Jcross (Jennifer Cross)
Project Manager

User Details

User Since
Jul 1 2019, 6:26 PM (32 w, 6 d)
Availability
Available
IRC Nick
jencross
LDAP User
Unknown
MediaWiki User
JCross (WMF) [ Global Accounts ]

Recent Activity

Thu, Feb 13

Jcross closed T242792: Update language in security review SOPs to establish timelines and expectations as Resolved.
Thu, Feb 13, 6:03 PM · PM, Security-Team
Jcross added a comment to T242792: Update language in security review SOPs to establish timelines and expectations.

Language updated and will continue to monitor and adjust.

Thu, Feb 13, 6:03 PM · PM, Security-Team

Tue, Feb 11

Jcross added a comment to T240869: Security Review For KaiOS Wikipedia app.

Hi @AMuigai - do you have a specific stop date / date we could begin review yet? Our process is frozen so long as commits are frequently being made. Alternatively, if you could choose a specific commit we could begin reviewing at that point with the understanding that we would *only* be reviewing to that point and further commits would not be included in our assessment.

Tue, Feb 11, 6:14 PM · Security Readiness Reviews, Inuka-Team

Mon, Feb 10

Jcross added a comment to T242792: Update language in security review SOPs to establish timelines and expectations.

We've determined that the expectation of "30 days" as a timeframe will only apply once the team has received everything needed to move forward and as long as nothing occurs to hamper / restart our review process. This could include changes to code, which would restart the 30 day timer. I'll look at precise phrasing of this for Readiness reviews, and it will not apply to Concept reviews.

Mon, Feb 10, 7:07 PM · PM, Security-Team

Fri, Feb 7

Jcross added a comment to T242134: Security Review For Talk pages project.

@JTannerWMF We expect this to be in progress shortly and @sbassett will be in touch with any questions or concerns.

Fri, Feb 7, 5:22 PM · user-sbassett, Editing-team (Tracking), DiscussionTools, Security Readiness Reviews

Thu, Feb 6

Jcross added a comment to T244076: Security Readiness Review For ChessBrowser extension.

@Wugapodes - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into WMF production? If so, does it have any sponsoring WMF team or collective of individuals within Tech or Product? If there isn't a WMF sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now. Thank you!

Thu, Feb 6, 6:13 PM · ChessBrowser, Security Readiness Reviews
Jcross lowered the priority of T244076: Security Readiness Review For ChessBrowser extension from Low to Lowest.
Thu, Feb 6, 6:07 PM · ChessBrowser, Security Readiness Reviews
Jcross triaged T244076: Security Readiness Review For ChessBrowser extension as Low priority.
Thu, Feb 6, 6:05 PM · ChessBrowser, Security Readiness Reviews
Jcross moved T244076: Security Readiness Review For ChessBrowser extension from Incoming to Back Orders on the Security Readiness Reviews board.
Thu, Feb 6, 6:05 PM · ChessBrowser, Security Readiness Reviews

Wed, Jan 22

Jcross added a comment to T243398: Security Readiness Review for one skin and five plugins to be used in Tech Blog based on Wordpress.

This task has been resourced but reviewing by the planned deployment date (month) cannot be guaranteed as we are out for All Hands next week, leaving less than 30 days. We will do our best to meet the requested timeline and will be in contact as work progresses.

Wed, Jan 22, 5:19 PM · Security Readiness Reviews
Jcross closed T187846: Security Review of Office IT Internal Account Management Tool as Declined.

Closing per email conversation with @bcampbell in OIT - this is an old ticket that no longer requires work from the Security-Team.

Wed, Jan 22, 12:03 AM · Office-IT, Security Readiness Reviews

Jan 17 2020

Jcross updated subscribers of T242792: Update language in security review SOPs to establish timelines and expectations.

