Wednesday, June 28, 2017

Server upgrade, data breach on old server - change your password!

Tim Starling from Wikimedia has kindly helped upgrade RationalWiki to MediaWiki 1.27. This will be going live shortly. This should bring us many functionality and security improvements.

In the process, Tim discovered that, in February 2017, the RationalWiki site was breached and the site's user table was downloaded. The user table contained:

  • Password hashes. "Because the hash used by MW before version 1.24 is cheap to calculate on a GPU, you can invert even moderately good password hashes, like 8 random alphanumeric characters."
  • The email address associated with each account, which can be paired with that account's password hash.
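For readers who want to see why the old hash is so cheap, here is an added example (not code from this post or from MediaWiki itself): the legacy ":B:" format as reproduced from memory of the old User::crypt(), beside an iterated PBKDF2 replacement and the login-time re-hash a site moving to 1.24+ would use. The PBKDF2 algorithm, round count and string layout are this example's own choices, and cost_ratio() only gives a rough single-core feel for the work-factor gap.

```python
import hashlib, hmac, os, time
# Legacy MediaWiki (pre-1.24) ":B:" scheme, reproduced here from memory of
# User::crypt(): ":B:<salt>:" + md5(salt + "-" + md5(password)). Two MD5 calls
# per guess: the salt defeats precomputed tables but not fast GPU guessing.
def legacy_b_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    outer = hashlib.md5(f"{salt}-{inner}".encode("utf-8")).hexdigest()
    return f":B:{salt}:{outer}"

def legacy_b_verify(password: str, stored: str) -> bool:
    _, tag, salt, _digest = stored.split(":")
    if tag != "B":
        raise ValueError("not a :B: hash")
    return hmac.compare_digest(legacy_b_hash(password, salt), stored)

# Iterated replacement. MediaWiki 1.24+ defaults to PBKDF2; the algorithm,
# round count and string layout below are this example's own choices.
ROUNDS = 30000
def pbkdf2_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f":pbkdf2:sha512:{rounds}:{salt.hex()}:{dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    _, tag, algo, rounds, salt_hex, dk_hex = stored.split(":")
    if tag != "pbkdf2":
        raise ValueError("not a pbkdf2 hash")
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def upgrade_on_login(password: str, stored: str):
    """Verify against the stored scheme; return the hash the user table should
    now hold (re-hashed if it was legacy), or None on a wrong password."""
    if stored.startswith(":B:"):
        if not legacy_b_verify(password, stored):
            return None
        return pbkdf2_hash(password, os.urandom(16))
    return stored if pbkdf2_verify(password, stored) else None

def cost_ratio(guesses: int = 20) -> float:
    """Seconds per PBKDF2 guess divided by seconds per legacy guess, one core."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(guesses):
        legacy_b_hash(f"guess{i}", salt.hex()[:8])
    t1 = time.perf_counter()
    for i in range(guesses):
        pbkdf2_hash(f"guess{i}", salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)
```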

Users should change their password, and change it anywhere else they've used that password.

Tim thinks the breach was a drive-by opportunist, rather than someone targeting RW specifically.

9 comments:

  1. Thanks for the disclosure. :D

  2. We very much appreciate you letting us know.

  3. I am a little less grateful than other commenters, because I can't help feeling that a small hint of apology would be in order, and might make me feel more sympathetic. Also, your warning email doesn't make it clear that you only just found out about your system's security weakness,

  4. I'm not surprised.

    Rational Wiki is anything but rational.

    Discovering that there is no God is low hanging fruit of knowledge.

    Being rational about CIA support in Syria is pooh-poohed by the lovers of goat at Rational Wiki.

  5. Agree with Unknown. RationalWiki is a farce. They don't investigate or properly analyze anything, they just read what the mainstream scientists or leftists are saying on any issue. Many of the editors are literally teenagers. They're propped up by the fact that some actual knowledgeable people actually contribute valuable information for their specific fields. But the main people writing about articles and editing such as on GMOs or on immigration or anything like that are fools beyond belief.

  6. Hello, Is it possible to delete your rational wiki account?

  7. Rational-Wiki is literally a wiki created by wiki vandals. I don't just mean Conservapedia vandals either, because several Rational-Wikians have been Wikipedia vandals too (at least one generally respected Rational-Wikian is community banned on Wikipedia for his blatant abuse, as a matter of fact, and Rational-Wiki defended his actions at Wikipedia). Why someone from WMF would help them in any way is mind boggling. Hopefully this results in a lawsuit that puts Rational-Wiki out of business.

  8. After a brief experience of the snark a few years ago, I had forgotten about RationalWiki... until their notice of the breach found its way into my inbox. When I went to my long-dormant account to change the login, I had several new messages, each one berating me for either not following their sig rules, or for ignoring a previous message. The language was abusive and puerile, and the rhetoric was at the level of a barely literate teenager. I barely needed to read any of the quickly-deleted messages, for the invective was apparent from the magnified subject lines. Any human with experience dealing with kids is more than psychologically prepared for any interactions, regardless of education level, although I would consider the average level of information more "schooled", than educated.

  9. David Gerard, you dumb motherfucker, are you still too dumb to properly manage the wikia?
