sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (12 w, 5 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Recent Activity

Yesterday

sbassett added a comment to T151011: Add password generator to account creation / password change form.

I'm not sure how worthwhile this would be if we ever got a decent password strength meter deployed. Though digging through the history, that might be a big if.

Mon, Dec 10, 4:15 PM · User-Tgr, Security, Security-Core, MediaWiki-User-login-and-signup
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

If we're looking to abandon https://gerrit.wikimedia.org/r/475798/, my vote would be to instead go with https://gerrit.wikimedia.org/r/478395/, as it does a good job of balancing both security and usability IMO.

Mon, Dec 10, 4:09 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett triaged T207990: Security review for TheWikipediaLibrary extension as Low priority.
Mon, Dec 10, 4:01 PM · The-Wikipedia-Library, Security-Reviews
sbassett moved T144467: Security review for Google MT for Content Translation from In Progress to Awaiting remediation on the Security-Reviews board.
Mon, Dec 10, 3:58 PM · Patch-For-Review, Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions

Thu, Dec 6

sbassett added a comment to T144467: Security review for Google MT for Content Translation.

Thanks for all of the quick follow-up on this. https://gerrit.wikimedia.org/r/477972 looks good as additional hardening and the new test within test/mt/Yandex.test.js runs well. I think this is looking pretty good, and would like to leave the SAFE_FOR_JQUERY flag implementation up to you and the Language Team to discuss further, as I believe I've probably provided as much relevant feedback within https://gerrit.wikimedia.org/r/477459/ as I can. Also, thanks for the information regarding the specific implementation of the Youdao service. I'm going to review that a bit more, but for now I'm not seeing any issues there, as it seems to be a more restrictive (fewer html tags/markup) version of the 1) reduce html 2) send to MT service 3) expand translated html process.

Thu, Dec 6, 5:04 PM · Patch-For-Review, Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions
sbassett added a comment to T204615: Generate new Captcha word list for prod.

Interesting - thanks for the context and history, @Anomie.

Thu, Dec 6, 4:06 PM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)
sbassett added a comment to T166622: Allow all users on all wikis to use OATHAuth.

Trust-and-Safety might have some additional thoughts here, as they currently manage the operational work around OATHAuth at the moment. Though the tasks @Tgr mentioned should alleviate most of their concerns, I'd imagine.

Thu, Dec 6, 4:01 PM · Security-team-backlog, Trust-and-Safety, MediaWiki-extensions-OATHAuth, Security, Wikimedia-Site-requests
sbassett triaged T204615: Generate new Captcha word list for prod as Normal priority.
Thu, Dec 6, 3:21 PM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)
sbassett added a comment to T204615: Generate new Captcha word list for prod.

A bit out of scope for this task, but have we ever considered creating alternative captchas (math, image classifying, etc?)

Thu, Dec 6, 3:21 PM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

A summary of where I think we're at right now:

Thu, Dec 6, 3:49 AM · Patch-For-Review, Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions

Wed, Dec 5

sbassett added a comment to T144467: Security review for Google MT for Content Translation.

This needs to be fixed via: https://github.com/gwicke/kad/pull/1
This is coming from service-runner and affecting all services. We have asked the services team to update the dependencies.

Wed, Dec 5, 12:46 AM · Patch-For-Review, Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions

Tue, Dec 4

sbassett created P7886 https://github.com/cure53/HTTPLeaks/blob/master/leak.html cleaned.
Tue, Dec 4, 11:53 PM

Mon, Dec 3

sbassett changed the visibility for T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.
Mon, Dec 3, 11:05 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security
sbassett added a comment to T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.

@Bawolff and I are deploying this now.

Mon, Dec 3, 10:37 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security
sbassett added a comment to T144467: Security review for Google MT for Content Translation.

@santhosh et al-

Mon, Dec 3, 10:15 PM · Patch-For-Review, Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions
sbassett updated subscribers of T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.

