Thread Status: Normal
Total posts in this thread: 7
This topic has been viewed 1363 times and has 6 replies
LJAmethyst
Joined: Jul 19, 2007
Posts: 4151
Status: Offline
The Great 2020 Purge

So a great purge has been effected across the YPPedia user base, removing administrator and bureaucrat and other rights from inactive and vanished users. Players and OMs and Developers alike were affected. Take a look.

There are now zero, count 'em, zero player administrators; even Faulkston was de-sysopped. There are 6 Ocean Masters left active and 3 developers with the mop. Approximately 59 users were caught in the dragnet put out by administrator Rsugden.

This seems drastic, but it's really a long-needed adjustment. The YPPedia is so quiet and slow that 9 admins can handle it with no problems. This is undoubtedly a measure to tighten security in the wake of the Ocean Master password compromise. Anyone taking over an administrator account could seriously damage the Wiki.
----------------------------------------
Retired as of August 2015.
Sic transit gloria mundi.
[Oct 31, 2020 6:33:44 PM]
Stan5
Joined: Sep 6, 2017
Posts: 124
Status: Offline
Re: The Great 2020 Purge

[Oct 31, 2020 11:32:21 PM]
Thunderbird
Joined: Sep 4, 2003
Posts: 5771
Status: Offline
Re: The Great 2020 Purge

Note that Faulkston's admin access has already been put back.
----------------------------------------
Pirate tells you, "my, that's one BIG wad o' chewing gum ye have mounted on yer bonce! oO'"
Sungod officer chats, "I wonder if anyone's sailing the harpsichord"
Pirate tells you, "ZOMG CANDYFLOSS!!! *munches*"
[Nov 6, 2020 7:29:53 PM]
LJAmethyst
Joined: Jul 19, 2007
Posts: 4151
Status: Offline
Re: The Great 2020 Purge

 
[quote]Note that Faulkston's admin access has already been put back.[/quote]

Yep, but I doubt it has done him much good so far; the YPPedia server is giving me timeouts and HTTP server errors. The forums were down awhile too. Is there a DDOS bundled with this OM compromise?
----------------------------------------
Retired as of August 2015.
Sic transit gloria mundi.
[Nov 6, 2020 8:02:06 PM]
LJAmethyst
Joined: Jul 19, 2007
Posts: 4151
Status: Offline
Re: The Great 2020 Purge

19:47, 18 October 2019 Callistan (Talk | contribs) changed group
membership for User:Callistan from bureaucrat and administrator
to bureaucrat, administrator and Check user


Callistan was a user who has not made a contribution since 2011.

I suspect that his account was compromised last year, and someone has been logging in to abuse "Check user" privileges.

What are "check user" privileges? CUs have special access to personal information on MediaWiki. They are enabled so that they can prevent sock puppetry. They do this by comparing account characteristics such as user agent, IP address and corresponding geolocation, HTTP headers, etc. These are bits of personal information not exposed to ordinary users or even administrators of MediaWiki.

Given the fact that an ordinary bureaucrat can give themselves all the permissions they need, this is a dangerous userright for anyone to have when there is not an absolute need for it. As we can see, Callistan or whoever compromised his account was able to elevate privileges to that which Grey Havens did not intend.

I would say that if you have edited YPPedia in the past 18 months, there is a good possibility that your personal information (as explained above) has been exposed.
----------------------------------------
Retired as of August 2015.
Sic transit gloria mundi.
----------------------------------------
[Edit 2 times, last edit by LJAmethyst at Nov 9, 2020 1:01:27 AM]
[Nov 9, 2020 12:56:23 AM]
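
Added example, not part of the original thread: a small audit that parses user-rights log lines in the format quoted in the post above and flags changes where a sensitive group is self-granted or granted by a dormant account. The `SENSITIVE` set, the `dormant_days` threshold, the `ExampleAdmin`/`ExampleUser` entry and the last-contribution dates are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Groups treated as sensitive in this example (an assumption, tune per wiki).
SENSITIVE = {"bureaucrat", "administrator", "check user"}

# Matches the rights-log line format quoted in the post, joined onto one line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}, \d{1,2} \w+ \d{4}) (?P<actor>.+?) \(Talk \| contribs\) "
    r"changed group membership for User:(?P<target>.+?) "
    r"from (?P<old>.+?) to (?P<new>.+)$"
)

def parse_groups(text):
    """Split 'a, b and c' into a set of lowercase group names."""
    if text.strip() == "(none)":  # assumed rendering of an empty group list
        return set()
    return {g.strip().lower() for g in re.split(r",\s*|\s+and\s+", text) if g.strip()}

def flag_rights_changes(lines, last_edit, dormant_days=365):
    """Return rights changes that add a sensitive group and are either
    self-granted or made by an account with no recent contributions."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%H:%M, %d %B %Y")
        gained = (parse_groups(m["new"]) - parse_groups(m["old"])) & SENSITIVE
        if not gained:
            continue
        reasons = []
        if m["actor"] == m["target"]:
            reasons.append("self-grant")
        last = last_edit.get(m["actor"])
        if last is None or (when - last).days > dormant_days:
            reasons.append("dormant-actor")
        if reasons:
            findings.append({"when": when, "actor": m["actor"],
                             "gained": gained, "reasons": reasons})
    return findings

# First line is the entry from the post; the second is constructed.
SAMPLE_LOG = [
    "19:47, 18 October 2019 Callistan (Talk | contribs) changed group membership "
    "for User:Callistan from bureaucrat and administrator "
    "to bureaucrat, administrator and Check user",
    "10:05, 2 March 2020 ExampleAdmin (Talk | contribs) changed group membership "
    "for User:ExampleUser from (none) to administrator",
]
# Constructed last-contribution dates (the post only says "since 2011").
LAST_EDIT = {"Callistan": datetime(2011, 12, 31), "ExampleAdmin": datetime(2020, 3, 1)}
```

Calling `flag_rights_changes(SAMPLE_LOG, LAST_EDIT)` flags only the Callistan entry; the constructed grant by a recently active admin to another user passes.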
Phaerie2
Joined: May 4, 2010
Posts: 310
Status: Offline
Re: The Great 2020 Purge

 
[quote]I would say that if you have edited YPPedia in the past 18 months, there is a good possibility that your personal information (as explained above) has been exposed.[/quote]

I'm not too good with internet technical stuff so please bear with me, and forgive me if my post is not relevant.

Would the above apply to people who had uploaded to YPPedia? eg: as required for entry to the portrait background competition.
----------------------------------------
***********************************
Phaerie: Obsidian and Cerulean Phaeirie: Emerald
___________________________________
Fray Cray Phae at yer service!
[Nov 9, 2020 3:59:22 AM]
Thunderbird
Joined: Sep 4, 2003
Posts: 5771
Status: Offline
Re: The Great 2020 Purge

 
[quote]What are "check user" privileges? CUs have special access to personal information on MediaWiki. They are enabled so that they can prevent sock puppetry. They do this by comparing account characteristics such as user agent, IP address and corresponding geolocation, HTTP headers, etc. These are bits of personal information not exposed to ordinary users or even administrators of MediaWiki.[/quote]

From reading about the CheckUser extension on MediaWiki's site ([url]https://www.mediawiki.org/wiki/Extension:CheckUser[/url]), getting geolocation information isn't mentioned at all, and the only header present is the identifying browser. There is a mention of Firefox users being able to add a snippet to a subpage of their User page to make lookups, but this was not done in Callistan's case (the subpage in question does not exist, even in a deleted form).

Furthermore, all requests made through CheckUser are logged. However, this log is only accessible to other CheckUsers. Grey Havens is able to access the logs and determine if this was actually abused.
----------------------------------------
Pirate tells you, "my, that's one BIG wad o' chewing gum ye have mounted on yer bonce! oO'"
Sungod officer chats, "I wonder if anyone's sailing the harpsichord"
Pirate tells you, "ZOMG CANDYFLOSS!!! *munches*"
[Nov 9, 2020 6:01:45 AM]

Puzzle Pirates™ © 2001-2020 Grey Havens, LLC All Rights Reserved.