Security Issue Access Request for MBinder_WMF
Closed, Resolved · Public

Description

Full Name: Max Binder
Phabricator Username: @MBinder_WMF
Reason For Access: I regularly monitor and support team practices around using Phabricator, including facilitating conversations on tickets, promoting healthy behavior, and ensuring tickets have the right information and that they are following processes agreed to within and across teams. When I am locked out of a ticket, I am extremely limited in providing this support. :)

Permissions requested:

  • View (preferably edit) access to Phab tickets that have security limits on them. Globally would be easiest for me, and most sustainable long-term as I frequently change teams, but if that's not acceptable I would like access to tickets being worked on by the following teams: Readers Web, Product Analytics, iOS, Android, Anti-Harassment, Community Tech, Multimedia, Structured Data on Commons.

Support for this request has been offered by

  • @phuedx (Sam, please confirm in a comment)
  • @Mooeypoo (Moriel, please confirm in a comment)

My understanding is that as a WMF employee I am already bound to an NDA, so I don't need to sign another. If that's the case, then I believe the remaining step is to get approval from a C-Level, per https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Policy/Access_to_security_issues and https://wikitech.wikimedia.org/wiki/Volunteer_NDA :)

Event Timeline

Restricted Application added a subscriber: Aklapper. · Sep 19 2018, 5:42 PM
chasemp triaged this task as Normal priority. · Sep 19 2018, 6:33 PM
chasemp added a project: Security-Team.

@Tnegrin for C-Level approval, per @ggellerman . Thanks, both. :)

Hey @Legoktm ! I saw it in the link in Step 3: https://wikitech.wikimedia.org/wiki/Volunteer_NDA

My interpretation of this is that the "sign an NDA" part is automatic for a WMF employee (they sign one when starting work), but I read and assumed the "Get sign off by a C-level staff of the Wikimedia Foundation" part of that same page as still required. Happy to be corrected, though, and work together to clarify the wiki page instructions. :)

No, that whole page is specifically for volunteers (volunteers need to have a C-level sign off on their NDA).

@Legoktm Ah, I see, thanks for clarifying. That makes sense given the title of the page, I was just playing it as safe as possible. Might be good to update Step 3 to clearly say WMF employees can disregard Step 3 entirely (since they are covered when hired).

Step 3 on https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Policy/Access_to_security_issues says "Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement;" (emphasis by me) so I don't see anything to update.

sbassett added a subscriber: sbassett. · Edited · Sep 21 2018, 1:46 PM

FWIW, as a recent staff addition, I don't recall signing anything resembling an NDA within my new-hire paperwork. Apparently that was in my Terms of Employment sheet.

Thanks @Aklapper . I added a sentence to make it really explicit, just in case. :)

I support @MBinder_WMF's request.

There have been a few occasions where a security task has made it onto our board and @MBinder_WMF has been unable to provide his usual high level of operational support. Admittedly, these occasions are rare. I can't speak to how frequently this occurs for him while he's supporting other teams (and as you can see from the description, there are a lot of other teams!).

@sbassett Thank you for the info that the NDA is in the Terms of Employment.

Reedy added a subscriber: Reedy. · Oct 17 2018, 8:01 PM

@MBinder_WMF Have you got 2FA enabled on your phab account?

@Reedy: For the record, https://phabricator.wikimedia.org/people/query/advanced/ allows Phab admins to check for "Has MFA".

Aye. It's just remembering that when I need it next time ;)

Reedy closed this task as Resolved. · Oct 17 2018, 10:01 PM
Reedy claimed this task.

Done

sbassett moved this task from Backlog to Done on the Security-Team board. · Jun 11 2019, 7:10 PM