JBennett (John Bennett)
Disabled

Projects

User does not belong to any projects.

User Details

User Since: Jan 18 2018, 6:32 PM (357 w, 5 d)
Roles: Disabled
LDAP User: Unknown
MediaWiki User: JBennett (WMF) [ Global Accounts ]

Recent Activity
View All

Mar 24 2022

• JBennett added a comment to T297791: Authentication and Authorization Experiment.

Mostly exploratory/discovery work at this point but as part of discovery we are looking at what it might take to decouple authentication from MediaWIki.

Mar 24 2022, 1:32 PM · Authentication-Experiments-2022, SecTeam-Processed, Foundational Technology Requests, Security

• JBennett renamed T304600: Authentication changes from {Name the Problem/Opportunity} to Authentication changes.

Mar 24 2022, 1:27 PM · Authentication-Experiments-2022, tech-decision-forum

• JBennett created T304600: Authentication changes.

Mar 24 2022, 1:25 PM · Authentication-Experiments-2022, tech-decision-forum

Mar 4 2022

• JBennett created T303055: US Department of Homeland Security (DHS) IP blocks.

Mar 4 2022, 3:23 PM · SRE, SecTeam-Processed, Traffic, Security, Security-Team

Feb 28 2022

• JBennett added a comment to T301659: Requesting access to analytics-privatedata-users for Damiendf.

Approved

Feb 28 2022, 11:51 PM · SRE, SRE-Access-Requests

• JBennett added a comment to T301679: Requesting access to analytics-privatedata for Tom Magerlein.

Approved

Feb 28 2022, 11:50 PM · SRE, SRE-Access-Requests

Feb 17 2022

• JBennett added a comment to T301782: Requesting access to analytics-privatedata-users for Michael.hay.

approved

Feb 17 2022, 4:32 PM · SRE, SRE-Access-Requests

• JBennett added a comment to T301581: Requesting access to analytics-privatedata for Skye Berghel.

Approved.

Feb 17 2022, 4:31 PM · SRE, SRE-Access-Requests

Feb 2 2022

• JBennett added a comment to T218618: Add no-transform to Cache-Control header.

I'm not aware of prior management decisions or risk assessments to prohibit no-transform and I'm only seeing an upside to making this change. Seems like the evidence we have suggests performance issues are negligible, increased analytics in areas where we are seeking growth and we have improved security and privacy by not proxying and this feels like a relatively easy fix. I'm supportive of making this change happy to discuss other options but in the interest of mitigating immediate concerns and risks this seems like a good fit so can we go ahead and add no-transform?

Feb 2 2022, 10:26 PM · Traffic, WMF-Legal, Privacy

Dec 15 2021

• JBennett created T297791: Authentication and Authorization Experiment.

Dec 15 2021, 2:42 PM · Authentication-Experiments-2022, SecTeam-Processed, Foundational Technology Requests, Security

Oct 27 2021

• JBennett added a comment to T289607: <Security Initiative> Improving Captcha.

Oct 14 2021

• JBennett renamed T293365: Code governance policy from {Name the Problem/Opportunity} to Code governance policy.

Oct 14 2021, 1:39 PM · tech-decision-forum

• JBennett created T293365: Code governance policy.

Oct 14 2021, 1:35 PM · tech-decision-forum

Oct 13 2021

• JBennett added a comment to T289899: Security Review For Mailman3 / lists.wikimedia.org.

In T289899#7403249, @Legoktm wrote:

I'd still like to get this reviewed somehow, given how much private information is passing through it.

Oct 13 2021, 5:31 PM · SecTeam-Processed, secscrum, Security, Application Security Reviews

Jun 2 2021

• JBennett added a comment to T283368: Requesting access to production analytics data and cluster for htriedman.

Approved from my end.

Jun 2 2021, 3:59 PM · Analytics, SRE, SRE-Access-Requests

May 21 2021

• JBennett created T283351: Access request for Hal Tredman.

May 21 2021, 12:54 PM · SRE, SRE-Access-Requests

Apr 29 2021

• JBennett added a member for Security-Team: Mstyles.