Will review with @JBennett and AppSec team and plan on updating before 1/27/20

Jan 17 2020, 5:29 PM · PM, Security-Team

Jan 15 2020

Jcross moved T239940: Security review of OAuth 2.0 patches from In Progress to Our Part Is Done on the Security Readiness Reviews board.
Jan 15 2020, 4:21 PM · Security Readiness Reviews, MediaWiki-extensions-OAuth, CPT Initiatives (OAuth 2.0)

Jan 8 2020

Jcross placed T187846: Security Review of Office IT Internal Account Management Tool up for grabs.
Jan 8 2020, 7:58 PM · Office-IT, Security Readiness Reviews
Jcross moved T187846: Security Review of Office IT Internal Account Management Tool from In Progress to Back Orders on the Security Readiness Reviews board.
Jan 8 2020, 7:57 PM · Office-IT, Security Readiness Reviews

Jan 7 2020

Jcross added a member for Security Readiness Reviews: Jcross.
Jan 7 2020, 7:37 PM
Jcross triaged T242124: Security Review For EventStreamConfig extension as Low priority.
Jan 7 2020, 6:27 PM · MW-1.35-notes (1.35.0-wmf.19; 2020-02-11), user-sbassett, Analytics-Kanban, Security Readiness Reviews, Analytics, Event-Platform
Jcross triaged T242134: Security Review For Talk pages project as Low priority.
Jan 7 2020, 6:25 PM · user-sbassett, Editing-team (Tracking), DiscussionTools, Security Readiness Reviews

Dec 19 2019

Jcross triaged T240999: Create 'user affiliation' custom drop down field for forms as Medium priority.
Dec 19 2019, 12:21 AM · Phabricator, Security-Team
Jcross updated subscribers of T240492: Create generic security-team request for service intake mechanism.

Massaged a bit @chasemp but @JBennett is going to look as well. https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services has been updated.

Dec 19 2019, 12:09 AM · Phabricator, Security-Team

Dec 18 2019

Jcross added a comment to T240999: Create 'user affiliation' custom drop down field for forms.

@chasemp - talked to JB and we are good to run with just this as a first iteration / attempt at metrics. This list looks accurate (ish) for team names? https://office.wikimedia.org/wiki/Contact_list

Dec 18 2019, 8:27 PM · Phabricator, Security-Team

Dec 13 2019

Jcross added a comment to T239940: Security review of OAuth 2.0 patches.

Hi @CCicalese_WMF - apologies, I'm out of the office. Do you have a date you're aiming for? Let me know and we'll try and get someone on it fairly quickly.

Dec 13 2019, 5:05 PM · Security Readiness Reviews, MediaWiki-extensions-OAuth, CPT Initiatives (OAuth 2.0)

Dec 9 2019

Jcross added a comment to T239940: Security review of OAuth 2.0 patches.

Hi @CCicalese_WMF - can you please let us know if this is the only patch set you'd like us to look at? https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OAuth/+/550847/

Dec 9 2019, 4:28 PM · Security Readiness Reviews, MediaWiki-extensions-OAuth, CPT Initiatives (OAuth 2.0)
Jcross lowered the priority of T239778: Security review of banner with FB and Twitter share buttons from High to Medium.
Dec 9 2019, 4:21 PM · Security Readiness Reviews, Privacy Engineering, MediaWiki-extensions-CentralNotice, Privacy, Fundraising-Backlog

Nov 20 2019

Jcross closed T227726: Security review of preact 8.4.2, a subtask of T225577: Audit component library for MobileFrontend's security, as Declined.
Nov 20 2019, 5:25 PM · Readers-Web-Backlog (Tracking), MobileFrontend (MobileFrontend and MinervaNeue architecture), Technical-Debt
Jcross closed T227726: Security review of preact 8.4.2 as Declined.

We are awaiting decisions from the Frontend working group and declining until the direction being taken is more clear.

Nov 20 2019, 5:25 PM · Readers-Web-Backlog (Tracking)

Nov 18 2019

Jcross closed T238268: How to best contact the WMF Security team? as Resolved.

