Revision as of 00:27, 17 December 2020 by Jeromi Mikhael (→Der Grüne Wagen: yeah user smart) | Revision as of 11:59, 17 December 2020 by Rockyrocks48 (→draft restoration or undeletion: new section)
Revision as of 11:59, 17 December 2020
Welcome to my talk page. Please sign and date your entries by inserting ~~~~ at the end.
Jimbo welcomes your comments and updates – he has an open door policy. He holds the founder's seat on the Wikimedia Foundation's Board of Trustees. The current trustees occupying "community-selected" seats are Doc James, Pundit and Raystorm. The Wikimedia Foundation's Lead Manager of Trust and Safety is Jan Eissfeldt.
Sometimes this page is semi-protected and you will not be able to leave a message here unless you are a registered editor. In that case, you can leave a message here
This user talk page might be watched by friendly talk page stalkers, which means that someone other than me might reply to your query. Their input is welcome and their help with messages that I cannot reply to quickly is appreciated.
Tides Advocacy & WMF $8.7 million grant
According to the 2019-20 financial audit FAQ question 2.2.1, the WMF has provided an unconditional grant of $8.723 million to Tides Advocacy to launch the Wikimedia Knowledge Equity Fund. It is for the purpose to invest in new grant-making opportunities in support of groups that are advancing equitable, inclusive representation in free knowledge. Tides is a left-of-center $470 million revenue San Francisco-based grantmaker that operates as a donor-advised fund, funneling money from anonymous donors to activist non-profits or political campaigns (sometimes called dark money due to lack of IRS oversight in DAFs). Tides is distinctively partisan because it donates to organizations like the Democratic Party ActBlue and People for the American Way. Indeed, the suborganization that will be used to launch the new fund, TidesAdvocacy.org, describes themselves as seasoned political advisors, financial experts and legal counselors, we know the rule book inside and out. With our infrastructure and ongoing support, our partners can hit the ground running with the right strategies for successful ballot, electoral and legislative campaigns.
That sounds awfully unphilanthropic.
I'm aware it's been public knowledge for a few years that the WMF has established an endowment at Tides, but this seems like a step further. Do you have any views on why does the WMF need Tides to run the Knowledge Equity Fund and why was Tides chosen? Is it not a problem to tie the WMF to a particular political grantmaking network? --Pudeo (talk) 15:21, 12 December 2020 (UTC)
- This fund has nothing at all to do with whatever political advocacy Tides or any of their other customers may be doing. This explanation from Lisa Gruwell at the WMF explains it well. "We transferred the full amount for Annual Plan Grants (APG) for FY20-21 over to Tides to ensure that all funding for affiliates for this year was secured, regardless of how fundraising performed." We think a lot about safety for the movement, and this is part of that.--Jimbo Wales (talk) 18:01, 14 December 2020 (UTC)
- Anyone with further questions, there are a lot of answers in that mailing list thread now. Lisa has explained quite clearly that this is a purely functional/administrative service of Tides, it does not give them any grant making decision authority at all. (This is what 'donor advised' means, fundamentally.)--Jimbo Wales (talk) 10:02, 15 December 2020 (UTC)
Almost 20 years and approaching one billion edits
Hello Mr. Wales, just curious, when you started Misplaced Pages did you ever think that it would become this big and so ubiquitous? Thanks, Thanoscar21contribs 20:54, 12 December 2020 (UTC)
- I always say that I'm a pathological optimist, so I thought it could be great. But I didn't really fully understand what it meant to be this big and so ubiquitous!--Jimbo Wales (talk) 21:29, 14 December 2020 (UTC)
- Sorry, I meant that, now Siri, Bing, Google, and all other major search engines default to Misplaced Pages. People, in general, just default to Misplaced Pages when they have a question now (at least in my experience). Thanks, Thanoscar21contribs 13:37, 15 December 2020 (UTC)
Something silly and inconsequential happened (URGENT!)
Essentially, there was some guy who was the caliph of some small sect of Islam, and Google's goofy auto-generated information boxes started pulling his name out (and citing the factoid to Misplaced Pages) when people were searching for the caliph of all Islam. The article got changed so that it'd stop doing this, but in the meantime, a few pissed-off people were making threads on the helpdesk, ANI, etc about it. Google seems to love distributing misinformation in general (not just with Misplaced Pages articles). Anyway, it's not a big deal, and you've probably heard about it already, but in case you didn't, now you do. Wow! In all seriousness, though, it might be condign for someone (not it!) to ask Google to quit making other people look stupid by lying about what's on their websites. jp×g 08:15, 14 December 2020 (UTC)
Der Grüne Wagen
Any opinions people on the notability of this Austrian theatre company? If you think it's not notable feel free to say so. It was relisted for deletion!† Encyclopædius 16:53, 15 December 2020 (UTC)
- Encyclopædius, Not sure the benefit of canvassing here, nor do I imagine Jimbo will chime in about a random Austrian theatre company. For my two cents, I'd say that merely asserting notability without giving evidence is not notability at all. Saying that there is probably offline coverage in another language is not very helpful. There could be offline coverage about a lot of things. Who knows, I could be notable based on offline coverage nobody has found. But of the sources that have been found, PMC's analysis reveals they are mostly garbage. CaptainEek ⚓ 18:32, 15 December 2020 (UTC)
- @CaptainEek: Probably the user is noting the fact that this talk page has half the amount of watchers as the Teahouse, but contains only one-thirteenth of the discussion compared to the Teahouse. Regards, Jeromi Mikhael 00:27, 17 December 2020 (UTC)
Not canvassing, simply looking for wider input on why we wouldn't include such an article. Aymatth2 is as baffled as myself. † Encyclopædius 20:15, 15 December 2020 (UTC)
Password security
Could Misplaced Pages please start leading by example? Our login system uses passwords that are transmitted to the server, which creates abundant security risks for our users. Instead, we should implement a zero knowledge proof system such as Secure Remote Password protocol so that the user typed password is never sent to the server. This would make Misplaced Pages more secure. Standard libraries exist so implementation would be straightforward. If there is a cost, I think I could raise the money to cover it. Jehochman 02:16, 16 December 2020 (UTC)
- Oh gee, I think Misplaced Pages could let loose of some of its $165mill+ net assets (at least as of 2019...) but yeah, maybe you're right, we could always set up a GoFundMe or something. Shearonink (talk) 04:48, 16 December 2020 (UTC)
- It would be helpful to offer multi-factor authentication to all users. Currently it is only available to "administrators and editors with advanced permissions". Correct use of 2FA makes remote hacking into an account almost impossible, while username/password combinations are never 100% secure.--♦IanMacM♦ 07:55, 16 December 2020 (UTC)
- Anyone can request 2FA at Meta. It's still, in effect, in production pilot so it is not switched on by default. QuiteUnusual (talk) 09:45, 16 December 2020 (UTC)
- I support efforts to roll out MFA to everyone (as an option, some people may not want it) but I note that other than admins (where a break-in could be potentially destructive) the risks of single factor authentication are very much lessened by the lack of any private information (like emails or private messages) in our system. I don't think there has been any major problem with stolen credentials.
- In terms of the original question, passwords are not transmitted to the server unencrypted. Everything is https. So I don't think "abundant security risks" is an accurate description of the situation. Having said that, I would support transitioning to a zero knowledge proof system - I'm not familiar enough with our exact infrastructure today to know what complexities would be involved in that transitioning. As noted by others, money is almost certainly not the issue.--Jimbo Wales (talk) 10:56, 16 December 2020 (UTC)
- ADDENDUM: Jehochman, I just read (some of, didn't work through the details!) the Misplaced Pages entry that you referenced, but it raised in my mind a practical question or two - I wonder if you can point me to a good article about the protocol including any downsides? In particular, if the system relies on a large shared public key, then what happens if I lose or break my device? What happens when I want to log in from a friend's computer? That is to say, if the protocol is such that I can only login if I know my password, *and* my computer knows a large random number, I see some (not impossible, but worth considering) practical downsides to this method.--Jimbo Wales (talk) 11:01, 16 December 2020 (UTC)
- I had this same question. My understanding from the article is that
The shared public key is derived from two random numbers, one generated by the client, and the other generated by the server, which are unique to the login attempt. (emphasis added)
I believe that the solution is completely transparent to the user. It looks like the current password login scheme, and requires no permanent local storage of keys, meaning that it should work on a guest computer. The big security problem is that users often reuse their passwords on multiple sites. HTTPS secures data in motion, but if one of the endpoints is compromised, then the passwords can leak, even if they are stored in hashed form, because there are hash crackers. Once a malicious actor has stolen credentials from Site A (such as Misplaced Pages), they can then go to Sites B, C, D,..., and try those credentials. A not insignificant fraction of them will work, allowing further destruction to spread across the Internet. Although this is not Misplaced Pages's direct problem, as good citizens we want to stop this, and we want to encourage others to stop it too. One thing we can do is to lead by example. Jehochman 19:04, 16 December 2020 (UTC)
- Recommended reading http://srp.stanford.edu/. Unfortunately the site appears to be down at the moment. Jehochman 19:34, 16 December 2020 (UTC)
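Added example, not part of the original discussion and not Wikimedia code: a minimal SRP-6a exchange in Python illustrating the point raised in the thread above, that both random numbers are generated fresh for each login attempt and the client needs nothing but the password. The group (N = 2^521 - 1, g = 3), the simplified derivation of x, and the function names are assumptions made for this illustration; deployed systems use the groups defined in RFC 5054.

```python
import hashlib
import secrets

# Constructed demonstration group (assumption of this example only):
# N is the Mersenne prime 2^521 - 1. Real deployments use RFC 5054 groups.
N = 2**521 - 1
g = 3

def H(*parts):
    """SHA-256 over integers (fixed 66-byte encoding) and bytes, as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(66, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def register(user, password):
    """Enrolment, computed on the client: the server stores only (salt, verifier)."""
    salt = secrets.token_bytes(16)
    x = H(salt, f"{user}:{password}".encode())   # simplified x derivation
    return salt, pow(g, x, N)

def login(user, password, salt, v):
    """One login attempt. Returns (client_key, server_key, values_on_the_wire)."""
    # Client: fresh ephemeral secret a, sends A. No stored key is needed.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: must abort if A is 0 mod N, then picks fresh b and sends B.
    if A % N == 0:
        raise ValueError("illegal client value A")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(A, B)                                   # both sides can compute u
    # Client: derives the session secret from the typed password.
    x = H(salt, f"{user}:{password}".encode())
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: derives the same secret from the verifier alone.
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return H(s_client), H(s_server), (A, B)
```

Only the salt, A and B cross the network; a server compromise yields the verifier v, which still has to be attacked by guessing passwords offline.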
draft restoration or undeletion
Dear User:Jimbo_Wales; please undelete my draft Draft:Rakesh Kumar Sinha. It has been deleted by User:RickinBaltimore. My draft Draft:Rakesh Kumar Sinha is about my personal and professional life as computer research scientist, government of India, Asia, world. My pages are generally maintained by government of India, Asia, world.