Talk:Heartbleed/GA1


GA Review


Reviewer: 3family6 (talk · contribs) 15:46, 3 November 2014 (UTC)


GA review (see here for what the criteria are, and here for what they are not)
  1. It is reasonably well written.
    a (prose, no copyvios, spelling and grammar): b (MoS for lead, layout, word choice, fiction, and lists):
    No apparent copyvios, and the prose for the most part is acceptable. Layout and MOS standards are satisfactory. I have some comments, though:
  • "It was reported by a professor at University of Michigan that a computer in China that had been used for hacking and other malicious activities attempted on April 8, 2014 to exploit Heartbleed to attack a university server, which was actually a honeypot intentionally left vulnerable, designed to attract attacks which could then be studied.[50]" - This sentence is a disaster. I'd suggest rewriting as something like: "On April 15, 2014, J. Alex Halderman, a professor at University of Michigan, reported that his honeypot server, an intentional vulnerability designed to attract attacks in order to study them, had received numerous attacks originating from China. Halderman concluded that because his honeypot was a fairly obscure server, these attacks were probably sweeping attacks on large swaths of the Internet."
  • Jumping off from that, the whole history section should be cleaned up. It's not that the information isn't good, it's actually quite informative. But right now it's little clusters of small paragraphs. The examples should be elaborated upon and better integrated into the overall flow of the section.--¿3family6 contribs 03:21, 10 November 2014 (UTC)
  2. It is factually accurate and verifiable.
    a (reference section): b (citations to reliable sources): c (OR):
    This article is very well referenced, but the reference style needs to be consistent. Right now some references are merely a title that links to the source, plus the source date, while other references also provide the publishing website, and yet others provide not only the publishing website but the company supporting that website. My point is, the references need to follow a consistent standard.--¿3family6 contribs 03:21, 10 November 2014 (UTC)
  3. It is broad in its coverage.
    a (major aspects): b (focused):
    Scope, focus, and focus all check out.--¿3family6 contribs 03:21, 10 November 2014 (UTC)
  4. It follows the neutral point of view policy.
    Fair representation without bias:
    Article looks neutral to me.--¿3family6 contribs 03:21, 10 November 2014 (UTC)
  5. It is stable.
    No edit wars, etc.:
    There have been some disputes in the past, but whatever the problem was seems to have worked itself out, as the article has been stable for over a month apart from a single instance of vandalism.--¿3family6 contribs 16:03, 7 November 2014 (UTC)
  6. It is illustrated by images and other media, where possible and appropriate.
    a (images are tagged and non-free content have fair use rationales): b (appropriate use with suitable captions):
    Images check out. All free, with correct licensing info.--¿3family6 contribs 16:03, 7 November 2014 (UTC)
  7. Overall: Almost there, just needs some polishing up in the prose.
    ✓ All issues resolved.--¿3family6 contribs 20:22, 25 November 2014 (UTC)
  8. Pass/Fail:
How's your progress, AmritasyaPutra? The changes you made certainly improved the article, but they aren't complete yet.--¿3family6 contribs 15:25, 14 November 2014 (UTC)
Yes, I will continue with the change, have been busy with my studies lately. I will need a few more days (let's say five). Thank you! --AmritasyaPutraT 14:08, 16 November 2014 (UTC)
That's acceptable. I completely understand. I don't mind this taking a while if you actually are trying to work on it.--¿3family6 contribs 18:11, 16 November 2014 (UTC)
I think the last edits by AmritasyaPutra took out too much content for no reason and in some cases oversimplified so that some of the remaining content did not make sense. For example "Possible prior knowledge and exploitation" is far less clear than "Possible knowledge and exploitation prior to disclosure"; the words "as part of a stockpile" make the purpose of the alleged NSA withholding clear; and the "only 43%" and "In addition, 7%" wording indicate why these percentages are important. Tiptoethrutheminefield (talk) 21:01, 19 November 2014 (UTC)
However, I wonder about the "naming of names" in the history section. This risks giving undue weight (and undue blame). Though there is some content to give balance and context in the Root causes, possible lessons, and reactions section that indicates how much work on the coding was underpaid or unpaid and how impossibly small the development team was to oversee so much code. Tiptoethrutheminefield (talk) 21:17, 19 November 2014 (UTC)
Tiptoethrutheminefield, what do you mean by "naming of names?" Could you provide specific examples of what you see a problem with? AmritasyaPutra, I agree with Tiptoe that your edits, though they cleaned things up, destroyed some of the context. My problem with the history section wasn't so much the detail, but that the detail wasn't explained. It needs more context, not less.--¿3family6 contribs 02:16, 20 November 2014 (UTC)
The History section content names two people, Robin Seggelmann and Stephen N. Henson, saying essentially that they were to blame for the flaw existing - the first for creating it, the second for not noticing it: "Henson failed to notice a bug in Seggelmann's implementation, and introduced the flawed code...". While this seems correct, it is said without any wider context (for example, sources explain that OpenSSL development is mostly unfinanced, with no budget for proper code checking, yet users still expect something for nothing and expect it to be perfect and set up critical systems with the unjustified assumption that it IS perfect). There is something about that in that later section I mentioned, but that section is far away from the section that names those two individuals. Tiptoethrutheminefield (talk) 02:52, 20 November 2014 (UTC)
Well, it shouldn't be that hard to add some context to that section that discusses this.--¿3family6 contribs 05:03, 20 November 2014 (UTC)
I understand your concern, but unlike 3family6, I'm not sure how this could be significantly improved without important duplication. It is important to name names, not just for imputability (they made a big mistake), but to let readers take a lesson on the importance of code review (among other things). This wasn't Joe Blow committing his quick hack to OpenSSL. It was 2 highly-educated security experts - including one core OpenSSL developer holding a Ph.D. Yet, they both failed to avoid/notice the error, and both felt confident enough to proceed.
Our treatment is not only correct - indeed - but it does not "explicitly blame" anyone, it clearly shows that the responsibility is shared, and it does not suggest that the bug was introduced intentionally. That being said, I think they both made an honest error. I agree that the "Root causes, possible lessons, and reactions" section helps, and it's unhelpful that it is found at the other end of the article. Unfortunately, History is typically the first section, and the root causes section is quite rightly at the end (if sections are to be ordered by importance). I don't see a good restructuring which would help. Perhaps we could make the Appearance subsection link to the "Root causes, possible lessons, and reactions" section?? I don't remember seeing this kind of link elsewhere. --Chealer (talk) 05:03, 21 November 2014 (UTC)
I am the article's top contributor. This article is coming from very far, but it has made a very long way since I discovered it, thanks to the work of myself and many others. I personally invested many tens of hours in it, mostly to improve quality. I reviewed pretty much all of it. Reliability should be pretty high. I've already seen this GA process fix some of the more minor issues which had had less attention, like references. I am not knowledgeable about quality ratings, but I tend to agree that B may understate this article's quality.
I do not see much improvement possible in the History section. Some improvement can surely be made (perhaps adding new information), but this is one area which already received a lot of attention. --Chealer (talk) 04:04, 21 November 2014 (UTC)
This section is mostly okay now. The "Exploitation" section just needs to see the one-paragraph sentences merged together.--¿3family6 contribs 04:19, 21 November 2014 (UTC)
I agree the Exploitation section isn't impressive, in particular the crude "Anti-malware researchers exploited Heartbleed to access secret forums used by cybercriminals." There is some value in separating the elements covered by each paragraph, but it seems it is not enough to warrant different paragraphs. Unfortunately I do not see a good alternative. A list seems inappropriate, and a table would be complicated since we do not have a real date for some elements. --Chealer (talk) 04:43, 22 November 2014 (UTC)
I disagree with the removal of the date of Google's notice from the History section in revision 633247602. The time taken by OpenSSL to release a fix is very important, and since Google's notice was the first, I find its date most relevant. If the reason was the reference used, I agree a better reference than Google+ would be nice, but if we don't have one, I don't think that justifies removal. --Chealer (talk) 04:04, 21 November 2014 (UTC)
Yes, that information should be restored.--¿3family6 contribs 04:19, 21 November 2014 (UTC)
I restored the paragraph. --Chealer (talk) 22:18, 22 November 2014 (UTC)

