
On Tue, 1 Feb 2005, Alan Horkan wrote:
On Tue, 1 Feb 2005, Bryce Harrington wrote:
Date: Tue, 1 Feb 2005 10:53:31 -0800 (PST)
From: Bryce Harrington <bryce@...260...>
To: mental@...3...
Cc: bulia byak <buliabyak@...400...>, inkscape-devel@lists.sourceforge.net
Subject: Re: [Inkscape-devel] wiki spam
All of the suggestions in this thread are viable options, although some will require more work than others:
- Changing the password: Trivial, easy to do
- Blocking more IPs: Trivial, easy to do
- Adding basic auth login: Requires sysadmin work + ongoing account admin
I assumed it was already built in to the wiki and all that would be required would be to turn it on.
Well, it does have a sitewide password that can be turned on for editing, but it'd be the same password for everyone. But that's essentially what we've got currently so really the next step would be to turn on either basic auth (implemented in Apache) or a more advanced auth mechanism (implemented ourselves).
Note that anything we do is going to have tradeoffs: Either more implementation work, more administrative work, more work on the part of the user, or a combination. For example, like you point out, image-based passwords won't require admin work, but will require some implementation work, and increases the burden on users (esp. those with vision impairments). Having two different systems (image passwords or authentication) gives the users options but at the cost of double implementation work, and doubling our risk (spammers only need to find a way to attack one of the systems).
There is one other programmatic defense that I know about for wikis. For many bots, there is an inhumanly short period of time between when they click edit and when they submit the page, so apparently if you make the wiki keep track of this time and it's less than a few seconds, then you can make a fairly safe assumption that it's a bot. Our wiki doesn't have this feature, but I would bet that a good Perl hacker could figure out a good way to implement it. The advantage of this system over others is that while it wouldn't stop all spamming, at least it would not impose additional administrative or user effort and it might cut down some of the spammers. I bet it would be especially effective at the spammer Bulia was fighting today. Anyone feel like giving it a shot?
Bryce
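The edit-to-submit timing check described in the message above, sketched in Perl as an added example; it is not part of the original post and not code from the Inkscape wiki. It assumes the edit form can carry a hidden field, and every name in it (`issue_token`, `check_submit`, `$SECRET`, the thresholds, the page name) is hypothetical. The timestamp is HMAC-signed so a bot cannot simply submit an older one.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical names and constructed values throughout; not the wiki's own code.
my $SECRET = 'replace-with-random-server-side-secret';
use constant MIN_SECONDS => 5;      # "less than a few seconds" => assume a bot
use constant MAX_AGE     => 86400;  # a form older than this must be reloaded

# Called when the edit form is rendered; the result goes in a hidden field.
sub issue_token {
    my ($page, $now) = @_;
    return join ':', $now, hmac_sha256_hex("$page\n$now", $SECRET);
}

# Compare two MACs without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Called when the edit is submitted; returns a verdict string.
sub check_submit {
    my ($page, $token, $now) = @_;
    my ($ts, $mac) = ($token // '') =~ /\A(\d{1,12}):([0-9a-f]{64})\z/
        or return 'bad_token';                    # field missing or malformed
    ct_eq($mac, hmac_sha256_hex("$page\n$ts", $SECRET))
        or return 'bad_token';                    # forged, or issued for another page
    my $elapsed = $now - $ts;
    return 'too_fast' if $elapsed < MIN_SECONDS;  # also rejects future timestamps
    return 'expired'  if $elapsed > MAX_AGE;
    return 'ok';
}

# Constructed demo: one form load, then several submissions.
my $t0     = 1107284011;
my $token  = issue_token('SandBox', $t0);
my $forged = ($t0 - 600) . ':' . (split /:/, $token)[1];  # backdated, old MAC
printf "%-32s %s\n", @$_ for (
    [ 'submit after 1s',          check_submit('SandBox', $token,  $t0 + 1) ],
    [ 'submit after 90s',         check_submit('SandBox', $token,  $t0 + 90) ],
    [ 'backdated timestamp',      check_submit('SandBox', $forged, $t0 + 1) ],
    [ 'no token (direct POST)',   check_submit('SandBox', undef,   $t0 + 90) ],
    [ 'token reused on FrontPage', check_submit('FrontPage', $token, $t0 + 90) ],
);
```

A bot that waits out `MIN_SECONDS` still passes, and a token stays valid until `MAX_AGE`, so this filters only the fast submitters the message describes.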