
chasemp (Chase)
security eng · Administrator

Projects (36)

User Details

User Since
Sep 16 2014, 11:39 AM (256 w, 5 d)
Roles
Administrator
Availability
Available
IRC Nick
chasemp
LDAP User
Rush
MediaWiki User
CPettet (WMF) [ Global Accounts ]

Current: security person

Past: engineering manager, lead operations engineer, operations engineer

Local changes.
for upgrades

Recent Activity

Jun 3 2019

chasemp updated the task description for T224887: apache modsec rules deployment with scap.
Jun 3 2019, 6:26 PM · Security-Team, Operations
chasemp updated the task description for T224887: apache modsec rules deployment with scap.
Jun 3 2019, 2:58 PM · Security-Team, Operations
chasemp updated subscribers of T223463: (2019-09) Create secteam groups in admin.yaml and define permissions.

pinged @MoritzMuehlenhoff to get feedback, esp on the list of perms for secteam-admin and he graciously agreed to look at things tomorrow

Jun 3 2019, 2:56 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review
chasemp updated the task description for T224887: apache modsec rules deployment with scap.
Jun 3 2019, 2:53 PM · Security-Team, Operations
chasemp updated the task description for T224886: Establish secteam production norms.
Jun 3 2019, 2:35 PM · Operations, Security-Team
chasemp added a parent task for T224887: apache modsec rules deployment with scap: T224886: Establish secteam production norms.
Jun 3 2019, 2:34 PM · Security-Team, Operations
chasemp added a subtask for T224886: Establish secteam production norms: T224887: apache modsec rules deployment with scap.
Jun 3 2019, 2:34 PM · Operations, Security-Team
chasemp triaged T224887: apache modsec rules deployment with scap as Normal priority.
Jun 3 2019, 2:33 PM · Security-Team, Operations
chasemp added a hashtag to Security-Team: #secteam.
Jun 3 2019, 2:32 PM
chasemp added projects to T224886: Establish secteam production norms: Security-Team, Operations.
Jun 3 2019, 2:30 PM · Operations, Security-Team
chasemp added a parent task for T223463: (2019-09) Create secteam groups in admin.yaml and define permissions: T224886: Establish secteam production norms.
Jun 3 2019, 2:29 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review
chasemp added a subtask for T224886: Establish secteam production norms: T223463: (2019-09) Create secteam groups in admin.yaml and define permissions.
Jun 3 2019, 2:29 PM · Operations, Security-Team
chasemp triaged T224886: Establish secteam production norms as Normal priority.
Jun 3 2019, 2:29 PM · Operations, Security-Team
chasemp added a comment to T223463: (2019-09) Create secteam groups in admin.yaml and define permissions.

Quick example on use cases and such, last week in {T224725} there were some artifacts that members of secteam wanted to help verify/collab on but without shell or a predefined mechanism it's difficult. (i.e. root@clouddb1001:/srv/labsdb/s53220__quickstatements_p)

Jun 3 2019, 1:59 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review

May 23 2019

bd808 awarded T193264: Replace labsdb100[4567] with instances on cloudvirt1019 and cloudvirt1020 a Party Time token.
May 23 2019, 8:46 PM · Scoring-platform-team, Wikilabels, cloud-services-team (Kanban), Patch-For-Review, Epic, Cloud-VPS

May 16 2019

chasemp added a comment to T223463: (2019-09) Create secteam groups in admin.yaml and define permissions.

Is this SRE-Access-Requests? I'm not giving anyone rights they don't have. Security-Team is shell only and no sudo, secteam-admin is me only and I already have root.

May 16 2019, 5:47 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review
chasemp added a comment to T223463: (2019-09) Create secteam groups in admin.yaml and define permissions.

Is this SRE-Access-Requests? I'm not giving anyone rights they don't have. Security-Team is shell only and no sudo, secteam-admin is me only and I already have root.

May 16 2019, 5:40 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review
chasemp added projects to T223463: (2019-09) Create secteam groups in admin.yaml and define permissions: Security-Team, Operations.
May 16 2019, 5:32 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review
chasemp triaged T223463: (2019-09) Create secteam groups in admin.yaml and define permissions as Normal priority.
May 16 2019, 4:49 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review
chasemp closed T222097: scan external ranges with current Nessus rulesets as Resolved.

If anyone is curious to see the results Security-Team can share but at this point I'm not going to put it all up in phab.

