
Wikipedia:Bureaucrats' noticeboard: Difference between revisions

From Wikipedia, the free encyclopedia
Line 114: Line 114:
:
:
:I also appreciate the chance to genuinely decline a self desysop! Since the rules state that resignation can be for any reason - look, I'm IARing as a crat! [[User:Worm That Turned|<b style="text-shadow:0 -1px #DDD,1px 0 #DDD,0 1px #DDD,-1px 0 #DDD; color:#000;">''Worm''</b>]]<sup>TT</sup>([[User talk:Worm That Turned|<b style="color:#060;">talk</b>]]) 08:46, 16 January 2021 (UTC)
:I also appreciate the chance to genuinely decline a self desysop! Since the rules state that resignation can be for any reason - look, I'm IARing as a crat! [[User:Worm That Turned|<b style="text-shadow:0 -1px #DDD,1px 0 #DDD,0 1px #DDD,-1px 0 #DDD; color:#000;">''Worm''</b>]]<sup>TT</sup>([[User talk:Worm That Turned|<b style="color:#060;">talk</b>]]) 08:46, 16 January 2021 (UTC)

*'''Decline'''. I appreciate the intention though. Can we just move on now please? --[[User:Dweller|Dweller]] ([[User talk:Dweller|talk]]) <small>Become [[Wikipedia:Old Fashioned Wikipedian Values|old fashioned!]]</small> 18:18, 16 January 2021 (UTC)

Revision as of 18:19, 16 January 2021

    To contact bureaucrats to alert them of an urgent issue, please post below.
    For sensitive matters, you may contact an individual bureaucrat directly by e-mail.
    You may use this tool to locate recently active bureaucrats.

    The Bureaucrats' noticeboard is a place where items related to the Bureaucrats can be discussed and coordinated. Any user is welcome to leave a message or join the discussion here. Please start a new section for each topic.

    This is not a forum for grievances. It is a specific noticeboard addressing Bureaucrat-related issues. If you want to know more about an action by a particular bureaucrat, you should first raise the matter with them on their talk page. Please stay on topic, remain civil, and remember to assume good faith. Take extraneous comments or threads to relevant talk pages.

    If you are here to report that an RFA or an RFB is "overdue" or "expired", please wait at least 12 hours from the scheduled end time before making a post here about it. There are a fair number of active bureaucrats; and an eye is being kept on the time remaining on these discussions. Thank you for your patience.

    To request that your administrator status be removed, initiate a new section below.



    Advice? Someone's trying to brute-force my account

    I've gotten 4 notifications today from the WMF about logins from an unrecognized device; I understand from this page that that represents at least 20 attempts by someone trying to log in as me. I have a secure password that I've never used anywhere else, but as you may know, the most extensive security breach ever (probably) came to light last month, and I think it's too soon to say who or what might be at risk. Is anyone else getting these messages? I emailed the WMF asking what's up ... no reply yet. If I keep getting these messages, I'll ask you guys for a temporary desysop, to be safe. - Dank (push to talk) 00:29, 9 January 2021 (UTC)[reply]

    If you have a strong password, there is nothing to be concerned about, and (more unfortunate) nothing that we can really do about it. However, should you be concerned that you might lose access to your account, we can of course temporarily remove the bit from your account. Primefac (talk) 00:31, 9 January 2021 (UTC)[reply]
    Thanks. I think it's too soon to pull the plug, but pull it I will if this keeps up. - Dank (push to talk) 00:33, 9 January 2021 (UTC)[reply]
    (Non-administrator comment) If you're concerned, I'd recommend you change your password to something new, and/or enable WP:2FA. power~enwiki (π, ν) 00:33, 9 January 2021 (UTC)[reply]
    I too got notification of 190+ attempts to log in to my account on a new device. Dan and I are both active in maintaining the Main Page, so disruption there might be the intent. I do have a strong unique password for this account. Stephen 00:45, 9 January 2021 (UTC)[reply]
    Yes do consider WP:2FA if you don't already have it. There were some successful compromises (with a fairly high success rate) in the past few days, and there seems to be more attempts that we don't know about. What I would advise is if you or anyone else gets a notification that someone else has successfully logged in, whether you are still able to log in or not, please contact a checkuser as soon as possible. -- zzuuzz (talk) 00:49, 9 January 2021 (UTC)[reply]
    I've personally seen an uptick in them the past few days. -- Amanda (aka DQ) 00:55, 9 January 2021 (UTC)[reply]
    • Bruteforcing is a highly ineffective way of trying to compromise an account, practically technically infeasible. If you have a long, non-reused, random password (example: "8hCTEwQ,~SV=95ACnas8zDuWqB(JfFCp" using a password manager, or something memorable like "juicy-firework-pineapple-green-horse"), the account will almost certainly not be compromised by bruteforce. 2FA is helpful as a reassurance, but not necessary. Consider that API keys for taking sensitive actions on many sites are about the same length, or shorter, than a long password here. ProcrastinatingReader (talk) 01:45, 9 January 2021 (UTC)[reply]
    • About the long password thing, even random long non-reused passwords can be less secure without 2FA. If you don't think that's a possibility - one compromised user recently told me that their computer had a keystroke logger. Yes, 2FA is useful as a security measure. It's not for everyone, but please do consider it. -- zzuuzz (talk) 08:36, 9 January 2021 (UTC)[reply]
        • Meh, I’m not sure using 2FA to obscure otherwise bad security practices (ie, those resulting in one ending up with a keylogger on their computer) is a good idea. Besides, if you have malicious software on your computer 2FA won’t help; your cookies could just get stolen. ProcrastinatingReader (talk) 09:48, 9 January 2021 (UTC)[reply]
    • From a comment I recently left elsewhere: There is no need to change your password, assuming it wasn't bad and preferably was not on list of common passwords (that is the useful page from the "Password Blacklist library" at m:Password policy). Wikipedia's advice is at WP:SECURITY. However, it is essential that you do not use a password for Wikipedia or for the email account associated with Wikipedia that you have ever used at any other website. That's because other websites are often hacked and lists of username/password are published that hackers can access, and they might try using any such combinations here. Johnuniq (talk) 02:33, 9 January 2021 (UTC)[reply]
    • I've been getting these all day, too. Normally, I'd get one or two a week from a certain someone, but today it has been 8 hours of non-stop targeting. Seems like someone badly wants to crack an admin account - Alison 09:32, 9 January 2021 (UTC)[reply]

    Maybe they're going for people with short names? Or common words? I got one too .... on both this account and Lollipop. Soap 09:40, 9 January 2021 (UTC)[reply]

    Who knows but one likelihood is that the attacks are what has happened before, namely someone is trying to match leaked username/password combinations from aggregation websites that list literally millions of hacked accounts. It's likely that many people have called themselves "Alison" or "Soap" when logging in to some minor website which was later hacked and their poorly defended password list stolen. The attacker might have 100 combinations for each of you (Alison + password2, Allison + 1234, etc.) and they have a program that tries them all. As I mentioned above, any decent password would be adequate to deal with that. Johnuniq (talk) 09:47, 9 January 2021 (UTC)[reply]
    Sorry to contribute to the split discussion but anyone interested in this might like to see some information I found here at WP:VPT. There is definitely a large attack underway. Johnuniq (talk) 10:13, 9 January 2021 (UTC)[reply]
    @Dank: If your password is strong and unique (you have never used it or a variant of it on any other service) you should be OK (if it isn't - change it to fix that!). I had to turn off that notification before, as there isn't really anything you can "do" about it. Regarding cookie re-use, if you manually log-off it will void all your sessions on all devices to all WMF sites. 2FA will not stop someone from guessing your password, but will help stop them from actually getting logged in as you. 2FA is also helpful against password-recovery attacks (where someone gains access to your email and uses it to reset your account) - as are extra controls on your email (many email providers have robust supported 2FA solutions as well). — xaosflux Talk 10:42, 9 January 2021 (UTC)[reply]
    •  Request withdrawn per above discussion, anyone may certainly ask for a desysop for any (or no reason) - but securing your account is normally sufficient. — xaosflux Talk 10:42, 9 January 2021 (UTC)[reply]
    • 2FA is really something all admins should be using (not policy, just my personal advice). Long randomized passwords protect against some kinds of attacks, but not all. For example, I would assume that any machine you use in a public location has a keylogger installed; 2FA is a good defense against that. -- RoySmith (talk) 22:17, 9 January 2021 (UTC)[reply]
      Never logging into an admin account from a public computer is even better :-) Boing! said Zebedee (talk) 22:25, 9 January 2021 (UTC)[reply]
    This. I only use my admin account from my desktop at home. I think most experienced admins are careful and use a separate non-admin account when away from home. If an admin is using their admin account on their phone, even with 2FA, they are taking a risk as 2FA is no protection if someone picks up your unlocked phone with the 2FA on it. I would say that, provided you have a unique and decent password, not using your admin account on your phone, and not using it away from home is a much better protection than having 2FA and feeling you can use your phone away from home. SilkTork (talk) 04:35, 10 January 2021 (UTC)[reply]
    SilkTork, Just to clarify, I don't suggest people log into public terminals with their admin accounts. I was just using that as an example of one kind of attack 2FA protects you against. I use 2FA on my own (admin) account on my laptop. I have a second (non-admin) account which I use on my phone, because I know my phone is much more likely to get lost or stolen.
    Other kinds of attacks 2FA protects you against include shoulder surfing, and plain old accidentally typing your password into the wrong window (we've all done that). If my LastPass account were ever to be compromised, it would protect against that too. Although to be honest, if that happened, the security of my wiki admin account would be very low on the list of things I'd be freaking out about. -- RoySmith (talk) 03:01, 11 January 2021 (UTC)[reply]

    Me too, FWIW --Dweller (talk) Become old fashioned! 18:11, 10 January 2021 (UTC)[reply]

    • Last time I tested it our 2FA system was half-baked. I don't recommend it. As for password compromises, the way to avoid them is to use a password manager and let it choose a unique random password for each account. Your risk is that somebody compromises the end point and steals the password from your computer or the service. Something like SRP protocol can help prevent passwords from being stolen from the service endpoint because they avoid sharing the password. Even if the service hashes passwords, it's not that hard to find collisions (a password with the same hash which will also work). What Wikipedia ought to do is implement automatic blocking of IP addresses, for a finite duration, after they are involved in a threshold number of failed login attempts. This would slow down brute force attacks. Another thing Wikipedia could do is download the HIBP database of compromised credentials and automatically disable any credentials found on the list. Jehochman Talk 14:35, 11 January 2021 (UTC)[reply]
      I have not had any issues with the 2FA system. (And I was hesitant to enable.)
      Wikimedia does already pull either the top 10k or 100k compromised phrases and forces a change for those passwords for old people trying to login and forces new accounts to avoid those. --Izno (talk) 17:24, 11 January 2021 (UTC)[reply]
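
The rate limit proposed in the thread above (a finite-duration block on an IP address after a threshold number of failed logins), combined with owner notifications like the ones that started the discussion, can be sketched as follows. This is an added example, not part of the original discussion and not Wikimedia's login code; the class name, thresholds and sample events are assumptions.

```python
"""Added example: finite-duration IP blocking after repeated failed logins.

Thresholds, names and the sample events are assumptions for illustration;
this is not MediaWiki's or Wikimedia's login code.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window=300, block_for=900, notify_every=5):
        self.max_failures = max_failures   # failures per IP before a block
        self.window = window               # sliding window, in seconds
        self.block_for = block_for         # block length, in seconds (finite)
        self.notify_every = notify_every   # failures per account per owner notice
        self._ip_fails = defaultdict(deque)     # ip -> deque of (time, username)
        self._blocked_until = {}                # ip -> time the block expires
        self._account_fails = defaultdict(int)  # username -> failures so far
        self.notifications = []                 # (time, username, total failures)

    def is_blocked(self, ip, now):
        return self._blocked_until.get(ip, 0) > now

    def attempt(self, now, ip, username, password_ok):
        """Process one login attempt and return the decision as a string."""
        if self.is_blocked(ip, now):
            # Rejected before the password is looked at, so a blocked source
            # learns nothing even if this guess would have been correct.
            return "rejected"
        if password_ok:
            # Failures are not reset on success; otherwise a guesser could
            # interleave logins to an account they own to stay under the limit.
            return "allowed"

        # Per-account counter: notify the owner, but never lock the account,
        # because a lockout would let anyone deny service to a named admin.
        self._account_fails[username] += 1
        total = self._account_fails[username]
        if total % self.notify_every == 0:
            self.notifications.append((now, username, total))

        # Per-IP sliding window of recent failures.
        fails = self._ip_fails[ip]
        fails.append((now, username))
        while fails and fails[0][0] <= now - self.window:
            fails.popleft()
        if len(fails) < self.max_failures:
            return "failed"

        self._blocked_until[ip] = now + self.block_for
        targets = {user for _, user in fails}
        fails.clear()
        # Many usernames from one source suggests a leaked username/password
        # list being replayed; one username suggests guessing at one account.
        if len(targets) > 1:
            return "blocked:many-accounts"
        return "blocked:single-account"


def replay(events, throttle):
    """Feed (time, ip, username, password_ok) tuples through the throttle."""
    return [throttle.attempt(*event) for event in events]


# Constructed sample events: (seconds, source IP, username, password_ok).
# IPs come from the RFC 5737 documentation ranges; usernames are made up.
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "ExampleAdmin", False),
    (10, "192.0.2.10", "ExampleAdmin", False),
    (20, "192.0.2.10", "ExampleAdmin", False),
    (30, "192.0.2.10", "ExampleAdmin", False),
    (40, "192.0.2.10", "ExampleAdmin", False),   # fifth failure: block
    (50, "192.0.2.10", "ExampleAdmin", True),    # correct guess while blocked
    (60, "203.0.113.7", "ExampleAdmin", True),   # owner, different address
    (100, "198.51.100.5", "UserA", False),
    (101, "198.51.100.5", "UserB", False),
    (102, "198.51.100.5", "UserC", False),
    (103, "198.51.100.5", "UserD", False),
    (104, "198.51.100.5", "UserE", False),       # fifth failure: block
    (1000, "192.0.2.10", "ExampleAdmin", False), # first block has expired
]

if __name__ == "__main__":
    throttle = LoginThrottle()
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, throttle)):
        print(event, "->", decision)
    print("owner notifications:", throttle.notifications)
```

A per-IP limit only slows a single source: attempts spread across many addresses, or paced slower than the window, stay under it, which is why the per-account notification is kept separate from the block.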

    Resysop request (Ivanvector)

    Requesting restoration of my administrator privileges, following an incident last week. I've taken all the steps I think I can to ensure my account's security (logged out, changed passwords, and same on my password manager and recovery email account), and verified with checkusers to the extent possible that there don't seem to have been any attempts to access my account.

    Thanks to everyone who has reached out with messages of support, both on- and off-wiki. They are greatly appreciated. Cheers. Ivanvector (Talk/Edits) 19:32, 13 January 2021 (UTC)[reply]

    • No concerns, standard 24-hour hold for restoration of sysop access. — xaosflux Talk 20:01, 13 January 2021 (UTC)[reply]
    • Given this was a security removal and not a resignation, I don't see the need to wait the standard 24 hours, and we can let Ivanvector get back to their good work.  Done -- Amanda (aka DQ) 20:56, 13 January 2021 (UTC)[reply]
      I don't see where policy allows for any exception, regardless of circumstances. Being that this was security related, if anything, would make it more important such that time is allowed for comments and can be considered before handing back the bit. Dennis Brown - 22:30, 13 January 2021 (UTC)[reply]
      Wikipedia:Bureaucrats#Restoration_of_permissions and Wikipedia:Administrators#Restoration_of_adminship seem to be pretty clear that this hold is expected. So what to do now? On the one hand, absent any actual complaints I don't see the practicality of continuing to flip flags on Ivanvector's account. I do feel that @AmandaNP:'s action was a bit rogue though, even if in good faith. Can't see any reason to drag this to ArbCom - but will float the idea of an informal admonishment to the other crats here. Any thoughts from the rest of our cohort? — xaosflux Talk 00:12, 14 January 2021 (UTC)[reply]
      Just thoughts from crats? --Floquenbeam (talk) 00:40, 14 January 2021 (UTC)[reply]
      @Floquenbeam: not trying to quell discussion from anyone else, just floating some idea; - as I said above, I'm assuming good faith here and can't see any serious proposal to issue other remedies being helpful. Also, policies and policy interpretations can change - and if this is reflection of a new community norm we can document it. — xaosflux Talk 00:45, 14 January 2021 (UTC)[reply]
      OK, then for what it's worth, I think Amanda's quick resysop was fine for this particular set of circumstances, for the reason that she gave. I don't see it as a mistake. But I'd hope that, at absolute worst, if this view is in the minority, that this discussion is refocused as "what do we as crats want to do next time", rather than any kind of "informal admonishment". Crats seem to get along as a group better than most other groups on WP. I'd hate for that to change and see informal admonishments become a thing. --Floquenbeam (talk) 00:55, 14 January 2021 (UTC)[reply]
      (ec) The link to the permissions restoration policy is clear that a minimum of 24 hours is required. If I recall correctly, the discretionary portion of the resysopping procedure was added in order to be more conservative rather than more liberal. Turning the bit back off to return to the status quo would probably be just a formality, and, in fact, I'm not even certain that that can technically be done within policy, barring WP:IAR, which isn't something I'd be prone to invoke in a bureaucratic capacity, so I will decline to flip it back. While I do agree with Dennis Brown's statement, I have no comment on Xaosflux's floated idea. As a rule, I stay out of that sphere. Useight (talk) 01:02, 14 January 2021 (UTC)[reply]
      Going to agree on multiple points. Unless there is a substantiated concern in the next... 18(ish) hours, flipping the bit just for the formality of it is pointless (and for what it's worth the CUs and Arbs are fairly convinced the account has not been compromised). Should this sort of thing happen in the future? Likely not, even in clear cut cases such as this (and given the general feedback in this discussion). I would also say that there is little point in going through any formal process w.r.t. Amanda for doing said action; if anything it gives us the opportunity to discuss the matter. Primefac (talk) 01:54, 14 January 2021 (UTC)[reply]
      My primary reason for mentioning it wasn't to change the status or raise a stink, but to insure it didn't happen again in the future. I was a bit taken aback that a Crat would do that, seeing that Crats have a reputation for being very conservative about applying policy. I know Amanda reasonably well and respect her, but felt it was necessary to point out the mistake, regardless of who did it. Dennis Brown - 00:49, 14 January 2021 (UTC)[reply]
      I'm not too big on bureaucracy or policy adherence, but from a security viewpoint and as with future cases in mind, it would make sense to give the REAL Ivanvector (as opposed to the community) the chance to offer an objection to a potential compromise by an imposter. Hence I think a delay would be appropriate even in these particular circumstances, next time. For now, we'll just have to keep an eye on Ivan :) -- zzuuzz (talk) 01:25, 14 January 2021 (UTC)[reply]
    • The risk of someone at his former place of work who is not Ivanvector finding BN, learning how to wikilink to the resignation, and also take his somewhat distinct cadence of writing in order to get admin flags is, to be blunt, practically non-existent.
      Ivanvector was right to resign the tools as accidental compromise of sensitive accounts is probably the biggest risk. Once someone has access to an account they find has special buttons they might do something damaging. That’s a real risk. One of his former coworkers caring this much to impersonate him really isn’t. The policy calls for 24 hours, so if you want to yell at AmandaNP for that, I guess you can. There’s no real security risk here, though. Human nature and motivations are as much a part of IT risk assessment as the technical measures that we like to focus on. TonyBallioni (talk) 06:29, 14 January 2021 (UTC)[reply]
    • As above — not an issue here, clearly good faith, probably shouldn't happen again. Someone gets a little trout for dinner, nothing more. ~ Amory (utc) 11:54, 14 January 2021 (UTC)[reply]
    • It's done, so it's done, but I hope that it doesn't happen again, particularly in a case where there have been security concerns and the community may wish to see that several 'Crats are satisfied that those security concerns have been checked and cleared. 'Crats are here to uphold consensus and not push the envelope on what is and is not permitted. There was no imperative involved here which would justify not waiting the standard 24 hours. I don't know what we do if it happens again, or a 'Crat pushes the envelope too often. I suppose we have a 'Crat chat and issue a formal warning? And if it happens again after a formal warning, we request an ArbCom case? SilkTork (talk) 15:19, 14 January 2021 (UTC)[reply]
    • On User:Xaosflux's request to gather thoughts on an informal admonishment - I think by default an informal admonishment is already occurring. I should think by now Amanda would have taken on board this was an action that has provoked discussion, and I doubt if Amanda will do it again. I don't think we need go any further than that. However, the community may wish to consider if it may be appropriate to draft a formal process to outline what happens when a 'Crat is making decisions which cause concern. Is it just 'Crats who can issue informal or formal admonishments to a 'Crat? Because of the "get along as a group" aspect to 'Crats, perhaps 'Crats really aren't best placed to be the ones to judge or admonish a fellow 'Crat. How would the community feel about a 'Crat acting out of consensus, and fellow 'Crats shrugging and saying that's OK, because it appears we don't want to upset the group camaraderie? I'd welcome the community discussing the issue of a 'Crat making decisions which cause concerns, and drafting a proposal for a route to resolve such matters. I should think that any user could take a 'Crat to ArbCom if they felt that 'Crat was making serious errors of judgement. But what about minor errors of judgement which are eroding confidence in that 'Crat? SilkTork (talk) 15:51, 14 January 2021 (UTC)[reply]
      @SilkTork: not sure the best way - I think this was a bad execution, but I don't think it needs a corrective action; I do think it should be discouraged from reoccurring barring new community standards emerging. If this was a similar admin action I'd say WP:TROUTing would be in order - but that seemed a bit wrong. I suggested admonition in the sense that I think that this was an inappropriate action and that we would oppose future occurrences of the same. We are a unique group in that there are a few special processes that rely on the consensus of only crats, also related to the administrator of administrators. — xaosflux Talk 16:04, 14 January 2021 (UTC)[reply]
    "oppose future occurrences of the same". Agree - both in the sense of Amanda acting out of consensus again (which I truly doubt she would), and of any 'Crat resysopping without waiting 24 hours again (which I also truly doubt would happen). However, where I'm not sure is how that opposition would take place. Is there, for example, any precedent for a 'Crat reversing a 'Crat action? How do we get consensus for reversing a 'Crat action? Are 'Crats the ones best placed to issue admonishments, given that we are such a small group and some may not wish to create tension within the group. Indeed, in this issue, where a 'Crat has clearly and deliberately flouted consensus, we are tip-toeing around it and saying it was done in good faith, that it doesn't matter, that it was a minor incident, etc. On the other hand, given the nature and circumstances of the incident, it was relatively minor, and I can't see the community really wanting to take this particular incident any further. It's not serious enough for an ArbCom case; it is, as you say, just an incident which requires a trouting - an informal, even friendly, reminder to the individual to take more care in future - particularly where there are security concerns. And I think in this discussion we have done that. As such I don't think this particular incident needs to be taken any further. But I do feel there is room for the community to look into how we deal with such incidents in future. And I don't think it is our place to decide that alone. It has to be a community decision. SilkTork (talk) 17:52, 14 January 2021 (UTC)[reply]
    I think it is even more simple than this, although I don't disagree with your logic. The community has already spoken when it wrote the policy (something I was actually quite involved in). Amanda's actions were counter to the policy, but I have to assume it was an innocent mistake as I can see no malice, nothing to be gained by Ivan or Amanda by the move. A non-Crat (me) was the first to point it out. Several people have spoken out about it and more or less agree, so this discussion is already creating a consensus that confirms the original consensus, that there should always be a 24 hour wait. Understandably, Amanda hasn't replied, waiting for the smoke to settle, but really there isn't any need for smoke or fire. It was a mistake, nothing was broken, the discussion confirms that the policy should be taken very literal. I would oppose ANY action to sanction or make an Arb case from it, as it would be overkill for this singular incident. For me, the best outcome is it being closed at the appropriate time with a statement that "The community agrees that the policy should be strictly viewed when it comes to the 24 hour wait to resysop. No further action is needed". Amanda needs to be informed, but not trouted or admonished. Dennis Brown - 18:14, 14 January 2021 (UTC)[reply]
    Is there, for example, any precedent for a 'Crat reversing a 'Crat action? Only around Floq and the Fram incident, but I think most of us would agree that was a rather crazy situation. That did end up before ArbCom (mostly as an add-on to the case) but we were just given a slap on the wrist for wheel-warring over Floq's Fram's perms. Primefac (talk) 18:18, 14 January 2021 (UTC)[reply]
    Wasn’t there an RfA closed by a Crat who voted and so another crat had to reclose it, Xeno I think? ProcrastinatingReader (talk) 18:26, 14 January 2021 (UTC)[reply]
    Pretty sure that's not what SilkTork was getting at. Additionally, that's a re-close, not any sort of reversal. Primefac (talk) 18:29, 14 January 2021 (UTC)[reply]
    No, but I think some of the same questions as SilkTork mentions were discussed (eg whether a consensus of crats, or even the crat themselves, can reverse a crat action if it involves desysopping), I suppose for the event that the reclose was no consensus. I may be misremembering, and can't check since I don't remember whose RfA it was being discussed (it'll be in the archives here, though). Perhaps someone else remembers. ProcrastinatingReader (talk) 21:10, 14 January 2021 (UTC)[reply]
    Ah, here it is, and it was for this RfA. ProcrastinatingReader (talk) 21:13, 14 January 2021 (UTC)[reply]
    @Primefac: just for posterity's sake - and not to reopen any old wounds - but I think you're slightly misremembering. No Crats wheel-warred over my perm. WJBscribe reversed a ThePowersThatBe desysop, but he didn't reverse a Crat, and no Crat reversed him. --Floquenbeam (talk) 18:34, 14 January 2021 (UTC)[reply]
    You're right, I don't know why I thought it was you; we did wheel-war over Fram's bit being restored. I've updated my statement above. Primefac (talk) 18:49, 14 January 2021 (UTC)[reply]
    • I'm disappointed to see this characterized as a mistake. I understand that the 'crats owe greater care to security removals and restorations, but this was well scrutinized before I posted here. I explained in much more detail on private email lists (from a known email which was not exposed) and also confirmed with stewards/checkusers that there had been no attempts to access my account. Amanda and several of the other functionaries who have commented here are on those lists (and the thread was also copied to Arbcom) but I think the users who have called this a "mistake" would not have seen those discussions. Of course I can't say if that factored into Amanda's decision to restore my userright before the standard hold (and wasn't expecting it), all I'm saying is there was nothing careless about any of this. So please hold off on the admonishments. Ivanvector (Talk/Edits) 18:43, 14 January 2021 (UTC)[reply]
      The problem is that it was a mistake. Policy is crystal clear on this, and doesn't allow for exceptions, regardless of circumstances. This doesn't mean admonishments are required, but an acknowledgement that it was an honest mistake would be welcomed. Dennis Brown - 19:59, 14 January 2021 (UTC)[reply]
      @Dennis Brown: Alright, fine. If exceptions are not allowed, then policy is crystal clear that I have been re-opped in error and against policy. You must remove my sysop flag, and wait 24 hours for community input before restoring it. I'll wait for the notification that the flag has been removed again. Ivanvector (Talk/Edits) 18:14, 15 January 2021 (UTC)[reply]
      I've already said I was against that, and no one is blaming you. I pointed out a mistake and said we should not repeat it in the future. Anything more made of it isn't on me. Admins are expected to get bold from time to time, Crats are not. Their reputation and standing depends on them not doing so. Dennis Brown - 21:53, 15 January 2021 (UTC)[reply]
      Even if they wanted to do that, purely as an academic exercise, there doesn't seem to be a provision at Wikipedia:Bureaucrats#Removal_of_permissions for crats unilaterally removing a sysop flag given in error? ProcrastinatingReader (talk) 18:20, 15 January 2021 (UTC)[reply]
    • If nothing else, I'm kind of impressed with Wikipedia's unshakeable ability to reliably turn the tiniest of molehills into mountains. --Floquenbeam (talk) 18:18, 15 January 2021 (UTC)[reply]
    • I can't say I agree with Floq that often, but I agree with Floq's statement above. This debate gets at the heart of what bothers me the most about the role of 'crats: these are people who have received an overwhelming amount of community endorsement...in order to follow the rules exactly as they're written, without an inch of deviation (except for 'crat chats, at which point they're suddenly allowed to have opinions). In this case, Amanda applied IAR, which happens to be a fundamental principle of Wikipedia. Per Ivanvector's comments above, the security of their account was amply confirmed to functs and ArbCom, and so their self-requested temporary desysop is no longer necessary. No damage has been done. All I see here is arguing over bureaucracy for the sake of bureaucracy. SubjectiveNotability a GN franchise (talk to the boss) 18:32, 15 January 2021 (UTC)[reply]
      I can't say I agree with Floq that often... :o !! --Floquenbeam (talk) 18:37, 15 January 2021 (UTC)[reply]
      They are bureaucrats after all. Do we really want crats using their judgement to make IAR decisions? Seems to be a one way street to controversy. The next logical step would be that a SNOWing consensus of community support, 100 votes and 0 opposes for example, in favour of removing a sysop bit means that removal of the bit should be actioned by crats[1] ProcrastinatingReader (talk) 18:50, 15 January 2021 (UTC)[reply]
      I am wholeheartedly in favor of 'crats using their judgment when necessary. I can't speak for anyone else (and frankly, not sure if I can even speak for myself - I don't know if I've ever voted in an RfB), but if I were to !support someone in an RfB, that means I trust them to make decisions involving the crat bit, including ignoring rules when necessary. Your scenario is not at all a "next logical step," it's a slippery slope argument. Here, Amanda skipped one part of a community-consensus rule (admins who resign the bit may have it back on request after a 24-hour hold) in a case where that rule clearly applied but had what I would consider mitigating factors (self-requested desysop due to security concerns, security concerns have been dealt with and apparently verified by functs, I can see literally no reason why Ivanvector should not have the bit back immediately). What you're suggesting, though, is inventing new 'crat powers out of whole cloth, which is not at all the same thing. SubjectiveNotability a GN franchise (talk to the boss) 19:12, 15 January 2021 (UTC)[reply]
      I do think it’s a bit of a slippery slope. After all, what inherently makes one IAR application any more legitimate than another? If it could be decided in advance, it would be a PAG, not IAR. ProcrastinatingReader (talk) 19:14, 15 January 2021 (UTC)[reply]
    • Oh wow, we're still on this? If you want crats to unthinkingly follow the letter of policies, you should check out this aptly named policy and this 19 year old policy. Now obviously crats shouldn't go around flipping the sysop bit willy-nilly, but why appoint them if we don't trust them to use their brains? As Tony explains, the risk of Amanda's action was outrageously low and absolutely nothing bad happened because of the effort CUs and Ivan put into making sure the account was secure before making the request; most unblock requests pose a greater threat to the encyclopedia than this resysop request did. I'm opposed to process for the sake of process, especially in cases like this where it is so obviously pointless. If you want a policy citation for that opinion, see my links above or check out WP:SNOW. Wug·a·po·des 21:56, 15 January 2021 (UTC)[reply]
    • I think Dennis summed it up well. Crats are expected to follow the letter of policy. The only time past that might be extraordinary situations, which this certainly is not. IAR does not apply as there was no big need to help the encyclopedia that could not wait 24 hours. Policy is explicit here, wait 24 hours. I am also pretty sure Amanda acted in good faith and that she won't do this again. All that said I don't think there is anything to do here. PackMecEng (talk) 22:25, 15 January 2021 (UTC)[reply]
    • I obviously did not think I would be making that controversial of a decision flipping Ivanvector's bit back on, and obviously I didn't think it would be disruptive enough to warrant the procedural request below this. For those of you who are wondering "what the fuck was she thinking" at the time, it basically follows on what Wugapodes said. Wikipedia is not a bureaucracy and IAR. I thought those two ideas were strong enough to skip the language (I had only read WP:CRAT at the time) of the requirement. Beyond that, Ivanvector's account was not compromised and this was a precautionary measure, which was good on Ivanvector to take. Even if the account did turn out compromised (which I agree with Tony's comments on the very very very low likelihood), it wouldn't be something a 'crat would have to deal with, it goes to a steward for a global lock at that point, who are much faster than our slow "need a discussion" butts. Beyond that, I don't think we've had (if ever) a person in a long time that has taken this security precaution, and I'm not sure it was taken into account when the policy was written requiring the hold. I don't think the community needed an excessive amount of grilling Ivanvector about account security when they took the utmost precautions himself. If the community wants to trout me for this action, I'll take it and not do it again, though I do think the reasoning is still solid. -- Amanda (aka DQ) 01:27, 16 January 2021 (UTC)[reply]

    Moving forwards

    Arguing over whether this was a mistake or a good application of IAR isn't helping. Can we just agree a way forward for the future?

    I suggest that a 24 hr wait is a very small price to pay for community scrutiny, which is valuable. I propose we strengthen the point in RESYSOP about the delay by adding "in all cases" or "without exception" or something. It won't prevent a future mistake (us Crats are human, I've heard) but it will clearly tell Crats not to IAR on this. --Dweller (talk) Become old fashioned! 11:35, 15 January 2021 (UTC)

    I don't know if we need to clarify the language; I've added emphasis — it is required that a minimum of 24 hours elapse — in order to make that point clear. Primefac (talk) 12:01, 15 January 2021 (UTC)

    Procedural desysop request - Ivanvector

    Per the discussion above, and per the bureaucrats information summary page (I didn't know that was a thing but it's explicitly not a policy), I am formally requesting removal of my administrator permission. Again.

    There was absolutely no need to have made a big deal over this, but since some users felt the need to make it a big deal anyway with my and Amanda's names attached, let's undo all of these "mistakes" and go back to the start, doing things exactly to the letter of policy. While you might think I'm doing this only to make a point, understand my position here: as a functionary I work in highly sensitive areas and do things that tend to make people angry. I don't need to be exposed to the inevitable harassment that any admin actions I make are illegitimate because my rights were restored out of process. I'm not going to be Wikipedia's poster child for deviations from bureaucrat procedures; I get enough crap as it is.

    @AmandaNP: I'm very sorry that your kind and rational (and policy-supported) decision has led to this course of action. Ivanvector (Talk/Edits) 23:59, 15 January 2021 (UTC)

    I am going to clerk this section as a 'crat, and remove any non-crat (or non-Ivanvector) posts. This is a 'crat decision to make and we don't need the peanut gallery chiming in. I am also declining to enact this request (per the "may" in the procedures). Primefac (talk) 00:04, 16 January 2021 (UTC)
    As this is a rather WP:Pointy request I for one am not going to carry it out. We are all volunteers here, and are not obliged to do anything we don't wish to. SilkTork (talk) 01:32, 16 January 2021 (UTC)
    Ivanvector, I would actively decline this request. (Per my colleagues above, but going further as an active decision) People say pointy, I say pointless. This is a molehill, that can be sorted with words, not actions - I for one accept Amanda's reasoning, but also ask that she (and other crats) do not skip that 24h in future. I don't think anyone is asking for more (except Dennis who wanted the word mistake, but I don't think that's necessary).
    I also appreciate the chance to genuinely decline a self desysop! Since the rules state that resignation can be for any reason - look, I'm IARing as a crat! WormTT(talk) 08:46, 16 January 2021 (UTC)
    • Decline. I appreciate the intention though. Can we just move on now please? --Dweller (talk) Become old fashioned! 18:18, 16 January 2021 (UTC)