@Daimona, @Huji - I checked that T210329.patch applies locally to the abusefilter master branch. Looks good. Not sure if @Bawolff or @Reedy are around right now, but we do have the security deployment window today at 22:00 UTC, so just a shade under two hours away (https://wikitech.wikimedia.org/wiki/Deployments#Monday,_December_03). I've got deployment rights and have done config deployments before, so I could probably do this, but:

  1. I don't have CU anywhere, so the best I'd be able to test is locally. The patch doesn't look volatile, but if anything looked amiss in the logs, I'd have to revert immediately.
  2. I've never done a full security patch and deploy before, by myself.
Mon, Dec 3, 8:18 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security

Thu, Nov 29

sbassett added a member for security_assessment_mobile_2018: sbassett.
Thu, Nov 29, 6:28 PM

Wed, Nov 28

sbassett added a comment to T144467: Security review for Google MT for Content Translation.

Hey everybody-

Wed, Nov 28, 11:08 PM · Patch-For-Review, Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions
sbassett claimed T144467: Security review for Google MT for Content Translation.
Wed, Nov 28, 11:07 PM · Patch-For-Review, Language-Team (Language-2018-October-December), Security, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions

Tue, Nov 27

sbassett awarded Blog Post: Bring in 'da noise, bring in defunct. It's a zombie party! a Like token.
Tue, Nov 27, 10:06 PM · Continuous-Integration-Infrastructure, Release-Engineering-Team
sbassett changed the visibility for T208474: SQL injection attacks showing up in webrequest logs.
Tue, Nov 27, 9:00 PM · Security-Team, Security
sbassett closed T208474: SQL injection attacks showing up in webrequest logs as Resolved.

Hey Jon-

Tue, Nov 27, 9:00 PM · Security-Team, Security

Mon, Nov 26

sbassett moved T208431: Add Marble to `wmf` LDAP group from Backlog to Waiting on the Security-Team board.
Mon, Nov 26, 9:04 PM · Patch-For-Review, Security-Team, LDAP-Access-Requests
sbassett added a comment to T207777: audit password policy check for constant time string comparisons.

Thanks, @Aklapper.

Mon, Nov 26, 3:43 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Google-Code-in-2018, MediaWiki-User-management, Security

Tue, Nov 20

sbassett added a project to T210018: Security Issue Access Request for @jeena: Security-Team.
Tue, Nov 20, 10:48 PM · Security-Team, Security
sbassett updated subscribers of T210018: Security Issue Access Request for @jeena.
Tue, Nov 20, 10:47 PM · Security-Team, Security
sbassett triaged T210018: Security Issue Access Request for @jeena as Normal priority.
Tue, Nov 20, 10:47 PM · Security-Team, Security
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

@Jdforrester-WMF The Security-Team discussed that item today as well, and perhaps filing it as a separate task related to this issue. Given some of the feedback above, it might be wiser to pursue that approach as opposed to this one.

Tue, Nov 20, 10:43 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Tue, Nov 20, 10:11 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Tue, Nov 20, 10:06 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett added a comment to T207990: Security review for TheWikipediaLibrary extension.

@Catrope - sounds good, thanks.

Tue, Nov 20, 9:42 PM · The-Wikipedia-Library, Security-Reviews
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

Well you are proposing removal of functionality that's only displaying public data. This does need to be balanced against the value of that functionality.

Tue, Nov 20, 6:35 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett added a project to T209972: Remove auto-fill/suggest of usernames from password reset forms: Trust-and-Safety.
Tue, Nov 20, 6:20 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett moved T206350: Onboard Michal Anna (to begin on Oct 9th) from In Progress to Waiting on the Security-Team board.
Tue, Nov 20, 5:42 PM · Security-Team
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Tue, Nov 20, 5:40 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett added a comment to T209972: Remove auto-fill/suggest of usernames from password reset forms.

Is that a bad thing? Increasing obscurity and potentially deterring certain behaviors while reassuring legitimate users seems like a good thing.

