Stewards' noticeboard


Donation Drive Notice
Just leaving a notice that I received 3 of the exact same message postings from the "mass messaging system" on my profile at the same time. Kind of an annoying way to blow up my profile messages.

Anthonyk747 (talk) 15:46, 5 January 2015 (GMT)
 * Hi Anthony - I'm really sorry about that. I went through and removed all of the duplicates. It was my first time using the extension and none of the messages seemed to go out. I then noticed a typo in the Indiegogo link and had to fix that. Again, my apologies for the newbie mistake :) D u s t i *Let's talk!* 15:49, 5 January 2015 (GMT)

Organizational Structure Change
It's with great sadness that I announce that John Lewis has decided to part ways with Orain. At this time, Tanner, Zachary_DuBois, and Tim will be joining our SysAdmin team. Each of them is identified according to our Privacy Policy; however, they will not have access to the Steward permissions unless they go through a community granted permissions process. D u s t i *Let's talk!* 03:29, 20 January 2015 (GMT)

A message from one of the founders
The last couple of days have been, well, insane. Personally, I've had some issues to take care of and haven't been around as much as needed. Professionally, Orain has gone through a vast amount of changes that have gone unannounced. This is due, in part, because of my negligence, and I apologize for that. At no time have I intended to keep the community "in the dark" over what's been going on.

The first order of business is a staffing change. John Lewis is no longer with Orain. This is due for several reasons and I'm not going to dive into those in an attempt to keep this community drama free and out of respect for John. He and I spoke and it was determined the best course of action was for Orain and him to part ways. I cannot thank him enough for his hard work, dedication, and the commitment that he's shown this project.

With that being said, the obvious issue at hand, and the reason that we've had an Indiegogo campaign, is because we have technical resource needs. We've outgrown our current home and things were happening that aren't fair to the end user - you. While John was looking towards us purchasing our own servers to help with long term stability, several neutral parties expressed their concerns over the cons of that thought. When looking at the long term pros and cons of the idea, the cons, while few, outweigh the benefits.

I approached several individuals that I have worked with in the past at other wiki farms and they were enthusiastic about helping Orain. They quickly came to our think tank and had excellent ideas. They have the passion, enthusiasm, and skills that Orain needs to continue strong as we prepare for some changes to our community. After the departure of John, I did not hesitate trusting these individuals. These individuals had no problem identifying to our community as per our identification procedures and have been given root access. They do not, however, have steward rights. Those rights are community trust positions and granted by the community. Each of them has agreed to abide by the Privacy policy set in place to protect our users and the community as a whole. I am confident that with these individuals, plus our two standing sysadmins Geth and Southparkfan, in addition to the co-founder of this project Kudu, we will not only continue to better our project and our community, but we'll be able to quickly implement and respond to Feature requests and wiki requests in a timely manner.

I've asked one of the users, Tanner (git on IRC), to prepare a statement that I'll now share with you. I want to reiterate and assure you that Orain is going to remain heading in the direction that it was already heading. The only major change that we're currently looking at is our servers, which was the purpose of the Indiegogo campaign. Here is git's statement:
 * Hi, I'm Tanner. As I'm sure you know, Orain has been having some technical problems. Dusti reached out to me a few days ago asking if I could help solve these problems. I investigated them a bit, and saw a few problems. First, the current infrastructure is not suited for our number of users. I plan on fixing this by shifting some things around on the servers, and adding/removing servers as necessary. In addition, I would like to move some of our services off of Orain-owned servers, onto "as a service"s. These might include Route 53 (a DNS service provided by Amazon), SES (an outgoing email service provided by Amazon), and Mailstache, Zoho, or Google Apps (all services to receive emails). I would also like to move from using Nagios to monitor our servers to a service such as New Relic and Pingdom. By doing this, we will ensure that, should an entire datacenter go down, we will be notified no matter what. In addition, we, as a team of system administrators, are considering moving our servers from DigitalOcean to Amazon Web Services, also known as AWS. AWS is used by some of the largest websites on the internet, including Netflix, Reddit, NASA. By using AWS, we would more easily be able to scale our services as needed, and reduce downtime.

Some users have expressed a concern about our funds and a staff change while undergoing a donation drive. I want to reiterate that I am the only individual that has access to Orain's funds. No other user has access to our funds. These funds are held in our PayPal account and a savings account held by the Bank of Nova Scotia. The funds are linked (i.e. PayPal is linked to the Savings account) so funds can be transferred back and forth and not held in a single location for security reasons. A minimal amount (i.e. two months of bills) is held in the PayPal account at a time. This is due to PayPal's ability to freeze funds without cause and for security reasons. Kudu and I are in the process of submitting paperwork to the Government of Canada to obtain a non-profit classification for Orain which will enable us to have a completely separate bank account to hold our funds in.

Finally, over the coming days and weeks, proposals will be made to the community regarding policy updates. These are usually done yearly by organizations such as Facebook, PayPal, etc. and are meant to increase the level of security and privacy the members of the community have and should expect. These policies will only be strengthened, not weakened. I am excited over these changes and feel that Orain is going to continue to head in a positive fashion and that the changes we are beginning to experience will better our services, strengthen our community, and help us move forward united as one.

