Security-Team dropped the ball here on feedback. This is a bit of one-off, and I'll feed it back into our queue so it gets attention, but I support @jaime and @Marostegui in their practicality. Thanks gents.

Sep 17 2020, 2:39 PM · WMF-Legal, Privacy Engineering, Security, SecTeam Discussion, Performance Issue, DBA

Sep 16 2020

• chasemp changed the visibility for T169862: WDQS's REGEX() function is not subject to timeout.

Sep 16 2020, 1:45 PM · Security, Upstream, User-Smalyshev, Discovery-Wikidata-Query-Service-Sprint, Wikidata-Query-Service, Discovery-ARCHIVED, Wikidata

• chasemp added a comment to T169862: WDQS's REGEX() function is not subject to timeout.

In T169862#6013736, @dcausse wrote:

I think we can make this task public, the workaround has been shipped to blazegraph 2.1.5 via https://github.com/blazegraph/database/commit/d13f320ffefc90d668a3411c466ec3c1adf00e10

Sep 16 2020, 1:44 PM · Security, Upstream, User-Smalyshev, Discovery-Wikidata-Query-Service-Sprint, Wikidata-Query-Service, Discovery-ARCHIVED, Wikidata

• chasemp edited projects for T262963: Security Readiness Review For geoip2/geoip2, added: Application Security Reviews; removed Security-Team.

In T262963#6465475, @Gilles wrote:

In T262963#6463951, @chasemp wrote:

The question would be, are these packaged in debian?

I believe we bring PHP libraries into MediaWiki and extensions with composer.

Sep 16 2020, 1:17 PM · user-sbassett, Security, secscrum, Application Security Reviews, Anti-Harassment, IP Info, MediaWiki-Vendor

Sep 15 2020

• chasemp added a comment to T262963: Security Readiness Review For geoip2/geoip2.

We already use maxmind in production in a few places and have a subscription. The geoip2 lib for python seems in use, but I don't see the PHP libs.

Sep 15 2020, 6:29 PM · user-sbassett, Security, secscrum, Application Security Reviews, Anti-Harassment, IP Info, MediaWiki-Vendor

Sep 1 2020

• chasemp reassigned T261765: Requesting access to #wikimedia-security for sobanski from • chasemp to • Dsharpe.

@LSobanski not passing the buck I swear! @Dsharpe has been handling this as part of our Fusion Center function so I'll leave it to his process.

Sep 1 2020, 4:46 PM · Security-Team

Aug 17 2020

• chasemp moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Incoming to Watching on the Security-Team board.

Aug 17 2020, 3:11 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Aug 5 2020

• chasemp added a member for Release Pipeline: • chasemp.

Aug 5 2020, 3:18 PM

• chasemp added a comment to T85203: Imported bugzilla comment by specific account (mwjames) has "Unknown Object (User)" as commenter (does not happen as task author).

Might be a WONTFIX / declined nowadays... :-/

Aug 5 2020, 2:51 PM · Phabricator

Aug 4 2020

• chasemp awarded T200987: Set up volunteer code review queue a Love token.

Aug 4 2020, 12:17 PM · Code-Review-Workgroup

Jul 16 2020

• chasemp lowered the priority of T258134: UrlShortener is shortening URLs from all domains from Unbreak Now! to Medium.

Seems addressed but cleanup remains? Downgrading priority to reflect for now if so. Secteam will also discuss in our weekly.

Jul 16 2020, 12:46 PM · MW-1.35-notes (1.35.0-wmf.41; 2020-07-14), Security, Security-Team

Jul 13 2020

• chasemp added a project to T257830: Create security.wikimedia.org: Epic.

Jul 13 2020, 2:32 PM · Epic, Security-Team

Jul 9 2020

• chasemp moved T257507: HTTP 500 error trying to access phabricator from my server from Incoming to Watching on the Security-Team board.

In T257507#6294524, @Dzahn wrote:

might be blocked due to past vandalism.

Yes, confirmed. This IP is in a range that is blocked by us. It comes from T218589 most likely. CC: @chasemp

why isn't there a... more informative error message

I filed T229620 for this a while ago.

Jul 9 2020, 8:16 PM · Security-Team, SRE, Phabricator

• chasemp closed T162171: Become a CVE Numbering Authority (CNA) for MediaWiki and extensions as Declined.

I think this has been discussed and decline for now. We can always revisit whenever.

