeth K. Joseph lyz at princessleia.com
Thu Feb 18 00:52:40 UTC 2016


On Wed, Feb 17, 2016 at 1:19 PM, JP Maxwell <jp at tipit.net> wrote:
> Sure.. So a couple of thoughts:
>
> 1. If the attack vector involves creating a launchpad account, there's not
> much we can do about that portion (account creation).   But, we could
> potentially force the user to do a re-captcha when they want to edit /
> insert content.   This doesn't fix the creation of fake accounts, but at
> least enables a basic check of humanity before editing is allowed.

Thanks for taking some time to look at this today! If we could find an
open source captcha option, that may be part of the solution.

Do you think you might have some time to also look at the other
generalized MediaWiki proposals that Clint Byrum linked to earlier in
the thread? I don't think we've really made the time to do an audit in
this direction and starting to implement some of them may help.

https://www.mediawiki.org/wiki/Manual:Combating_spam

> 2. It was discovered that the mobile view does not invoke the SSO via
> launchpad.  While it appears this is unrelated to the spam and should take a
> lower priority, I would propose going ahead and fixing this for good
> measure.

This is definitely a hole that should be plugged at some point.

> 3. Longer term - using OpenStack ID instead of LaunchPad.  Would have to
> either implement a sunset period as Martin suggested or have the user
> authenticate to both SSO providers creating a relationship in the users
> table of mediawiki.   The ability / complexity of such an approach would
> need to be investigated.

Longer term, definitely. We've been slowly working to move various
services over to OpenStackID and I think the wiki is a great
candidate. Tom kicked off a "Moving wiki.o.o to OpenStackID login?"
thread about it last Thursday and we've very gradually started looking
into the migration considerations, thread starts here:
http://lists.openstack.org/pipermail/openstack-infra/2016-February/thread.html#3787

-- 
Elizabeth Krumbach Joseph || Lyz || pleia2


