[09:54:20] apergos: ping https://bugzilla.wikimedia.org/show_bug.cgi?id=54915
[09:55:32] I don't know what I can do about that, and I don't know that it's highest/critical
[09:56:03] prio changed ^-^^
[09:57:12] I'm sorry but that's an area I know nothing about, and no idea who to ask either
[09:57:23] ok
[09:57:39] ok, thanks anyway
[09:57:54] I dropped the bug link into wikimedia-dev in case anyone knows there, that's about all I can do
[09:59:16] thanks
[09:59:25] yw
[10:46:56] Elsie: https://bugzilla.mozilla.org/show_bug.cgi?id=168772
[10:48:03] and https://bugzilla.mozilla.org/show_bug.cgi?id=148564 , so you'll be able to do what you asked in 5.0 afaics
[10:48:11] (I'm eagerly waiting for that one too)
[10:49:59] why be on a bug and ignore it? seems weird
[10:56:37] apergos: e.g. because the reporter can't remove self from "cc"
[10:57:00] I often file bugs on behalf of others and sometimes it gets annoying
[10:58:09] filing a bug should be just that, not a life sentence to following the issue
[10:59:03] ah, that would never have occurred to me (if I file I want to know about it every time)
[11:14:58] Nemo_bis: you can set bz not to email you if you are the reporter, then just set yourself to cc if you want follow it
[11:15:41] who in the earth can get password while having just hash?
[11:15:51] what computer shall he have?
[11:15:52] p858snake|l_: sure but it's not very handy to add myself to cc to hundreds reports just to ignore a handful
[11:16:08] I hate when someone force me to change the passwords
[11:16:10] Base: any recent 100 $ computer or Amazon and the like
[11:16:16] Steinsplitter / apergos: sieband/nikerabbit are the ones you want to harass
[11:16:31] p858snake|l_: 1) I know, 2) I don't want, 3) it's probably not a bug
[11:16:54] why nobody asked if users want to change the password?
[11:17:07] The password you have entered matches an old password associated with your account. Please set a new, different password
[11:17:07] that's awful
[11:17:31] so if I have the hash I can try a dict attack and see if any of my guesses produce your hash
[11:17:32] why shall i hit my brain to invent the new pass....
[11:17:47] I can do it happily off line so as fast as my little cpus can run
[11:17:57] Base: good question! just use http://maord.com/ ;)
[11:18:02] Base: because the foundation cares about users security?
[11:18:15] we don't want someone else to login as you
[11:18:23] and then do bad things in your name
[11:18:26] why it cares more than i do?
[11:18:32] Base: you in particular don't have the right to complain ;) as you have some semi-advanced permissions
[11:18:35] that's just how we are :-)
[11:18:37] they just care to stop all the bots
[11:18:46] we care so you don't have to ;-)
[11:19:23] passwordgenerator's pass are not rememberable
[11:19:37] more seriously, I know it's an inconvenience, you might consider a program like keepassx to manage your passwords because it will generate them for you too
[11:19:55] and then you can just get it from there when you log in once every 30 days or whatever
[11:20:07] http://www.keepassx.org/
[11:20:23] you can also try another approach to passwords,
[11:20:32] where is that xkcd comic
[11:21:08] yeah yeah better to give my password on my own to service owners than to have the possibility of leaked hashes would be solved
[11:21:08] http://xkcd.com/936/ where you could take the first syllable of words if the phrase is too long, or some other variant
[11:21:51] keepassx is an application that runs on your computer, open source, encrypts the passwords on your local disk, you don't give them to anyone else
[11:23:51] it's like you keeping all your passwords in a gpg-encrypted file on your disk that no one else has access to, except someone else wrote it and made it suck a lot less
[11:24:09] that's seems to be the same weirdness as saving passwords in browser
[11:24:38] also if pass is on local drive how can i get it from another pc or mobile to use it
[11:24:42] well with the browser there are sometimes little issues about how they are saved
[11:24:44] useless tool
[11:25:17] your keepassx file can easily be copied between computers, or put on a flash drive
[11:25:52] there's a version for android too
[11:26:17] https://play.google.com/store/apps/details?id=com.android.keepass (haven't used it myself, I don't edit from my phone and I don't have other mobile devices)
[11:26:56] http://keepass.info/download.html there's a whole list of mobile etc versions here
[11:26:59] I had no idea :-D
[11:27:08] Base> passwordgenerator's pass are not rememberable
[11:27:12] not true
[11:27:23] that website, for instance, allows you to produce dozens
[11:27:34] usually, among them there is one that for some reason will be easy to remember for you
[11:27:55] I wonder if we should do password strength checking for folks with 'elevated privileges'
[11:28:03] perennial proposal
[11:28:04] crats and checkusers anyways
[11:28:28] hrm and stewards
[11:28:34] anyways not the billion sysadmins
[11:28:44] :D
[11:29:12] password strength is weird thing
[11:29:26] e.g. 5 chars in latin and in cyrillic is not the same story
[11:29:37] well it's an easy thing to check if your password is crackable in 10 sec or less by an automated script
[11:29:42] that would seem to be basic
[11:29:58] actually it is, because dictionary attackers will have lists in all the languages
[11:30:05] if those 5 chars are a word, it doesn't matter
[11:30:20] apergos: i think brion did that when wikipedia was only a baby and there was bitching by even
[11:30:34] *everyone
[11:30:36] hmm not sure it was him
[11:30:45] but yes it was done once
[11:31:06] might be worth a revisit, checkuser and others who can view private data, that would be a bad deal if such an account was compromised b/c weak password
[11:31:12] not in such ancient times though, rather recently iirc; like, 2005
[11:31:19] that's ancient
[11:31:28] nah
[11:31:29] 8 years ago, in the life of the internet or even wikipedia
[11:32:00] sorry, Proust teaches us that for me everyone coming in 2006 or later is just a newbie
[11:32:26] and in 5 years that will still be the same right?