Happy @sbassett could help, and as he mentioned we'll be adding more and refining in the near future. Cheers :)

Nov 18 2019, 5:54 PM · Security-Team

Nov 4 2019

Jcross created T237321: New subtask #2 for Chase.
Nov 4 2019, 9:05 PM · User-chasemp, Security-Team
Jcross created T237320: New Subtask #1 for Chase.
Nov 4 2019, 9:05 PM · Security-Team

Oct 29 2019

Jcross added a comment to T235720: Security concept review for newcomer tasks on Special:Homepage.

Excellent news @JTannerWMF - James is on it and we should have an update for you soon.

Oct 29 2019, 9:32 PM · Privacy, Growth-Team (Current Sprint), GrowthExperiments-Homepage

Oct 28 2019

Jcross added a comment to T235720: Security concept review for newcomer tasks on Special:Homepage.

Hi @JTannerWMF - we've taken a look at this and once WMF-Legal has wrapped up their review we should only need a few days at most.

Oct 28 2019, 5:34 PM · Privacy, Growth-Team (Current Sprint), GrowthExperiments-Homepage

Oct 25 2019

Jcross added a comment to T235720: Security concept review for newcomer tasks on Special:Homepage.

Hi @JTannerWMF, @sbassett beat me to the punch! We'll make a point of reviewing on Monday at our triage meeting and I'll be sure to touch base with you when we know what our timeline will look like.

Oct 25 2019, 9:25 PM · Privacy, Growth-Team (Current Sprint), GrowthExperiments-Homepage

Oct 21 2019

Jcross moved T208188: RFC: Partial opt-out method for Content security policy from In Progress to Incoming on the Security-Team board.
Oct 21 2019, 7:10 PM · Security Related, Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security

Oct 15 2019

Jcross triaged T235309: Assess the possibility of data release from a public health related research conducted by WMF and formal collaborators as Medium priority.
Oct 15 2019, 5:38 PM · Privacy Engineering, Privacy, WMF-Legal, Security-Team, Data-release
Jcross assigned T235309: Assess the possibility of data release from a public health related research conducted by WMF and formal collaborators to JFishback_WMF.
Oct 15 2019, 5:05 PM · Privacy Engineering, Privacy, WMF-Legal, Security-Team, Data-release
Jcross triaged T234987: Increase pbkdf2 parameter strengths (2019) as Low priority.
Oct 15 2019, 5:04 PM · Security Related, Wikimedia-Site-requests, MediaWiki-Authentication-and-authorization, Security-Team, Security

Oct 4 2019

Jcross triaged T143969: Unable to mirror repository from git.legoktm.com into diffusion as Medium priority.
Oct 4 2019, 4:59 PM · cloud-services-team (Kanban), Security-Team, Striker, Phabricator
Jcross moved T143969: Unable to mirror repository from git.legoktm.com into diffusion from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:59 PM · cloud-services-team (Kanban), Security-Team, Striker, Phabricator
Jcross added a comment to T133735: Formalize procedures for doing security releases of MediaWiki extensions.

As an initial approach to get better visibility around security issues for bundled and deployed extensions, we plan to send this supplementary announcement: https://phabricator.wikimedia.org/T232113

Oct 4 2019, 4:57 PM · Documentation, Security-Team
Jcross triaged T133735: Formalize procedures for doing security releases of MediaWiki extensions as Medium priority.
Oct 4 2019, 4:52 PM · Documentation, Security-Team
Jcross triaged T217123: Add tests/CI to wikimedia/security/puppet as Lowest priority.
Oct 4 2019, 4:51 PM · Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, Security-Team, Continuous-Integration-Config
Jcross moved T217123: Add tests/CI to wikimedia/security/puppet from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:51 PM · Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, Security-Team, Continuous-Integration-Config
Jcross added a comment to T217123: Add tests/CI to wikimedia/security/puppet.

