JBennett (John Bennett)
User

User Details

User Since
Jan 18 2018, 6:32 PM (47 w, 1 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
JBennett (WMF) [ Global Accounts ]

Recent Activity

Wed, Dec 12

JBennett added a comment to T210667: Can exfat be used in WMF production?.

Thanks everyone for their thoughtful consideration. I have no issues nor do I see a conflict with temporarily allowing the use of this so we can complete our work with our 3rd party partners.

Thanks for commenting. To clarify, are you saying that there is no free filesystem software that will meet our needs? Given that @Platonides offered a decent amount of alternatives in T210667#4789273, it would be helpful if it could be explained why none of those alternatives are sufficient. That will help me when I reach out to various free software upstreams so they can improve their software so it will meet our needs - a goal that I think we all share.

Wed, Dec 12, 1:10 PM · Security-Team, Analytics, Software-Licensing, WMF-Legal, Operations

Tue, Dec 11

JBennett added a comment to T151011: Add password generator to account creation / password change form.

There are two types of good password generation:

  1. A medium-length string of random uppercase/lowercase/numbers (say 12 or 16 characters), with easily confusable characters removed from the pool.
  2. A long human-readable text of space-separated random dictionary words (probably 5 or 6 words), e.g. diceware.

I'm not sure the first is worth doing as the only sane way to use such passwords is a password manager and that can generate random passwords just fine. (Maybe there are less technical users who have problems with password managers and just write the passwords down, but those are better served by diceware style passwords anyway since words are easier to type.) OTOH it is very trivial to implement.

The second is good for people who need to memorize the password for some reason, or need to type it in often (ie. often log in on foreign machines). The best library I have seen for it is grempe/diceware (test page), which has support for ~20 languages (of course it would be fairly trivial to add more). Word lists are around 100K which is a bit large but they don't exactly make an effort to reduce the size, which could be done pretty easily.

Tue, Dec 11, 3:40 PM · User-Tgr, Security, Security-Core, MediaWiki-User-login-and-signup

Fri, Dec 7

JBennett added a comment to T208246: Change password length requirement and ensure enforcement for privileged users (from 8 to 10).

This feels a bit rushed. Maybe I am just not aware that the preparations already happened, in which case apologies in advance, but otherwise I would recommend pushing out the date by a month or so and doing more groundwork.

Fri, Dec 7, 2:48 PM · Patch-For-Review, MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Anti-Harassment (AHT Sprint 35), MediaWiki-User-login-and-signup

Tue, Dec 4

JBennett added a comment to T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config.

I'm fairly confident the plan is for all new passwords to be outside 100,000. This is based on this permissioned Google Doc authored by @JBennett. It was last edited Nov. 1 so other decisions/discussions may supersede this.

Ping @JBennett! 🛎

Well, WMF != MW. But if the intention is to make these changes for all users and help "harden" MW core at the same time, I'm fine with making that change in MW core too.

Tue, Dec 4, 4:06 PM · Patch-For-Review, MW-1.33-notes (1.33.0-wmf.6; 2018-11-27), Security-team-backlog, MediaWiki-User-login-and-signup

Mon, Dec 3

JBennett added a comment to T210667: Can exfat be used in WMF production?.

  1. With respect to the WMF charter and the values and manifestation thereof, it seems the exception process and/or the bar for each use case is at the discretion of WMF leadership and probably specifically most informed by WMF technical leadership. I'll defer to @JBennett who has more information.

Mon, Dec 3, 8:07 PM · Security-Team, Analytics, Software-Licensing, WMF-Legal, Operations

Fri, Nov 30

JBennett added a project to T189641: Service for checking the Pwned Passwords database: WMF-Legal.
Fri, Nov 30, 7:37 PM · Services (watching), User-Tgr, WMF-Legal, Patch-For-Review, Security, MediaWiki-User-login-and-signup, MediaWiki-Authentication-and-authorization, Security-General
JBennett added a comment to T189641: Service for checking the Pwned Passwords database.

Adding @JBennett as I see he raised concern with the haveibeenpwned work in related https://phabricator.wikimedia.org/T210192#4786955

I think that was meant for using it for email lookup, not passwords? If your password hash is in the dump, the applicability of that is pretty clear.

Fri, Nov 30, 7:36 PM · Services (watching), User-Tgr, WMF-Legal, Patch-For-Review, Security, MediaWiki-User-login-and-signup, MediaWiki-Authentication-and-authorization, Security-General

Tue, Nov 27

JBennett added a comment to T208441: 👩‍👦‍👦 AHT password strengthing work, 2018/19.