Apr 29 2021, 4:09 PM

Apr 8 2021

• JBennett closed T269517: Security Readiness Review For WatchSubpages, a subtask of T237809: Install Extension:WatchSubpages on frwiktionary, as Declined.

Apr 8 2021, 3:56 PM · Wikimedia-extension-review-queue, Wikimedia-Extension-setup, MediaWiki-extensions-WatchSubpages, Community-consensus-needed, Wikimedia-Site-requests, Wiktionary-fr

• JBennett closed T269517: Security Readiness Review For WatchSubpages as Declined.

The Security team is updating their readiness review SOP to reflect a new change that any request that has aged 90 days without being in a reviewable state will be declined. We do this to help keep our work area current, accurate and reflective of actual work. If the status of your project changes please re-tag us and we will get this work scheduled.

Apr 8 2021, 3:55 PM · secscrum, Application Security Reviews, MediaWiki-extensions-WatchSubpages

• JBennett closed T275402: Security Readiness Review For UseResource, a subtask of T275403: Deploy 'UseResource' extension on MediaWiki wikis, as Declined.

Apr 8 2021, 3:54 PM · MediaWiki-extensions-UseResource, Wikimedia-extension-review-queue, Wikimedia-Extension-setup

• JBennett closed T275402: Security Readiness Review For UseResource as Declined.

Apr 8 2021, 3:54 PM · secscrum, Application Security Reviews, MediaWiki-extensions-UseResource, Security

• JBennett closed T258306: Security Readiness Review For Suggestor as Declined.

Apr 8 2021, 3:53 PM · secscrum, Application Security Reviews, Tor, Suggestor, Security

• JBennett closed T258306: Security Readiness Review For Suggestor, a subtask of T258302: Rollout Suggestor, as Declined.

Apr 8 2021, 3:53 PM · WMF-Legal, Tor, Suggestor

• JBennett closed T211489: Security review of bjeavons/zxcvbn-php as Declined.

Apr 8 2021, 3:53 PM · secscrum, Application Security Reviews, MediaWiki-Vendor, MediaWiki-User-login-and-signup

• JBennett closed T211489: Security review of bjeavons/zxcvbn-php, a subtask of T32574: Display a password strength bar, as Declined.

Apr 8 2021, 3:52 PM · Patch-Needs-Improvement, User-Tgr, MediaWiki-User-login-and-signup

Apr 6 2021

• JBennett added a member for acl*security_team: Htriedman.

Apr 6 2021, 9:10 PM

Mar 5 2021

• JBennett added a member for Security-Team: sguebo_WMF.

Mar 5 2021, 4:24 PM

Feb 11 2021

• JBennett added a comment to T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search.

I'm going to chime in here:

Feb 11 2021, 9:13 PM · Application Security Reviews, WVUI, Web-Team-Backlog (Kanbanana-FY-2020-21), user-sbassett, secscrum, Security, Design-Systems-team-20200324-20220422 (Vue.js Search Experience (Vector modern))

Feb 9 2021

• JBennett moved T261248: Security review request for IRCCloud from Back Orders to Our Part Is Done on the secscrum board.

Feb 9 2021, 4:54 PM · WMF-General-or-Unknown, Security

Oct 23 2020

• JBennett added a comment to T265121: Check home/HDFS leftovers of rush.

Nothing we need to keep, good to cleanup, thanks!

Oct 23 2020, 1:11 PM · Analytics

Oct 9 2020

• JBennett updated the task description for T265147: Offboard Chase Pettet from Security Team.

Oct 9 2020, 6:37 PM · SRE, Security-Team

• JBennett updated the task description for T265147: Offboard Chase Pettet from Security Team.

Oct 9 2020, 6:35 PM · SRE, Security-Team

Feb 20 2020

sbassett awarded Blog Post: Changes to Security Team Workflow a Like token.

Feb 20 2020, 6:18 PM

Feb 3 2020

• JBennett published Blog Post: Changes to Security Team Workflow.

Feb 3 2020, 8:08 PM

Jan 28 2020

• chasemp awarded Blog Post: Changes to Security Team Workflow a Yellow Medal token.

