Change Details

Ever since T174492 was done, we have had the ability to log login attempts in CheckUser. This task proposes that we should enable this feature in WMF wikis. **Justification** For successful login attempts, the case is clear: it is one additional data point to use for CU purposes. For failed login attempts, there is still a case to make: these are useful to be logged in that some users (especially those who have advanced permissions such as sysop, but are not using two-factor authentication) have repeatedly reported that their accounts have been targets of several failed login attempts (presumably, at least part of it is done by malicious users that are trying to gain access to their account). Logging the failed attempts will allow CheckUsers to investigate these incidents, and possibly identify another editor who seems to be behind the malicious attempt. **Considerations** One possible question that may come up is: would this be compatible with [[https://meta.wikimedia.org/wiki/CheckUser_policy|WMF CheckUser Policy]]? That policy indicates that "logged actions" are within the scope of CU on WMF. In practice, this includes **some** of the publicly logged actions (e.g. account creation, page deletion, #abusefilter logs) but not all of them (e.g. #Thanks logs are not stored in CheckUser yet, see T252226). This has also included some activities that are not publicly logged (e.g. revision suppression) and some activities whose logs are not accessible anywhere else on MediaWiki's web interface or API (e.g. sending emails is logged by CheckUser, and so are password resets). Given that failed login attempts are already logged by #mediawiki-extensions-loginnotify and shown (currently only to the user), storing them in CU logs should be within scope. The other related policies are [[https://meta.wikimedia.org/wiki/Access_to_nonpublic_personal_data_policy | Access to Nonpublic Personal Data Policy]] and [[https://meta.wikimedia.org/wiki/Privacy_policy|Privacy Policy]] both of which are written generically and do not get into the details of which actions are logged or are not. Another possible question: should we do an RFC about it first? The answer, IMHO, is no, it is not needed. For all of aforementioned items that are currently logged, no RFC was done first to get community consensus on whether or not to include them in the CU logs. **Screenshot** If enabled, the log entries would look like below in a "get edits" query by the IP address. If you query by the username instead, only the first row will be returned. {F31861649 size=full} **Further Notes** As discussed further below, it turns out that some bots log hundreds of successful logins per hour (sometimes even per minute) and that could inflate the CU tables significantly. Therefore, we will exclude successful login attempts from the CU logs kept on WMF wikis. **Action Items** [ ] Introduce `$wgCheckUserLogSuccessfulBotLogins` [ ] Create a patch for `operations/mediawiki-config` that sets the two global variables. [x] Get approval from Legal [ ] Get confirmation for T&S (currently under review) [ ] Get approval from DBA [ ] Enable this for a few wikis, and monitor the growth of DB table size; also get feedback on usefulness of the new data

