[sf-lug] SF-LUG (& BALUG) SSL/TLS certs renewed, etc. (thanks to https://letsencrypt.org/)

Rick Moen rick at linuxmafia.com
Sun May 1 16:49:51 PDT 2016


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

[The dokuwiki playground:]

> Anyway, changed the permissions - no more editing by unauthenticated
> users.  That should prevent them from (ab)using it, and once it goes
> that approximately 25 minutes without being used at all, it'll revert and
> drop all their spamvertizing.

I know it's just the playground, and intending no criticism, but the
writing's been on the wall for a couple of decades that _any_ unauth 
Internet service on _any_ port will get comment spammed on an ongoing
basis.  This gives you an idea of how much (mostly) stolen firepower 
the spamvertisers can afford to waste.

I saw this a long time ago when Santa Cruz Linux User Group (which no
longer exists) set up a wiki, left it completely defenseless with no
authentication required in the name of maximal user friendliness.
Several people put some significant work into building its content after
it went up -- and then the admin ignored what was going on with the
wiki, for about a week.

Within that week, a comment bot found it and started mindlessly
submitting page revisions.  The admin noticed, went to revert to the
last non-spam page versions, and then got a second shock:  So many
spam-comment page rewrites had been made to each page that the last
non-spam page revision was no longer in the wiki history.  So, the
entire wiki had to be abandoned and taken down, as they'd lost
everyone's work.

The admin had decided to forego backups because, hey, the whole version
history is there, so what could go wrong?

(You'll never guess who tried to warn him that unauthenticated editing
was a bad idea.)