Jan 28 2020, 5:25 PM

Jan 16 2020

• JBennett added a comment to T238547: Security issue access for darthmon_wmde .

approved

Jan 16 2020, 8:26 PM · Security, Security-Team

Jan 2 2020

• JBennett closed T240492: Create generic security-team request for service intake mechanism, a subtask of T240490: Revamping Security-Team Work Intake and Flows, as Resolved.

Jan 2 2020, 8:49 PM · PM, Epic, Security-Team

• JBennett closed T240492: Create generic security-team request for service intake mechanism as Resolved.

Looks good, thanks!

Jan 2 2020, 8:49 PM · Phabricator, Security-Team

Dec 4 2019

• JBennett added a comment to T238546: Security issue access for Tobi_WMDE_SW .

Approved

Dec 4 2019, 4:32 PM · Security, Security-Team

Dec 2 2019

• JBennett added a comment to T238545: Security issue access for @WMDE-leszek.

approved

Dec 2 2019, 8:56 PM · Security, Security-Team

Nov 13 2019

• JBennett created T238222: Request creation of BishopFox VPS project.

Nov 13 2019, 3:14 PM · Cloud-VPS (Project-requests)

Oct 28 2019

• JBennett added a comment to T233213: XSS in Wikidata Query Service UI, DATATYPE_MATHML - CVE-2019-19329.

How is the patch coming along? When do we expect this to be deployed?

Oct 28 2019, 2:04 PM · Security, Discovery-Search (Current work), User-Addshore, Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-XSS, Wikidata, Wikidata Query UI

Oct 4 2019

• JBennett moved T222665: Code Stewardship Review: iegreview from Incoming to Watching on the Security-Team board.

Oct 4 2019, 4:45 PM · Security, Wikimedia-IEG-grant-review, Code-Stewardship-Reviews

• JBennett moved T214423: Certain wikitech auth-related logging information is not being sent to logstash and mwlog from Incoming to Watching on the Security-Team board.

Oct 4 2019, 4:43 PM · Security, wikitech.wikimedia.org, User-herron, Security-Team

• JBennett moved T214489: Improve LDAP logging from Incoming to Watching on the Security-Team board.

Oct 4 2019, 4:34 PM · Infrastructure-Foundations, Observability-Logging, Infrastructure Security, LDAP

• JBennett triaged T221576: Password length requirement error shown twice as Medium priority.

Oct 4 2019, 4:20 PM · TestMe, MediaWiki-User-login-and-signup

• JBennett moved T221576: Password length requirement error shown twice from Incoming to Watching on the Security-Team board.

Oct 4 2019, 4:20 PM · TestMe, MediaWiki-User-login-and-signup

Aug 30 2019

• JBennett closed T231265: Document Security Council on-wiki as Resolved.

Aug 30 2019, 4:27 PM · Documentation, Security-Team

• JBennett closed T218091: Security Team quarterly check in for April - June 2019, a subtask of T216416: Goal: Making life hard for the people who want to do harm to our sites or the people that use them., as Resolved.

Aug 30 2019, 4:15 PM · Security-Team, Goal

• JBennett closed T218091: Security Team quarterly check in for April - June 2019 as Resolved.

Aug 30 2019, 4:15 PM · Security-Team

Aug 27 2019

• JBennett added a comment to T231265: Document Security Council on-wiki.

Sure, charter is at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Council

Aug 27 2019, 2:32 PM · Documentation, Security-Team

Jul 18 2019

• JBennett added a watcher for deprecated-security-team-reviews: • JBennett.

Jul 18 2019, 8:30 PM

Jul 17 2019

• JBennett awarded T228247: +2 nomination for Daimona in mediawiki/* a Like token.

Jul 17 2019, 1:54 PM · MediaWiki-Gerrit-Group-Requests

May 21 2019

• JBennett added a comment to T222910: Requesting access to deployment and analytics-privatedata-users for jfishback.

Approved

May 21 2019, 3:01 PM · User-greg, SRE-Access-Requests, SRE, Security-Team

Apr 24 2019

• JBennett added a comment to T219831: Security Review For Kask.

@Eevans @Clarakosi This one is a bit out of our wheelhouse and something we can provide only a cursory review of. I'd like to propose the following: The Security team can perform a basic security review of this but I would recommend a secondary review by our 3rd party partners at BishopFox. That said, the 2nd review would incur some cost but I'm not sure how much. Do you have any budget available for something like that??