Yeah, good catch. Makes sense to bump this one up too. I forget, though... do Stewards also need 2FA? If so, the length is less of an issue.

Tue, Nov 27, 1:46 PM · Anti-Harassment

Mon, Nov 26

JBennett added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

I'm in favor of removing unblock self. It's overly permissive to allow admins to unlock themselves and we should follow some level of separation of duties to ensure proper governance. Let's go ahead and make this change.

Mon, Nov 26, 6:10 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Patch-For-Review, Community-consensus-needed, Wikimedia-Site-requests

Nov 1 2018

ToBeFree awarded Blog Post: Details of dictionary attack from May 2018 a Grey Medal token.
Nov 1 2018, 12:29 PM · Security-Team

Oct 29 2018

JBennett added a comment to T207852: Requesting access to deployment and analytics-privatedata-users for sbassett.

+1 from me

Oct 29 2018, 3:14 PM · Patch-For-Review, User-jijiki, Operations, SRE-Access-Requests

Oct 10 2018

JBennett published Blog Post: translatewiki.net security incident.
Oct 10 2018, 8:14 PM

Sep 27 2018

JBennett created Blog Post: translatewiki.net security incident.
Sep 27 2018, 11:21 PM

Sep 17 2018

D3r1ck01 awarded Blog Post: Details of dictionary attack from May 2018 a Love token.
Sep 17 2018, 6:05 PM · Security-Team

Sep 13 2018

JBennett added a comment to T150605: Publish an analysis of the OurMine hack.

Our process around security incident response is evolving and something the security team is working to improve. We're not there yet but we are definitely making improvements.

Sep 13 2018, 1:49 PM · Wikimedia-Incident, Security-Team

Sep 11 2018

JBennett added a comment to Blog Post: Additional details on OurMine.

This 1st round is really to address changes to our wiki password policy. Phase 2 is being planned and will address 2FA for privileged users.

Sep 11 2018, 11:53 AM · Security-Team

Sep 7 2018

Halfak awarded Blog Post: Additional details on OurMine a Like token.
Sep 7 2018, 6:51 PM · Security-Team
Halfak awarded Blog Post: Details of dictionary attack from May 2018 a Like token.
Sep 7 2018, 6:49 PM · Security-Team
JBennett published Blog Post: Additional details on OurMine.
Sep 7 2018, 6:37 PM · Security-Team
JBennett published Blog Post: Details of dictionary attack from May 2018.
Sep 7 2018, 6:37 PM · Security-Team

Sep 4 2018

JBennett moved T118750: Document and test security response process from Backlog to In Progress on the Security-Team board.
Sep 4 2018, 3:02 PM · Documentation, Security-Team
JBennett claimed T118750: Document and test security response process.

In progress

Sep 4 2018, 3:01 PM · Documentation, Security-Team
JBennett assigned T116305: Followup assessment for analytics cluster to chasemp.
Sep 4 2018, 2:53 PM · Security-Team
JBennett edited projects for T111820: Set default CSP header in service template to "default-src 'none'", added: Security-team-backlog; removed Security-Team.
Sep 4 2018, 2:47 PM · Security-team-backlog, Services (later), service-template-node, RESTBase
JBennett removed a project from T110620: Make User::newFromId(0) not return current user's IP: Security-Team.
Sep 4 2018, 2:44 PM · MediaWiki-User-management
JBennett edited projects for T110249: Allow OAuth applications to be granted rights the user doesn't have, added: Security-team-backlog; removed Security-Team.
Sep 4 2018, 2:42 PM · Security-team-backlog, MediaWiki-extensions-OAuth
JBennett edited projects for T109726: Privacy review of graphite and grafana data sets, added: Security-team-backlog; removed Security-Team.
Sep 4 2018, 2:38 PM · Security-team-backlog, Privacy
JBennett closed T109524: DFIR process documented on officewiki as Invalid.
Sep 4 2018, 2:37 PM · Security-Team
JBennett closed T109102: Investigate / test hardware tokens for WMF identity key as Declined.
Sep 4 2018, 2:34 PM · Security-Team
JBennett closed T109102: Investigate / test hardware tokens for WMF identity key, a subtask of T109083: Goal: Support legal during rollout of email encryption initiative, as Declined.
Sep 4 2018, 2:33 PM · Goal, Security-Team
JBennett closed T76158: Pitfalls checklist for software using AGPL as Resolved.
Sep 4 2018, 2:27 PM · Software-Licensing, MediaWiki-General-or-Unknown, WMF-Legal
JBennett closed T76158: Pitfalls checklist for software using AGPL, a subtask of T78212: Determine license for RESTBase code, as Resolved.
Sep 4 2018, 2:27 PM · Software-Licensing, RESTBase
JBennett removed a project from T67848: [SpamBlacklist] Do not include '(?:https?:)?\/\/+[a-z0-9_\-.]*' in whitelist regex: Security-Team.
Sep 4 2018, 2:21 PM · SpamBlacklist, Security, Security-Extensions
JBennett removed a project from T103912: [Task] Ex:WikibaseQualityExternalValidation - performance review of Special:CrossCheck: Security-Team.
Sep 4 2018, 2:19 PM · Wikibase-Quality-External-Validation, Wikidata, Wikibase-Quality
JBennett closed T90033: Support 1password for login as Declined.
Sep 4 2018, 2:17 PM · WorkType-NewFunctionality, Security-Team, Wikipedia-iOS-App-Backlog
JBennett closed T75953: RFC: MediaWiki HTTPS policy as Resolved.
Sep 4 2018, 2:16 PM · MediaWiki-Configuration, Security-Team, TechCom-RFC

