test

On Thu, Nov 12, 2015 at 11:02 PM, Mike Nicolaije <taketawiki(a)hotmail.com> wrote: We exlusively mailed the list _owner_ address of each list and only that. -- Daniel Zahn <dzahn(a)wikimedia.org> Operations Engineer

Hey Craig, As far as we know, no, we have not seen any connection between the two. Sent from my iPhone James Alexander Manager, Trust & Safety Wikimedia Foundation +1 415-839-6885 x6716

I have already forgot my password before .... On 13 Nov 2015 17:23, "Lodewijk" <lodewijk(a)effeietsanders.org> wrote:

https://lastpass.com/f?171486 <-- a good password tool to remember all those long passwords Yes, remembering short passwords is easier. But nowadays you might have like 400 passwords, and they should all be different (or you do not manage them by yourselve (alone)). LastPass is one of the tools out there that can handle that for you, among others. I now use LastPass for several years, it's free, I believe it's safe (safer then 123passw everywhere) and it never let me down. Edo 2015-11-13 11:16 GMT+01:00 James Alexander &lt;jalexander(a)wikimedia.org&gt;rg>: -- [I don't print e-mails. Do you?] http://gplus.to/edoderoo _-=-_ edoderoo.nl

That's precisely what you do when using "default" LastPass. One master password to rule them all. For LastPass in particular there's a variety of supported multi factor authentication, like Google Authenticator to Yubikey. See https://helpdesk.lastpass.com/multifactor-authentication-options/ Christoph 2015-11-13 13:12 GMT+01:00 GorillaWarfare &lt;gorillawarfarewikipedia(a)gmail.com > +1 for LastPass. Write it down and stick it on your desk if you need > to—the likelihood that your passwords will be compromised by someone > physically breaking into your home is minuscule (and if so, you have much > larger things to worry about). More conveniently, use password management > software like LastPass, KeePassword, or 1Password. The days of using one > password for everything should be far, far in the past. > > – Molly (GorillaWarfare) > > On Fri, Nov 13, 2015 at 7:06 AM, Edo de Roo &lt;edoderoo(a)gmail.com&gt; wrote: > >> https://lastpass.com/f?171486 <-- a good password tool to remember all >> those long passwords >> >> Yes, remembering short passwords is easier. But nowadays you might have >> like 400 passwords, and they should all be different (or you do not manage >> them by yourselve (alone)). >> >> LastPass is one of the tools out there that can handle that for you, >> among others. >> I now use LastPass for several years, it's free, I believe it's safe >> (safer then 123passw everywhere) and it never let me down. >> >> Edo >> >> 2015-11-13 11:16 GMT+01:00 James Alexander &lt;jalexander(a)wikimedia.org>> >>> On Fri, Nov 13, 2015 at 1:23 AM, Lodewijk &lt;lodewijk(a)effeietsanders.org&gt; >>> wrote: >>> >>>> Were only the admin passwords compromised, or also the passwords of the >>>> list members (who can set a password to view the membership etc)? >>>> >>>> Lodewijk >>>> >>> >>> All passwords were reset, including list member passwords. Because list >>> member passwords can go through a "retrieve password" + they get periodic >>> reminders automatically mass emails about those resets were not sent out >>> however. (I believe we may be adding a note in the auto reminder about how >>> they were reset... but not entirely sure, I will leave that for ops) >>> >>> James Alexander >>> Manager >>> Trust & Safety >>> Wikimedia Foundation >>> (415) 839-6885 x6716 @jamesofur >>> >>> _______________________________________________ >>> Listadmins mailing list >>> Listadmins(a)lists.wikimedia.org >>> https://lists.wikimedia.org/mailman/listinfo/listadmins >>> >>> >> >> >> -- >> [I don't print e-mails. Do you?] >> http://gplus.to/edoderoo _-=-_ edoderoo.nl >> >> _______________________________________________ >> Listadmins mailing list >> Listadmins(a)lists.wikimedia.org >> https://lists.wikimedia.org/mailman/listinfo/listadmins >> >> > > _______________________________________________ > Listadmins mailing list > Listadmins(a)lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/listadmins > >