May 16 2019, 4:45 PM · Operations, Traffic, Security-Team
chasemp added a comment to T222097: scan external ranges with current Nessus rulesets.

A few scans of all ranges didn't turn up too much scary. A collection of mediums that are mostly SSL shenanigans or weak SSH ciphers etc. T222392 was the most pressing thing I found and it seems to be squared away. I'm thinking we need to scan weekly and report on High or above for a while and maybe someday we can bring that down to medium. I need to write up some more docs on this process but the initial idea was to scan and see where we stand.

May 16 2019, 4:45 PM · Operations, Traffic, Security-Team
chasemp updated the task description for T222097: scan external ranges with current Nessus rulesets.
May 16 2019, 4:43 PM · Operations, Traffic, Security-Team
chasemp added a subtask for T222097: scan external ranges with current Nessus rulesets: Unknown Object (Task).
May 16 2019, 4:41 PM · Operations, Traffic, Security-Team
chasemp added a comment to T204160: Create a security issue task type with additional attributes.

Should we resolve this task? It seems like the new type is being used successfully. @chasemp: What do you think?

May 16 2019, 4:40 PM · Release-Engineering-Team-TODO (201908), User-MModell, Phabricator, Security-Team

May 14 2019

chasemp closed T222417: Add Tgr to security@ as Resolved.

Approved verbally by @JBennett in our weekly meeting.

May 14 2019, 3:07 PM · Security
chasemp updated subscribers of T127640: Re-evaluate our use of Phabricator Conpherence chat.

Security team has an ongoing chat with the stewards via conpherence. So far we (Security) have proposed a move to IRC but there are various blockers. I wonder if in the close-up-shop case (I guess restrict with no uninstall in this case) for general use there could be an exception for acl*stewards and acl*security-team. Stewards in particular have a variety of technical capability and phab and esp conpherence has been really valuable in meeting in the middle while keeping back and forth easy and secure.
@greg @Aklapper

Interesting, I wasn't aware (see also: one of the negatives of Conpherence, even admins can't access rooms they don't have explicit access to :) ). I think this is worth discussing more what can be done here.

May 14 2019, 3:06 PM · Developer-Advocacy (Jul-Sep 2019), Phabricator

May 13 2019

chasemp added a comment to T127640: Re-evaluate our use of Phabricator Conpherence chat.

Security team has an ongoing chat with the stewards via conpherence. So far we (Security) have proposed a move to IRC but there are various blockers. I wonder if in the close-up-shop case (I guess restrict with no uninstall in this case) for general use there could be an exception for acl*stewards and acl*security-team. Stewards in particular have a variety of technical capability and phab and esp conpherence has been really valuable in meeting in the middle while keeping back and forth easy and secure.

May 13 2019, 2:54 PM · Developer-Advocacy (Jul-Sep 2019), Phabricator

May 8 2019

chasemp updated subscribers of T222417: Add Tgr to security@.

@Tgr @JBennett has been away but I'll try to get this handled next week!

May 8 2019, 3:13 PM · Security
chasemp closed T217042: Security Issue Access Request for mepps as Resolved.
May 8 2019, 3:10 PM · Security-Team, Security
chasemp added a comment to T217042: Security Issue Access Request for mepps.

@chasemp Sorry this dropped off my radar! Finally done today. Thanks for the pings :).

May 8 2019, 3:09 PM · Security-Team, Security
chasemp added a member for Security: mepps.
May 8 2019, 3:09 PM

May 6 2019

chasemp added a comment to T167293: Nova-network to Neutron migration.

I think this can be closed?

May 6 2019, 10:22 PM · Patch-For-Review, Epic, Cloud-Services
chasemp updated the task description for T212772: Track remaining trusty servers in production.
May 6 2019, 10:10 PM · cloud-services-team (Kanban), Operations
chasemp added a comment to T193496: Allocate public v4 IPs for Neutron setup in eqiad.

I was 6 months off on my estimate for this :)

May 6 2019, 1:20 PM · Patch-For-Review, cloud-services-team (Kanban), Cloud-Services, netops, Operations

May 2 2019

chasemp awarded Blog Post: Nova-network is gone! a Love token.
May 2 2019, 9:25 PM · Toolforge, Cloud-VPS

Apr 29 2019

chasemp added a project to T222097: scan external ranges with current Nessus rulesets: Traffic.
Apr 29 2019, 6:44 PM · Operations, Traffic, Security-Team
chasemp triaged T222097: scan external ranges with current Nessus rulesets as Normal priority.
Apr 29 2019, 6:44 PM · Operations, Traffic, Security-Team
chasemp updated the task description for T218091: Security Team quarterly check in for April - June 2019.
Apr 29 2019, 6:18 PM · Security-Team
chasemp closed Restricted Task, a subtask of T167293: Nova-network to Neutron migration, as Resolved.
Apr 29 2019, 6:15 PM · Patch-For-Review, Epic, Cloud-Services
chasemp updated the task description for T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.
Apr 29 2019, 6:08 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team

Apr 23 2019

chasemp closed T219896: Security Issue Access Request for WDoranWMF as Resolved.