Apr 24 2019, 5:19 PM · secscrum, Application Security Reviews, user-sbassett, Services (watching), Platform Team Legacy (Watching / External), Platform Engineering (Session Management Service (CDP2)), User-Clarakosi, User-Eevans

Mar 26 2019

• JBennett created T219277: Wikitech password reset flow.

Mar 26 2019, 1:17 PM · Security, wikitech.wikimedia.org, MediaWiki-General, Restricted Project

Mar 20 2019

• JBennett added a member for acl*security: • Fjalapeno.

Mar 20 2019, 4:04 PM

Mar 17 2019

• JBennett added a comment to T218472: gerrit.wikimedia.org is down.

Todays updates sent to wikitech-l https://lists.wikimedia.org/pipermail/wikitech-l/2019-March/091769.html

Mar 17 2019, 4:27 PM · User-greg, SRE, Release-Engineering-Team, Gerrit

Jan 18 2019

• JBennett added a comment to T214130: Requesting access to production for dsharpe.

Approved

Jan 18 2019, 3:13 PM · SRE, SRE-Access-Requests

Dec 12 2018

• JBennett added a comment to T210667: Can exfat be used in WMF production?.

In T210667#4812704, @Legoktm wrote:

In T210667#4795435, @JBennett wrote:

Thanks everyone of for their thoughtful consideration. I have no issues nor do I see a conflict with temporarily allowing the use of this so we can complete our work with our 3rd party partners.

Thanks for commenting. To clarify, are you saying that there is no free filesystem software that will meet our needs? Given that @Platonides offered a decent amount of alternatives in T210667#4789273, it would be helpful if it could be explained why none of those alternatives are sufficient. That will help me when I reach out to various free software upstreams so they can improve their software so it will meet our needs - a goal that I think we all share.

Dec 12 2018, 1:10 PM · Analytics-Radar, Security-Team, Software-Licensing, WMF-Legal, SRE

Dec 11 2018

• JBennett added a comment to T151011: Add password generator to account creation / password change form.

In T151011#4808817, @Tgr wrote:

There are two types of good password generation:

A medium-length string of random uppercase/lowercase/numbers (say 12 or 16 characters), with easily confusable characters removed from the pool.

A long human-readable text of space-separated random dictionary words (probably 5 or 6 words), e.g. diceware.

I'm not sure the first is worth doing as the only sane way to use such passwords is a password manager and that can generate random passwords just fine. (Maybe there are less technical users who have problems with password managers and just write the passwords down, but those are better served by diceware style passwords anyway since words are easier to type.) OTOH it is very trivial to implement.

The second is good for people who need to memorize the password for some reason, or need to type it in often (ie. often log in on foreign machines). The best library I have seen for it is grempe/diceware (test page), which has support for ~20 languages (of course it would be fairly trivial to add more). Word lists are around 100K which is a bit large but they don't exactly make an effort to reduce the size, which could be done pretty easily.

Dec 11 2018, 3:40 PM · Security, User-Tgr, MediaWiki-User-login-and-signup

Dec 7 2018

• JBennett added a comment to T208246: Change password length requirement and ensure enforcement for privileged users (from 8 to 10).

In T208246#4804686, @Tgr wrote:

This feels a bit rushed. Maybe I am just not aware that the preparations already happened, in which case apologies in advance, but otherwise I would recommend pushing out the date by a month or so and doing more groundwork.

Dec 7 2018, 2:48 PM · Patch-For-Review, MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Anti-Harassment (AHT Sprint 35), MediaWiki-User-login-and-signup

Dec 4 2018

• JBennett added a comment to T151425: Enlarge Popular Password File to 100,000 entries and enforce the new minimum in the config.

In T151425#4796448, @Reedy wrote:

In T151425#4795744, @TBolliger wrote:

I'm fairly confident the plan is for all new passwords to be outside 100,000. This is based on this permissioned Google Doc authored by @JBennett. It was last edited Nov. 1 so other decisions/discussions may supercede this.