Status?

AmritasyaPutra, it's been well over five days. Tiptoethrutheminefield and Chealer have pitched in here as well, but some of my concerns have still not been resolved satisfactorily. Right now, the "Exploitation" section needs a bit of polishing, and the reference list needs to maintain a consistent format. I understand about the pressures of keeping up with one's studies, plus participating in the GA cup, but there hasn't been much activity on this page. I'll leave this nom open for another few days, after which I will have to fail it.--¿3family6 contribs 21:16, 24 November 2014 (UTC)

I made a few minor changes to the Exploitation section; another editor also pitched in and preferred to keep the smaller paragraphs separate owing to separate events. I have added author detail and accessdate to references and replaced all bare references with cite web format with details. I hope that helps. I will wait for your feedback. Thank you. --AmritasyaPutraT 15:37, 25 November 2014 (UTC)
The sources look much better, thank you. I reverted the edits by that editor, as I, as the GA reviewer, insisted that the paragraphs be merged. The passages are all commonly linked by anti-malware/security research. All that remains for correction are these two phrases in "Exploitation:"
  • "Anti-malware researchers also exploited Heartbleed to their advantage by exploiting it to access secret forums used by cybercriminals." - repetitive use of "exploited"
  • "On August 2014, it was made public that Community Health Systems, a provider of general hospital healthcare services in the United States, had been breached by exploiting Heartbleed, compromising the confidentiality of 4.5 million patient records." - shouldn't this read "had been breached through an exploitation by Heartbleed?"--¿3family6 contribs 17:37, 25 November 2014 (UTC)
@3family6: thanks for that, I have reworded the statements to get rid of over-use of 'exploit' and circumvent use of 'breach' altogether. --AmritasyaPutraT 18:16, 25 November 2014 (UTC)
Looks good, everything is all set now.--¿3family6 contribs 20:22, 25 November 2014 (UTC)