Done

Apr 23 2019, 6:54 PM · Security-Team, Security
chasemp added a member for Security: FWFX-ERF.
Apr 23 2019, 6:53 PM
chasemp added a member for Security: WDoranWMF.
Apr 23 2019, 6:53 PM
chasemp closed T221661: Add jfishback to security@ alias in exim as Resolved.

Done

Apr 23 2019, 6:52 PM · Operations, Security-Team
chasemp closed T221661: Add jfishback to security@ alias in exim, a subtask of T220517: Onboarding James Fishback to Security Team as Privacy Engineer (April 15th), as Resolved.
Apr 23 2019, 6:52 PM · Security-Team

Apr 17 2019

chasemp added a comment to T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.

The last item here will take coordination with other internal WMF folks as what goes on foundation.wm.o is still complicated

Apr 17 2019, 3:05 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team
chasemp updated the task description for T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.
Apr 17 2019, 2:55 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team
chasemp updated the task description for T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.
Apr 17 2019, 2:55 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team

Apr 16 2019

chasemp updated the task description for T218091: Security Team quarterly check in for April - June 2019.
Apr 16 2019, 6:59 PM · Security-Team
chasemp triaged T221133: Create or update 3 security policies (Q4 2019) as Normal priority.
Apr 16 2019, 6:58 PM · Security-Team
chasemp created T221133: Create or update 3 security policies (Q4 2019).
Apr 16 2019, 6:57 PM · Security-Team
chasemp added a comment to T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.

The last item here will take coordination with other internal WMF folks as what goes on foundation.wm.o is still complicated

Apr 16 2019, 3:33 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team
chasemp updated the task description for T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.
Apr 16 2019, 3:25 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team
chasemp added a comment to T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.

But if...
Report wrong software behavior or a feature proposal makes it onto the landing page and there is a link to https://www.mediawiki.org/wiki/Reporting_security_bugs or that is folded into https://www.mediawiki.org/wiki/How_to_report_a_bug entirely then makes sense to me.

The new https://www.mediawiki.org front page is now live.

Apr 16 2019, 3:24 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team

Apr 11 2019

chasemp added a comment to T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.

2: I'll get in touch with @Aklapper as he's working on some homepage stuff it seems :)

@chasemp: Right, that's T653. Currently we are in the layout phase. The audiences and content phases are done. (Though I'm not against smaller tweaks.)
See mw:MediaWiki/Homepage_improvements_2018 for the process and mw:MediaWiki/Homepage_improvements_2018/Proposal for what's being discussed. The current proposal includes an item called "Report wrong software behavior or a feature proposal" which links to mw:How_to_report_a_bug.

Apr 11 2019, 7:36 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team
chasemp reassigned T213933: PoC alert/notification functionality with Elastic Stack from chasemp to fgiunchedi.

Reassigning to reflect the reality of Filippo's awesomeness

Apr 11 2019, 7:29 PM · User-fgiunchedi, Patch-For-Review, Restricted Project, Security-Team, Wikimedia-Logstash

Apr 10 2019

chasemp closed T220630: Security Review For {...} as Invalid.
Apr 10 2019, 4:33 PM · Security-Team-Reviews
chasemp created T220630: Security Review For {...}.
Apr 10 2019, 4:30 PM · Security-Team-Reviews

Apr 9 2019

chasemp added a comment to T217042: Security Issue Access Request for mepps.

Reassigning to @mepps - not actionable until 2FA has been enabled at https://phabricator.wikimedia.org/settings/panel/multifactor/
Please reset the assignee via Add Action...Assign / Claim in the dropdown menu once this has happened.

Apr 9 2019, 3:19 PM · Security-Team, Security
chasemp added a comment to T218109: Security Issue Access Request for EvanProdromou.

