The fucked up grammar of the headline makes me angry
Then maybe you should apply to edit Wikipedia articles for grammar, to cool down
Big republican energy. “wHy DoN’t u jUsT dO iT yOuRsElF?!!1?!”
How about don’t make the mistake in the first place?
How about you fix Wikipedia first before fixing me?
We must protect wikipedia, they’re our only safe place right now.
Ya, tonight I’m gonna start torrenting one of the backups. I don’t normally seed more than 2x ratio but I think this one will be set to trickle seed and stay on for at least 10x
Yeah, the entire compressed thing is only ~40GB if you exclude media like photos, audio files, videos, etc, so it’s surprisingly easy to keep a local backup. You need some specialized software to be able to read the compressed data without fully unzipping it, but the software is FOSS so anyone can use it. Even if you include images, the file is only like 120GB, which is easy for anyone with a NAS. I’ve had the 40GB version on my NAS for a while, and happily leave it to seed.
Please do if you have the storage space and bandwidth
How big is the torrent, and where do I download from?
40G if you don’t download pics. Closer to 100G with pics (apparently 115G at the moment)
See: library.kiwix.org
Kiwix is the simplest way to host a local Wikipedia backup
I’ma let one of you who has 40 spare gigs of HDD space do it
Going to kick this off tonight and seed for a good long while. I got you fam.
I’ve got a copy on a hard drive and one on my phone
Oh, fuck, this is going to be interesting to read about. Just to clarify: it seems like this wasn’t just Wikipedia but Wikimedia generally. So that’s also e.g. Wiktionary, Wikimedia Commons, Wikidata, etc.
Edit: Decided to check Reddit, and someone posted an ostensibly good summary on /r/wikipedia.
Shameless copy/paste of the main info if anyone wants to catch a glimpse without going to Reddit:
Summary of events:
On 5 March 2026, a Wikimedia Foundation employee accidentally imported a malicious script to his account on Meta-Wiki while testing global API limits for user scripts (see his global.js page history). The malicious script was created in 2023 to attack two Russian-language alternative wiki projects, Wikireality and Cyclopedia. In 2024, user Ololoshka562 created a page on the Russian Wikipedia containing the script used in these attacks. The script, which had been sitting dormant on ruwiki for 1.5 years, then spread to several accounts on Meta, including WMFOffice, and mass-deleted pages in namespaces 0–3, leaving behind an edit summary of “Закрываем проект”, Russian for “Closing the project”. The staff member, as a global interface administrator, has permission to edit meta:MediaWiki:Common.js, which allowed the script to infect any user who visited Meta-Wiki while it was active. To prevent the script from spreading further, all Wikimedia projects were set to read-only for about 2 hours, and all user JavaScript was temporarily disabled.
Post from WMF staff member on Discord:
Hey all - as some of you have seen, we (WMF) were doing a security review of the behavior of user scripts, and unintentionally activated one that turned out to be malicious. That is what caused the page deletions you saw on the Meta log, which are getting cleaned up. We have no reason to believe any third-party entity was actively attacking us today, or that any permanent damage occurred or any breach of personal information.
We were doing this security review as part of an effort to limit the risks of exactly this kind of attack. The irony of us triggering this script while doing so is not lost on us, and we are sorry about the disruption. But the risks in this system are real. We are going to continue working on security protections for user scripts – in close consultation with the community, of course – to make this sort of thing much harder to happen in the future.
> To prevent the script from spreading further, all Wikimedia projects were set to read-only for about 2 hours, and all user JavaScript was temporarily disabled.
The NoScript extension in Firefox makes the web so much nicer. It turns out sites that don’t require JavaScript tend to be made by vastly better humans than sites that do. More so for sites that require cross-site scripting and cookies to just show text.
Can’t search on google.com without allowing JavaScript, but it turns out Lite.DuckDuckGo does, and for me at least gives vastly better search results.
Wikipedia can be read and edited without allowing JavaScript, and I personally don’t like the crap that the scripts provide. It’s also usable without cookies, tho the idiotic UI options column on the right is a hassle without cookies.
> Can’t search on google.com without allowing JavaScript, but it turns out Lite.DuckDuckGo does, and for me at least gives vastly better search results.
That just means you prefer Bing search results. DDG simply proxies Bing Search and removes the tracking elements. So you’d get the same search results with Bing… Though Bing may sort those results differently, since they’d use tracking to push certain sponsored results to the top if they think you’d be more interested in them.
To be fair I would assume that it’s better to trigger something like this during a security review when people are actively “online” and focused on security risks than at some other time.
Absolutely and it helped prove why they needed to do this security review to begin with as well as will teach them the nature of how this user script worked so they can put up guardrails for this specific type of attack. An unfortunate event but as long as they are using it to learn from and strengthen their security, overall it’s a good thing.
