So, a couple of weeks ago we came across a new user who seemed to be acting newish, but after a couple of days seemed to be acting much more like an experienced editor, albeit (IMHO) a slightly childish one. I first became suspicious when he requested rollback and claimed to have had rollback before on a different account, an account whose password he had lost, whose username he had forgotten, and whose associated email account he had also lost access to.
As “sockpuppetry” (using multiple accounts) isn’t allowed on Wikipedia except in a very select set of circumstances, suspicions quickly arose as to who this person could be. It wasn’t until another editor questioned who it might be and made a suggestion that I started properly looking into it.
Helpmebot’s IRC logs showed that he’d joined IRC a few times without getting a hostname/IP-hiding cloak, so I had a hostname. I resolved it to an IP address and ran a geolocation lookup on it: Liverpool. The suggested user, whom I happen to know from previous experience, is in Arizona.
Eventually, he managed to “remember” the account: a previous anti-vandalism account with rollback, unused for just over a year. Already being suspicious, I jumped to the conclusion that he was claiming an old account to gather trust.
Password resets seemed to fail on that account, because they were going to an email account that appeared to have been compromised; even the security questions had been changed. Sending password-reset information like this to a compromised email account by definition compromises the enwiki account too, something another admin appeared to have a hard time understanding.
Anyway, it turned out he had been typing in the wrong email address, and the security questions belonged to a different account. Once he got back into the email account he regained access to his old account, and we moved everything over to his new account, which he’s now using.
On another security note, it appears one of my uni friends isn’t the best at this whole security thing either: he left his laptop unlocked next to me for a while, after logging out of Facebook etc. (so I couldn’t frape him). He didn’t lock the entire laptop as a secondary precaution, since I was “unable” to get into his account to frape him.
(Frape: short for Facebook rape. This is where someone changes someone else’s status without them knowing.)
When he came back and deleted the frape I’d managed to slip in, he spent 5-10 minutes trying to figure out how I did it. When he eventually found that a version of Firefox was saving his password, he thought he’d solved it, until I kindly let him know that I hadn’t actually used that hole, and that there was another one still sitting around.
Because he deleted the frape, he also deleted crucial evidence that would have helped him close the hole a lot quicker: I’d fraped him from TweetDeck, and the deleted frape showed that, but he didn’t realise because he’d deleted it before looking at where it came from.
Lesson: don’t delete evidence quickly, because you never know how useful it might be in closing a security hole. Another lesson: don’t assume a system is secure. Logging out of everything you can think of is one thing, but you’ll probably forget something. Maybe another lesson? A second layer of security probably doesn’t hurt.