Wikipedia talk:IP block exemption

Shortcut:
WT:IPEXEMPT

Archives:

  • /Archive 1 - policy creation up to enabling of IPEXEMPT, May 2008.


Template and mediawiki namespace edits needed

Templates such as "checkuserblock", mediawiki interface pages such as the various "block messages", and the WP:BLOCK, WP:IP and WP:APPEAL pages may need updating to reflect roughly, that "IPEXEMPT is now an option if you are a well behaved user affected by a block. You should read WP:IPEXEMPT to understand the conditions on which this is granted before requesting it in your unblock request, if applicable."

We don't want heavy traffic, but we do need to consider that very problematic IP ranges will more often be hard blocked with exemption now (not previously possible), and ensure good-faith users are really quickly directed to IPEXEMPT if this happens to them. FT2 (Talk | email) 00:28, 9 May 2008 (UTC)

We can do this in a little while; I'd like to make the uptake of this slow but smooth. :-) --Kim Bruning (talk)
Yes. FT2 (Talk | email) 00:53, 9 May 2008 (UTC)
Special:AllMessages. In case you weren't aware. : - ) --MZMcBride (talk) 01:27, 9 May 2008 (UTC)
Yes. I was actually thinking of Mediawiki:Blocktext more... which I drafted ;-) (and Mediawiki:Autoblockedtext etc which I didn't). FT2 (Talk | email) 02:33, 9 May 2008 (UTC)
One notable change: blocked users using Template:Unblock-auto won't have to reveal their IP addresses. The template's probably not needed anymore, actually—blocktext can point directly to unblock-l. GracenotesT § 01:37, 9 May 2008 (UTC)
Why? (Sorry I'm coming late on this part) I mean, if we want to be able to decide whether or not ipblockexempt is a good idea, we might need to check which range is affected first and why? -- lucasbfr talk 09:32, 10 May 2008 (UTC)

While learning, let's keep a log

/log <- Can folks who have applied this flag leave a short description here please? This is not a requirement, just a friendly request so you can help us help you help us. --Kim Bruning (talk) 02:44, 9 May 2008 (UTC) and then there will be cake

Summary for newcomers to IPEXEMPT

IPEXEMPT means a user can bypass any IP block at all - only a block specifically on their username will affect them. There are two main situations it'll be most useful - constructive users who edit via a vandalism range or shared IP we would like to hard-block, and users who would like to edit anonymously via Tor or another hard-blocked open proxy.

The main risk area with IPEXEMPT is it is wiki pixie dust to avoid checkuser. So it's likely to be a highly desired flag by wiki-abusers for its WP:GHBH and WP:SOCK deniability potential. Fortunately most uses will not be for anonymous access, but for hard IP block bypassing.

  • Users who want IPEXEMPT to bypass a hard IP block on their usual IP, aren't a problem. They don't especially want to edit via proxies, it just happens IPEXEMPT would let them if they did. To keep it simple, the suggested policy is that a user in this position who just wants to use their normal connection but there's an IP block on it (schoolblock, vandalism, etc), can be given IPEXEMPT by any admin, but there's a condition they may not use it to edit via blocked proxies, or else it'll be removed.
    Logging of the right, may be needed to track when the right should be removed (ie, end of block), perhaps. Nothing much more. Making non-proxied use a condition means minimal scrutiny is needed and avoids loads of needless inquiry and such. It also means most requests don't need anything more than a quick check it's justified (ie, due to an IP block on their native IP), since the right will be removed if used to edit via a proxy. Easy.
  • Users who want IPEXEMPT to edit anonymously need more scrutiny. That's still being discussed. Main risk - Admins might quietly give the right to socks or friends on a pretext (send self email). We've had a few sock-admins and some abuse proxy access and unblock methods.
    This should be a rare request, and it requires a high level of trust of the user, and certainty of uninvolved admin scrutiny (IPEXEMPT is effectively an admin level tool). But if there is a bona fide need for anon proxy access by a non-admin, and sufficient trust, then we now have a way to let them.

FT2 (Talk | email) 03:01, 9 May 2008 (UTC)

Anon usage proposal (from Archive 1)

For usage where no anon proxy is involved, there's not anticipated to be many problems. But in the rare case that anonymity is requested, a tight control is needed to ensure scrutiny and close means of abuse (this is a highly abusable access). Draft from archive 1:

=== Using IP block exemption for anonymous or proxied editing ===

Editing via an anonymous proxy can be easily abused, so it is only granted under exceptional circumstances. Typical users who may reasonably request an exemption include users who show they can contribute to the encyclopedia, and (for existing users) with a history of valid non-disruptive contribution, but are either being hindered by restrictive firewalls, or for exceptional reasons must edit via anonymous proxies.

