Thread: Wiki 2FA
Hello,

Perhaps we should consider enforcing 2FA for the Wiki?

https://www.mediawiki.org/wiki/Extension:TwoFactorAuthentication

Sincerely,

JD

--
Command Prompt, Inc. http://the.postgres.company/ +1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.
On Sat, Jan 23, 2016 at 9:06 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
> Hello,
>
> Perhaps we should consider enforcing 2FA for the Wiki?
>
> https://www.mediawiki.org/wiki/Extension:TwoFactorAuthentication

Two factor auth protects you against someone using your account. Have we had any issues with that?

It does not protect against people signing up for multiple accounts. Unless you were actually planning to send out hardware 2FA tokens to each actual contributor, but I'm pretty sure you didn't mean that?

And as a side note, it also doesn't support our version of MediaWiki -- but that's only a problem if we actually think it would bring any benefit.
On Sat, Jan 23, 2016 at 8:41 PM, Magnus Hagander <magnus@hagander.net> wrote:
> It does not protect against people signing up for multiple accounts. Unless
> you were actually planning to send out hardware 2FA tokens to each actual
> contributor, but I'm pretty sure you didn't mean that?

We could put a captcha which would at least prevent spammers from scripting attacks. I'm not sure what type of spamming we've had. I expect we would still see one-off spam by humans though.

--
greg
On Sat, Jan 23, 2016 at 10:43 PM, Greg Stark <stark@mit.edu> wrote:
> On Sat, Jan 23, 2016 at 8:41 PM, Magnus Hagander <magnus@hagander.net> wrote:
>> It does not protect against people signing up for multiple accounts. Unless
>> you were actually planning to send out hardware 2FA tokens to each actual
>> contributor, but I'm pretty sure you didn't mean that?
>
> We could put a captcha which would at least prevent spammers from
> scripting attacks. I'm not sure what type of spamming we've had. I
> expect we would still see one-off spam by humans though.

We have a captcha for account signups already. That increased the signup time by 30-45 seconds on average.

We also have a 7 day grace period, so new accounts could not use the wiki for 7 days. It took *exactly* 7 days before the spam started again.

To me it's pretty clear that it did not come from scripts. Another hint of that is that a couple of those "scripts" emailed us asking for us to let them bypass the 7 day grace period.
On 01/23/2016 12:41 PM, Magnus Hagander wrote:
> On Sat, Jan 23, 2016 at 9:06 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
>> Hello,
>>
>> Perhaps we should consider enforcing 2FA for the Wiki?
>>
>> https://www.mediawiki.org/wiki/Extension:TwoFactorAuthentication
>
> Two factor auth protects you against someone using your account. Have we
> had any issues with that?
>
> It does not protect against people signing up for multiple accounts.
> Unless you were actually planning to send out hardware 2FA tokens to
> each actual contributor, but I'm pretty sure you didn't mean that?

No. I meant the idea of having Google Authenticator required (which is open source). It works on any Android device as well as others (Windows). I believe it would help with the autoscripting edits?

JD
On Sat, Jan 23, 2016 at 1:50 PM, Magnus Hagander <magnus@hagander.net> wrote:
> We have a captcha for account signups already. That increased the signup
> time by 30-45 seconds on average.

I think that it's now economical for spammers to farm out the completion of captchas. Real people actually fill them out, with everything else highly automated. I'm not sure how much of the work performed by the Amazon Mechanical Turk service is actually filling out captchas, but it's certainly some proportion. (The whole concept of Mechanical Turk is downright creepy in my view.)

--
Peter Geoghegan

"Joshua D. Drake" <jd@commandprompt.com> writes:
> On 01/23/2016 12:41 PM, Magnus Hagander wrote:
>> It does not protect against people signing up for multiple accounts.
>> Unless you were actually planning to send out hardware 2FA tokens to
>> each actual contributor, but I'm pretty sure you didn't mean that?

> No. I meant the idea of having Google Authenticator required (which is
> open source). It works on any Android device as well as others
> (windows). I believe it would help with the autoscripting edits?

I doubt it would help much unless we required a 2FA auth cycle for every single edit, which I for one wouldn't stand for. Reasonably user-friendly policies like one auth a day would still be plenty easy for spammers too. (They've got phones too ya know.) In fact, considering it is trivial to have as many GA instances as you want all sharing the same key, I'm pretty sure that even a 2FA-check-per-edit policy could be scripted against. The bots would just need to have a local token generator running the same key that the mechanical turks had signed up with.

regards, tom lane
On 01/23/2016 03:35 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On 01/23/2016 12:41 PM, Magnus Hagander wrote:
>>> It does not protect against people signing up for multiple accounts.
>>> Unless you were actually planning to send out hardware 2FA tokens to
>>> each actual contributor, but I'm pretty sure you didn't mean that?
>
>> No. I meant the idea of having Google Authenticator required (which is
>> open source). It works on any Android device as well as others
>> (windows). I believe it would help with the autoscripting edits?
>
> I doubt it would help much unless we required a 2FA auth cycle for
> every single edit, which I for one wouldn't stand for. Reasonably
> user-friendly policies like one auth a day would still be plenty
> easy for spammers too. (They've got phones too ya know.) In fact,
> considering it is trivial to have as many GA instances as you want
> all sharing the same key, I'm pretty sure that even a 2FA-check-per-edit
> policy could be scripted against. The bots would just need to have
> a local token generator running the same key that the mechanical
> turks had signed up with.

Bummer, o.k. Although it seems that spammers only go after easy targets.

It was an idea. Thanks :)

Sincerely,

JD

"Joshua D. Drake" <jd@commandprompt.com> writes:
> On 01/23/2016 03:35 PM, Tom Lane wrote:
>> I doubt it would help much unless we required a 2FA auth cycle for
>> every single edit, which I for one wouldn't stand for. Reasonably
>> user-friendly policies like one auth a day would still be plenty
>> easy for spammers too. (They've got phones too ya know.)

> Bummer, o.k. Although it seems that spammers only go after easy targets.

I dunno. I was astonished that they came back a second time after we'd once thrown them off and cleaned up the mess; you'd think they'd realize that that would just happen again. I think it may have been an intentional attack on the PG project as such, not just drive-by spamming. (If so, and if the goal was to complicate our lives, they succeeded.)

Or maybe I'm just too paranoid.

regards, tom lane
On 01/23/2016 03:49 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On 01/23/2016 03:35 PM, Tom Lane wrote:
>>> I doubt it would help much unless we required a 2FA auth cycle for
>>> every single edit, which I for one wouldn't stand for. Reasonably
>>> user-friendly policies like one auth a day would still be plenty
>>> easy for spammers too. (They've got phones too ya know.)
>
>> Bummer, o.k. Although it seems that spammers only go after easy targets.
>
> I dunno. I was astonished that they came back a second time after we'd
> once thrown them off and cleaned up the mess; you'd think they'd realize
> that that would just happen again. I think it may have been an
> intentional attack on the PG project as such, not just drive-by spamming.
> (If so, and if the goal was to complicate our lives, they succeeded.)
>
> Or maybe I'm just too paranoid.

Hrm, do we have the IPs that they were coming from? Were they from a specific block? Or GEO region? I hate the idea of blocking login from a region but it may be an unfortunate reality.

Sincerely,

JD
On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
> No. I meant the idea of having Google Authenticator required (which is open
> source). It works on any Android device as well as others (windows). I
> believe it would help with the autoscripting edits?

Why? It doesn't in any way prevent automated scripted spammers. They can automatically generate TOTP codes from a script just as easy as the app can. An SMS-based 2FA scheme might have an impact but even that can be farmed out easily.

Actually requiring a Google account and OAuth login would actually have an impact because Google cares about spammers with Google accounts and goes after them and shuts them down. On the one hand Google is going to do a better job of anti-spam, opsec, and DoS mitigation than we ever will. But on the other hand I suspect Google is only concerned by numbers that are significantly larger than our threshold of pain and it would mean giving away a lot of control over the process.

--
greg
> I dunno. I was astonished that they came back a second time after we'd
> once thrown them off and cleaned up the mess; you'd think they'd realize
> that that would just happen again. I think it may have been an
> intentional attack on the PG project as such, not just drive-by spamming.
> (If so, and if the goal was to complicate our lives, they succeeded.)

I doubt PG was targeted: MediaWiki was. It's a popular and easy spam vector these days, and reminds me of Windows in the old days: you can set up a brand new wiki and be guaranteed a spammer before you even start advertising your site. And once you are on a list, expect to never be able to fully open your wiki again.

The captcha war is absolutely being won by the spammers at the moment, so I think our current solution is probably the best tradeoff we can get. Although it would be nice to be able to point people to the #postgresql channel for editor rights too.

--
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 201601231931
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
On 01/24/2016 01:32 AM, Greg Sabino Mullane wrote:
>> I dunno. I was astonished that they came back a second time after we'd
>> once thrown them off and cleaned up the mess; you'd think they'd realize
>> that that would just happen again. I think it may have been an
>> intentional attack on the PG project as such, not just drive-by spamming.
>> (If so, and if the goal was to complicate our lives, they succeeded.)
>
> I doubt PG was targeted: MediaWiki was. It's a popular and easy spam vector
> these days, and reminds me of Windows in the old days: you can set up a
> brand new wiki and be guaranteed a spammer before you even start advertising
> your site. And once you are on a list, expect to never be able to fully open
> your wiki again.

yeah :(

> The captcha war is absolutely being won by the spammers at the moment, so
> I think our current solution is probably the best tradeoff we can get.
> Although it would be nice to be able to point people to the #postgresql
> channel for editor rights too.

well the blurb on the wiki clearly states you can ask in the channel as well, though it might actually take a bit longer for granting access there because not all of us are monitoring the channel that closely.

Stefan
On Sun, Jan 24, 2016 at 1:04 AM, Greg Stark <stark@mit.edu> wrote:
> On Sat, Jan 23, 2016 at 11:25 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
>> No. I meant the idea of having Google Authenticator required (which is open
>> source). It works on any Android device as well as others (windows). I
>> believe it would help with the autoscripting edits?
>
> Why? It doesn't in any way prevent automated scripted spammers. They
> can automatically generate TOTP codes from a script just as easy as
> the app can. An SMS-based 2FA scheme might have an impact but even that
> can be farmed out easily.
>
> Actually requiring a Google account and OAuth login would actually
> have an impact because Google cares about spammers with Google
> accounts and goes after them and shuts them down. On the one hand
> Google is going to do a better job of anti-spam, opsec, and DoS
> mitigation than we ever will. But on the other hand I suspect Google
> is only concerned by numbers that are significantly larger than our
> threshold of pain and it would mean giving away a lot of control over
> the process.

The majority of the spam came from people with freshly signed up @gmail.com or yandex email addresses. So they clearly got through at least one layer of defense there.
On Sun, Jan 24, 2016 at 12:51 AM, Joshua D. Drake <jd@commandprompt.com> wrote:
> On 01/23/2016 03:49 PM, Tom Lane wrote:
>> "Joshua D. Drake" <jd@commandprompt.com> writes:
>>> On 01/23/2016 03:35 PM, Tom Lane wrote:
>>>> I doubt it would help much unless we required a 2FA auth cycle for
>>>> every single edit, which I for one wouldn't stand for. Reasonably
>>>> user-friendly policies like one auth a day would still be plenty
>>>> easy for spammers too. (They've got phones too ya know.)
>>
>>> Bummer, o.k. Although it seems that spammers only go after easy targets.
>>
>> I dunno. I was astonished that they came back a second time after we'd
>> once thrown them off and cleaned up the mess; you'd think they'd realize
>> that that would just happen again. I think it may have been an
>> intentional attack on the PG project as such, not just drive-by spamming.
>> (If so, and if the goal was to complicate our lives, they succeeded.)
>>
>> Or maybe I'm just too paranoid.
>
> Hrm, do we have the IPs that they were coming from? Were they from a
> specific block? Or GEO region? I hate the idea of blocking login from a
> region but it may be an unfortunate reality.

The majority was from India, but not all. Most of it was from what looked like typical residential or small business DSL connections. Some also originated from USA. Those were the only two sources I saw when I looked back then, but we had a limited number of attempts logged at that time.
Stefan Kaltenbrunner wrote:
> On 01/24/2016 01:32 AM, Greg Sabino Mullane wrote:
>>> I dunno. I was astonished that they came back a second time after we'd
>>> once thrown them off and cleaned up the mess; you'd think they'd realize
>>> that that would just happen again. I think it may have been an
>>> intentional attack on the PG project as such, not just drive-by spamming.
>>> (If so, and if the goal was to complicate our lives, they succeeded.)
>>
>> I doubt PG was targeted: MediaWiki was. It's a popular and easy spam vector
>> these days, and reminds me of Windows in the old days: you can set up a
>> brand new wiki and be guaranteed a spammer before you even start advertising
>> your site. And once you are on a list, expect to never be able to fully open
>> your wiki again.
>
> yeah :(

Keep in mind that our own MediaWiki installation has a custom auth system, using our community auth system. Which means that this wasn't a simple attack script for generic MediaWiki installations; if it was a script at all then it must have been tailored for our system somehow. Maybe part of it is scripted and the auth part requires a human to oversee.

Either way, I concur that it's pretty scary.

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On Sun, Jan 24, 2016 at 3:23 PM, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
> Keep in mind that our own MediaWiki installation has a custom auth
> system, using our community auth system. Which means that this wasn't a
> simple attack script for generic Mediawiki installations; if it was a
> script at all then it must have been tailored for our system somehow.
> Maybe part of it is scripted and the auth part requires a human to
> oversee.
>
> Either way, I concur that it's pretty scary.

I would assume it's some kind of affiliate system like the old clickfraud schemes. Ever wonder what those "make money from home" scammy ads were about? In the past they used to be pay-to-click schemes where you got paid to go around clicking on ads. I bet they've expanded to schemes where random people are paid for each link they manage to put up somewhere on the internet.

--
greg
Greg Stark wrote:
> I would assume it's some kind of affiliate system like the old
> clickfraud schemes. Ever wonder what those "make money from home"
> scammy ads were about? In the past they used to be pay-to-click
> schemes where you got paid to go around clicking on ads. I bet they've
> expanded to schemes where random people are paid for each link they
> manage to put up somewhere on the internet.

I guess it's possible.

We had a look at the kind of content that was being posted. One pattern was that they posted a phone number hundreds or thousands of times in different pages, with surrounding text stating that the number was the support line for some home product (a laser printer, scanner, etc). No URLs at all. The phone number was the valid number for some poor sod who had no relationship at all to the product in question. (It wasn't a single phone number, but it was a very limited amount of numbers. Maybe a dozen, posted in thousands of fake pages, vandalized valid pages, posted on user pages, and even on the comments for the wiki changes.)

What could be the profit model for posting such content? One theory was that they were simply testing whether such a mass post could be done at all, with an eye towards doing something more profitable in the future. Another theory was that the number was for a person with whom someone had some kind of grudge, so they paid the attack group to piss them off.

--
Álvaro Herrera
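The pattern Álvaro describes, a small set of phone numbers pasted across thousands of pages, user pages and edit comments, has a signature that a recent-changes feed can be screened for without any URL blocklist. The block below is an added example written for this page, not code from the thread or from the PostgreSQL wiki: it groups phone-number-looking tokens by normalized number and flags any number that spreads over more distinct pages than a real support line would. The Edit record, the account-age field, the regex, the thresholds and the sample edits (which use 555-01xx numbers, reserved for fiction) are all constructed assumptions of this example.

```python
"""Screen wiki edits for one number posted across many pages by several accounts.

Added example; the record layout, field names, thresholds and sample data are
assumptions for this page, not the PostgreSQL wiki's real feed or code.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# North-American style numbers with optional +1, brackets and separators.
# The thread does not give the real numbers or their format; this pattern is an assumption.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")


class Edit(NamedTuple):
    user: str               # account that made the edit
    account_age_days: int   # age of that account at edit time (assumed to be available)
    page: str               # page touched; an edit summary is attributed to its page
    text: str               # new page text or the edit summary


def normalize_number(raw: str) -> str:
    """Strip punctuation and a leading country code so formatting variants group together."""
    return re.sub(r"\D", "", raw)[-10:]


def find_campaigns(edits: Iterable[Edit], min_pages: int = 3) -> Dict[str, dict]:
    """Numbers seen on at least `min_pages` distinct pages, with the accounts that posted them.

    A genuine support line tends to live on one page; the campaign in the thread put
    a dozen numbers on thousands of pages, so page spread is the discriminating signal.
    """
    pages = defaultdict(set)
    accounts = defaultdict(dict)  # number -> {user: account_age_days}
    for e in edits:
        for raw in PHONE_RE.findall(e.text):
            n = normalize_number(raw)
            pages[n].add(e.page)
            accounts[n][e.user] = e.account_age_days
    return {
        n: {
            "pages": len(pages[n]),
            "accounts": sorted(accounts[n]),
            "oldest_account_days": max(accounts[n].values()),
        }
        for n in pages
        if len(pages[n]) >= min_pages
    }


# Constructed sample feed: one fictitious "support line" pasted across pages, talk
# pages, user pages and edit summaries by accounts just past a 7-day grace period,
# a second number from the same campaign with less spread, and one legitimate edit.
SAMPLE_EDITS: List[Edit] = [
    Edit("printhelp22", 8, "HP Printer Support", "Call HP printer support 1-800-555-0142 toll free"),
    Edit("printhelp22", 8, "Talk:Main Page", "hp support number +1 (800) 555-0142"),
    Edit("scanfix_01", 9, "User:scanfix_01", "Canon scanner helpline 800.555.0142"),
    Edit("scanfix_01", 9, "Todo", "for help dial 800-555-0142 (Canon support)"),
    Edit("avguru", 8, "Antivirus Support", "Norton support 1 800 555 0142 24x7"),
    Edit("avguru", 8, "Release 9.5", "edit summary: call 8005550142 now"),
    Edit("printhelp22", 8, "Epson Support", "Epson helpline 1-800-555-0177"),
    Edit("avguru", 8, "User:avguru", "epson support 800-555-0177"),
    Edit("longtime_editor", 2400, "PGConf 2016", "Venue front desk: +1 503 555 0123"),
    Edit("longtime_editor", 2400, "Release 9.5", "no phone numbers here, just release notes"),
]


if __name__ == "__main__":
    for number, info in find_campaigns(SAMPLE_EDITS).items():
        print(number, info)
```

On the constructed feed only the number spread over six pages by three fresh accounts is reported; the conference desk number on a single page is not, and the second campaign number only appears if min_pages is lowered to 2. The oldest_account_days field is there because of Magnus's observation that the spam resumed exactly when the 7-day grace period expired: a cluster of accounts all a week or two old is itself a signal.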
On 01/24/2016 12:03 AM, Stefan Kaltenbrunner wrote:
> well the blurb on the wiki clearly states you can ask in the channel as
> well, though it might actually take a bit longer for granting access
> there because not all of us are monitoring the channel that closely.

Andrew Gierth (RhodiumToad) was actually complaining about that. He refuses to send an email because we said we would watch on channel.

JD
On 01/24/2016 06:22 PM, Joshua D. Drake wrote:
> On 01/24/2016 12:03 AM, Stefan Kaltenbrunner wrote:
>> well the blurb on the wiki clearly states you can ask in the channel as
>> well, though it might actually take a bit longer for granting access
>> there because not all of us are monitoring the channel that closely.
>
> Andrew Gierth (RhodiumToad) was actually complaining about that. He
> refuses to send an email because we said we would watch on channel.

His request was granted rather quickly.

--
Vik Fearing +33 6 46 75 15 36
http://2ndQuadrant.fr PostgreSQL : Expertise, Formation et Support
Alvaro Herrera wrote:
> We had a look at the kind of content that was being posted. One pattern
> was that they posted a phone number hundreds or thousands of times in
> different pages, with surrounding text stating that the number was the
> support line for some home product (a laser printer, scanner, etc). No
> URLs at all. The phone number was the valid number for some poor sod
> who had no relationship at all to the product in question. (It wasn't a
> single phone number, but it was a very limited amount of numbers. Maybe
> a dozen, posted in thousands of fake pages, vandalized valid pages,
> posted on user pages, and even on the comments for the wiki changes.)

Eh. Today I just saw that somebody posted the same kind of content (a number for support service of a well known Windows antivirus software) in the bug report form.

--
Álvaro Herrera
On Mon, Jan 25, 2016 at 4:55 PM, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
> Alvaro Herrera wrote:
>> We had a look at the kind of content that was being posted. One pattern
>> was that they posted a phone number hundreds or thousands of times in
>> different pages, with surrounding text stating that the number was the
>> support line for some home product (a laser printer, scanner, etc). No
>> URLs at all. The phone number was the valid number for some poor sod
>> who had no relationship at all to the product in question. (It wasn't a
>> single phone number, but it was a very limited amount of numbers. Maybe
>> a dozen, posted in thousands of fake pages, vandalized valid pages,
>> posted on user pages, and even on the comments for the wiki changes.)
>
> Eh. Today I just saw that somebody posted the same kind of content (a
> number for support service of a well known Windows antivirus software)
> in the bug report form.
We've had them post organizations related to it as well, in the web system. Since the organizations are moderated, and they can't submit news or events until it's approved, they never got any further than creating those. They've also posted doc comments, which are also moderated.
The unique thing about the wiki is that we allowed them to post things without moderation. (even the lists have moderation, depending on subscriptions and spam scores)