There is nothing in the repo and we do not know what plans Chase had / has for this. We will move to our "watching" column for the time being.

Oct 4 2019, 4:51 PM · Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, Security-Team, Continuous-Integration-Config
Jcross triaged T214378: Check simple format constraints (no grouping) in PHP instead of SPARQL as Medium priority.
Oct 4 2019, 4:45 PM · Security-Team, Wikidata-Campsite, Wikibase-Quality-Constraints, Wikidata
Jcross triaged T150902: SMS based 2FA as Low priority.
Oct 4 2019, 4:42 PM · Security-Team
Jcross moved T150902: SMS based 2FA from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:42 PM · Security-Team
Jcross triaged T217351: Require original source file(s) to be committed with minified files as Medium priority.
Oct 4 2019, 4:40 PM · Security Related, JavaScript, Security-Team, Security
Jcross moved T218618: Consider disabling Chrome Lite pages for Wikipedia on Chrome on mobile with Cache-Control: no-transform from Watching to Incoming on the Security-Team board.
Oct 4 2019, 4:38 PM · Performance-Team (Radar), WMF-Legal, Security-Team, Privacy
Jcross triaged T218618: Consider disabling Chrome Lite pages for Wikipedia on Chrome on mobile with Cache-Control: no-transform as Medium priority.
Oct 4 2019, 4:38 PM · Performance-Team (Radar), WMF-Legal, Security-Team, Privacy
Jcross moved T218618: Consider disabling Chrome Lite pages for Wikipedia on Chrome on mobile with Cache-Control: no-transform from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:38 PM · Performance-Team (Radar), WMF-Legal, Security-Team, Privacy
Jcross added a comment to T231954: Increase session length for OTRS ticket system.

Upon review, Security Team is untagging as we will not be working on this ticket.

Oct 4 2019, 4:34 PM · OTRS
Jcross removed a project from T231954: Increase session length for OTRS ticket system: Security-Team.
Oct 4 2019, 4:34 PM · OTRS
Jcross triaged T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled as Medium priority.
Oct 4 2019, 4:32 PM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser
Jcross moved T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:32 PM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser
Jcross added a comment to T224445: Permit hidden attribute in Sanitizer.

Upon review, Security Team is untagging as we will not be working on this ticket.

Oct 4 2019, 4:22 PM · MediaWiki-Parser
Jcross removed a project from T224445: Permit hidden attribute in Sanitizer: Security-Team.
Oct 4 2019, 4:21 PM · MediaWiki-Parser
Jcross moved T227242: Deploy WebAuthn to Wikimedia Wikis from In Progress to Watching on the Security-Team board.
Oct 4 2019, 4:20 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Wikimedia-Extension-setup, Wikimedia-extension-review-queue, Release-Engineering-Team (Deployment services), Security-Team, Wikimedia-Site-requests
Jcross moved T227242: Deploy WebAuthn to Wikimedia Wikis from Incoming to In Progress on the Security-Team board.
Oct 4 2019, 4:17 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Wikimedia-Extension-setup, Wikimedia-extension-review-queue, Release-Engineering-Team (Deployment services), Security-Team, Wikimedia-Site-requests
Jcross triaged T227242: Deploy WebAuthn to Wikimedia Wikis as Medium priority.
Oct 4 2019, 4:17 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Wikimedia-Extension-setup, Wikimedia-extension-review-queue, Release-Engineering-Team (Deployment services), Security-Team, Wikimedia-Site-requests
Jcross added a comment to T227824: Feedback/comment on LibUp 2.0 plans/architecture/changes.

Security Team has reviewed and is untagging to remove from team backlog as we will not be actively working on the ticket. This was reviewed in a Concept Review: https://phabricator.wikimedia.org/T227820

Oct 4 2019, 4:15 PM · LibUp
Jcross removed a project from T227824: Feedback/comment on LibUp 2.0 plans/architecture/changes: Security-Team.
Oct 4 2019, 4:14 PM · LibUp

Sep 24 2019

Jcross closed T150605: Publish an analysis of the OurMine hack as Resolved.

