Page MenuHomePhabricator

acooper (Andy Cooper)
User

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Monday

  • Clear sailing ahead.

User Details

User Since
Apr 4 2023, 12:52 PM (53 w, 4 d)
Availability
Available
LDAP User
Andy Cooper
MediaWiki User
ACooper-WMF [ Global Accounts ]

Recent Activity

Tue, Apr 9

acooper added a comment to T357353: Application Security Review Request : NetworkSession MediaWiki extension .

Thank you very much, I sent a calendar invite.

Tue, Apr 9, 1:40 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews

Mon, Apr 8

acooper added a comment to T359087: Redirecting @priv_eng_sync Phab account (Asana sync) to new email address.

I have a plan for fixing this. This is just some notes for myself

  • Add myself to the Privacy Engineering phabricator project so that I (hopefully) get emails for any new task
  • Setup a gmail rule to forward these emails to Asana
  • Document the above process so it could be run by any team member in future by adding themself to the project and configuring the same gmail rule
Mon, Apr 8, 7:28 PM · SecTeam-Processed, Security-Team
acooper added a member for Privacy Engineering: acooper.
Mon, Apr 8, 7:26 PM
acooper claimed T359087: Redirecting @priv_eng_sync Phab account (Asana sync) to new email address.
Mon, Apr 8, 7:20 PM · SecTeam-Processed, Security-Team
acooper added a comment to T357353: Application Security Review Request : NetworkSession MediaWiki extension .

I'm going to pick this up initially to help prioritize. @EBernhardson would it make sense for us to have an initial meeting to get a sense of the risk involved? Anyone else to invite on your side. I'll invite some folks from product security

Mon, Apr 8, 6:51 PM · Discovery-Search (Current work), secscrum, Security, Application Security Reviews

Feb 20 2024

acooper added a comment to T344509: Security Issue Access Request for (Kappakayala).

@mmartorana could this be actioned since the approval was given?

Feb 20 2024, 11:03 AM · SecTeam-Processed, Security-Team, Security

Feb 13 2024

acooper updated subscribers of T307523: Investigate container scanning options within the context of the Gitlab appsec pipeline.

Regarding this ticket, I would recommend syncing with @MoritzMuehlenhoff as I believe he had ideas and thoughts for scanning and updated running containers. This is different to CI of course, but would be good to be aware and plan the overall approach together.

Feb 13 2024, 11:46 AM · GitLab-Application-Security-Pipeline, SecTeam-Processed, GitLab (CI & Job Runners), Security, Security Team AppSec, Security-Team

Nov 30 2023

acooper added a comment to T348781: Add higher-level organizational header names to the risk matrix Google sheets.

I like these headings, thank you.

Nov 30 2023, 12:23 PM · Security-Team, SecTeam-Processed, Code-Health, Security, Security Team AppSec, production-risk-assessment

Nov 24 2023

acooper added a comment to T190891: Develop canonical/single record of origin, machine readable list of all repos deployed to WMF sites.

I did create some hacky code that may help, it queries the API for each wiki to determine deployment status of skins/extensions. https://gitlab.wikimedia.org/acooper/extusage. There is a dump from the historical data in october here: https://docs.google.com/spreadsheets/d/1SBU6sPHSrkWmxLbMaUu1WoEVEPVQTmSHUgo_DVT7c4c/edit?usp=sharing

Nov 24 2023, 11:40 AM · Quality-and-Test-Engineering-Team (Quality Engineering), Code-Health

Nov 15 2023

acooper added a comment to T306708: Establish a workflow that scales for requesting Phab 2FA resets.

Namely or just the gmail synced address book.

Nov 15 2023, 11:29 AM · Release-Engineering-Team, collaboration-services, User-AKlapper, Phabricator

Nov 10 2023

acooper added a comment to T306708: Establish a workflow that scales for requesting Phab 2FA resets.

You could also require messages of acknowledgement to be sent across at least two authentication domains to increase the security. So say a slack message (linked in a phab comment) and a phab comment.

Nov 10 2023, 3:59 PM · Release-Engineering-Team, collaboration-services, User-AKlapper, Phabricator
acooper added a comment to T306708: Establish a workflow that scales for requesting Phab 2FA resets.

Oh and all that is required is for the verifier to also post a message authenticated to their accounted confirming they have verified the identity. The verifier in this case is someone from the persons team or management chain. So its not a fixed identity.

Nov 10 2023, 3:54 PM · Release-Engineering-Team, collaboration-services, User-AKlapper, Phabricator
acooper added a comment to T306708: Establish a workflow that scales for requesting Phab 2FA resets.

I was assuming finding the person would be easy - it would be maybe their manager? Which is easily available from the address book.

Nov 10 2023, 3:52 PM · Release-Engineering-Team, collaboration-services, User-AKlapper, Phabricator

Nov 3 2023

acooper added a comment to T347576: Including donor's first name as a URL parameter..

