User talk:Widux

Hi Widux, I was drafting an explanation to you and went to save it when I ran into an edit conflict and to my frustration found the further conversation. I've saved it anyway, but have come here to ask you to reconsider your decision to leave us. This is only the second "major incident" that I've seen in the four years I've been editing here and it was very unfortunate that you were caught in the edge of it. Particularly so in that your validating was not a problem. I understand you're feeling angry and frustrated at the moment and that this may last for a while. However, I would be very happy to see you back at any point and I'll keep this page on my watchlist just in case. Best wishes, Beeswaxcandle (talk) 02:47, 26 February 2013 (UTC)[reply]

Open response to Beeswaxcandle, ResidentScholar and Billinghurst:

Now that my fury and irritation have cooled to merely sub-millimetre wavelength emitting levels, I shall grant you congratulations due for at least trying to offer an olive branch. You deserve at least that.

However, there appear to have been two important (to me at least) matters which have so far evaded the collective attention of the cabal:

1. 1. Whilst laudably attempting to protect the finer feelings of my co-accused, despite my "innocent" involvement no apparent effort has been expended to inform me why my user-id ever was involved in the investigation; what I should or should not have done otherwise. This leaves me guilty by association without even the effort of an accusation being made. Not nearly good enough.

As a sub-issue; why was the investigation not competently completed beforehand? If there was nothing wrong with my behaviour, why was it even discussed in public forum before a decision reached? If there were no fault, why should I have even been able to find out about what turned into this travesty?

As a poorer alternative, all parties should have been informed immediately before the investigation began. You three have cleverly failed to follow either alternative. Somebody panicked, didn't they? Also not acceptable.

2. Irrespective of how senior ResidentScholar is or believes they are, how is their not-even-veiled threat "I can't guarantee your user ID won't show up again in another security missive." tolerable to anyone? This was simply pouring fuel on a conflagration; yet there was no apparent censorship of the remark. I simply do not have to take this treatment. Totally unacceptable. See Hanlon's razor. Either ResidentScholar is a fool who is covering up for being found out, or a malicious fool absolute. Don't expect false respect from the maligned.

There is clearly "something rotten in Denmark" and I certainly do not wish to remain a part of a community which finds such behaviour unremarkable. [Widux adeiu.] 09:20, 26 February 2013 (UTC)

To say that I was not a party to any dispute or aware of information relating to a block upon you. I would agree with you that we have a serious matter occurring within enWS. This is unusual for our community, and one that I believe is genuinely distressful to the community.

To note that today that I have undertaken a checkuser of your account which has provided general geolocation data by means of identifying your IP address. It is a requirement of our community that when this is done to an established community member, that they are informed. None of this information will be made public, nor have I recorded it anywhere. I understand that you are in communication with another community member, so let me reassure you and this person that this is purely procedural to allow me present a case on this matter. We don't have official investigations (we have no officials), however, a CU check is probably the closest that we can get, beyond review of edits. So please note that what review that we are having is now occurring and predominantly will be occurring in Wikisource:Administrator's noticeboard. — billinghurst sDrewth 00:07, 4 March 2013 (UTC)[reply]

Widux, First let me express my regret for discussing your behavior with someone else on a user's page in the context of others' bad behavior. We are now convinced that a coincidence occured and that you were innocent from the beginning. You have educated me that it is discourteous to allow links to be formed in the potential perceptions of others by associating the two behaviors, even when we have grounds for suspicion, which, of course, we no longer have.

Widux, I regret to report I went beyond that. When you became angry with me, you misread what I wrote, but I misread what you wrote as well. You wrote "Am I in the wrong place and/or should withdraw from the project as a complete insulting waste of everybody's time?" I read it as "a completely insulting waste of everybody's time?" Together with the coincidence of you speed-validating right after two other parties were, I suspected, wrongly, that you were one of the earlier editors, again, suspecting and perceiving wrongly, now taunting and harassing us under the impunity of a different user ID. These thinkings merged with the thought that your singling out specific admins was a sign (now believed to be a mistaken one) of a long-time user with a grudge, rather than a new user simply observing with a skeptical eye.

Yet, let me defend my answer to you. We had been placed on high security alert, and you had mentioned you had hoped "to be a low-profile contributor with as little publicity as possible". Instead of answering your question as to whether you should withdraw, I wanted to communicate to you the root of the matter (out of respect for the grasp of the situation you had shown) so you could judge for yourself whether you wanted to remain, that, yes, you were, at that moment in time, under suspicion (though now your name has been cleared), and that I was not sure (though now we are) that you were not operating more than one account involved.

Unhappily, that statement, "I can't guarantee your user ID won't show up again in another security missive" turned out to be sadly prophetic, and the basis of my deepest regret in the matter.

Once you said "consider my account composted", I thought you had left us permanently, and I did not make an effort to respond to your misapprehension about what I was trying to communicate to you. But when you returned to castigate us, my incorrect suspicions that I stated above hardened under the belief, wrongly strengthened through its association with the incorrect suspicions, that you had announced your departure insincerely for the purpose of attacking us, again, a belief wrongly strengthened through association with the incorrect suspicions, without giving us the benefit of an effective dignified defense, and that you had repeated the act.