Tue, Nov 20, 5:37 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett updated the task description for T209972: Remove auto-fill/suggest of usernames from password reset forms.
Tue, Nov 20, 5:04 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett triaged T209972: Remove auto-fill/suggest of usernames from password reset forms as Low priority.
Tue, Nov 20, 5:02 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security
sbassett created T209972: Remove auto-fill/suggest of usernames from password reset forms.
Tue, Nov 20, 5:02 PM · Patch-For-Review, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-Special-pages, Security-Team, Security

Mon, Nov 19

sbassett added a comment to T208431: Add Marble to `wmf` LDAP group.

She may have two wikitech accounts. The one she's linked to Phab is Marble: https://phabricator.wikimedia.org/p/mmarble/. So I'd guess that's correct - @mmarble, can you confirm which wikitech is your primary? Then I'd imagine we can close this out.

Mon, Nov 19, 9:42 PM · Patch-For-Review, Security-Team, LDAP-Access-Requests
sbassett added a comment to T207777: audit password policy check for constant time string comparisons.

Agreed. I'm also happy to mentor anyone for this task, as far as working on mw code, CR in gerrit, etc.

Mon, Nov 19, 9:34 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Google-Code-in-2018, MediaWiki-User-management, Security
sbassett added a comment to T207777: audit password policy check for constant time string comparisons.

If we're just talking about three instances here (lines 89, 112, 117) in PasswordPolicyChecks.php (all I see atm), could this be a Google-Code-in-2018 task? I feel like, given the severity, this could potentially be done publicly in gerrit.

Mon, Nov 19, 7:52 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Google-Code-in-2018, MediaWiki-User-management, Security
sbassett moved T207990: Security review for TheWikipediaLibrary extension from Backlog to In Progress on the Security-Reviews board.
Mon, Nov 19, 5:34 PM · The-Wikipedia-Library, Security-Reviews
sbassett claimed T207990: Security review for TheWikipediaLibrary extension.

I'll start on this. @Catrope - just to confirm, everything there is for this extension is already at: https://github.com/wikimedia/mediawiki-extensions-TheWikipediaLibrary (aside from Flow, which it integrates with)? No pending or near-future commits atm? Thanks.

Mon, Nov 19, 5:28 PM · The-Wikipedia-Library, Security-Reviews

Thu, Nov 15

sbassett added a member for Security-Reviews: sbassett.
Thu, Nov 15, 5:24 PM

Wed, Nov 14

sbassett added a comment to T206784: Security Issue Access Request for Effie Mouzeli.

Right. I'm on the Security-Team and I'd imagine we'd be fine giving any SRE member rights to Security. I just tagged the folks above as they are 1) also on the Security-Team and 2) have full rights to add members to Security (I currently do not.)

Wed, Nov 14, 3:05 PM · Security-Team, User-jijiki, Security

Tue, Nov 13

sbassett updated subscribers of T206784: Security Issue Access Request for Effie Mouzeli.

@Bawolff, @JBennett, @Reedy or @chasemp will need to grant you access to Security, as I believe they are currently the only folks w/ Phab permissions to do so.

Tue, Nov 13, 10:55 PM · Security-Team, User-jijiki, Security
sbassett closed T207798: Security review for GrowthExperiments extension as Resolved.
Tue, Nov 13, 4:03 PM · Growth-Team, Security-Reviews
sbassett closed T207798: Security review for GrowthExperiments extension, a subtask of T206365: [EPIC] Growth: Personalized first day (Part 1), as Resolved.
Tue, Nov 13, 4:03 PM · Epic, Growth-Team

Nov 7 2018

sbassett added a comment to T207798: Security review for GrowthExperiments extension.

Thanks for the update and info - still learning my way around some of these components. This all sounds fine. And yes, if you wouldn't mind adding me as a reviewer when any additional patches are submitted to gerrit prior to launch, that'd be great.

Nov 7 2018, 4:19 PM · Growth-Team, Security-Reviews
sbassett triaged T208431: Add Marble to `wmf` LDAP group as Normal priority.

@Krenair - that's correct, re: her wikitech username.