That’s hilarious, and I cannot imagine how stressed out that employee is.
After that kind of learning experience that employee needs a reprimand and a raise in that order. You can bet that shit won’t happen twice! 😆
Back when I worked at the foundation there was a special permission that you couldn’t have unless you’d broken stuff super badly. To push new code you have to have one of those folks present. They were responsible for making sure there was a back out plan and ran the actual deploy script. Their ssh keys did the deploy.
I got this bit set after I took out search for Italian Wikipedia. And all non-Wikipedias.
We had an employee break procedure, make a dumb mistake, and cause ~$160k worth of damage to a mission-critical piece of infrastructure. It happened due to her own inattention and disregarding her “here’s how to shut down at the end of the night” checklist, at like 8PM. Basically, instead of doing steps A, B, C, and D, she went “eh I know what I’m doing,” jumped straight to step D, and suddenly heard very expensive noises. It required me and her supervisor to pull an overnight shift to get a bodged workaround in place, just to be ready for the next morning at 8AM. And even then, the gear was out of commission for about a month until we could get it fixed.
All in all, it was about $80k worth of equipment repairs, $40k in equipment rentals (to keep things running in the meantime), and about $40k in additional labor (we had to hire specialized contractors to fix the gear).
The employee 100% thought she was going to get fired when it happened. We were obviously angry and disappointed that she made such a dumb mistake, but we didn’t yell or chastise her. We simply told her to go ahead and clock out for the evening, and we’d deal with fixing things overnight. She tried to say she could stick around to help… But this was already at the end of her shift, she was obviously not in the right headspace to pull an overnight shift, and we were both too frustrated to have her around at the time. She was crying on her way out the door.
The supervisor decided to keep her on instead of firing her, for this exact reason. She didn’t get a raise, but she didn’t get fired either. She got reprimanded, but her supervisor was confident that she would never make the same dumb mistake again. And now her story is used as a cautionary tale to drive home the importance of following procedure when we’re training new hires.
You want even more Management?? 😨
Raise and promotion are not synonyms.
Ironically it is comments like these that led to Reddit gold. But thank you kind stranger for saving me having to descend into The Depths for this.
Danke. This should easily be fine for anyone who’s slightly-to-moderately interested; some of the nitty-gritty details like hyperlinks to the edit diffs are excluded from this copy–paste for those who really know their stuff and want to learn more.
“The malicious script was created in 2023 to attack two Russian-language alternative wiki projects, Wikireality and Cyclopedia.”
So this was a US/Ukrainian attack on Russia that backfired ?? Weird ‘friendly fire’ situation…
FYI, the kiwix foundation makes offline versions of wikimedia resources (though at pretty wide intervals, depending on the site, annually) which you can download via torrent and browse with a ZIM viewer. I use this as an offline resource on my home LAN, and have used other kiwix downloaded resources to train a local LLM without spamming the real internet: https://library.kiwix.org/
Download a little offline Wiki for rainy days folks!
I take connectivity for granted but shouldn’t. Batteries charged, books on the shelf, offline games and media stored locally…
> Live on a dorm
> There’s lots of people
> Cell towers are motherfuckingly overloaded during the day
> 0.09Mbps down, 4.5Mbps up and > 300ms on 4G
What kind of shitty-ass dorm relies on cellular connections? When I was in college, we had wired ethernet in the dorms and then wifi on top of that. Piracy was huge, in part because it was a lot of folks’ first opportunity to have a fast connection, LOL.
(Admittedly, that was at a research university that had been sitting directly on internet backbone since the NSFNET days, but still…!)
We have that available, I just use mobile data because I disagree with their ToS.
The ToS is so restrictive that you basically immediately break it after connecting a device. I was told that, of course, they don’t really care.
Except - there is a point stating the provider has the right to access your computer if there is a suspicion of ToS violation. Considering the network here is a student-run organization, that could easily be exploited if you piss off someone.
Maybe I am just paranoid, but no thanks.
Otherwise, from talking with them, most dorms have 1Gbit, some have 2.5Gbit, and all share a 40Gbit link which could apparently do 100Gbit (I think), but it’s capped due to licensing.
They leverage national academic network.
Oh, and they also got a class B subnet back when everyone was sure there’s just way too many IPv4s, so NAT isn’t being used here.
> paranoid
Mm who wants to rely on someone keeping a verbal promise when it says in writing something like your privacy is at stake?
You are not paranoid. People were sued and jailed under CFAA interpretation that violation of ToS is a federal crime.
I was under the impression that this is still the case after listening to a few of DarkNet Diaries’ recent episodes.
Ah good old dorms. My first t3 line. So much media downloaded, uh, with the express written consent of the license holders I swear
Putinists to turn wiki to moscovite narrative?
👆Least unhinged .world user take on completely unrelated events. Cat poops on the floor? It was probably Putin











