[WikiEN-l] Re: [JOKE -- or is it?] Re: Michael again *sigh*

[Tim Starling]

"Dante Alighieri"
<dalighieri at digitalgrapefruit.com> wrote in
message news:5.2.0.9.2.20030903133745.02d3b748 at digitalgrapefruit.com...
> At 05:13 AM 9/3/2003, you wrote:
> >Jimmy Wales wrote:
> >
> > >Sure, but the great irony is that if someone did attack us in some
> > >more sophisticated way, the net result would not be to shut us down,
> > >but to force us to abandon one of our ideals of anonymous edits and
> > >instant-signup-edits.
> >
> >Yes, but then the terrorists would have won.
> >
> >
> >-- Toby
>
>
> I can envision a protection against vandalbots that would not endanger our
> ability to accept instant anonymous edits. We could require that anyone
> trying to make an edit from an IP (not logged-in) have to pass a little
> test on every 5th edit or so. I'm sure you've all seen those images with
> distorted words where you are asked to read and type in the word so that
> bots can't sign up for various mailing lists, etc. We could use something
> like that. Every 5th edit wouldn't be TERRIBLY inconvenient for the user,
> but would sure stop a vandalbot. Plus, the minor inconvenience might even
> nudge people towards generating and using a login... which is A Good
Thing.
> I suppose this could be problematic for anonymous contributors who are
> vision impaired, but we could have an audio version as well.
>
> In any event, even if the above example isn't terribly feasible, I doubt
we
> would truly have to give up in defeat (by disallowing anonymous edits) if
> we were subject to a concerted attack. We're resourceful, we'll come up
> with something when the time comes.

A sophisticated vandalbot would not be at all deterred by this protection. A
well-written vandalbot would create a new, random username before every
edit. It would never use the same name twice. If the attacker was at all
aware of how our software works, it would probably concentrate on deleting
images by uploading a dummy and then deleting the old revision. It would
open multiple connections to the server, for greater speed.

If this ever actually happens, then I would be in favour of implementing
anti-bot protection when new users log in.

In the meantime, I think we should have better protection for our images. At
the moment they're deleted permanently and instantly. They should be moved
to an archive instead. More regular backups would also be useful -- some
method of backing up only those old and cur entries which have changed would
be useful for this. I don't think we should be spending too much time on
filters and other annoying security when we don't even have a decent backup
system in place. I think if we can get it to the stage where the most a bot
can do is lose us a few hours worth of edits plus say half an hour downtime,
it won't be worth spending any more time on the problem unless it actually
happens.

-- Tim Starling <tstarlingphysicsunimelbeduau>