Jul 9 2020, 3:38 PM · Security-Team

• chasemp removed a project from T243436: Refine Seakeeper proposal for Security/SRE review: Security-Team.

Stepping Security-Team back from this as our understanding is this is potentially indefinitely stalled, and we are trying to be diligent with containing our 'watching' elements.

Jul 9 2020, 3:37 PM · Release-Engineering-Team (Doing)

Jul 2 2020

• chasemp closed T248095: test for assigned but wrong projects as Resolved.

Jul 2 2020, 4:28 PM · User-chasemp

• chasemp closed T256987: Add reporting for untracked assigned issues to Peek as Resolved.

Jul 2 2020, 4:26 PM · PM, Peek, Security-Team

• chasemp triaged T256987: Add reporting for untracked assigned issues to Peek as Medium priority.

Really, this involves refactoring the anti pattern reporting code first to make this a sane addition.

Jul 2 2020, 3:34 PM · PM, Peek, Security-Team

• chasemp created T256987: Add reporting for untracked assigned issues to Peek.

Jul 2 2020, 3:34 PM · PM, Peek, Security-Team

• chasemp claimed T248095: test for assigned but wrong projects.

Jul 2 2020, 2:42 PM · User-chasemp

Jul 1 2020

• chasemp renamed T248095: test for assigned but wrong projects from test for assigned but wrong tasks to test for assigned but wrong projects.

Jul 1 2020, 6:25 PM · User-chasemp

• chasemp reopened T248095: test for assigned but wrong projects as "Open".

Jul 1 2020, 6:24 PM · User-chasemp

• chasemp renamed T248095: test for assigned but wrong projects from test for inprogress but unassigned reporting to test for assigned but wrong tasks.

Jul 1 2020, 6:08 PM · User-chasemp

Jun 18 2020

• chasemp awarded T255707: Security Issue Access Request for Jrogers-WMF a Like token.

Jun 18 2020, 1:17 PM · Security-Team, Security

Jun 17 2020

• chasemp added a subtask for T251190: Security Request For Service - Push Notifications: Unknown Object (Task).

Jun 17 2020, 3:48 PM · Privacy Engineering, Push-Notification-Service, Product-Infrastructure-Team-Backlog-Deprecated, Security-Team

Jun 16 2020

• chasemp awarded T255392: August 2020 Wikimedia Technical Talk: openZIM/Kiwix ETL toolchain for Wikipedia dumping a Mountain of Wealth token.

Jun 16 2020, 8:37 PM · Wikimedia-Tech-Talks, User-srodlund, Developer-Advocacy (Jul-Sep 2020), affects-Kiwix-and-openZIM, Documentation

• chasemp updated subscribers of T255571: removed.

Thank you @Majavah

Jun 16 2020, 3:34 PM · Trash

• chasemp added a comment to T223463: (2019-09) Create secteam groups in admin.yaml and define permissions.

Apologies @jcrespo and @herron for the lag here. I was away (thanks for updating the task @sbassett) and then this fell to the bottom of the pile due to fires forever and ever it feels like. I'll cleanup, revisit, and add the tags as appropriate.

Jun 16 2020, 3:24 PM · SRE, Security-Team, Patch-For-Review

Jun 12 2020

• chasemp triaged T254628: Security Readiness Review For Diff (diff.wikimedia.org) as Medium priority.

Jun 12 2020, 2:32 PM · Privacy Engineering, secscrum, Security, Application Security Reviews

• chasemp updated the task description for T254628: Security Readiness Review For Diff (diff.wikimedia.org).

Jun 12 2020, 2:21 PM · Privacy Engineering, secscrum, Security, Application Security Reviews

Jun 10 2020

jcrespo awarded T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam a Like token.

Jun 10 2020, 5:10 PM · Peek, Security-Team, SRE, Phabricator

• chasemp closed T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam as Resolved.

Jun 10 2020, 4:31 PM · Peek, Security-Team, SRE, Phabricator

• chasemp closed T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam, a subtask of T132324: Tracking and Reducing cron-spam to root@ , as Resolved.