Ever since T174492 was done, we have had the ability to log login attempts in CheckUser. This task proposes that we should enable this feature in WMF wikis. **Justification** For successful login attempts, the case is clear: it is one additional data point to use for CU purposes. For failed login attempts, there is still a case to make: these are useful to be logged in that some users (especially those who have advanced permissions such as sysop, but are not using two-factor authentication) have repeatedly reported that their accounts have been targets of several failed login attempts (presumably, at least part of it is done by malicious users that are trying to gain access to their account). Logging the failed attempts will allow CheckUsers to investigate these incidents, and possibly identify another editor who seems to be behind the malicious attempt. **Considerations** One possible question that may come up is: would this be compatible with [[https://meta.wikimedia.org/wiki/CheckUser_policy|WMF CheckUser Policy]]? That policy indicates that "logged actions" are within the scope of CU on WMF. In practice, this includes **some** of the publicly logged actions (e.g. account creation, page deletion, #abusefilter logs) but not all of them (e.g. #Thanks logs are not stored in CheckUser yet, see T252226). This has also included some activities that are not publicly logged (e.g. revision suppression) and some activities whose logs are not accessible anywhere else on MediaWiki's web interface or API (e.g. sending emails is logged by CheckUser, and so are password resets). Given that failed login attempts are already logged by #mediawiki-extensions-loginnotify and shown (currently only to the user), storing them in CU logs should be within scope. The other related policies are [[https://meta.wikimedia.org/wiki/Access_to_nonpublic_personal_data_policy | Access to Nonpublic Personal Data Policy]] and [[https://meta.wikimedia.org/wiki/Privacy_policy|Privacy Policy]] both of which are written generically and do not get into the details of which actions are logged or are not. Another possible question: should we do an RFC about it first? The answer, IMHO, is no, it is not needed. For all of aforementioned items that are currently logged, no RFC was done first to get community consensus on whether or not to include them in the CU logs. **Screenshot** If enabled, the log entries would look like below in a "get edits" query by the IP address. If you query by the username instead, only the first row will be returned. {F31861649 size=full} **Further Notes** As discussed further below, it turns out that some bots log hundreds of successful logins per hour (sometimes even per minute) and that could inflate the CU tables significantly. Therefore, we will exclude successful login attempts from the CU logs kept on WMF wikis. **Action Items** [ ] Introduce `$wgCheckUserLogSuccessfulBotLogins` [x] Create a patch for `operations/mediawiki-config` that sets the two global variables. [x] Get approval from Legal [ ] Get confirmation for T&S (currently under review) [ ] Get approval from DBA [ ] Enable this for a few wikis, and monitor the growth of DB table size; also get feedback on usefulness of the new data

Ever since T174492 was done, we have had the ability to log login attempts in CheckUser. This task proposes that we should enable this feature in WMF wikis. **Justification** For successful login attempts, the case is clear: it is one additional data point to use for CU purposes. For failed login attempts, there is still a case to make: these are useful to be logged in that some users (especially those who have advanced permissions such as sysop, but are not using two-factor authentication) have repeatedly reported that their accounts have been targets of several failed login attempts (presumably, at least part of it is done by malicious users that are trying to gain access to their account). Logging the failed attempts will allow CheckUsers to investigate these incidents, and possibly identify another editor who seems to be behind the malicious attempt. **Considerations** One possible question that may come up is: would this be compatible with [[https://meta.wikimedia.org/wiki/CheckUser_policy|WMF CheckUser Policy]]? That policy indicates that "logged actions" are within the scope of CU on WMF. In practice, this includes **some** of the publicly logged actions (e.g. account creation, page deletion, #abusefilter logs) but not all of them (e.g. #Thanks logs are not stored in CheckUser yet, see T252226). This has also included some activities that are not publicly logged (e.g. revision suppression) and some activities whose logs are not accessible anywhere else on MediaWiki's web interface or API (e.g. sending emails is logged by CheckUser, and so are password resets). Given that failed login attempts are already logged by #mediawiki-extensions-loginnotify and shown (currently only to the user), storing them in CU logs should be within scope. The other related policies are [[https://meta.wikimedia.org/wiki/Access_to_nonpublic_personal_data_policy | Access to Nonpublic Personal Data Policy]] and [[https://meta.wikimedia.org/wiki/Privacy_policy|Privacy Policy]] both of which are written generically and do not get into the details of which actions are logged or are not. Another possible question: should we do an RFC about it first? The answer, IMHO, is no, it is not needed. For all of aforementioned items that are currently logged, no RFC was done first to get community consensus on whether or not to include them in the CU logs. **Screenshot** If enabled, the log entries would look like below in a "get edits" query by the IP address. If you query by the username instead, only the first row will be returned. {F31861649 size=full} **Further Notes** As discussed further below, it turns out that some bots log hundreds of successful logins per hour (sometimes even per minute) and that could inflate the CU tables significantly. Therefore, we will exclude successful login attempts from the CU logs kept on WMF wikis. **Action Items** [ ] Introduce `$wgCheckUserLogSuccessfulBotLogins` [ x] Create a patch for `operations/mediawiki-config` that sets the two global variables. [x] Get approval from Legal [ ] Get confirmation for T&S (currently under review) [ ] Get approval from DBA [ ] Enable this for a few wikis, and monitor the growth of DB table size; also get feedback on usefulness of the new data