Ping @JBennett! 🛎

Well, WMF != MW. But if the intention is to make these changes for all users and help "harden" MW core at the same time, I'm fine with making that change in MW core too

Dec 4 2018, 4:06 PM · User-notice-archive, MW-1.34-notes (1.34.0-wmf.22; 2019-09-10), Patch-For-Review, Security-team-backlog, MediaWiki-User-login-and-signup

Dec 3 2018

• JBennett added a comment to T210667: Can exfat be used in WMF production?.

With respect to the WMF charter and the values and manifestation thereof, it seems the exception process and/or the bar for each use case is at the discretion of WMF leadership and probably specifically most informed by WMF technical leadership. I'll defer to @JBennett who has more information.

Dec 3 2018, 8:07 PM · Analytics-Radar, Security-Team, Software-Licensing, WMF-Legal, SRE

Nov 30 2018

• JBennett added a project to T189641: Service for checking the Pwned Passwords database: WMF-Legal.

Nov 30 2018, 7:37 PM · SecTeam-Processed, Security, Platform Team Legacy (Watching / External), Services (watching), User-Tgr, WMF-Legal, MediaWiki-User-login-and-signup, MediaWiki-Core-AuthManager

• JBennett added a comment to T189641: Service for checking the Pwned Passwords database.

In T189641#4789805, @Tgr wrote:

In T189641#4789786, @chasemp wrote:

Adding @JBennett as I see he raised concern with the ihaveibeenpwned work in related https://phabricator.wikimedia.org/T210192#4786955

I think that was meant for using it for email lookup, not passwords? If your password hash is in the dump, the applicability of that is pretty clear.

Nov 30 2018, 7:36 PM · SecTeam-Processed, Security, Platform Team Legacy (Watching / External), Services (watching), User-Tgr, WMF-Legal, MediaWiki-User-login-and-signup, MediaWiki-Core-AuthManager

Nov 27 2018

• JBennett added a comment to T208441: 👩‍👦‍👦 AHT password strengthing work, 2018/19.

In T208441#4711167, @TBolliger wrote:

In T208441#4710847, @Framawiki wrote:

Related: T197577: Increase password policies for the 'steward' group and others

Yeah, good catch. Makes sense to bump this one up too. I forget, though... do Stewarts also need 2FA? If so, the length is less of an issue.

Nov 27 2018, 1:46 PM · Anti-Harassment (Vav — ו)

Nov 26 2018

• JBennett added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

I'm in favor of removing unblock self. It's overly permissive to allow admins to unlock themselves and we should follow some level of separation of duties to ensure proper governance. Let's go ahead and make this change.

Nov 26 2018, 6:10 PM · User-notice-archive, MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, Community-consensus-needed, Wikimedia-Site-requests

Nov 1 2018

ToBeFree awarded Blog Post: Details of dictionary attack from May 2018 a Grey Medal token.

Nov 1 2018, 12:29 PM · Security-Team

Oct 29 2018

• JBennett added a comment to T207852: Requesting access to deployment and analytics-privatedata-users for sbassett.

+1 from me

Oct 29 2018, 3:14 PM · User-jijiki, SRE, SRE-Access-Requests

Oct 26 2018

• JBennett added a comment to T208008: Consumer owner-only oauth proposals should require reauth.

I'm not 100% sure who should be claiming this task. Could one of you please claim it in support of this recent security incident?

Oct 26 2018, 7:45 PM · Patch-Needs-Improvement, Sustainability (Incident Followup), Security, MediaWiki-extensions-OAuth

Oct 10 2018

• JBennett published Blog Post: translatewiki.net security incident.

Oct 10 2018, 8:14 PM

Sep 27 2018

• JBennett created Blog Post: translatewiki.net security incident.

Sep 27 2018, 11:21 PM

Sep 17 2018

xSavitar awarded Blog Post: Details of dictionary attack from May 2018 a Love token.

Sep 17 2018, 6:05 PM · Security-Team

Sep 13 2018

• JBennett added a comment to T150605: Publish an analysis of the OurMine hack.

Our process around security incident response is evolving and something the security team is working to improve. We're not there yet but we are definatley making improvements.

Sep 13 2018, 1:49 PM · Sustainability (Incident Followup), Security-Team