Jun 10 2020, 4:31 PM · Patch-For-Review, Tracking-Neverending, SRE

• chasemp moved T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam from In Progress to Our Part Is Done on the Security-Team board.

sudo -u peek crontab -l
# HEADER: This file was autogenerated at 2020-06-10 16:26:11 +0000 by puppet.
# HEADER: While it can still be managed manually, it is definitely not recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
# Puppet Name: peek_monthly
MAILTO=security-team@wikimedia.org
0 0 1 * * . $HOME/.profile; /var/lib/peek/git/peek.py -c /etc/peek/config/base.conf,/etc/peek/config/monthly.conf -s > /dev/null
# Puppet Name: peek_weekly
MAILTO=security-team@wikimedia.org
0 0 * * 1 . $HOME/.profile; /var/lib/peek/git/peek.py -c /etc/peek/config/base.conf,/etc/peek/config/weekly.conf -s > /dev/null

Jun 10 2020, 4:31 PM · Peek, Security-Team, SRE, Phabricator

• chasemp moved T217435: Changing /wiki/Security and wiki/MediaWiki security reference content from Waiting to Our Part Is Done on the Security-Team board.

Jun 10 2020, 3:47 PM · MoveComms-Support (Jan-Mar-2019), Security-Team

• chasemp updated the task description for T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.

Jun 10 2020, 3:47 PM · MoveComms-Support (Jan-Mar-2019), Security-Team

• chasemp closed T217435: Changing /wiki/Security and wiki/MediaWiki security reference content as Resolved.

In T217435#6188068, @Aklapper wrote:

In T217435#5806759, @chasemp wrote:

I talked with @JBennett about this today, he is going to reach out to @APalmer_WMF to discuss a bit.

@JBennett, @APalmer_WMF: Was there any outcome to share?

Jun 10 2020, 3:45 PM · MoveComms-Support (Jan-Mar-2019), Security-Team

Jun 9 2020

• chasemp claimed T217435: Changing /wiki/Security and wiki/MediaWiki security reference content.

Jun 9 2020, 4:22 PM · MoveComms-Support (Jan-Mar-2019), Security-Team

Jun 8 2020

• chasemp added a comment to T254628: Security Readiness Review For Diff (diff.wikimedia.org).

The referenced code link is dead here https://github.com/wpcomvip/wikimedia-blog-wikimedia-org/

Jun 8 2020, 3:18 PM · Privacy Engineering, secscrum, Security, Application Security Reviews

• chasemp closed T248095: test for assigned but wrong projects as Declined.

This test task has served it's reporting purpose.

Jun 8 2020, 2:55 PM · User-chasemp

Jun 3 2020

• chasemp closed T254042: Investigate peek0[12].orch.eqiad.wmflabs not allowing SSH connections from cloud-cumin-01 as Resolved.

deleted :)

Jun 3 2020, 3:50 PM · Peek, Security-Team, Cloud-VPS

• chasemp moved T254368: Change peek scheduled jobs to systemd timer or k8s cron from Backlog to Radar on the SRE board.

Jun 3 2020, 3:35 PM · SRE, Peek, PM, Security-Team

• chasemp moved T254368: Change peek scheduled jobs to systemd timer or k8s cron from Incoming to Back Orders on the Security-Team board.

Jun 3 2020, 3:35 PM · SRE, Peek, PM, Security-Team

• chasemp triaged T254368: Change peek scheduled jobs to systemd timer or k8s cron as Medium priority.

Jun 3 2020, 3:34 PM · SRE, Peek, PM, Security-Team

Jun 1 2020

• chasemp added a project to T254042: Investigate peek0[12].orch.eqiad.wmflabs not allowing SSH connections from cloud-cumin-01: Peek.

Jun 1 2020, 3:09 PM · Peek, Security-Team, Cloud-VPS

• chasemp edited projects for T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam, added: Peek; removed Security.

Jun 1 2020, 3:09 PM · Peek, Security-Team, SRE, Phabricator

• chasemp placed T253901: Automate ticket removal from "Watching" column on the #Security-team Phabricator workboard after a certain timeframe up for grabs.

Jun 1 2020, 3:08 PM · Peek, User-chasemp, PM, Security-Team

• chasemp created Peek.

Jun 1 2020, 3:07 PM

• chasemp lowered the priority of T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam from High to Medium.

Jun 1 2020, 3:06 PM · Peek, Security-Team, SRE, Phabricator

• chasemp triaged T254042: Investigate peek0[12].orch.eqiad.wmflabs not allowing SSH connections from cloud-cumin-01 as Medium priority.

