"Dante Alighieri" <dalighieri(a)digitalgrapefruit.com> wrote in message
news:5.2.0.9.2.20030903133745.02d3b748@digitalgrapefruit.com...
At 05:13 AM 9/3/2003, you wrote:
Jimmy Wales wrote:
Sure, but the great irony is that if someone did attack us in some more
sophisticated way, the net result would not be to shut us down, but to
force us to abandon one of our ideals of anonymous edits and
instant-signup-edits.
Yes, but then the terrorists would have won.
-- Toby
I can envision a protection against vandalbots that would not endanger our
ability to accept instant anonymous edits. We could require that anyone
trying to make an edit from an IP (not logged-in) have to pass a little
test on every 5th edit or so. I'm sure you've all seen those images with
distorted words where you are asked to read and type in the word so that
bots can't sign up for various mailing lists, etc. We could use something
like that. Every 5th edit wouldn't be TERRIBLY inconvenient for the user,
but would sure stop a vandalbot. Plus, the minor inconvenience might even
nudge people towards generating and using a login... which is A Good
Thing.
I suppose this could be problematic for anonymous contributors who are
vision impaired, but we could have an audio version as well.
In any event, even if the above example isn't terribly feasible, I doubt we
would truly have to give up in defeat (by disallowing anonymous edits) if
we were subject to a concerted attack. We're resourceful, we'll come up
with something when the time comes.
A sophisticated vandalbot would not be at all deterred by this protection. A
well-written vandalbot would create a new, random username before every
edit. It would never use the same name twice. If the attacker was at all
aware of how our software works, it would probably concentrate on deleting
images by uploading a dummy and then deleting the old revision. It would
open multiple connections to the server, for greater speed.
If this ever actually happens, then I would be in favour of implementing
anti-bot protection when new users log in.
In the meantime, I think we should have better protection for our images. At
the moment they're deleted permanently and instantly. They should be moved
to an archive instead. More regular backups would also be useful -- some
method of backing up only those old and cur entries which have changed would
be useful for this. I don't think we should be spending too much time on
filters and other annoying security when we don't even have a decent backup
system in place. I think if we can get it to the stage where the most a bot
can do is lose us a few hours' worth of edits plus say half an hour downtime,
it won't be worth spending any more time on the problem unless it actually
happens.
-- Tim Starling <tstarlingphysicsunimelbeduau>