Note that avoidance of checkuser, or specific checkusers, is not usually considered a sufficient reason - concerns over checkusers should be discussed with the Arbitration Committee or Ombudsman.

There are strict requirements for determining whether a user can use IP block exemption to edit anonymously. Granting or reinstating exemption without following these would usually be considered a serious misuse of administrative tools:

  • Exemptions are not given without clear need, and a high level of user trust to not abuse the flag.
  • All exemptions must be posted for scrutiny and discussion to a reputable administrative mailing list or wiki-page. Typical venues include the unblock-l, checkuser-l, otrs-en-l, and arbcom-l mailing lists (contact details below), and WP:ANI. Administrators are prohibited from assigning IP exemption with permission to edit anonymously, to any user, without such a list being made fully aware, non-neutrality (if any) being disclosed, and a reasonable opportunity for review.
  • All exemptions are subject to review and repeal. Exemption may be, and will usually be, withdrawn if there is credible evidence or concern of abuse, or the exemption is no longer necessary.
Who may request -- A user who has genuine and exceptional need, and can be trusted not to abuse the right. This is a level of trust equal to that given Administrators, as IP block exemption is an administrative tool.
How to request -- Request to an appropriate administrative mailing list or venue (see above). Uninvolved administrators will discuss your request.

FT2 (Talk | email) 03:01, 9 May 2008 (UTC)

I made a few changes for it to read better (diff). Neıl 10:37, 9 May 2008 (UTC)
Fixed an address; there's no list named "otrs-l". - Jredmond (talk) 14:23, 9 May 2008 (UTC)
Added disclosure of non-neutrality if any. FT2 (Talk | email) 02:53, 10 May 2008 (UTC)

List of recommended anon proxies

We should create this on the Wikipedia:IP block exemption page at something like Wikipedia:IP block exemption#Suggested proxies. That way, people exempted don't end up using some crappy one that will get them hacked or leaked. Lawrence Cohen § t/e 17:07, 9 May 2008 (UTC)

I would be extremely hesitant to make any recommendations about which proxy to use. There is no evidence whatsoever that any open proxy is any better (more secure, whatever) than any other. There is not even any evidence that something like Wikipedia:WikiProject on closed proxies is secure (no offence guys). Users on anonymity networks should ensure the security of their login credentials by using the secure server. Anything else is a personal choice of risk. -- zzuuzz (talk) 19:52, 9 May 2008 (UTC)

Autoblocks and bots

This also makes the flagged account immune to autoblocks, rite? This should probably be plugged on bots running on the toolserver so that they don't get whacked by an admin carelessly blocking another malfunctioning bot... Миша13 19:56, 9 May 2008 (UTC)

Yes, it's immunity from absolutely all blocks (IP, IP range, autoblock, etc) except those directly on their usernames. IPEXEMPTing bots is an interesting idea. I guess you mean, to protect bots from accidental IP blocks of the toolserver? If that's really a problem, it would solve it. But does the toolserver get IP blocked often? I don't know much about it. FT2 (Talk | email) 22:47, 9 May 2008 (UTC)
I mean one of two things: either an inexperienced admin hardblocks a malfunctioning toolserver bot (that did happen often in the past) or a bot logs out and starts to edit under TS IP, in which case the policy used to say the IP should be blocked. Миша13 10:02, 10 May 2008 (UTC)
Discussion of IP block exemption generally, for bots, moved to Wikipedia:Bot owners' noticeboard#WP:IPEXEMPT. FT2 (Talk | email) 01:16, 11 May 2008 (UTC)

Recipients

I was just looking over the list (currently 4) of those who've already received this.