I regret it now, but, five days later, on March 1, I acted on those suspicions out of the mistaken fear that your account would be used as an unsecured outlet for disorder to avenge other users (wrongly thought on my part to be united) and blocked your account from editing on what are now seen to be mistaken grounds, wrongly reporting that you had co-ordinated with other users to disrupt (good order) and interfere with our investigation. I want to endeavor to explain the second mistaken report. When I mentioned the wrongly strengthened belief that you had acted to attack us without giving us the benefit of an effective dignified defense, I don't mean that such a defense would have been impossible, but that it would have drawn resources away from various other tasks required to secure the wiki at that time, and effectively embarrassed us for a while from taking vigorous action that could have resolved concerns related to these tasks, for fear of a perception of aggressiveness, when time was of the essence. What I am saying is, I meant "interfere" in a fairly passive way.

Once we became convinced there was no collusion, on March 4, but coincidence, I immediately lifted the block on the basis of mistaken identity. Please realize that we admins are part-time volunteers, without the time to perform extended analyses of behavior through examinations of all the edits of a user. Again, please accept my sincere regrets and defense.

ResScholar (talk) 13:11, 4 March 2013 (UTC)[reply]
Administrator, Wikisource.

And this should be the apologies of the whole community, not just the one administrator. The community failed you, not one person, by our actions or inactions. So from me you get my unreserved apologies. I wish you well, wherever your volunteer activities take you, and hope that you find tasks and a community that suits you. Thanks for the edits while you were here. — billinghurst sDrewth 13:58, 4 March 2013 (UTC)[reply]

Ditto. We as a group of volunteers failed, what we allowed to happen was wrong. We are attempting to learn from the event and preventing it from occurring again. Strange how you came onto Wikisource, made a few hundred edits, and actually had a bigger positive impact on the project as a whole then you may ever know. Jeepday (talk) 14:05, 5 March 2013 (UTC)[reply]

For the record, I received this email today and include it below in full in case anybody cares. Does anybody doubt why I continue to feel let down by this community? This approach does nothing to restore my confidence. Widux (talk) 07:49, 3 October 2013 (UTC)[reply]

From wiki@wikimedia.org  Thu Oct  3 17:24:02 2013
X-Greylist: Passed host: 208.80.152.133
To: Widux
Subject: Notification about Wikimedia user account security issue
From: Wikimedia Foundation <accountsecurity@wikimedia.org>
Date: Thu, 03 Oct 2013 07:22:57 +0000
Message-ID: <enwiki.524d1b512f1f07.53092412@en.wikipedia.org>
X-Mailer: MediaWiki mailer
MIME-Version: 1.0
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8bit

Dear Wikimedia user,

On October 1, 2013, we learned about an implementation error that made
private user information (specifically, user email addresses, password
hashes, session tokens, and last login timestamp) for approximately
37,000 Wikimedia project users accessible to volunteers with access to
the Wikimedia "LabsDB" infrastructure.

Your user account is one of the ones which was affected.

LabsDB, launched in May 2013, is designed to give volunteers the
ability to write tools and generate reports that make use of data from
our databases in real-time. This supports bottom-up innovation by the
Wikimedia community. As part of this process, private data is
automatically redacted before volunteers are given access to the data.
Unfortunately, for some of Wikimedia's wikis [1], the database
triggers used to redact private data failed to take effect due to a
schema incompatibility, and LabsDB users had access to private user
data present for some users in these specific wiki databases.

As of October 1, 2013, 228 users have access to LabsDB, and the window
of availability of this data was May 29, 2013 to October 1, 2013.

This issue was discovered and reported by a trusted volunteer, and
access to the data in question was revoked within 15 minutes of the
report. We have no evidence to suggest that the private data in
question was exported in bulk or used for malicious purposes, but we
cannot definitively exclude the possibility. As a precautionary
measure, we have invalidated all affected user sessions, and are
requiring affected users like yourself to change their password on
their next login.

We regret this mistake. LabsDB is still a new part of our
infrastructure, and we will fully audit the redaction process, so as
to minimize any risk of a future mistake of this nature.

This notice is also posted to:
https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue

Sincerely,
Erik Moeller
Vice President of Engineering & Product Development, Wikimedia Foundation

Contact information: Should you have any questions, please contact us
via email to:

accountsecurity@wikimedia.org

You can also reach the Wikimedia Foundation at:

Wikimedia Foundation, Inc.
149 New Montgomery Street
Floor 6
San Francisco, CA 94105
United States
Phone: +1-415-839-6885
Fax: +1-415-882-0495

[1] List of affected databases: aswikisource bewikisource dewikivoyage
elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource
hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki
nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage
sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki
ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki

To say that I'm startled and concerned by this is an understatement. It is only by sheer chance that my own details are not in the affected list given that I have visited enwikivoyage and wikidatawiki as you have. The only thing I can offer in mitigation for our small corner of the wider Wikimedia community is that the enwikisource database was not involved. Not much of an encouragement, I know. Beeswaxcandle (talk) 08:48, 3 October 2013 (UTC)[reply]

Concerned? Unless I've got this wrong you had better be—isn't that entry loginwiki an indication of the common processing of all wiki*** logins? (Please let me know if I am wrong!) Widux (talk) 10:16, 3 October 2013 (UTC)[reply]

Hadn't noticed that one, and had never heard of it. On investigation it's a locked test "wiki" that the developers are using to test the new SUL logins. I think the new SUL logins have been fully rolled out across all the wikis, so loginwiki is negligible in impact now. Beeswaxcandle (talk) 06:26, 4 October 2013 (UTC)[reply]

Thank you for investigating. You are a gentleman!

Please forgive my (somewhat?) hysterical paranoia. Widux (talk) 06:42, 4 October 2013 (UTC)[reply]