Aug 13 2018

JBennett removed a member for acl*security_team: debt.
Aug 13 2018, 7:00 PM
JBennett added a member for acl*security_team: debt.
Aug 13 2018, 6:28 PM
JBennett added a member for acl*security_team: charlotteportero.
Aug 13 2018, 6:28 PM

Jul 2 2018

JBennett added a comment to T190875: Security review for Wikidata queries data release proposal.

Has legal reviewed this? I don't see any comments from them in this ticket. I'd like to sort out a process for reviewing items like this. It's sort of in-between security/privacy/data governance. I'll put together a strawman review process to help us avoid delays and follow up with Stas.

Jul 2 2018, 3:16 PM · Privacy, Security-Team-Reviews, User-Smalyshev, Wikidata, Research

Jun 6 2018

JBennett created T196542: Private space for tracking internal security team activities.
Jun 6 2018, 12:13 PM · Phabricator

May 3 2018

JBennett added a comment to T193771: Requesting access to Logstash for jbennett.

I need to be able to access logstash to investigate security incidents. So, I'll need similar access to Brian Wolff or Sam Reed.

May 3 2018, 5:45 PM · Patch-For-Review, LDAP-Access-Requests, Operations
JBennett added a comment to T193771: Requesting access to Logstash for jbennett.

Your Full Name: John Bennett
developer access userid: jbennett
ssh key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIOdNYh9J4uSm7uuVZG7zttu/9Xtk5IaCPSokdOyhNnAoMBE51mnTZTrGm+SxUTfXs3tniklrn2lZtDDookMOnDFzN/HwhKbw0QEsef9f2hOVj16QLF5jqdZi8Tk/15OOaHJST4/BafT3uFpMnaQLRpApfSYlKvqLxs2cZFLCtfZZ2HscCpNUPpbNLyRg0OcPoFhjui+dnVZJR856L+wStSFv9oUytshOa0/JYd0VMRV78kDcXIKIMbaqufhaMKCel3lA7QnJzQMoTvWY/FB888koHza+si0bzwc/DhQE19kE6Oobu8WabmDwiP3sQyiuc+bEM6Xn3YUer8nnJoBPx john@gpants

May 3 2018, 5:44 PM · Patch-For-Review, LDAP-Access-Requests, Operations
JBennett created T193771: Requesting access to Logstash for jbennett.
May 3 2018, 5:36 PM · Patch-For-Review, LDAP-Access-Requests, Operations

Apr 19 2018

JBennett added a comment to T188561: SSL cert for links.email.wikimedia.org.

What's the data? From our clicktracking efforts what will we be collecting?

Apr 19 2018, 3:08 PM · Operations, Traffic, fundraising-tech-ops, Fundraising-Backlog

Mar 19 2018

JBennett claimed T187846: Security Review of Office IT Internal Account Management Tool.
Mar 19 2018, 2:59 PM · Security-Team-Reviews

Feb 23 2018

JBennett added a comment to T185236: Password Vault for Security Team.

Couple questions:

  • Is each 'group' required to have their own repo? How is that access and credential sharing determined?
  • If that's not the case, how will we prevent credential disclosure to folks who have access to the repo but don't have a need to know all the creds?
  • Do people know to update creds when someone no longer requires access to them (leaves the foundation, changes groups, etc)?

Feb 23 2018, 7:14 PM · Security-team-backlog, Operations, Security