Semi-protection

MusikBot II protected this RfB as a high-risk template, but there's no consensus to exclude non-autoconfirmed editors from participating in these sorts of discussions. Could an admin please unprotect? Thanks. (This is the same thing that happened at Wikipedia talk:Requests for adminship/Eostrix#Automatic semi-protection by MusikBot II, where we decided to exclude RfAs from the bot's list. It might be worth doing the same for RfBs.) Best regards, Extraordinary Writ (talk) 18:08, 8 June 2022 (UTC)

This is already done; I was about to do it though. — xaosflux Talk 18:55, 8 June 2022 (UTC)
Thanks Xaosflux – would you (or someone else) mind excluding RfBs from User:MusikBot II/TemplateProtector/config like Zzuuzz did here? Cheers, Extraordinary Writ (talk) 00:41, 9 June 2022 (UTC)
Here I am again, having just done that. -- zzuuzz (talk) 06:33, 9 June 2022 (UTC)

Regarding Q4

I should note that I'd never have come up with the idea of asking this if it hadn't been specifically mentioned in A3. I had overlooked it in the nomination statement, and I couldn't have recalled who was involved in closing that section. I wouldn't have thought of it if someone had asked me for examples of bad closures either. But now that it's the very first link in the response to Q3, I really have to ask how this could possibly be a positive example. The question is rhetorical and affronting because I was pretty upset about the closure, but I genuinely expect Lee Vilenski to be able to provide an answer that makes me support. I just need to see that proven for my peace of mind. ~ ToBeFree (talk) 18:31, 8 June 2022 (UTC)

I had similar feelings and concerns, which I talked about with Lee. I am glad someone is asking the question - quite honestly, if I had thought to do so I might have done it with the nomination. I felt reassured enough by what Lee said to do the nomination and hope that when you get your answer you will also find it reassuring. Best, Barkeep49 (talk) 19:08, 8 June 2022 (UTC)

Hypotheticals

Moved from #General comments

Security problem

If 'crats can grant interface admin access to themselves, should they be required to use 2FA? They are not required to use 2FA, but they can grant WP:INTADMIN access, which requires 2FA to be enabled. Thingofme (talk) 10:12, 10 June 2022 (UTC)

Per Wikipedia:Interface administrators#Process for requesting, 'crats <s>cannot</s> are not permitted by policy to grant themselves IA, so your question is moot. Any admin ('crat or not) is required to enable 2FA if/when they are granted that permission. Primefac (talk) 10:18, 10 June 2022 (UTC)
@Primefac: that is a policy, so they "may not", not a control ("cannot") - which, even if it existed, wouldn't prevent them issuing it to socks -- and in the case of a compromised 'crat account, an attacker certainly wouldn't care about policies. — xaosflux Talk 10:29, 10 June 2022 (UTC)
While you are technically correct, and I have amended my statement, any 'crat granting themselves the perm would likely be brought before ArbCom if they didn't self-revert immediately, and a compromised account would of course be quickly shut down (and this scenario is not what the OP is concerned about). Primefac (talk) 10:42, 10 June 2022 (UTC)
Thing is though, you could probably write a script to grant yourself INTADMIN and then immediately do whatever malicious stuff you want on the JS/CSS pages and MediaWiki pages. This would take at the very least 10 or so seconds to fully stop, and in that time thousands of readers will be subject to whatever you did. Hell, now that I think about it, that might not even be necessary—no one monitoring logs would instantly assume a bureaucrat is acting maliciously unless they spotted an actual action using the permission, so they probably would have a good 60 seconds or so. Maybe a bit less. Snowmanonahoe (talk) 12:00, 10 June 2022 (UTC); edited 12:11, 10 June 2022 (UTC)
You could use the Wikibreak enforcer script as a malicious script; it would log out all of the users and no one would be able to revert it... Thingofme (talk) 13:31, 10 June 2022 (UTC)
There are certainly ways around that - but this is straying very far from the topic of Lee's RfB - if there are things that need to be developed outside of the existing T150898 stuff, perhaps we can move to VP. — xaosflux Talk 13:38, 10 June 2022 (UTC)
I'm also not super-thrilled about brainstorming ways to break Wikipedia. Primefac (talk) 23:38, 10 June 2022 (UTC)
If we don't come up with the idea first, someone who would use it will. Snowmanonahoe (talk) 19:12, 11 June 2022 (UTC)
Yep, that's exactly what being a white hat hacker entails. WaltCip-(talk) 16:02, 13 June 2022 (UTC)
@Thingofme: this and related concepts are still being worked on globally, such as in phab:T150898. I agree that this is a good idea, but practically it will be disruptive on many projects, and 2FA recovery support is ad-hoc at best. As far as Lee Vilenski's RfB goes - feel free to ask them about it; an open-ended question ("What do you think about 2FA for 'crats?") is generally better than a personal question ("Do you have this security option enabled?") that they may decline for security reasons. — xaosflux Talk 10:29, 10 June 2022 (UTC)