Hi BikeRider95. Welcome to Wikipedia! What security questions do you have? --MZMcBride (talk) 04:28, 27 September 2013 (UTC)
- Basically just the questions in my initial post, which I copy & pasted below. I understand that people may not be able to answer them fully for security reasons, but I was curious so I figured might as well ask. BikeRider95 (talk) 05:23, 27 September 2013 (UTC)
- What type of security/anti-hacking programs does Wikipedia use to safeguard against various types of attacks?
- This is a pretty vague question, so it's difficult to answer. :-) I'll try to speak generally to server operations and I'll try to include some links so that you can read more.
- There are different layers of security for any site. Wikimedia is a bit unusual in that it's insanely huge and popular, but it's also run by a relatively small non-profit organization (cf. wmf:staff and wmf:board). A key component to security is limiting who has access to the servers, physically and technically. The day-to-day operations of the site are managed by m:system administrators. Anyone with access to the servers has to contractually agree to certain conditions, as I understand it, offering legal security and other intangible forms of security.
- As I understand the server infrastructure, most servers are firewalled off from the outside world. There's a private network and one main entry point, which reduces the attack area size dramatically. The entry point relies on SSH using public-key cryptography.
- Further information can be found at https://wikitech.wikimedia.org. Most operations configuration is in Git repositories that can be browsed here: https://git.wikimedia.org/repositories/ (search for "operations/").
- If you have more specific questions, you can ask on the technical village pump or here. --MZMcBride (talk) 03:31, 1 October 2013 (UTC)
- Also being a free website that doesn't use any ads, how is Wikipedia able to do this?
- The Wikimedia Foundation hosts and manages the technical operations of the sites. They're supported as a non-profit organization by donations (click the link to learn much more). --MZMcBride (talk) 03:31, 1 October 2013 (UTC)
- As far as I know Wikipedia has never been hacked or shut down or anything like that.
- Wikipedia temporarily shut itself down in January 2012 during the protests against SOPA and PIPA. Wikipedia and other Wikimedia wikis (cf. https://www.wikimedia.org) have never been "hacked" that I'm aware of, though a good enough hacker would be able to get in without detection, I suppose. :-) --MZMcBride (talk) 03:31, 1 October 2013 (UTC)
- One more question I was always curious about is if someone was an experienced hacker would they have the ability to hack into Wikipedia and obtain the IP address (or other information) of a registered user?
- Sure, IP address information is retained. Web server access logs are stored usually for a few months, though there have been rumors of storing full logs for longer. Any edit to a Wikimedia wiki has its IP address and other browser-provided information (such as the browser's User-Agent) recorded for ninety days, after which the data is purged. Some non-private information such as e-mail addresses is stored on Wikimedia servers. Passwords are hashed and salted in the database, so they can't be easily retrieved by anyone (including system administrators). The general principle in most cases is to store as little personal (or non-public) information as possible (cf. m:privacy policy). --MZMcBride (talk) 03:31, 1 October 2013 (UTC)
Hope you can answer some questions when you get a chance, thanks for offering. BikeRider95 (talk) 02:48, 28 September 2013 (UTC)
- My answers were somewhat broad, but so were the questions. Let me know if you have more specific questions and I can try to provide more specific answers. --MZMcBride (talk) 03:31, 1 October 2013 (UTC)
- Thanks MZMcBride, you pretty much answered everything. My last question about whether an experienced hacker could possibly have the skill/ability to hack into Wikipedia and obtain the IP address of a registered (non IP) user you didn't really answer. The reason I asked about that is I always wondered if some powerful person or organization didn't like what a user posted about them on Wikipedia could they hack Wikipedia and find out who it was? BikeRider95 (talk) 04:34, 1 October 2013 (UTC)
- Okay, I'll try to address this more specifically. The concern being expressed here reminds me of the concern people have over dying in a plane crash, when it's far more likely you'll die in a car crash. That is, yes, if you've recently edited (or even accessed) Wikipedia or one of its sister projects, your IP address information is recorded and is theoretically accessible to a hacker or some other evildoer. However, anyone wishing to know your IP address has a number of easier methods for retrieving it. If you connect to Internet Relay Chat, send e-mail through your own mail client (as opposed to Gmail), or access any Web site, your IP address is generally exposed to a number of servers, many of which will record it. If I wanted your IP address, I could leave a link here to a Web server that I operate and simply wait for you to click it. That's significantly easier than trying to hack Wikipedia. At a larger scale, depending on how powerful I am, I could request your information from your Internet service provider or use another legal tool to obtain the information. At a hyper-local level, any local site administrator is able to modify the CSS and JavaScript that your Web browser executes, which could easily be modified to remotely load an image or other resource, giving me your IP address. And, of course, government agencies such as the National Security Agency have been spying on and collecting information about everyone for years. Your IP address is in a lot of databases. :-)
- Looking at your query a bit more broadly, it also depends on what you mean by "didn't like what a user posted." If a user posts libelous information or other information that threatens another user (or organization or property), getting an IP address—legally—becomes much easier.
- In terms of defense, you can use a proxy server or establish a virtual private network to obfuscate your IP address. This basically routes your Internet traffic through another computer, making it more difficult to locate you or locate information about you. There's also Tor, etc.
- Hope that helps. --MZMcBride (talk) 14:21, 1 October 2013 (UTC)