We have concerns that the following code snippet from this feature contains a XSS that might be triggered by a malicious link opened by a user:

Nov 3 2023, 7:03 PM · Privacy Engineering, SecTeam-Processed

Oct 13 2023

acooper added a comment to T347104: Application Security Review Request : Fundraise Up scripts for Donatewiki.

On review of the available penetration testing evidence from the vendor it was confirmed appropriate independent testing had taken place and we have now downgraded the risk to medium.

Oct 13 2023, 10:15 AM · secscrum, Security, Application Security Reviews
acooper added a comment to T348781: Add higher-level organizational header names to the risk matrix Google sheets.

I had another thought about this requirement. Besides the higher level organizational header names, it would be helpful if the risk of those columns could be collectively expressed by a single value.

Oct 13 2023, 10:04 AM · Security-Team, SecTeam-Processed, Code-Health, Security, Security Team AppSec, production-risk-assessment

Oct 11 2023

acooper added a comment to T347104: Application Security Review Request : Fundraise Up scripts for Donatewiki.

I'm currently in some discussions with Greg about how to handle the potential risk in this component. Will update the ticket when we have reached a decision on what to do next. For now we will pause the security review until this is decided.

Oct 11 2023, 6:13 PM · secscrum, Security, Application Security Reviews

Sep 26 2023

acooper added a comment to T341565: CVE-2023-3550: Stored XSS when uploading crafted XML file to Special:Upload (non standard configuration).

It appears this issue has been (perhaps unintentionally) publically disclosed at https://fluidattacks.com/advisories/blondie/. @sbassett has asked legal to assistance with how to respond regarding the disclosure.

Sep 26 2023, 4:35 PM · MW-1.40-release, MW-1.39-release, MW-1.35-release, Vuln-XXE, Vuln-CSRF, MediaWiki-File-management, Vuln-XSS, Security, Security-Team

Sep 8 2023

acooper added a comment to T345928: 2 CVE's in SuperSet.

There is also a separate issue which is a configuration based Remote Code Execution vulnerability in the superset.wmcloud.org instance (not the superset.wikimedia.org instance), caused by the use of a guessable secret key in the Flask superset configuration as described in this article: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/

Sep 8 2023, 4:30 PM · Infrastructure Security, SecTeam-Processed, Vuln-VulnComponent, superset.wikimedia.org, superset.wmcloud.org, cloud-services-team, Security, Security-Team
acooper added a comment to T345877: Requesting shell access, deployment and analytics-privatedata-users rights for acooper.

I followed these instructions already which requested rsa type (maybe worth updating the instructions if ed25519 is preferred now?)
https://wikitech.wikimedia.org/wiki/Yubikey-SSH

Sep 8 2023, 1:23 PM · SRE-Access-Requests, SRE
acooper added a comment to T345877: Requesting shell access, deployment and analytics-privatedata-users rights for acooper.

Thanks I added the SSH key.

Sep 8 2023, 11:12 AM · SRE-Access-Requests, SRE
acooper changed the status of T345877: Requesting shell access, deployment and analytics-privatedata-users rights for acooper from Stalled to Open.
Sep 8 2023, 11:10 AM · SRE-Access-Requests, SRE

Aug 17 2023

acooper added a watcher for acl*security: acooper.
Aug 17 2023, 1:37 PM

Aug 7 2023

acooper updated subscribers of T343709: Wikifunctions Kubernetes evaluator service exposes some sensitive data/functions within the container.
Aug 7 2023, 4:34 PM · serviceops-radar, SecTeam-Processed, Abstract Wikipedia team, Vuln-Infoleak, Wikifunctions, Security, Security-Team
acooper updated subscribers of T343709: Wikifunctions Kubernetes evaluator service exposes some sensitive data/functions within the container.
Aug 7 2023, 4:29 PM · serviceops-radar, SecTeam-Processed, Abstract Wikipedia team, Vuln-Infoleak, Wikifunctions, Security, Security-Team
acooper added projects to T343709: Wikifunctions Kubernetes evaluator service exposes some sensitive data/functions within the container: Wikifunctions, Vuln-Infoleak, Abstract Wikipedia team.
Aug 7 2023, 12:14 PM · serviceops-radar, SecTeam-Processed, Abstract Wikipedia team, Vuln-Infoleak, Wikifunctions, Security, Security-Team
acooper created T343709: Wikifunctions Kubernetes evaluator service exposes some sensitive data/functions within the container.
Aug 7 2023, 12:13 PM · serviceops-radar, SecTeam-Processed, Abstract Wikipedia team, Vuln-Infoleak, Wikifunctions, Security, Security-Team

Apr 27 2023

acooper created T335483: Grant Access to wmf for Andy Cooper.
Apr 27 2023, 9:10 AM · SRE, LDAP-Access-Requests

Apr 4 2023

Bawolff awarded T333953: Security Issue Access Request for acooper a Party Time token.
Apr 4 2023, 1:54 PM · SecTeam-Processed, Security-Team, Security
acooper created T333953: Security Issue Access Request for acooper.
Apr 4 2023, 1:05 PM · SecTeam-Processed, Security-Team, Security