Jun 1 2020, 3:04 PM · Peek, Security-Team, Cloud-VPS

• chasemp edited projects for T253901: Automate ticket removal from "Watching" column on the #Security-team Phabricator workboard after a certain timeframe, added: User-chasemp; removed Patch-For-Review.

Jun 1 2020, 3:03 PM · Peek, User-chasemp, PM, Security-Team

• chasemp added a project to T253901: Automate ticket removal from "Watching" column on the #Security-team Phabricator workboard after a certain timeframe: PM.

Jun 1 2020, 3:03 PM · Peek, User-chasemp, PM, Security-Team

• chasemp moved T253901: Automate ticket removal from "Watching" column on the #Security-team Phabricator workboard after a certain timeframe from Incoming to Back Orders on the Security-Team board.

Jun 1 2020, 3:03 PM · Peek, User-chasemp, PM, Security-Team

• chasemp moved T254042: Investigate peek0[12].orch.eqiad.wmflabs not allowing SSH connections from cloud-cumin-01 from Incoming to In Progress on the Security-Team board.

Jun 1 2020, 11:30 AM · Peek, Security-Team, Cloud-VPS

• chasemp claimed T254042: Investigate peek0[12].orch.eqiad.wmflabs not allowing SSH connections from cloud-cumin-01.

I'll take a look.

Jun 1 2020, 11:29 AM · Peek, Security-Team, Cloud-VPS

• chasemp moved T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam from Incoming to In Progress on the Security-Team board.

Jun 1 2020, 11:22 AM · Peek, Security-Team, SRE, Phabricator

• chasemp claimed T254127: peek is incorrectly configured to run every minute every 1st of the month, creating large amounts of cronspam.

Thanks for disabling @jcrespo, sorry for the avalanche. Systemd timer seems like a sane idea.

Jun 1 2020, 11:22 AM · Peek, Security-Team, SRE, Phabricator

May 29 2020

Dzahn awarded T251784: Puppetize Peek for running in prod a Like token.

May 29 2020, 3:34 PM · Security-Team

• chasemp moved T242285: Create status mechanism(s) for security-team@ combining Asana and Phab from In Progress to Our Part Is Done on the Security-Team board.

May 29 2020, 3:24 PM · PM, Security-Team

• chasemp closed T242285: Create status mechanism(s) for security-team@ combining Asana and Phab as Resolved.

May 29 2020, 3:24 PM · PM, Security-Team

• chasemp closed T251784: Puppetize Peek for running in prod as Resolved.

May 29 2020, 3:24 PM · Security-Team

• chasemp closed T251784: Puppetize Peek for running in prod, a subtask of T242285: Create status mechanism(s) for security-team@ combining Asana and Phab, as Resolved.

May 29 2020, 3:24 PM · PM, Security-Team

• chasemp added a comment to T251784: Puppetize Peek for running in prod.

In T251784#6175541, @Dzahn wrote:

Please don't forget to add peek to https://wikitech.wikimedia.org/wiki/Infrastructure_naming_conventions

May 29 2020, 3:24 PM · Security-Team

May 28 2020

• chasemp triaged T253901: Automate ticket removal from "Watching" column on the #Security-team Phabricator workboard after a certain timeframe as Low priority.

May 28 2020, 8:38 PM · Peek, User-chasemp, PM, Security-Team

May 27 2020

• chasemp added a comment to T251784: Puppetize Peek for running in prod.

In T251784#6126514, @chasemp wrote:

waiting on the VM

May 27 2020, 7:22 PM · Security-Team

• chasemp closed T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team), a subtask of T242285: Create status mechanism(s) for security-team@ combining Asana and Phab, as Resolved.

May 27 2020, 2:16 PM · PM, Security-Team

• chasemp closed T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team) as Resolved.

In T252210#6169212, @Dzahn wrote:

@chasemp The VM has been created and I installed the OS and signed the puppet cert request. It is in site.pp with the "insetup" role. The initial puppet run is ongoing right now and I ran out of time. In a couple minutes you should be able to SSH to it. You can start creating your puppet role and applying it in site.pp

May 27 2020, 2:16 PM · serviceops, PM, Security-Team, vm-requests, SRE

• chasemp added a comment to T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team).

In T252210#6168983, @Dzahn wrote:

Creating VM peek2001.codfw.wmnet in cluster ganeti01.svc.codfw.wmnet with row=B vcpus=1 memory=2GB disk=20GB link=private. This may take a few minutes.