Nov 7 2018, 4:13 PM · Patch-For-Review, Security-Team, LDAP-Access-Requests

Nov 6 2018

sbassett moved T207798: Security review for GrowthExperiments extension from In Progress to Awaiting remediation on the Security-Reviews board.
Nov 6 2018, 10:29 PM · Growth-Team, Security-Reviews
sbassett added a comment to T207798: Security review for GrowthExperiments extension.

Security Review Summary - November 2018
Overall, this extension looks pretty good. No PHP or JS package/module vulnerabilities as reported by npm audit and security-checker. No DoS vectors or http leaks. And it looks like many of the items elicited here and here are fine or a non-issue for this extension. I did find a few minor things noted below:

Nov 6 2018, 10:28 PM · Growth-Team, Security-Reviews
sbassett updated the task description for T206350: Onboard Michal Anna (to begin on Oct 9th).
Nov 6 2018, 8:05 PM · Security-Team
sbassett added a comment to T207798: Security review for GrowthExperiments extension.

This will be completed today. I spent most of yesterday reviewing it and just have a couple more items I wanted to check. So far nothing major to report.

Nov 6 2018, 2:41 PM · Growth-Team, Security-Reviews

Nov 2 2018

sbassett added a comment to T207798: Security review for GrowthExperiments extension.

fwiw, I'm not seeing anything egregious within r/469211. I've got the extension enabled in mw-vagrant and am going to pen-test a bit more. Should have full results early next week.

Nov 2 2018, 10:13 PM · Growth-Team, Security-Reviews

Nov 1 2018

sbassett added a comment to T207798: Security review for GrowthExperiments extension.

Apologies, but this is going to be delayed a bit due to other ongoing issues. Still hopeful I can turn it around sometime soon.

Nov 1 2018, 8:29 PM · Growth-Team, Security-Reviews
sbassett triaged T208474: SQL injection attacks showing up in webrequest logs as High priority.
Nov 1 2018, 5:02 PM · Security-Team, Security

Oct 31 2018

sbassett added a comment to T207852: Requesting access to deployment and analytics-privatedata-users for sbassett.

@ema Looks like I'm in (sbassett@stat1007:~$)

Oct 31 2018, 3:57 PM · Patch-For-Review, User-jijiki, SRE-Access-Requests, Operations
sbassett updated subscribers of T206350: Onboard Michal Anna (to begin on Oct 9th).
Oct 31 2018, 3:45 PM · Security-Team
sbassett added a comment to T206350: Onboard Michal Anna (to begin on Oct 9th).

Never mind, I see T208431 now (thanks, @Krenair). Looks like that's in progress. Did you get added to the wmf LDAP group? Not seeing you here: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/admin/data/data.yaml, which I think you should be? You'd probably want to create a ticket like T204382 for that. I think you can just use the standard task request form: https://phabricator.wikimedia.org/maniphest/task/edit/form/1/ and then add LDAP-Access-Requests and Security-Team to the tags and someone will get to it.

Oct 31 2018, 3:42 PM · Security-Team

Oct 30 2018

sbassett added a comment to T207798: Security review for GrowthExperiments extension.

@MMiller_WMF Ok, sounds good. I believe a local Privacy Policy like this would override the standard Terms of Use, Cookie statement and Data retention guidelines, which should be fine. Thanks.

Oct 30 2018, 5:29 PM · Growth-Team, Security-Reviews
sbassett updated subscribers of T206350: Onboard Michal Anna (to begin on Oct 9th).

This is looking good. I think the important things left are:

Oct 30 2018, 4:46 PM · Security-Team
sbassett updated the task description for T206350: Onboard Michal Anna (to begin on Oct 9th).
Oct 30 2018, 4:30 PM · Security-Team

Oct 29 2018

sbassett updated subscribers of T207798: Security review for GrowthExperiments extension.

@Catrope- still hope to have this completed by tomorrow or this Weds (apologies - recent security incident fallout). One initial step I was reminded of by @Bawolff that is quasi-security-related - have the new privacy and data retention policy statements (for surveys, etc.) been approved by legal yet?