Due to the explanation in T150605#4580720, the Security Team is resolving this task.

Sep 24 2019, 3:08 PM · Security-Team, Wikimedia-Incident
Jcross added a project to T150605: Publish an analysis of the OurMine hack: Security-Team.
Sep 24 2019, 3:07 PM · Security-Team, Wikimedia-Incident

Sep 23 2019

Jcross added a comment to T150605: Publish an analysis of the OurMine hack.

@Aklapper - as I said in my comment above, we were clearly mistaken. We are happy to perform any work that is needed.

Sep 23 2019, 10:57 PM · Security-Team, Wikimedia-Incident
Jcross added a comment to T218956: Should we deploy sshguard on external IP addresses?.

Hi everyone,

Sep 23 2019, 10:23 PM · User-crusnov
Jcross added a comment to T150605: Publish an analysis of the OurMine hack.

Hi @Aklapper - apologies for any confusion. In a team meeting where we were working on cleaning up our workboard, we made the (apparently erroneous) assumption that this ticket had already been addressed and was no longer being worked on. If you could please let me know what additional actions are needed on this ticket I would be happy to keep things moving forward.

Sep 23 2019, 10:21 PM · Security-Team, Wikimedia-Incident
Jcross moved T221272: Expose new ipblocks.ipb_sitewide column to the replicas from Incoming to Our Part Is Done on the Security-Team board.
Sep 23 2019, 4:56 PM · cloud-services-team (Kanban), Data-Services, Security-Team, Anti-Harassment
Jcross moved T213088: Security Credentialing Efforts from Incoming to Our Part Is Done on the Security-Team board.
Sep 23 2019, 4:56 PM · Security-Team, Epic
Jcross moved T230796: Deploy countermeasures to stop ongoing spambot attack at es.wikiquote 2019-08-20 [public task] from Incoming to Our Part Is Done on the Security-Team board.
Sep 23 2019, 4:56 PM · Security Related, User-MarcoAurelio, Wikimedia-General-or-Unknown, Security-Team, Security
Jcross moved T232353: Remove mmarble from wmf LDAP group from Incoming to Our Part Is Done on the Security-Team board.
Sep 23 2019, 4:56 PM · Security-Team, LDAP-Access-Requests
Jcross moved T233516: password too short should nag only once and then remember from Incoming to Our Part Is Done on the Security-Team board.
Sep 23 2019, 4:54 PM · Security-Team, MediaWiki-User-login-and-signup
Jcross closed T213088: Security Credentialing Efforts as Resolved.

Resolving for the time being. Will revisit should the desire to pursue arise.

Sep 23 2019, 4:42 PM · Security-Team, Epic
Jcross moved T232348: Offboard Michal Anna from Security Team from Incoming to In Progress on the Security-Team board.
Sep 23 2019, 4:37 PM · Security-Team
Jcross removed a project from T227008: Draft golang security best practices documentation: Security-Team.
Sep 23 2019, 4:29 PM · Security-Team, user-sbassett
Jcross removed a project from T218956: Should we deploy sshguard on external IP addresses?: Security-Team.
Sep 23 2019, 4:29 PM · User-crusnov
Jcross removed a project from T150605: Publish an analysis of the OurMine hack: Security-Team.
Sep 23 2019, 4:25 PM · Security-Team, Wikimedia-Incident
Jcross closed T193769: Thousands of failed login attempts (wrong password) as Resolved.

As nothing additional is required on this task, the Security Team is resolving. Please feel free to submit a new ticket should additional / further action be required.