@EvanProdromou please associate your (WMF) issued onwiki account and this should be ready to go

Apr 9 2019, 3:18 PM · Security-Team, Security
chasemp closed T211714: #Security access for aezell as Resolved.

Looks great @aezell

Apr 9 2019, 3:18 PM · Security-Team, Security
chasemp added a member for Security: aezell.
Apr 9 2019, 3:17 PM
chasemp closed T215961: Security Issue Access Request for marcella as Resolved.

good to go

Apr 9 2019, 3:17 PM · Security-Team, Security
chasemp added a member for Security: marcella.
Apr 9 2019, 3:16 PM
chasemp added a comment to T219896: Security Issue Access Request for WDoranWMF.

@WDoranWMF please add 2fa to your phabricator account, and then we can process this :)

Apr 9 2019, 3:16 PM · Security-Team, Security

Apr 8 2019

chasemp added a comment to T211714: #Security access for aezell.

@chasemp - You may want to include Marcella's ticket at the same time (T215961) since it's similar (Engineering Manager needing access for triaging, etc.)

Apr 8 2019, 7:03 PM · Security-Team, Security
chasemp awarded Blog Post: Switching production traffic to Apache Traffic Server an Orange Medal token.
Apr 8 2019, 7:00 PM · Traffic
chasemp added a comment to T165795: Ldap auth extension vs. ldap vs. username Case.

@bd808 explained the problem to me better, and the above outline is a misunderstanding on my part. Seems like the short term fix here is to have a case-insensitive check at the wikitech layer that prevents the case account duping which will/could have weird consequences with the case insensitivity on LDAP. @bd808 agreed to poke at it this week.

Apr 8 2019, 5:32 PM · Patch-For-Review, cloud-services-team (Kanban), wikitech.wikimedia.org, MediaWiki-extensions-LdapAuthentication
chasemp added a parent task for T165795: Ldap auth extension vs. ldap vs. username Case: Unknown Object (Task).
Apr 8 2019, 5:12 PM · Patch-For-Review, cloud-services-team (Kanban), wikitech.wikimedia.org, MediaWiki-extensions-LdapAuthentication
chasemp added a comment to T165795: Ldap auth extension vs. ldap vs. username Case.

I'm not close to an ldap expert so links below are for myself :D

Apr 8 2019, 5:00 PM · Patch-For-Review, cloud-services-team (Kanban), wikitech.wikimedia.org, MediaWiki-extensions-LdapAuthentication

Apr 5 2019

chasemp added a comment to T219277: Wikitech password reset flow.

Thank you @Tgr

Apr 5 2019, 6:56 PM · wikitech.wikimedia.org, MediaWiki-General, Restricted Project, Security
chasemp added a member for acl*security_team: Dsharpe.
Apr 5 2019, 6:38 PM
chasemp added a comment to T211714: #Security access for aezell.

This must have been missed because of recent events, apologies. I'm putting it back on the agenda :)

Apr 5 2019, 3:00 PM · Security-Team, Security
chasemp added a comment to T215961: Security Issue Access Request for marcella.

Account links and 2fa match up.

Apr 5 2019, 2:59 PM · Security-Team, Security

Apr 4 2019

chasemp added a comment to T165795: Ldap auth extension vs. ldap vs. username Case.

Thanks @bd808. I'm going to propose we do this in the next working group meeting on monday.

Apr 4 2019, 7:40 PM · Patch-For-Review, cloud-services-team (Kanban), wikitech.wikimedia.org, MediaWiki-extensions-LdapAuthentication
chasemp added a member for Security: JAufrecht.
Apr 4 2019, 3:19 PM

Apr 3 2019

chasemp accepted D1145: A cli tool to roll back maniphest task transactions.

AFAICT this should work, it's too much to eyeball without testing and we are going to kick the tires a bit before going live but concept is solid.

Apr 3 2019, 7:15 PM

Apr 1 2019

chasemp added a project to T213933: PoC alert/notification functionality with Elastic Stack: Restricted Project.
Apr 1 2019, 7:33 PM · User-fgiunchedi, Patch-For-Review, Restricted Project, Security-Team, Wikimedia-Logstash
chasemp added a comment to T165795: Ldap auth extension vs. ldap vs. username Case.

Can we tell ldap to enforce non-case sensitivity?