LastPass's salted master password* plus 2FA is far preferable to using a single password on every site you visit. *https://lastpass.com/support.php?cmd=showfaq&id=1116 – Molly (GorillaWarfare)

+1 on LastPass. 1Password for Mac has seen some problems lately http://appleinsider.com/articles/15/10/20/1password-to-change-file-formats-… -Andrew Lih Associate professor of journalism, American University Email: andrew(a)andrewlih.com WEB: http://www.andrewlih.com BOOK: The Wikipedia Revolution: http://www.wikipediarevolution.com PROJECT: Wiki Makes Video http://en.wikipedia.org/wiki/Wikipedia:WikiProject_Wiki_Makes_Video On Fri, Nov 13, 2015 at 7:52 AM, GorillaWarfare < gorillawarfarewikipedia(a)gmail.com&gt; wrote:

2015-11-13 14:09 GMT+01:00 Andre Koopal &lt;andre(a)molens.org&gt;rg>: Can't agree more. The security model of mailman bugs me so much… -- Jérémie

On Fri, Nov 13, 2015 at 4:06 AM, Edo de Roo &lt;edoderoo(a)gmail.com&gt; wrote: Software recommendations are generally more convincing when not done via a "get a free month of premium access when someone subscribes through it" link :)

I pay for "premium" access on LastPass for 2-3 years already. Not because you need premium access, because you don't .. more because LastPass is worth the $12 per year. So if you are more easily convinced by just using LastPass without my referral, or someone else's, I don't care too much ... It would save me $1 maybe 2015-11-13 14:41 GMT+01:00 Andrew Lih &lt;andrew(a)andrewlih.com&gt;om>: -- [I don't print e-mails. Do you?] http://gplus.to/edoderoo _-=-_ edoderoo.nl

2015-11-13 16:37 GMT+01:00 Paul S. &lt;barras(a)email.de&gt;de>: Call me pedantic, but unless you saved your file on an encrypted filesystem or used shred() instead of unlink() to delete the document, it's still available for recovery on your computer (eg. on Linux, a simple grep directly on the block device could suffice). Also shred() only works if your filesystem and the underlying device both use in-place overwriting (which is less and less true nowadays). :-p -- Jérémie

I might have missed it in all the emails but can you check whether arbcom-en-b was changed. I definitely got emails as an admin for arbcom-l and arbcom-en-c. *---Chris McKenna (Thryduulf)* thryduulf.wiki(a)gmail.com Unless otherwise noted, opinions expressed in this email are solely my own and do not necessarily represent the views of the Arbitration Committee as a whole. On 13 November 2015 at 14:08, Katie Chan &lt;ktc(a)ktchan.info&gt; wrote:

The problem now is I can't login to the panel and I am only admin of wikivoyage-zh, there are no moderator... On 13 Nov 2015 22:08, "Katie Chan" &lt;ktc(a)ktchan.info&gt; wrote:

On 13 November 2015 at 05:16, James Alexander &lt;jalexander(a)wikimedia.org&gt; wrote: Hold on. As a list administrator for 3 lists, I received emails to change the listadmin password for all three, and have done so and shared the new password with the rest of the list admins. However, as a list subscriber, I have yet to receive an email telling me that there is a forced password change for any WMF-based list to which I subscribe. Some questions are in order about this element, which is not mentioned in the blog, and will affect tens of thousands of users. - Do subscribers have to change their password for each WMF-based mailman mailing list separately, or can they use the "one password for all lists" function that currently exists to change all of the passwords at once? (Keep in mind that most of the mailing lists are at least semi-public, so this is not really a big deal.) - If not, what happens to those subscriptions? are they discontinued if the user does not update his or her password, or do they just continue? I think that there are a lot of valid points being made about the inherent problem of having listadmin passwords that are not user-specific. At the same time, we should keep in mind that the core issue here is that a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts. All the password protection systems in the world are not going to change what happened here, if people are going to use obviously insecure, shared passwords as personal passwords as well. Risker/Anne