Oct 29 2018, 8:48 PM · Growth-Team, Security-Reviews
sbassett added a member for Security-team-backlog: sbassett.
Oct 29 2018, 6:12 PM
sbassett added a member for phan-taint-check-plugin: sbassett.
Oct 29 2018, 6:11 PM
sbassett added a watcher for Vuln-Infoleak: sbassett.
Oct 29 2018, 6:11 PM
sbassett updated subscribers of T207852: Requesting access to deployment and analytics-privatedata-users for sbassett.

@jijiki - I think I just need deployment and analytics-privatedata-users. I modeled it off of what @Bawolff has here, which should be all I'd need for now: https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/admin/data/data.yaml.

Oct 29 2018, 3:12 PM · Patch-For-Review, User-jijiki, SRE-Access-Requests, Operations
sbassett added a member for Security-Team: mmarble.
Oct 29 2018, 1:40 PM

Oct 26 2018

sbassett added a comment to T207852: Requesting access to deployment and analytics-privatedata-users for sbassett.

Tagging @JBennett for approval (so I can start doing Brian and Sam things)

Oct 26 2018, 8:44 PM · Patch-For-Review, User-jijiki, SRE-Access-Requests, Operations

Oct 24 2018

sbassett triaged T207798: Security review for GrowthExperiments extension as Normal priority.

Hey @Catrope - I should be able to look at this soon and have a review by the 29th for you. I'll focus on the patch (469211) and let you know if I have any questions. Thanks.

Oct 24 2018, 4:49 PM · Growth-Team, Security-Reviews
sbassett moved T207798: Security review for GrowthExperiments extension from Backlog to In Progress on the Security-Reviews board.
Oct 24 2018, 4:22 PM · Growth-Team, Security-Reviews
sbassett claimed T207798: Security review for GrowthExperiments extension.
Oct 24 2018, 3:56 PM · Growth-Team, Security-Reviews
sbassett created T207852: Requesting access to deployment and analytics-privatedata-users for sbassett.
Oct 24 2018, 3:16 PM · Patch-For-Review, User-jijiki, SRE-Access-Requests, Operations

Oct 23 2018

sbassett added a comment to T207777: audit password policy check for constant time string comparisons.

@Aklapper - mw core: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/refs/heads/master/includes/password/PasswordPolicyChecks.php

Oct 23 2018, 7:37 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Google-Code-in-2018, MediaWiki-User-management, Security

Oct 17 2018

sbassett added a comment to T204603: #Security access for Mooeypoo.

@Bawolff I do for Security-Team but apparently not for Security...

Oct 17 2018, 9:05 PM · Security-Team, Security
sbassett updated subscribers of T204603: #Security access for Mooeypoo.

I believe @Reedy has the magical powers to do this, and maybe @JBennett? There's also this one: T204853.

Oct 17 2018, 7:33 PM · Security-Team, Security
sbassett added a comment to T205972: Fixup Phan errors in SecurePoll.

Seems like there's been a decent effort to get SecurePoll to play nicely w/ the seccheck plugin: T202365, https://gerrit.wikimedia.org/r/460211/

Oct 17 2018, 7:30 PM · MW-1.33-notes (1.33.0-wmf.4; 2018-11-13), Patch-For-Review, phan-taint-check-plugin, MediaWiki-extensions-SecurePoll

Oct 16 2018

sbassett updated the task description for T206350: Onboard Michal Anna (to begin on Oct 9th).
Oct 16 2018, 6:58 PM · Security-Team
sbassett changed the status of T206350: Onboard Michal Anna (to begin on Oct 9th) from Stalled to Open.
Oct 16 2018, 6:37 PM · Security-Team

Oct 11 2018

sbassett renamed T206784: Security Issue Access Request for Effie Mouzeli from Security Issue Access Request for (Your Phabricator Username) to Security Issue Access Request for Effie Mouzeli.
Oct 11 2018, 6:42 PM · Security-Team, User-jijiki, Security
sbassett changed the status of T206350: Onboard Michal Anna (to begin on Oct 9th) from Open to Stalled.
Oct 11 2018, 2:34 PM · Security-Team