Apr 1 2019, 5:07 PM · Patch-For-Review, cloud-services-team (Kanban), wikitech.wikimedia.org, MediaWiki-extensions-LdapAuthentication
chasemp removed a member for Security: MarkTraceur.
Apr 1 2019, 2:24 PM
chasemp added a project to T168692: Blocking an account on wikitech should disable LDAP logins: Security-Team.
Apr 1 2019, 1:22 PM · MW-1.33-notes (1.33.0-wmf.23; 2019-03-26), Security-Team, Patch-For-Review, wikitech.wikimedia.org, LDAP, Wikimedia-Incident

Mar 26 2019

chasemp added a project to T219277: Wikitech password reset flow: MediaWiki-General.
Mar 26 2019, 6:09 PM · wikitech.wikimedia.org, MediaWiki-General, Restricted Project, Security
chasemp added a comment to T219277: Wikitech password reset flow.
Mar 26 2019, 6:06 PM · wikitech.wikimedia.org, MediaWiki-General, Restricted Project, Security
chasemp triaged T219277: Wikitech password reset flow as Normal priority.
Mar 26 2019, 1:20 PM · wikitech.wikimedia.org, MediaWiki-General, Restricted Project, Security
chasemp changed the visibility for T219277: Wikitech password reset flow.
Mar 26 2019, 1:20 PM · wikitech.wikimedia.org, MediaWiki-General, Restricted Project, Security

Mar 21 2019

chasemp empowered Dsharpe as an administrator.
Mar 21 2019, 3:26 PM
chasemp changed the "Can Configure Application" policy for application People from "Custom Policy" to "Administrators".
Mar 21 2019, 3:25 PM
chasemp changed the "Can Configure Application" policy for application People from "Administrators" to "Custom Policy".
Mar 21 2019, 3:04 PM
chasemp changed the "Can Disable Users" policy for application People from "Administrators" to "Custom Policy".
Mar 21 2019, 3:03 PM
chasemp changed the "Can Create (non-bot) Users" policy for application People from "Administrators" to "Custom Policy".
Mar 21 2019, 3:03 PM

Mar 20 2019

chasemp added a comment to T218608: OAuth doesn't work when $wgBlockDisablesLogin is true.

Can we find a way to ensure toolsadmin.wikimedia.org doesn't start allowing LDAP user creations when this is fixed? Right now user creation is stopped via wikitech, and is broken there but it would be best to couple the two.

How does user creation work? Does Striker do it on its own, and it just checks something via OAuth first (which now breaks), or does it create accounts via the wikitech API? If it's the latter, just revoke its createaccount permission.

Mar 20 2019, 7:46 PM · cloud-services-team (Kanban), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OAuth, Security
chasemp added a project to T218608: OAuth doesn't work when $wgBlockDisablesLogin is true: Security-Team.

Can we find a way to ensure toolsadmin.wikimedia.org doesn't start allowing LDAP user creations when this is fixed? Right now user creation is stopped via wikitech, and is broken there but it would be best to couple the two.

Mar 20 2019, 6:21 PM · cloud-services-team (Kanban), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OAuth, Security

Mar 18 2019

chasemp added a comment to T218608: OAuth doesn't work when $wgBlockDisablesLogin is true.

https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/497357/

Mar 18 2019, 10:30 PM · cloud-services-team (Kanban), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OAuth, Security
chasemp added a comment to T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.

Outcome from a meeting

Mar 18 2019, 4:13 PM · CommRel-Specialists-Support (Jan-Mar-2019), Security-Team

Mar 15 2019

chasemp added a comment to T218338: labstore: Re-evaluate traffic shaping settings.

I may have some of this in the dusty halls of my brain:

Mar 15 2019, 9:28 PM · cloud-services-team (Kanban)
chasemp closed T217361: Security Issue Access Request for steward election as Resolved.

@chasemp Now enabled, seems to work. Thanks.

Mar 15 2019, 8:46 PM · Security-Team, User-revi, Stewards-and-global-tools, Security
chasemp updated the task description for T217361: Security Issue Access Request for steward election.
Mar 15 2019, 8:46 PM · Security-Team, User-revi, Stewards-and-global-tools, Security
chasemp added a member for Security: Schniggendiller.
Mar 15 2019, 8:45 PM

Mar 14 2019

chasemp added a project to T218308: Add gerrit.wikimedia.org to the Phabricator CSP: Security-Team.
Mar 14 2019, 3:35 PM · Security-Team, Operations, Phabricator, Gerrit

Mar 13 2019

chasemp updated the task description for T217361: Security Issue Access Request for steward election.
Mar 13 2019, 7:26 PM · Security-Team, User-revi, Stewards-and-global-tools, Security