I think it would be helpful if those who have would have some note on their userpage as to why they have received this. (Some do, somewhat, already.) - jc37 20:38, 9 May 2008 (UTC)

Not a bad idea at all. A template would probably be voluntary - so it might be a bit self-defeating. But what about some site code that puts an icon on a user's page if they have ipexempt, like admins have a little mop in the title bar? FT2 (Talk | email) 22:47, 9 May 2008 (UTC)
I wouldn't oppose that. However, I think it should be a requirement of receiving it that an explanation of it being granted is posted on the person's userpage. (Or, in rare cases, a link to the person who granted it, who "may" explain its granting, if appropriate. - this exception due to possible anonymity concerns that we may not foresee.)
No explanation (or no link to explanation/explainer), then no IP-exempt. - jc37 00:04, 10 May 2008 (UTC)
Why not a central list of them all? Lawrence Cohen § t/e 00:07, 10 May 2008 (UTC)
I don't like the idea of a little icon, as that makes it start to seem like a status symbol, which it absolutely is not. I think a central list might be a good idea. My original thought was that it would be too much work to maintain such a list, but I don't think it would, given the limited amount of users that are likely to be assigned this flag. --Deskana (talk) 00:09, 10 May 2008 (UTC)
If you provide crackers and cheese, they'll line up to eat : )
As for a list, we already have one: Special:ListUsers filterable by userrights.
And a list of explanations isn't going to be useful to someone who may just be coming to the user's page. - jc37 00:19, 10 May 2008 (UTC)
This guy knows what he's talking about. Concur on the crackers, cheese, and list. We have all that's needed, except a quick way to review for expiry/reasons/abuse, really. And reasons will be in their user rights log. Ideas that avoid crackers and cheese? FT2 (Talk | email) 02:49, 10 May 2008 (UTC)
(Hmm... what if the icon was only visible (like the DELETE/PROTECT tabs), if the viewer was a sysop? Zero cheese?) FT2 (Talk | email) 02:59, 10 May 2008 (UTC)
Then let's pummel those giving this that they need to make sure the reason is explicitly clearly explained in the user rights log. - jc37 03:05, 10 May 2008 (UTC)
Ok, I'm apparently lost. Where does one find these logs? : ) - jc37 03:11, 10 May 2008 (UTC)
Ok, I found [1], but is there really no listing of this linkable by user, from the user's page? - jc37 03:18, 10 May 2008 (UTC)
Re "pummelling"... agree. (But gentler!) FT2 (Talk | email) 01:19, 11 May 2008 (UTC)
{{minnow}} ?
(Or perhaps the S. S. Minnow : ) - jc37 01:32, 11 May 2008 (UTC)

Maybe better not to show people's flags. :-) --Kim Bruning (talk) 13:18, 11 May 2008 (UTC)

WikiProject on closed proxies

Hi, I was just wondering, that if possible, could we advise users considering getting IP exempt to have a look at Wikipedia:WikiProject on closed proxies (provides access to password-protected Wikipedia-only no-account-registration or anonymous editing proxies specifically for Wikipedia editors who need to bypass filtering) and trying that out before requesting exemption?  Atyndall93 | talk  11:59, 11 May 2008 (UTC)

Sounds like a plan. --Kim Bruning (talk) 13:17, 11 May 2008 (UTC)
I'm not sure what the advantage is. IP block exemption allows the user's native IP to remain unchanged, a valuable safeguard against attempts to abuse that are inherent with all kinds of proxies. See above for concerns over controls for proxy usage of any kind. The same issues would exist with closed proxies or open ones. Given exemption is available, do we need closed proxies any more, or can we make do with tor + exemption alone? And can someone clarify how abuse possibilities are addressed by the wikiproject? FT2 (Talk | email) 14:44, 11 May 2008 (UTC)
Well basically, there are several users that are hosting proxies on servers whose names are not disclosed, these proxies require a username and password to access (you contact the proxy operator to set up an account and find out the proxy's address) and only access the Wikipedia website. They automatically block account creation, so you must contact an admin or the proxy operator to create yourself a Wikipedia account. Accounts using the proxies will have their user talk pages periodically checked (about every 3 days) to see if they are vandalizing or doing bad things, if they are, their proxy username and password are revoked, thus stopping them from using the proxy. The proxy will either prevent anonymous access via its own interface, or I will see if an admin can softblock the proxy's IP address.  Atyndall93 | talk  22:10, 12 May 2008 (UTC)
Also, in response to the security of the proxy discussed above, the proxies all must use SSL between the user and the proxy and can be programmed to access the SSL version of Wikipedia, stopping packet sniffing and other security problems. As to the security of the proxy itself, the proxies are hosted by people who have made significant contribution to the Wikipedia project and who would receive a very bad reputation if they were found to be using the proxy against policy.  Atyndall93 | talk  22:17, 12 May 2008 (UTC)