Vandalbots on the wiki March 21, 2006 6:08 AM Subscribe
The MetaFilter Wiki is being destroyed by vandalbots.
As recently as yesterday I used it to look something up, but its brain has been mostly melted. Can it be rolled back to an earlier snapshot? And can you make it so that only registered MeFi users can edit it?
He brings up a good point, I think many of us prospective 'external Mefi-related-thingie' developers would like to know whether a user is a credentialed Mefi user, e.g. we say, http://metafilter.com/check-logged-in/firas/ and it returns whether Firas is cookied as an authorized mefite or not.
Though implementing something like OpenID or TypeKey in ColdFusion may be a fair amount of work.
(Stream-of-Consciousness-Filter)
posted by Firas at 7:43 AM on March 21, 2006
On the face of it I know of no reason why Matt can't grant the wiki server a hostname in the metafilter.com domain. This would allow the wiki code access to domain level cookies, and it could test that the user is currently logged into metafilter before allowing them to contribute. I've set things up like this a number of times.
The downside is that there are trust issues involved: it would allow the wiki server code to manipulate those metafilter.com cookies, creating another security vulnerability -- anyone with admin access to the wiki server would be trivially able to write code that spoofs Metafilter logins.
That doesn't rule out other verification schemes but it does rule out the easy ones.
posted by George_Spiggott at 7:55 AM on March 21, 2006
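Both halves of George_Spiggott's point (a wiki host under metafilter.com can read a domain-wide login cookie, and can just as easily overwrite it) can be checked offline with Python's standard-library cookie jar, which applies browser-style domain rules. This is an added example, not code from the thread or from either site: the hostnames, the cookie names USER_ID and SESSION, and the values are constructed.

```python
"""Browser cookie scoping for two hosts under one domain (added example)."""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only calls .info() and reads the Set-Cookie headers from it."""

    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # appends, does not replace

    def info(self):
        return self._msg


def receive(jar, url, set_cookie_values):
    """Store the cookies a response from `url` tried to set, subject to the
    browser-style acceptance rules in DefaultCookiePolicy."""
    jar.extract_cookies(_Response(set_cookie_values), urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Return the name=value pairs the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    return sorted(header.split("; ")) if header else []


def shared_domain_demo():
    """Constructed scenario: log in at www, then let the wiki host set the
    same cookie name for the parent domain."""
    jar = http.cookiejar.CookieJar()
    www = "http://www.metafilter.com/"
    wiki = "http://wiki.metafilter.com/wiki.cgi?action=edit"

    # 1. Login response: SESSION is host-only (no Domain attribute), USER_ID is
    #    scoped to the whole registrable domain so sibling hosts can see it.
    receive(jar, "http://www.metafilter.com/login",
            ["SESSION=s1", "USER_ID=1234; Domain=metafilter.com"])
    before = {"www": cookies_sent_to(jar, www), "wiki": cookies_sent_to(jar, wiki)}

    # 2. The wiki host (or anyone who can run code on it) sets USER_ID for the
    #    parent domain.  Same domain, path and name: it replaces the real one,
    #    and the browser now presents the forged value to www as well.
    receive(jar, "http://wiki.metafilter.com/wiki.cgi",
            ["USER_ID=spoofed; Domain=metafilter.com"])
    after = {"www": cookies_sent_to(jar, www), "wiki": cookies_sent_to(jar, wiki)}
    return before, after


if __name__ == "__main__":
    before, after = shared_domain_demo()
    print("before:", before)
    print("after: ", after)
```

The host-only SESSION cookie never reaches wiki.metafilter.com, which is the scoping the thread relies on; the Domain=metafilter.com cookie is visible to both hosts, and whichever host wrote it last wins. That is why a compromised or careless wiki host becomes a login-spoofing vector for the main site.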
I'd be ok with pointing wiki.metafilter.com at it, if adrian wants to write the code to make it writeable to only those with a user cookie.
posted by mathowie (staff) at 8:01 AM on March 21, 2006
In the interests of total paranoia, I'd just like to mention that spoofing plaintext cookies is not especially difficult, so unless you use something like a hash digest and a shared secret, it would be possible to 'frame' a user as having posted something on the wiki when they didn't. So while this would be a decent barrier to linkspam, the wiki shouldn't regard the user as having been positively identified on the basis of the mere existence of a user cookie for the domain.
posted by George_Spiggott at 8:45 AM on March 21, 2006
I didn't say anything about identification. There is no identification on wikis anyway. It would only check for existence of a cookie to thwart linkspam.
posted by mathowie (staff) at 9:57 AM on March 21, 2006
Right. Mainly just being thorough. I was thinking more in terms of a hypothetical situation in which you or he were trying to trace some misuse back to its source; information based on the cookie wouldn't be conclusive.
posted by George_Spiggott at 10:04 AM on March 21, 2006
You don't even really need access to the MetaFilter cookies if you're just looking to block automated vandalism. You could do like the TV Tropes wiki does and require HTTP auth and give the required password right in the authentication prompt. Any bot will be stymied by this, but it's only a speed bump for a human. The password could be changed occasionally if necessary.
posted by kindall at 10:54 AM on March 21, 2006
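kindall's speed bump, as an added example rather than TV Tropes' or the wiki's actual configuration: an HTTP Basic challenge whose realm string spells out the password, so a person reads it off the prompt while a bot that only knows how to POST forms gets a 401. The password, the realm text and the WSGI-style dictionary interface are assumptions.

```python
"""Basic-auth speed bump whose realm tells the human the password (added example)."""
import base64
import hmac
from typing import Optional, Tuple

# Assumption: one shared password, changed whenever bots catch up.
SHARED_PASSWORD = "bang-the-rocks-together"
REALM = f"MeFi wiki edit: any username, password is {SHARED_PASSWORD}"


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64(user:pass)>' into (user, pass); None if malformed."""
    if not authorization:
        return None
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def edit_gate(environ: dict) -> Tuple[str, list]:
    """WSGI-style decision for an edit request: (status, extra headers).
    The 401 carries the password in the realm; the username is ignored."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds and hmac.compare_digest(creds[1].encode(), SHARED_PASSWORD.encode()):
        return "200 OK", []
    return "401 Unauthorized", [("WWW-Authenticate", f'Basic realm="{REALM}"')]


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the user fills in the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(edit_gate({}))
    print(edit_gate({"HTTP_AUTHORIZATION": basic_header("anyone", SHARED_PASSWORD)}))
```

This authenticates nobody; it only separates "can read a prompt" from "can replay a form POST", and it stops working the moment a bot author hard-codes the current password, which is why the password has to be cheap to rotate.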
What about an ilayer script?
wiki loads an Ilayer that points somewhere on metafilter.com, which can (I would think) read our cookies. If we're credentialed, then a script would run.
Users would have to change their privacy settings a bit to get this to work, since a lot of browsers disable this to prevent user tracking on multiple sites.
posted by Paris Hilton at 10:56 AM on March 21, 2006
I didn't say anything about identification.
Well, at that point, checking for just the existence of a Mefi cookie isn't that different from checking for anything else.
But I agree that having 'wiki.metafilter.com' would be nice, and unless the arms race escalates from the bot side I guess you don't need to verify that the person is who he says he is.
posted by Firas at 11:23 AM on March 21, 2006
I think we have identified the culprit. This fellow seems to be posting the same spam across all metafilter sites.
posted by dios at 11:34 AM on March 21, 2006
I would be happy trying to improve this situation. Right now I don't really spend any time on doing admin for the wiki (my main involvement was setting it up and writing the first few dozen pages), so I wouldn't actually know how to sort out cookie-based authentication or a password or whatever.
I'll get in touch with RichardP about it (or if he's watching, he should email me) to see what we can do. Alternatively, if anyone would like to help, please let me know.
posted by adrianhon at 11:37 AM on March 21, 2006
How about upgrading to Mediawiki, the wikipedia engine, then turning on the feature that requires anyone editing to be a registered user?
posted by mathowie (staff) at 12:28 PM on March 21, 2006
Rest in peace, mrmojoflying's thread. You were like a candle in the wind.
posted by UKnowForKids at 12:28 PM on March 21, 2006
I just hope bugbread saw the schoolin' I gave him on "bang the rocks together" before it went down.
posted by Gator at 12:32 PM on March 21, 2006
I think we have identified the culprit. This fellow seems to be posting the same spam across all metafilter sites.
Why do you think this guy is the culprit? Is that who the domain name is registered to?
posted by delmoi at 12:53 PM on March 21, 2006
btw, did anyone see a comment spam for 'newsvine.com' or whatever the other day? Did it get deleted?
posted by delmoi at 12:54 PM on March 21, 2006
IIHAA posts:
Am I the only one to see the irony in this?
(probably)
posted by mischief at 12:56 PM on March 21, 2006
RichardP is a god among men.
posted by Emperor Yamamoto's Eggs at 1:10 PM on March 21, 2006
Sorry about the state of the wiki, I've been out of town so I didn't notice that my anti-spam robot went offline a couple of days ago. I'll bring it back online ASAP.
I'd be happy to modify the wiki code to add anti-spam capabilities, require login, use MetaFilter login cookies, or anything else that Adrian or the community wants. I'll contact Adrian to see if I can get permission to access the server.
posted by RichardP at 6:13 PM on March 21, 2006
How about upgrading to Mediawiki, the wikipedia engine, then turning on the feature that requires anyone editing to be a registered user?
This would also be a good solution, I think.
posted by stavrosthewonderchicken at 6:38 PM on March 21, 2006
Changing wiki.cgi to deny edits where a particular domain cookie isn't present would only involve a few lines of code, and it would mean that all metafilter users are automatically registered and logged into it.
Spambot authors don't waste their time trying to get around custom anti-spam solutions like this because to them, time is money: if they're going to adapt their bots to get around an obstacle they're going to focus on the wikis with the largest installed base. So switching to a popular wiki platform might be a less effective (and certainly more labor-intensive) choice than making a simple adaptation to the one you have.
posted by George_Spiggott at 7:12 PM on March 21, 2006
Moving to Mediawiki isn't too terribly technically challenging, although because UseMod doesn't require a database such a move might involve installing mysql on Adrian's server (assuming it isn't already there). The more challenging part of such a move is migrating the data from UseMod to Mediawiki. While moving the content isn't too difficult, the problem is that UseMod has a somewhat different wiki markup syntax than the one used by Mediawiki and as far as I know there don't exist any tools for translating from UseMod-style syntax to Mediawiki-style. Someone would have to hand edit all of the pages after they were moved over.
I think it would be easier to make a couple of quick changes to the UseMod perl script than to move to Mediawiki.
posted by RichardP at 8:04 PM on March 21, 2006
How about just requiring a CAPTCHA for any wiki edits, and forgetting the complication of trying to link metafilter accounts to the wiki? Isn't the point of wiki that anyone can edit and it should be easy to do? Isn't having a CAPTCHA the quickest and easiest way to do this without a whole buttload of work trying to integrate two disparate web applications?
posted by Rhomboid at 11:46 PM on March 21, 2006
Writing a CAPTCHA involves incorporating calls to a graphics and font rendering library, then modifying the form to embed information about what string the image contained, disguised in such way that your POST-handler can properly test the result but a scriptbot can't figure it out. Then you have to add persistent sessions if not already present so people don't have to do this on every post. There are canned scripts to do most of this stuff, but backstitching it into your existing code is nearly as much work.
By comparison, testing for the existence of a cookie involves one conditional expression.
posted by George_Spiggott at 12:08 AM on March 22, 2006
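The middle step of George_Spiggott's CAPTCHA recipe (embedding in the form information about the string in the image, disguised so the POST handler can check it but a bot cannot read it) is the part worth seeing in code; image rendering is omitted here. This is an added example, not code from the thread: the secret, the token layout and the field names are assumptions. The answer is bound into an HMAC together with a nonce and an expiry, the handler recomputes the MAC from whatever the user typed, and the nonce is remembered so one solved token cannot be replayed.

```python
"""Stateless CAPTCHA challenge binding (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

SECRET = b"captcha-secret-assumed"            # assumption: server-side only
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes
TTL_SECONDS = 600


def _mac(answer: str, nonce: str, expires: int) -> str:
    msg = f"{answer.upper()}|{nonce}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def new_challenge(now: Optional[int] = None) -> Tuple[str, str]:
    """Return (answer, token).  The answer is drawn into the image and never
    sent in clear; the token goes into a hidden form field."""
    now = int(time.time()) if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce = secrets.token_hex(8)
    expires = now + TTL_SECONDS
    return answer, f"{nonce}.{expires}.{_mac(answer, nonce, expires)}"


class CaptchaVerifier:
    """POST-side check.  Remembers nonces so a solved token works once."""

    def __init__(self):
        self._used = {}  # nonce -> expiry, purged as tokens expire

    def check(self, token: str, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            nonce, expires_s, mac = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return False
        if expires < now:
            return False
        # Recompute with the *submitted* answer: only the right answer
        # reproduces the MAC, and the token itself reveals nothing about it.
        if not hmac.compare_digest(_mac(submitted, nonce, expires).encode(), mac.encode()):
            return False
        self._used = {n: e for n, e in self._used.items() if e >= now}
        if nonce in self._used:
            return False
        self._used[nonce] = expires
        return True


def demo(now: int = 1_142_900_000) -> dict:
    """Constructed round trips: correct, replayed, wrong, expired, tampered."""
    verifier = CaptchaVerifier()
    answer, token = new_challenge(now)
    nonce, expires, mac = token.split(".")
    extended = f"{nonce}.{int(expires) + 86400}.{mac}"  # bot stretches the deadline
    return {
        "right": verifier.check(token, answer.lower(), now),   # case-insensitive
        "replay": verifier.check(token, answer, now),          # same token again
        "wrong": verifier.check(new_challenge(now)[1], "000000", now),  # '0' not in ALPHABET
        "expired": CaptchaVerifier().check(token, answer, now + TTL_SECONDS + 1),
        "extended": CaptchaVerifier().check(extended, answer, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:9} {ok}")
```

The replay table is the one piece of state this scheme needs; without it a bot pays one human solve and reuses the token until it expires. The session cookie George mentions, so that people are not challenged on every edit, would be issued only after check() returns True.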
By comparison, testing for the existence of a cookie involves one conditional expression.
Just checking for the mere presence of a cookie would be an absolutely horrible thing to do. Cookies are user-supplied data after all. If that is all that you're doing I could simply edit my cookie file and claim to be any metafilter user that I wanted to be, even if I didn't have a metafilter account.
This amounts to zero security. In fact it's worse than zero security, since it is security that purports to tell you that someone is who they claim to be but in fact they could be anyone.
What you would actually have to do is read the cookie's contents, decode the stored username and password, and validate THAT against the stored records in the metafilter user database, and continue with the operation only if they match. And doing THAT would involve much more work than a single conditional expression.
posted by Rhomboid at 4:08 AM on March 22, 2006
Rhomboid, read Matt's comment again. This isn't about security.
posted by gleuschk at 4:35 AM on March 22, 2006
Rhomboid, I pointed out earlier that the cookies are easily spoofed and should not be regarded as a way of identifying a user.
posted by George_Spiggott at 8:03 AM on March 22, 2006
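George_Spiggott's hash-digest-plus-shared-secret cookie, mathowie's presence-only gate and Rhomboid's hand-edited cookie, side by side in one added example. This is not MetaFilter's or the wiki's code (the real wiki.cgi is a Perl script; Python is used here as a stand-in): the cookie name USER_ID, the layout user:expires:mac, the secret and the timestamps are assumptions.

```python
"""Signed login cookie versus a presence-only check (added example)."""
import hashlib
import hmac
import time
from typing import Optional

# Shared by the host that issues the cookie and the wiki that checks it.
# Assumption for the example; in practice load it from config, never from a request.
SECRET = b"example-shared-secret-rotate-me"
COOKIE_NAME = "USER_ID"


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, ttl_seconds: int = 86400, now: Optional[int] = None) -> str:
    """Build 'USER_ID=<user>:<expires>:<mac>' the way the login host would."""
    now = int(time.time()) if now is None else now
    payload = f"{username}:{now + ttl_seconds}"
    return f"{COOKIE_NAME}={payload}:{_mac(payload)}"


def verify_cookie(cookie_header: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if USER_ID is well formed, unexpired and carries a
    valid MAC; otherwise None.  The username field is never trusted on its own."""
    now = int(time.time()) if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME:
            continue
        fields = value.split(":")
        if len(fields) != 3:
            return None
        username, expires, mac = fields
        # compare_digest: constant time, so the MAC cannot be guessed byte by byte
        if not hmac.compare_digest(_mac(f"{username}:{expires}").encode(), mac.encode()):
            return None
        if not expires.isdigit() or int(expires) < now:
            return None
        return username
    return None


def edit_allowed(cookie_header: str, mode: str, now: Optional[int] = None) -> bool:
    """The gate a wiki.cgi edit handler would run before accepting a POST.
    mode="presence": any USER_ID cookie passes (the linkspam speed bump).
    mode="verified": the cookie must carry a valid, unexpired MAC."""
    if mode == "presence":
        return any(p.strip().startswith(COOKIE_NAME + "=") for p in cookie_header.split(";"))
    if mode == "verified":
        return verify_cookie(cookie_header, now) is not None
    raise ValueError(f"unknown mode {mode!r}")


def demo() -> dict:
    """Constructed cookies: a real one, a hand-edited one, and a plaintext one."""
    now = 1_142_900_000  # constructed timestamp
    real = issue_cookie("firas", now=now)
    forged = f"{COOKIE_NAME}=firas:{now + 86400}:" + "0" * 64  # edited cookie file, bogus MAC
    plain = f"{COOKIE_NAME}=firas"                             # a plaintext cookie
    return {
        "real/presence": edit_allowed(real, "presence", now),
        "real/verified": edit_allowed(real, "verified", now),
        "forged/presence": edit_allowed(forged, "presence", now),  # Rhomboid's objection
        "forged/verified": edit_allowed(forged, "verified", now),
        "plain/verified": edit_allowed(plain, "verified", now),
        "expired/verified": edit_allowed(real, "verified", now + 86401),
        "user": verify_cookie("SESSION=abc; " + real, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The presence gate is exactly as cheap as George says and does stop a bot that never fetched a cookie; the verified gate is what it takes before a cookie can be used to say who edited, and it still only proves the cookie was issued by someone holding the secret, which is the trust problem with letting the wiki host share that secret.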
Rhomboid writes "Isn't having a CAPTCHA the quickest and easiest way to do this without a whole buttload of work trying to integrate two disparate web applications?"
CAPTCHAs are a pain in the ass from the user's perspective, please consider this a last resort.
posted by Mitheral at 8:27 AM on March 22, 2006
Meanwhile, it's still being destroyed, and there's a prominent link to it on the MetaTalk header. Unless the thing can be more actively defended, I'd suggest withdrawing any formal link to it.
Lest anyone accuse me of merely bitching about it and not taking HeyItsAWikiAction, I just went and reverted 20-odd pages of spam.
gleuschk: It's about security. Preventing anonymous vandalism is a security matter. This isn't, however, about authentication. Perhaps that's what you meant.
posted by majick at 9:08 PM on March 22, 2006
Yes, majick, that's a better way to say what I meant.
posted by gleuschk at 7:09 AM on March 23, 2006
Mediawiki is kind of a 6,000 pound gorilla, too.
posted by cellphone at 10:43 PM EST on March 21
Not at all, it's pretty lissome (at least judging by ease of installation—it's ridiculously simple to get running, and all the power that comes despite those low-end requirements for system software and admin skill makes me marvel at the app).
Anyway, I hate talking about vapourware, but: I'll investigate the markup syntax conversion issue next week and see if I can come up with something to do it. I have another plan cooking regarding the Mefi auth'd user issue, if it all comes together and RichardP & adrianhon agree, and I can rig up a MediaWiki theme that looks a bit like Mefi, we'll have a nice coup de grace.
posted by Firas at 12:36 PM on March 24, 2006
Sorry about the state of the wiki, I've been out town so I didn't notice that my anti-spam robot went offline a couple of days ago. I'll bring it back online ASAP.
Richard, in case you're still checking in, is the bot still down? We've had to do a lot of manual reverts the last few days.
posted by Gator at 12:21 PM on March 25, 2006
Mediawiki is an excellent idea! It might be a heavyweight, but the mefi wiki doesn't exactly get hammered like wikipedia does it? Also, (presumably) everyone knows how to use mediawiki after futzing around on wikipedia for way too long... right?
posted by hoverboards don't work on water at 4:30 AM on March 26, 2006
If you're going to use MediaWiki (which I'd discourage for two reasons*) for god's sake let's do some original CSS and graphics. Every blasted MediaWiki site looks exactly the same except for the logo.
*
1. Excess to requirements. What problem are you solving, and how does MediaWiki solve it? Is its solution the most appropriate (e.g. user-friendly) one? Is converting to MediaWiki the most cost-beneficial way in terms of both conversion and maintenance overhead, to achieve that aim?
2. Monoculture, and the vulnerabilities thereof. MediaWiki, being commonplace, is a suitable target for script-kiddies, since any hack they can come up with will kill many birds with one stone.
posted by George_Spiggott at 9:20 AM on March 26, 2006
Ok, so the 'OpenID server' part is making my eyes bleed, but meanwhile I've done the Cross-Site Authentication bit. Works the same way your browser does but throws away the cookies Mefi sends back (for now). I was going to add some gratuitous ajax but ran out of time for tonight.
posted by Firas at 6:34 PM on March 28, 2006
I was able to revert the spam insert on the 28th by akpersonal.icmb.ed.ac.uk
posted by Mitheral at 8:24 PM on March 28, 2006
So, the wiki as it currently exists is being pretty much abandoned, I'm guessing?
posted by Gator at 9:16 AM on April 2, 2006
I haven't emailed adrianhon about it (don't want to step on anyone's toes) but I'll host the MediaWiki install if needed.
posted by Firas at 2:58 PM on April 2, 2006
posted by jessamyn (staff) at 6:12 AM on March 21, 2006