Sep 23 2019, 4:23 PM · Security-Team
Jcross moved T70982: Remove inappropriate X-Hacker HTTP header served on sites hosted by Automattic from To Follow Up to Waiting on the Security-Team board.
Sep 23 2019, 4:12 PM · Security-Team, wikimediafoundation.org, WMF-Legal, Wikimedia-Blog
Jcross moved T202080: Publish the source for phabricator-antivandalism from To Follow Up to Waiting on the Security-Team board.
Sep 23 2019, 4:12 PM · Phabricator Antivandalism Extension, Release-Engineering-Team-TODO, Release-Engineering-Team (Development services), Security-Team, User-MModell, Phabricator
Jcross moved T150605: Publish an analysis of the OurMine hack from To Follow Up to Waiting on the Security-Team board.
Sep 23 2019, 4:12 PM · Security-Team, Wikimedia-Incident
Jcross moved T193769: Thousands of failed login attempts (wrong password) from To Follow Up to Waiting on the Security-Team board.
Sep 23 2019, 4:12 PM · Security-Team
Jcross closed T193846: Publish analysis of sustained login attack of 3 May 2018, a subtask of T193769: Thousands of failed login attempts (wrong password), as Resolved.
Sep 23 2019, 4:11 PM · Security-Team
Jcross closed T193846: Publish analysis of sustained login attack of 3 May 2018 as Resolved.

The Security Team agrees and is resolving this task for the time being.

Sep 23 2019, 4:11 PM · Security-Team
Jcross moved T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki from Epics in progress to Waiting on the Security-Team board.
Sep 23 2019, 4:07 PM · ContentSecurityPolicy, Core Platform Team Legacy (Watching / External), TechCom-RFC (TechCom-Approved), Patch-For-Review, Epic, Security-Team
Jcross moved T28508: Content Security Policy (CSP) from In Progress to Waiting on the Security-Team board.
Sep 23 2019, 4:07 PM · Security Related, ContentSecurityPolicy, Front-end-Standards-Group, Security, Security-Team, WorkType-NewFunctionality, MediaWiki-General
Jcross moved T28508: Content Security Policy (CSP) from Epics in progress to In Progress on the Security-Team board.
Sep 23 2019, 4:07 PM · Security Related, ContentSecurityPolicy, Front-end-Standards-Group, Security, Security-Team, WorkType-NewFunctionality, MediaWiki-General

Sep 10 2019

Jcross added a comment to T227346: Security readiness review for the MachineVision extension.

The team has taken a look at this and feels we can provide a basic review by your target deployment date, but that a more in-depth look may need to happen post-launch. We hope that this will work for you and your team - please let us know if you have any questions or concerns and we'll be in touch as we move forward.

Sep 10 2019, 5:17 PM · Security Readiness Reviews, MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, user-sbassett, Product-Infrastructure-Team-Backlog, MachineVision

Sep 9 2019

Jcross edited Description on Security.
Sep 9 2019, 7:06 PM
Jcross edited Description on Security.
Sep 9 2019, 7:06 PM
Jcross edited Description on Security-Team.
Sep 9 2019, 5:18 PM
Jcross edited Description on Security-Team.
Sep 9 2019, 5:14 PM
Jcross edited Description on Security-Team.
Sep 9 2019, 5:14 PM
Jcross edited Description on Security-Team.
Sep 9 2019, 5:12 PM
Jcross edited Description on Security-Team.
Sep 9 2019, 5:12 PM
Jcross edited Description on Security-Team.
Sep 9 2019, 5:11 PM
Jcross updated the task description for T232348: Offboard Michal Anna from Security Team.
Sep 9 2019, 4:01 PM · Security-Team

Sep 4 2019

Jcross edited Description on Vuln-InsufficientMonitoring.
Sep 4 2019, 7:25 PM
Jcross edited Description on Vuln-VulnComponent.
Sep 4 2019, 7:24 PM
Jcross edited Description on Vuln-SerDe.
Sep 4 2019, 7:22 PM
Jcross edited Description on Vuln-XSS.
Sep 4 2019, 7:19 PM