[EM] wiki emergency: home page hacked (and maybe more)

Abd ul-Rahman Lomax abd at lomaxdesign.com
Tue Aug 30 14:01:47 PDT 2005


At 02:38 PM 8/30/2005, Rob Lanphier wrote:
>It's fixed now, and the IP is blocked.

Wikis which enjoy a large number of technically sophisticated users 
who can monitor and fix such problems (and perhaps pursue the 
spammers) can afford, perhaps, to leave access completely open. Open 
access *may* encourage more participation. But it is not clear; 
registration is pretty simple, about as simple as subscribing to a 
mailing list is nowadays, now that lists have required validations to 
avoid abuse of the lists by spammers.

When I look at the access logs, I can see that the wiki is constantly 
being scanned by bots. Most of these are probably benign; they are 
scouts for the search engines. But that same technology is being used 
by the spammers....

>Not sure what the sluggishness you saw was.  It was pretty zippy for me.

It may have been a problem with the wireless network I'm using from here....

>I wouldn't refer to this as a "hack" (you had me worried for a sec).  A
>"hack" would be a case where someone circumvented the security measures
>in place.

Technically, yes. But since there are few security measures in place....

>   Since anyone can edit a wiki, they were doing something they
>were permitted to do under the security policy.  "Vandalism" or "spam"
>are more appropriate descriptions.

Yes. Sorry if I gave you a fright.

Since I switched to required-registration mode, the only spammer 
activity I've seen is on the Sandbox, which is open-access. (Not 
configurable to close it, as far as I could tell, but relatively 
harmless, compared to the hijacking of the home page....) And then 
activity is also automatically "signed."

But I really don't know how many comments have not been posted 
because users did not want to register....

Hmm.... maybe I could set up an account that users could use to log 
in if they want to be anonymous or just want to post immediately, 
don't want to register. They would still have to log in, which would 
defeat the spammers, at least for now. There would still be IP access 
records; the only risk would be from human vandals, which is not high.