[11:32:34] still 2006 I mean
[11:32:56] sure
[11:33:45] too bad I didn't note down that passage
[11:34:03] Nemo_bis: but how you know word of what language?
[11:34:04] it's not very handy to re-read 2500 pages by Proust
[11:34:12] Base: you just try all of them
[11:34:25] if it's in a dictionary, whatever dictionary, it takes probably few seconds
[11:34:45] and i can write this sentence in cyrillic - ай кен врайт зиз сентенс ин кириллик - how would you search for it in dictionary
[11:35:04] if it's a sentence and it's not a sentence that's a known quote or meme etc
[11:35:19] you might be better off
[11:35:31] there are dbs with lists of movie quotes and all the rest
[11:35:44] lol
[11:35:47] large collections of text, really not so large as you would think
[11:35:57] eh for password cracking use I mean
[11:36:02] but wait
[11:36:03] folks have already been there and done that
[11:36:14] bruteforce is fast in pc locally
[11:36:37] but what internet you must have to brute force pass in wiki via internet?
[11:36:58] also with these 5m or so pauses and captchas for unsuccess
[11:37:04] so this is why we require a wait period after a few failed login attempts
[11:37:05] but
[11:37:11] in the case where the hash is compromised
[11:37:15] like today's email
[11:37:27] it's now done off line, *not* on the internet
[11:37:55] it's only a matter of time
[11:37:55] apergos: the last i was about idea of minimum strength for crat+
[11:37:57] someone grabs a list of usernames and hashes, puts it on their desktop, starts up the cracker
[11:38:03] you can assume your password is known
[11:38:05] and waits for some good hits
[11:38:19] yes, in case something like this happens
[11:38:34] well also to weed out stupid things like people using 'wiki' or their username
[11:38:37] my pass is not a word of any language i suppose :)
[11:38:57] why>
[11:38:59] *?
[11:39:07] what's wrong with wiki-root?
[11:39:19] by this time you could have learnt 5 new secure passwords btw ;P
[11:39:25] why weed those out? because someone guessing via the internet might try those as one of the first few guesses
[11:40:04] anyways, making the password strong against dictionary attacks is a good idea as we see by today's incident
[11:40:07] so, please do that
[11:41:52] Nemo_bis: i have bad memory and i like flood :P
[11:42:28] apergos: you speak about wiki in pass or in login?
[11:42:44] you said username
[11:42:51] but argue about pass
[11:43:18] people use wiki- as their password
[11:43:26] or they use just their username as the password
[11:43:36] both very guessbale
[11:43:38] *guessable
[11:44:12] wiki-
[11:44:13] omg
[11:44:24] how much such users?
[11:44:27] who knows
[11:44:30] and how you know that?
[11:44:33] I just know of some who have done it
[11:44:53] lol
[11:44:58] but it's a nice idea
[11:45:04] because these particular people told me
[11:45:07] wiki-Base is quite difficult pass
[11:46:19] you know, if you *want* to use 1111111
[11:46:24] we can't actually stop you
[11:46:43] but we can tell you that if your account is abused you will have only yourself to blame
[11:47:22] o_O
[11:49:44] apergos: my bot's pass is as easy as 111111
[11:49:54] since nobody cares on my bot :)
[11:50:16] if your bot account suddenly ran rampant, people might care a great deal
[11:50:51] the police might care if it's used for death threats :)
[11:51:02] it is rampant when i run it :P
[11:51:36] hm DeathThreatsBot :D did anybody use such one?