On Friday, November 13, 2015 at 11:39 AM, Merlijn van Deen wrote: And not only that, the passwords are routinely emailed—in plain text, without me prompting it. Email is not secure. I use a throwaway password for Mailman for that reason. Frankly, it’s embarrassing we still use this software. Regards, James Hare

On Fri, 2015-11-13 at 16:51 +0000, Sumana Harihareswara wrote: Sumana! Hey! Yes, plan is to upgrade: https://phabricator.wikimedia.org/T52864 Cheers, andre -- Andre Klapper | Wikimedia Bugwrangler http://blogs.gnome.org/aklapper/

On Fri, Nov 13, 2015 at 2:51 PM, Andrew Leung &lt;andrewcleung(a)hotmail.com&gt; wrote: Yes, for user passwords there is a self-service "forgot password" feature than anyone can use who is missing their user (subscriber) password. For list admin passwords there is no such form but you should have recently received an email with it that we generated with a script when we had to reset all list admin passwords. -- Daniel Zahn &lt;dzahn(a)wikimedia.org&gt; Operations Engineer

Hello, I 'm an admin of mailing list "wikipedia-as". I received your email with a new password but was unable to log in with it. Kindly look into the matter. On Sat, Nov 14, 2015 at 7:00 AM, Daniel Zahn &lt;dzahn(a)wikimedia.org&gt; wrote: -- *~~ গীতাৰ্থ বৰদলৈ (Gitartha Bordoloi)*

On 14/11/15 19:33, Gitartha Bordoloi wrote: wikipedia-as was one of the lists whose password was reset *twice*. So you need to make sure to use the password from the _second_ email. That will be the one with subject «Your new wikipedia-as list password», saying «The site administrator at lists.wikimedia.org has changed the password for your mailing list…», not the one titled «Password reset for list wikpedia-as» Best regards

On Sun, 2015-11-15 at 07:00 +0800, Gabriel Chi Hong Lee wrote: Please let Daniel know off list or via a ticket to keep the volume of this large announcement list down. Thanks, andre -- Andre Klapper | Wikimedia Bugwrangler http://blogs.gnome.org/aklapper/

Hi, On Nov 13, 2015 11:06, "Risker" &lt;risker.wp(a)gmail.com&gt; wrote: that there is a forced password change for any WMF-based list to which I subscribe. Some questions are in order about this element, which is not mentioned in the blog, and will affect tens of thousands of users. for your typical list with no sensitive content I imagine many people would just leave the automatically set (random) passwd. many won't even keep a record of it and will just reset it when they need to use it. note, however, that James' point about monthly reminders doesn't hold because our lists typically have that disabled. (I get reminders for 2 lists each month. I subscribe to many more than that.) it's trivial to reset subscriber passwd (and is self-service) and also to set a new password passwd once you have logged in; when you set a new one after logged in to the web interface there's a checkbox for making the change on all your lists or only that one. mailing list separately, or can they use the "one password for all lists" function that currently exists to change all of the passwords at once? (Keep in mind that most of the mailing lists are at least semi-public, so this is not really a big deal.) I'm not sure exactly what you mean. See above. Passwords have been changed but the software behaves the same as before AFAIK. user does not update his or her password, or do they just continue? users don't need to do anything if they don't want to change anything. the inherent problem of having listadmin passwords that are not user-specific. That's not a Wikimedia specific problem. Nothing about that authentication system is locally customized (except maybe a couple lists with an extra layer of auth on top of mailman) There's an upstream and a large user base. I would say patches welcome but maybe they prefer people upgrade to mailman 3. (and maybe that fixes the auth model) a few listadmins appear to have used the same password for listadmin duties as they were using for other accounts. +1 -Jeremy