Oct 5 2018

sbassett updated the task description for T206350: Onboard Michal Anna (to begin on Oct 9th).
Oct 5 2018, 7:25 PM · Security-Team
sbassett updated the task description for T206350: Onboard Michal Anna (to begin on Oct 9th).
Oct 5 2018, 7:12 PM · Security-Team
sbassett moved T206350: Onboard Michal Anna (to begin on Oct 9th) from Backlog to In Progress on the Security-Team board.
Oct 5 2018, 6:11 PM · Security-Team
sbassett updated the task description for T206350: Onboard Michal Anna (to begin on Oct 9th).
Oct 5 2018, 6:08 PM · Security-Team
sbassett created T206350: Onboard Michal Anna (to begin on Oct 9th).
Oct 5 2018, 6:07 PM · Security-Team

Oct 4 2018

sbassett added a comment to T193780: Wikimetrics docker build/test environment is broken.

Sounds good, thanks.

Oct 4 2018, 9:47 PM · Patch-For-Review, Analytics-Wikimetrics, Analytics

Oct 2 2018

sbassett added a comment to T193780: Wikimetrics docker build/test environment is broken.

Hmm, a handful of flake8 fails unrelated to my patch: https://integration.wikimedia.org/ci/job/tox-docker/4084/console. I could add the check codes to the ignore list in tox.ini, but I'm probably not the right person to make that call.

Oct 2 2018, 9:45 PM · Patch-For-Review, Analytics-Wikimetrics, Analytics
sbassett added a comment to T193780: Wikimetrics docker build/test environment is broken.

Not sure exactly what issues this ticket meant to address, but I was able to get the docker env working for the current master branch of wikimetrics with a few modifications to docker-compose.yml and wikimetrics/config/queue_config.yaml, under docker 18.06.1-ce using the rev 3 compose file format (https://docs.docker.com/compose/compose-file/compose-versioning/). I know this is a low-priority item at the moment, but I wanted to get this working for some sec rev work I'm performing (though sadly, the meta and Google OAuth config tokens seem to maybe not be working within my local dev env.) Happy to submit this patch in gerrit if it helps solve some of these issues.

Oct 2 2018, 9:05 PM · Patch-For-Review, Analytics-Wikimetrics, Analytics

Sep 21 2018

sbassett added a comment to T204853: Security Issue Access Request for MBinder_WMF.

FWIW, as a recent staff addition, I don't recall signing anything resembling an NDA within my new-hire paperwork. Apparently that was in my Terms of Employment sheet.

Sep 21 2018, 1:46 PM · Security-Team, Security

Sep 20 2018

zeljkofilipin awarded T203145: Vagrant 2.1.[3-5] - NameError: uninitialized constant MediaWikiVagrant::Environment a Party Time token.
Sep 20 2018, 8:41 AM · Patch-For-Review, Upstream, User-zeljkofilipin, MediaWiki-Vagrant

Sep 18 2018

sbassett added a comment to T203145: Vagrant 2.1.[3-5] - NameError: uninitialized constant MediaWikiVagrant::Environment.

Not sure why, but adding

Sep 18 2018, 8:14 PM · Patch-For-Review, Upstream, User-zeljkofilipin, MediaWiki-Vagrant

Sep 17 2018

sbassett triaged T204590: Add sbassett to security@ as Normal priority.
Sep 17 2018, 7:30 PM · Operations
sbassett added a watcher for Security: sbassett.
Sep 17 2018, 7:20 PM
sbassett updated subscribers of T204382: wmf group access for SBassett.

(Tagging @JBennett for any approval issues)

Sep 17 2018, 3:01 PM · Patch-For-Review, Security-Team, LDAP-Access-Requests

Sep 14 2018

sbassett created T204382: wmf group access for SBassett.
Sep 14 2018, 8:36 PM · Patch-For-Review, Security-Team, LDAP-Access-Requests
sbassett added a watcher for Security-Reviews: sbassett.
Sep 14 2018, 5:54 PM
sbassett added a member for Security-Team: sbassett.
Sep 14 2018, 5:53 PM