Page MenuHomePhabricator

Query percentage of English Wikipedia admins without 2FA
Closed, ResolvedPublic

Description

Hi sec team, I've been advised to get this cleared by yourselves before proceeding any further - I'd like to add a line to an upcoming Administrator Newsletter on the English Wikipedia saying something along the lines of only x% of you have enabled 2FA - please consider enabling it now

Some people have expressed concerns that publicly releasing this percentage could be seen as an attack vector - what do you think?

Event Timeline

Samtar created this task.Feb 7 2017, 9:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 7 2017, 9:33 PM

Personally I think its a reasonable risk relative to the benefits of comvincing more admins to enable 2fa. (However please hive a chance for other security team members to comment before doing it)

Dont release the status of which admins have it enabled.

Bawolff added a subscriber: Reedy.Feb 8 2017, 12:23 AM
Samtar added a comment.Feb 8 2017, 9:40 AM

@Bawolff will do, I can't personally run the query so I'll ask whoever does just to read through this (providing the comments from other members of the team are positive) and only return a percentage

Ugh. How would we even query this? Either it's a query across multiple dbservers to get to the centralauth db...

Or we do it on user preferences? Else writing a maintenance script

I think it's reasonable to do; it doesn't show any personally identifiable data

@Jalexander Any comments from your end about "releasing"/publicising this information if we get it? :)

Ugh. How would we even query this? Either it's a query across multiple dbservers to get to the centralauth db...
Or we do it on user preferences? Else writing a maintenance script
I think it's reasonable to do; it doesn't show any personally identifiable data
@Jalexander Any comments from your end about "releasing"/publicising this information if we get it? :)

As long as there is no way to figure out 'who' doesn't have it I think its a reasonable risk. That would mostly mean percentage only and large wikis only (if others ask) because the smaller the wiki is the more of a problem that becomes.

Legoktm added a subscriber: Legoktm.Feb 8 2017, 7:42 PM

This is a duplicate of {T150589} (we should probably make that public now).

Samtar added a comment.Feb 8 2017, 7:44 PM

@Legoktm helpful! :-D either way, good to know it's been discussed/looked at elsewhere as well!

Thank you all for your comments. Am I right in summarising this discussion as it's okay to do providing the public result is a plain "x% of admins haven't enabled 2FA"?

Yes I think so, presumably with some minimum number of admins on the wiki.

Samtar added a comment.Feb 8 2017, 7:47 PM

Personally I'm only interested in (and thus will only be requesting) the English Wikipedia

How about this plan. I can run a query for English Wikipedia and if it proves useful we can talk about looking at the other wikis and doing the analysis over time, as we see fit and the data indicates.

Sounds great :-)

Ok, results. 203 out of 1274 admins on english wikipedia have enabled two-factor auth. Let's make sure I did the numbers right. I assumed the following:

  • if someone has two-factor authentication enabled, their gu_id from globaluser will be found in centralauth.oathauth_users
  • I can join enwiki.user to centralauth.globaluser by user_name = gu_name and that join makes sense (it should, and seems to join fine)
  • you're an admin on english wikipedia iff you're in the 'sysop' group

If that's true, then the following query will join all the right tables together and count who enabled two-factor. You can run just the inner query to spot check and make sure this makes sense, if you have rights to query the slaves. I did that and it seemed to make sense to me, like most WMF employees had it turned on.

 select count(*) as sysops,
        sum(has_two_factor) as enabled_two_factor
   from (select user_name,
                if(id is null, 0, 1) as has_two_factor
           from enwiki.user
                    inner join
                enwiki.user_groups          on ug_group = 'sysop'
                                            and ug_user = user_id
                    inner join
                centralauth.globaluser      on user_name = gu_name
                    left join
                centralauth.oathauth_users  on gu_id = id

        ) two_factor_status_of_all_sysops
;

+-------+--------------------+
| sysop | enabled_two_factor |
+-------+--------------------+
|  1274 |                203 |
+-------+--------------------+
chasemp triaged this task as Medium priority.Sep 4 2018, 4:06 PM
chasemp edited projects, added acl*security; removed Security-Team.

It's been a couple of years since the query was ran in this task, might be nice to know what the latest figures are.

A few less sysops, a few more with 2FA (note: my query from above is now harder to run on the analytics replicas because the dbs are sharded):

+--------+--------------------+
| sysops | enabled_two_factor |
+--------+--------------------+
|   1180 |                275 |
+--------+--------------------+

There are results in this task. Can this task be resolved?

Milimetric closed this task as Resolved.May 2 2019, 2:30 PM
Milimetric claimed this task.

don't see why not