Board Thread:General Discussion/@comment--20150814190019/@comment--20150815160027

Hello,

Wanted to post a general update to touch on concerns or lines of questions raised higher up in the thread.

First off, I want to re-stress that what I've announced in the "moving forward" realm is tentative. While I feel very confident we are moving in the direction I stated (otherwise I would not make such a statement!), keep in mind that this week we spent most of our time investigating the incident and taking emergency measures. We have had little time to nail down specifics on either the JavaScript review system or the Verbatim replacement tools. We have just begun our normal product building process - talking to all stakeholders inside our company and broaching the subject with Community Council. While we are doing that in the most rapid way we can, that still takes time. Until we have scoped out exactly what we're going to build, there's literally not much more I can say.

Regarding JavaScript review, it's essential to understand that not all wikias have custom JavaScript - that number is less than 4% of our 330,000 current communities. And of that subset, very few touch their JavaScript files once per day much less per month. Of course, there definitely are communities that are very active JavaScript editors. We will be looking at some of them to better understand the volume and needs. I will be scoping out who exactly will be a reviewer in the week to come. It will likely start with ComSup techs though I could certainly envision a VSTF-ish global group that helps with both a review and library system.

At first, yes, it's entirely possible that there will be some delays in approving JavaScript as we initialize who is reviewing it and get a feel for an approval interface. While stating that, I think again it's important to look at perspective. VSTF has one of the fastest response times of any group anywhere I've ever seen and despite immense volume, Wikia Staff has a 48h response time and 90% of our tickets get replied to within 24h (yes, including weekends). I expect the volume of review to be very low compared to both groups' workload. So yes, there may be growing pains, but please do not jump to conclusions that there will be week-long waits getting JavaScript approved.

Regarding login security, as touched on earlier in this thread, Helios authentication has a number of additional security tools that will help. Helios will be explained either late this month or early next month as we talk about how Wikia is tackling some of our architectural needs through SAAS (Software as a Service). In addition, throughout the summer we have been aggressively scoping out the most feasible way to bring SSL/HTTPS services into Wikia (this being tied into some of the core components of Helios). Simply put, our scale and number of domain structures has made this difficult, but it has been a priority for some time before this incident.

I also want to very directly address those who expressed concern that a code review process either takes away our users' freedom or enjoyment from using our platform. Custom, user-written, executable JavaScript simply doesn't make sense on today's internet. We can close one hole (like login form security), and attackers are simply quick to try to find another. One of our engineers has literally spent most of his free time all year doing penetration/vulnerability tests on our code and made improvements as needed. But on the front end, there is nothing more dangerous than JavaScript.

That said, we understand and respect what our communities have done with JavaScript. The aim of this project is to continue to allow JavaScript to be used as a customization method on our site with an extra layer of review for security. JavaScript is not going to be reviewed for the purpose of determining if an idea is "good" or "bad". It is simply going to be reviewed to see if it breaks (causes fatal errors) or harms our communities in any way. If the code submitted meets those criteria, it will be approved. If an attacker is trying to phish, it will be denied and Community Support will investigate. It's a safer environment for everyone that should not infringe on the power of customization our communities have.