May 27 2020, 1:12 PM · serviceops, PM, Security-Team, vm-requests, SRE

• chasemp updated the task description for T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team).

May 27 2020, 12:58 PM · serviceops, PM, Security-Team, vm-requests, SRE

• chasemp added a comment to T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team).

In T252210#6168163, @Dzahn wrote:

Ah, wait, so i was about to create it and already added peek2001.codfw.wmnet to DNS but then noticed it asks for external IP. So this really needs to be peek2001.wikimedia.org ? (Why though? )

May 27 2020, 12:58 PM · serviceops, PM, Security-Team, vm-requests, SRE

May 26 2020

• chasemp added a comment to T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team).

In T252210#6165524, @MoritzMuehlenhoff wrote:

@chasemp I think it's a little overblown, but if it helps unblocking existing tests, feel free go ahead. Our Ganeti capacity in eqiad is exceeded though, you'll have to wait until the new servers are fully setup or you can set up the instance as peek2001 (the DC shouldn't matter for your use case).

May 26 2020, 3:27 PM · serviceops, PM, Security-Team, vm-requests, SRE

• chasemp added a comment to T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team).

@MoritzMuehlenhoff could you revisit this when you have a minute? I'd like to get this off my plate and @wiki_willy and I were waiting on this to do some coordination.

May 26 2020, 3:10 PM · serviceops, PM, Security-Team, vm-requests, SRE

• chasemp edited projects for T71367: page_recent_contributors leaks revdeleted user names (CVE-2021-31545), added: Privacy Engineering; removed Security-Team.

May 26 2020, 2:32 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.35; 2021-03-16), AbuseFilter (Overhaul-2020), Privacy Engineering, Security, Vuln-Infoleak

• chasemp awarded T253632: update profile::waf::apache2::administrative to use the new abuse_networks hiera key a Yellow Medal token.

May 26 2020, 2:28 PM · User-jbond, SRE

May 19 2020

• chasemp moved T235858: Increase of training data retention (>90 days) is validated with Legal / Privacy from Incoming to Watching on the Security-Team board.

May 19 2020, 4:19 PM · Privacy Engineering, Security-Team, Discovery-Search (Current work)

• chasemp added a project to T235858: Increase of training data retention (>90 days) is validated with Legal / Privacy: Security-Team.

May 19 2020, 4:19 PM · Privacy Engineering, Security-Team, Discovery-Search (Current work)

• chasemp added a project to T189531: All Wikimedia developer services should use single sign-on: CAS-SSO.

May 19 2020, 3:47 PM · Security, User-Tgr, Wikimedia-Hackathon-2018, WMF-General-or-Unknown, Epic

May 18 2020

• chasemp added a comment to T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team).

10 day bump :)

May 18 2020, 6:20 PM · serviceops, PM, Security-Team, vm-requests, SRE

May 14 2020

• chasemp closed T252778: Add OIT to author affiliation drop down as Resolved.

done

May 14 2020, 3:05 PM · Phabricator, PM, Security-Team

• chasemp added a project to T252778: Add OIT to author affiliation drop down: Phabricator.

May 14 2020, 3:04 PM · Phabricator, PM, Security-Team

• chasemp closed Restricted Task, a subtask of T251190: Security Request For Service - Push Notifications, as Resolved.

May 14 2020, 2:59 PM · Privacy Engineering, Push-Notification-Service, Product-Infrastructure-Team-Backlog-Deprecated, Security-Team

• chasemp moved T252778: Add OIT to author affiliation drop down from Incoming to In Progress on the Security-Team board.

May 14 2020, 2:53 PM · Phabricator, PM, Security-Team

• chasemp triaged T252778: Add OIT to author affiliation drop down as Medium priority.

May 14 2020, 2:53 PM · Phabricator, PM, Security-Team

May 12 2020

• chasemp added a comment to T252210: Eqiad: 1VM request for Peek (PM service in use by Security Team).

In T252210#6128718, @MoritzMuehlenhoff wrote:

Why does this need a complete VM, though? If this simply sends some notifications triggered by cron jobs, simply running them from mwmaint1002 seems fine? (Despite the mw-specific name, mwmaint1002 also hosts various other maintenance profiles (profile::mariadb::maintenance and profile::openldap::management)

May 12 2020, 6:24 PM · serviceops, PM, Security-Team, vm-requests, SRE