
Audit members of #security for more than x duration of no activity (Jan 2020)
Closed, Resolved (Public)

Description

A crusty membership group is a dangerous one I suppose.

I see multiple members who are likely AWOL and this should be regularly audited. I'm not sure of what X here is but a year seems the sane maximum, and I'm talking about activity in phabricator at all not just on security issues.

Note: update SOP to indicate annual minimum audit and removal

Removed:

  • dpatrick (Darian Anthony Patrick)
  • Stype_and_Co.-WMF (Chris Steipp)
  • HJiang-WMF (HJiang-WMF)

Kept:

Event Timeline

chasemp created this task.
mysql:phstats@m3-slave.eqiad.wmnet [phabricator_user]> SELECT DISTINCT(userName)
    FROM phabricator_user.user
    WHERE phid NOT IN (
        -- users who authored any Maniphest transaction in the last year
        SELECT trs.authorPHID
        FROM phabricator_maniphest.maniphest_transaction trs
        INNER JOIN phabricator_user.user u
        WHERE FROM_UNIXTIME(trs.dateModified) >= (NOW() - INTERVAL 1 YEAR)
          AND trs.authorPHID = u.phid)
    AND phid IN (
        -- current members of the #security project (edge type 14: user is member of project)
        SELECT e.src
        FROM phabricator_user.edge e
        WHERE e.dst = "PHID-PROJ-koo4qqdng27q7r65x3cw" AND e.type = 14);
+-------------------+
| userName          |
+-------------------+
| Wim_b             |
| csteipp           |
| QuiteUnusual      |
| Parent5446        |
| Samtar            |
| Pmlineditor       |
| Mdennis-WMF       |
| Grunny            |
| Kalliope          |
| security_team_bot |
| FWFX-ERF          |
+-------------------+
11 rows in set (5.014 sec)

Who on earth is FWFX-ERF and why do they have security access? They've apparently had access since April but have never made a transaction on Phabricator and the linked CA account has never edited.
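The audit query above only counts Maniphest transactions, so it flags both people who went quiet and people who were never active at all, and it does not distinguish accounts that are meant to stay (bots, role-based access) from real leavers. The following is an added example, not code from the task or from Phabricator: it rebuilds the three tables the query touches in an in-memory SQLite database with made-up rows, runs the same membership-minus-recent-activity check (rewritten as a LEFT JOIN so it also reports each member's last activity time), and then applies an exemption list before naming removal candidates. The project PHID is the one from the page; the edge type constant, the sample users and the exemption set are assumptions for the example.

```python
"""Added example (not the task's or Phabricator's own code): the #security
member-inactivity audit, run against a small constructed copy of the tables
the page's query reads.  All rows below are made up."""
import sqlite3

SECURITY_PROJECT_PHID = "PHID-PROJ-koo4qqdng27q7r65x3cw"  # taken from the page
EDGE_USER_MEMBER_OF_PROJECT = 14   # assumption: same edge type the page's query uses
ONE_YEAR = 365 * 24 * 3600         # audit threshold in seconds

# Accounts that are members for a reason other than day-to-day activity
# (constructed; mirrors the "Kept:" list idea on the page).
EXEMPT_USERS = {"security_team_bot"}


def build_db(now):
    """Create the user / maniphest_transaction / edge tables with sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (phid TEXT PRIMARY KEY, userName TEXT NOT NULL);
        CREATE TABLE maniphest_transaction (authorPHID TEXT, dateModified INTEGER);
        CREATE TABLE edge (src TEXT, dst TEXT, type INTEGER);
    """)
    db.executemany("INSERT INTO user VALUES (?, ?)", [
        ("PHID-USER-a", "alice"),              # member, active last week
        ("PHID-USER-b", "bob"),                # member, last activity two years ago
        ("PHID-USER-c", "carol"),              # member, never made a transaction
        ("PHID-USER-d", "security_team_bot"),  # member, never active, exempt
        ("PHID-USER-e", "erin"),               # active, but not a member
    ])
    db.executemany("INSERT INTO maniphest_transaction VALUES (?, ?)", [
        ("PHID-USER-a", now - 7 * 86400),
        ("PHID-USER-b", now - 2 * ONE_YEAR),
        ("PHID-USER-e", now - 86400),
    ])
    members = ["PHID-USER-a", "PHID-USER-b", "PHID-USER-c", "PHID-USER-d"]
    db.executemany("INSERT INTO edge VALUES (?, ?, ?)",
                   [(p, SECURITY_PROJECT_PHID, EDGE_USER_MEMBER_OF_PROJECT) for p in members]
                   + [("PHID-USER-e", "PHID-PROJ-other", EDGE_USER_MEMBER_OF_PROJECT)])
    return db


# Members of the project whose newest Maniphest transaction is older than the
# cutoff, or who have none at all (MAX() over zero rows is NULL).
AUDIT_SQL = """
SELECT u.userName, MAX(t.dateModified) AS lastActivity
FROM user u
JOIN edge e ON e.src = u.phid AND e.dst = ? AND e.type = ?
LEFT JOIN maniphest_transaction t ON t.authorPHID = u.phid
GROUP BY u.phid, u.userName
HAVING MAX(t.dateModified) IS NULL OR MAX(t.dateModified) < ?
ORDER BY u.userName
"""


def inactive_members(db, now, max_idle=ONE_YEAR):
    """Return [(userName, lastActivity or None)] for members idle longer than max_idle."""
    cutoff = now - max_idle
    params = (SECURITY_PROJECT_PHID, EDGE_USER_MEMBER_OF_PROJECT, cutoff)
    return [(name, last) for name, last in db.execute(AUDIT_SQL, params)]


def removal_candidates(db, now, max_idle=ONE_YEAR):
    """Inactive members minus the exemption list: the people to ping, then remove."""
    return [name for name, _ in inactive_members(db, now, max_idle)
            if name not in EXEMPT_USERS]


if __name__ == "__main__":
    NOW = 1_600_000_000  # fixed "current time" so the run is reproducible
    database = build_db(NOW)
    for name, last in inactive_members(database, NOW):
        print(f"{name:20s} last Maniphest activity: {last if last else 'never'}")
    print("removal candidates:", removal_candidates(database, NOW))
```

Two caveats carry over to the real query: a member whose only activity is in Differential or Diffusion is still reported as idle, because only Maniphest transactions are counted; and a member with no rows at all (the "never made a transaction" case raised above) is reported with no last-activity time, which is worth checking separately from a lapsed contributor.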

chasemp added a member for Security: FWFX-ERF. Apr 23 2019, 6:53 PM

It was added by @chasemp on Apr 23 2019, 6:53 PM, along with WDoranWMF.

I see my name is on the list. I unfortunately haven't been as active as a volunteer for a while, but for some context, part of why I was originally given access here is related to my role at Fandom, providing early access to security releases for Fandom and Gamepedia so we can prepare and protect our user base quickly. I still use it for this purpose for each security release, and as we plan to launch a bug bounty for our wikis on Fandom and Gamepedia in the coming year which will include core MediaWiki (once we're on a newer MW version), I'd love to discuss collaborating more closely on it. :)

Thank you for the feedback @Grunny

In a similar vein, ping to others in the current list from @Aklapper

@Wim_b
@csteipp
@QuiteUnusual
@Parent5446
@Samtar
@Pmlineditor
@Mdennis-WMF
@Kalliope
@FWFX-ERF

tl;dr: with no activity in Phabricator for a year, do you still require access to Security protected tasks?

I would kindly ask that T&S team members (https://meta.wikimedia.org/wiki/Trust_and_Safety/Team) get to keep their Phab accounts active, as a rule of thumb. We may rarely contribute through this platform, however the nature of our work sometimes requires us to review activity here that may be breaching behavioural norms. That is not to say that we step over the CoC for Tech spaces committee's toes, rather we like to work with them if needed, so having access can go a long way towards that end. Accordingly, I would like to keep my account (@Kalliope). I would also like to communicate Maggie's request that hers (@Mdennis-WMF) be kept too, for similar reasons. She's not T&S staff but does oversee the team's work more broadly, as the VP of Support & Services.

> I would kindly ask that T&S team members (https://meta.wikimedia.org/wiki/Trust_and_Safety/Team) get to keep their Phab accounts active, as a rule of thumb.

Totally understood @Kalliope and thanks for responding. We are working on reorganizing the members of this group in such a way that it would be easy to tell moving forward who T&S members are so that will hopefully inform future audits. the only thing we may do is verify status of employment or something.

Would it be helpful to implement a phabricator badge for T&S so that those accounts are more easily discernible?

> Would it be helpful to implement a phabricator badge for T&S so that those accounts are more easily discernible?

That sounds sensible.

Happy with a badge, or whatever other way you see fit for the purpose of easy identification. Whatever works, basically.

> I would kindly ask that T&S team members (https://meta.wikimedia.org/wiki/Trust_and_Safety/Team) get to keep their Phab accounts active, as a rule of thumb. We may rarely contribute through this platform, however the nature of our work sometimes requires us to review activity here that may be breaching behavioural norms. That is not to say that we step over the CoC for Tech spaces committee's toes, rather we like to work with them if needed, so having access can go a long way towards that end. Accordingly, I would like to keep my account (@Kalliope). I would also like to communicate Maggie's request that hers (@Mdennis-WMF) be kept too, for similar reasons. She's not T&S staff but does oversee the team's work more broadly, as the VP of Support & Services.

This task is about whether people keep access to private security tasks, anyone can have an open Phabricator account without any activity requirement.

> This task is about whether people keep access to private security tasks, anyone can have an open Phabricator account without any activity requirement.

My response still stands. I would ask that T&S team members continue to have access to private security tasks. Not so much to review abuse, but because we are often called to work with security when certain types of issues occur.

I created a "T&S" Badge and awarded it to a couple of people. Not sure who else should have it.

> I created a "T&S" Badge and awarded it to a couple of people. Not sure who else should have it.

I believe I've now awarded it to everyone in T&S. Please correct that if I've missed anyone.

@Wim_b, @QuiteUnusual, @Samtar and @Pmlineditor are all Wikimedia Stewards, presumably they have access because of that.

@csteipp is the OG security team and @Parent5446 is a now-inactive core developer who was active in security-related stuff.

> @csteipp is the OG security team

To clarify, he was the entire Security "team" for a while (2012-2015, IIRC; see also https://www.mediawiki.org/w/index.php?title=Wikimedia_Security_Team&oldid=1514136) before the actual team was formed and hired. He left the Foundation in 2016, but had intended to continue as a volunteer. Unfortunately I haven't seen him active since. :(

chasemp updated the task description. (Show Details)

I'll plan on removing anyone who is not checked off next week.

chasemp moved this task from In Progress to Our Part Is Done on the Security-Team board.

Executed, and I also removed csteipp from WMF-NDA for now. I created a cal entry on the security-team calendar to execute this again in the future. Thanks for everyone's help.

Aklapper renamed this task from Audit members of #security for more than x duration of no activity to Audit members of #security for more than x duration of no activity (Jan 2020).Jan 18 2022, 1:23 PM