[e-lang] wiki clock wrong? Also, access control...

James Graves ansible at xnet.com
Sun Jul 1 07:17:04 EDT 2007


On Sat, Jun 30, 2007 at 08:11:56PM -0700, Mark Miller wrote:
> <http://wiki.erights.org/wiki/Special:Recentchanges> shows changes
> made tomorrow.

Odd.  I just manually checked the time on the server, and it seems
correct.  I'll look into that.

> More interestingly, I notice that virtually all recent changes are
> either made by spambots, or made by us to reverse the damage, and to
> banish the accounts of the spambots. Spambots can easily have more
> patience in creating accounts than we can have in reacting, so we're
> currently vulnerable to this form of Sybil attack. Should we instead
> shift to requiring new accounts to be manually approved?

Actually, I was thinking about that myself a few weeks ago... seeing all
the reverts Kevin was doing.

I'd expect that the contribution level of the wiki, which is already
quite low, will pretty much drop to zero.  We're likely to get about one
person a year asking for account access, if we require further approval
for editing rights on the wiki.

Martin's idea of a captcha is not a bad one.  I started looking for one
that is already integrated with MediaWiki, and didn't find anything
interesting.

My friend Don has a captcha that's interesting... it asks you questions
like "Is AD 1497 in the past or the future?".  The image-based ones
aren't too nice for disabled users.  We'd probably need to re-write it
for MediaWiki, however.

> Given that Wikipedia is clearly more of a target than we are, and that
> they would seem to be even more vulnerable than we are (they don't
> require a login before posting), I don't understand how they survive.
> Can anyone explain how they handle these issues?

It helps that Wikipedia has lots of editors.

Well, it seems that requiring account sign-up for editing isn't really
helping us.

Keep in mind that if we allow anonymous edits, then we can just ban the
IP address from editing.  Whereas since we require an account, we can
only ban the newly created account, but there's nothing stopping the
spambot from creating a new account.

If I had time, I'd write a script that trolls the ban log and the Apache
access logs, and correlates the two.  And just block (at the IP level)
any access from an IP that was used to spam.

I'm currently over-committed by, like, 200%, so I don't have time to write
that right now, however.

James
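
The ban-log/access-log correlation described in the message above, as an added example that is not part of the original post. It assumes the bans have been exported as `user|edit time|page title` lines (a constructed format, not MediaWiki's own) and matches each banned edit to the `action=submit` POST for the same page within a few seconds; the sample logs, the 5-second window and the function names are likewise assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, timestamp, request line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*"')

# Constructed sample data. The ban-export format (user|edit time|page title)
# is an assumption, not a MediaWiki format.
BANNED_EDITS = """\
Spambot1|2007-06-30T22:15:03-0400|Main_Page
Spambot2|2007-06-30T23:40:10-0400|Walnut
"""
ACCESS_LOG = """\
203.0.113.7 - - [30/Jun/2007:22:15:02 -0400] "POST /index.php?title=Main_Page&action=submit HTTP/1.1" 302 0
198.51.100.4 - - [30/Jun/2007:22:15:30 -0400] "GET /index.php?title=Main_Page HTTP/1.1" 200 5120
192.0.2.9 - - [30/Jun/2007:23:10:00 -0400] "POST /index.php?title=Walnut&action=submit HTTP/1.1" 302 0
203.0.113.7 - - [30/Jun/2007:23:40:11 -0400] "POST /index.php?title=Walnut&action=submit HTTP/1.1" 302 0
not a log line
"""

def parse_access(text):
    """Yield (ip, time, url) for edit submissions; skip unparseable lines."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or "action=submit" not in m["url"]:
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["url"]

def spam_ips(ban_text, access_text, window=timedelta(seconds=5)):
    """Map each IP to the banned accounts whose edits it submitted."""
    posts = list(parse_access(access_text))
    hits = {}
    for line in ban_text.splitlines():
        user, ts, title = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")
        for ip, seen, url in posts:
            if f"title={title}&" in url and abs(seen - when) <= window:
                hits.setdefault(ip, set()).add(user)
    return hits

def deny_rules(hits, min_accounts=1):
    """Apache 2.2-style deny lines for IPs tied to enough banned accounts."""
    return [f"Deny from {ip}" for ip, users in sorted(hits.items())
            if len(users) >= min_accounts]

if __name__ == "__main__":
    print("\n".join(deny_rules(spam_ips(BANNED_EDITS, ACCESS_LOG))))
```

Raising `min_accounts` limits blocks to addresses tied to several banned accounts, which reduces the chance of blocking a shared proxy or NAT address over a single match.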