[11:52:22] Base: why not 123 ? :P
[11:53:29] Steinsplitter: it is 123456
[11:53:36] :P
[11:54:07] there used to be a time when people used blank passwords on Wikipedia :)
[11:54:34] MeatBallWiki still don't ask any login, let's see if Sunir brought it back up
[11:54:35] :-)
[11:55:31] heh SunirShah -- Thu Jul 12 02:51:11 2012 The MeatballWiki code is unreadable by humans and out of control.
[11:56:43] what is meatballwiki?
[11:57:28] http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/
[12:07:09] I just logged into en-wp using a chrome incognito tab to test something. then logged out in the incognito window. somehow i was also logged out in the regular chrome window. i thought incognito had separate cookies and stuff (since it doesn't show user as logged in even when user is logged in in a normal window). wmf bug? or chrome bug?
[12:38:45] Sid-G: logout terminates all sessions
[12:39:10] So that's a feature ?
[12:41:09] your call; but it's expected, or so I believe
[12:48:29] * Sid-G sighs
[12:48:32] one man's bug is another man's feature
[13:05:07] https://meta.wikimedia.org/wiki/Template:WMF-navigation/en OMG
[13:05:23] PHP fatal error in /usr/local/apache/common-local/php-1.22wmf19/extensions/Translate/tag/TranslatablePage.php line 219:
[13:05:23] Call to a member function getMessage() on a non-object
[13:16:31] PHP fatal error fixed :)
[13:30:50] Steinsplitter: hey :)
[13:31:01] Steinsplitter: regarding latexml , I am not sure what else I can do to help
[13:31:25] Steinsplitter: any reason you abandoned the idea of building a debian package and use git clone to deploy ?
[13:32:25] hmm :)
[13:33:44] I'll think about it.
[13:38:34] but i am tech 0,001 :P
[13:42:47] Steinsplitter: luckily the other 99,999 are reachable there :-D
[13:42:59] :D
[13:43:12] Steinsplitter: what I suspect is that we will end up refusing deploying the code using puppet + git
[13:43:19] but ask for git-deploy instead
[13:43:33] that is essentially the same, but instead of having puppet managing the repo, you do it manually
[13:43:40] and can deploy on several nodes
[13:43:41] could anyone merge this into ops/mw-config? https://gerrit.wikimedia.org/r/#/c/86379/
[13:44:08] it's been stalled for a few days already
[13:44:12] hashar: :-) thx
[13:44:44] wizardist: I can't remember the impact of changing the TZ sorry :-(
[13:44:51] please! :)
[13:45:25] wizardist: sorry
[13:45:26] hashar: I don't think I understand what impact are you talking about? DB issues?
[13:45:53] wizardist: I am at a conference right now with some bad internet, I don't want to take the risk of breaking something
[13:45:56] but +1ed
[13:46:09] wizardist: unknown impacts, like I have no clue what it is going to change
[13:46:11] hashar: oh sure, enjoy the conference!
[13:46:19] wizardist: hopefully it is only used for display purposes
[13:46:21] :)
[13:46:39] wizardist: it is in Gerrit, so it will be deployed eventually. For sureç
[13:47:30] šure ;)
[14:04:39] wizardist: what's new with your tab ext?
[14:06:10] postponed as always
[14:35:54] wizardist: :(
[22:11:34] greg-g: Is the deployment schedule accurate that there were normal deployments during metrics?
[22:12:26] marktraceur: yes.
[22:13:37] Hm. Kay.
[22:13:59] marktraceur: u got a problem with that?
[22:14:13] (I only know a small amount of lolspeak)
[22:14:25] and what's up with all the part/joins?
[22:14:26] greg-g: I was concerned, but whatever
[22:14:30] As long as it worked
[22:14:37] <^demon> greg-g: freenode sucks.
[22:14:38] all sf staff peeps
[22:14:46] They're not on dickson!
[22:14:47] <^demon> Also, wmf office wifi sucks.
[22:14:49] Dickson 4eva
[22:14:59] marktraceur: until dickson dies
[22:15:04] Shush you
[22:15:19] "GetYourOwnWifiPenny" ?
[22:16:31] <^demon> T13|needsCoffee: My access point on my phone is called "getyourowndamnwifi" :)
[22:17:16] ^demon: not pennyalreadyeatsourfoodshecanpayforwifi ?
[22:18:14] <^demon> :)
[22:41:56] lol
[22:47:03] greg-g: The level of vitriol incoming to wikitech-l will likely be unprecedented.
[22:47:28] :(
[22:48:20] I know people use the phrase "rip someone a new asshole" all the time, but...
[22:49:34] * Nemo_bis checks ngrams
[22:52:06] :( :(
[22:52:54] Wait, what vitriol? From what?
[23:12:15] marktraceur: massmessage
[23:13:49] we haven't had a good flame war in a while
[23:13:54] it was starting to get boring
[23:13:56] so...
[23:14:29] * mwalker goes and gets the hotdogs to roast over the inbox