Warm regards, Dustin Muniz D u s t i *Let's talk!* 00:30, 22 January 2015 (GMT)

SRP
I logged in here to scramble password, and found the request above wasn't handled. Thanks, — ReviComplaint? 16:35, 26 January 2015 (GMT)
 * Done. D u s t i *Let's talk!* 16:45, 26 January 2015 (GMT)

Illegal attack by User:John
On 26 January 2015, at 03:01 AM, an email was received by Dusti indicating that the domain name `orain.org` had been sold via the NameCheap Marketplace at the price of $5. NameCheap is the current registrar for Orain.

Believing that this was either a phishing email or a joke, he then immediately accessed the NameCheap account directly and discovered the `orain.org` domain was missing from the account. He then contacted NameCheap via chat and via a support ticket informing them of the issue. The first ticket was filed at 03:09AM and the chat session was initiated at 03:12AM.

During the chat session the agent immediately locked our account, the account of the buyer, and also froze the domain so DNS records could not be changed. This was done at Dusti's request to prevent any type of security threat or disruption to the farm. There was nothing further that the chat agent could do other than to advise me to wait for the registrar's Risk Management division to reply to the ticket. One hour and seven minutes later, Risk Management began working on the support ticket gathering information from him about the incident. The domain was returned to our control at 08:08AM.

Support was then contacted to determine the series of events that led to the domain being listed for sale. The account was accessed at 5:00:26 PM from a certain IP address. The domain was listed for sale on 1/23/2015 at 5:59:40 PM EST. IP information on hand for John, obtained by our staff via CheckUser once he was suspected of being behind the attack, indicates that the last IP address from which John last accessed our own website was that same one, on both 19 January 2015 and 20 January 2015.

For those who may be unaware, John Lewis is a former volunteer with Orain who was part of our tech division for about a year and a half, until he resigned last week. It is our belief that the domain was most likely not transferred to his own account, but simply purchased on the free market, although this is speculative. It is possible that John, in a rather cowardly way, wouldn't have wanted the domain to remain associated with his account.

I would like to highlight Dusti's formidable agility in the handling of this case and the protection of the farm. At no time, other than the brief few minutes from the domain transfer until locking, was the community at risk. This entire incident was unacceptable and both NameCheap and the Staff are reviewing the incident to determine the cause and also to determine what steps can be taken to ensure that this does not happen again.

However, it is important not to misinterpret this incident as a minor internal feud between staffers or ex-staffers, or as a simple matter of operational security. As far as the staff is aware, John Lewis clearly committed a criminal act by accessing the account of an organization from which he voluntarily resigned, when he clearly did not have the right to do so, and then proceeded to successfully have the domain sold and our website's service disrupted, even though this domain was not his legal property.

As such, an official police report has been filed with the National Fraud & Cyber Crime Reporting Centre in the United Kingdom, and a case reference number (CRN) has been obtained. The report will be forwarded to the National Fraud Intelligence Bureau, which is run by the City of London Police. We are sorry to see that our long and fruitful business relationship with John, which until now appeared to have ceased without any drama, must have turned this way, but we have no choice but to take such issues seriously.

Dusti and I have decided to take the staff action of locking John's global account. Please note that this can be considered a preemptive block. We will privately contact John to ask him to either accept or reject our finding of events. If there is no objection to the facts that have been found, the preemptive block will be replaced with a global ban. Given that the case is in the hands of the police, we have instructed our staff members not to make any further comment on the matter, given that our only communications will be on this noticeboard for the entire community to have a clear view of the facts.

For the staff, Kudu ~I/O~ 23:57, 26 January 2015 (GMT)

Abuse Filter
I set up several abuse filters in right.orain.org. They work fine, however, in case of user error the behaviour is somewhat user unfriendly. The rules for error case are simply not accepted.

For example, filter 14 is for new pages without category. What happens is that the page will not get created, even though I just clicked "Warn" and "flag" when I created the filter. Even when I click just flag, the same happens: the incident is logged, no page will be created, user action blocked, but no explanation at all.

I compared the behaviour with en.wikipedia.org behaviour. There, if a filter says flag only, the event will only be flagged, but the action can be done. If the filter says warn and flag, the user will be warned, but can do the action. The rules for error case are here accepted.

Is there a possibility to make sure that the rules for error case are accepted? In other words, they behave as in en.wikipedia.org? Fiala1 (talk) 23:05, 28 January 2015 (GMT)
 * We're currently taking a look into this and will let you know once we've figured out what the issue is. D u s t i *Let's talk!* 15:14, 29 January 2015 (GMT)


 * Feel free to use right.orain.org. Just create a new page with one line and without category, and you will see the effect. You can repeat the same thing in en.wikipedia.org, and then check the edit log - you will see it makes an entry, but it lets you create the page. The filter itself is . Fiala1 (talk) 15:38, 29 January 2015 (GMT)