Wikipedia:Arbitration Committee/CheckUser and Oversight/2019 CUOS appointments/CU

ST47 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA)

Nomination statement

I am volunteering for Checkuser and Oversight. I returned to Wikipedia early this year from a long inactivity - I originally edited from 2006 - 2009. I am familiar with WP:SPI and investigate and resolve cases there regularly, and I have already signed the WMF NDA as a WP:ACC user. I'm a computer security researcher and a part time web admin, so I am very familiar with the uses - and limitations - of the tool. I am comfortable calculating IP ranges and issuing range blocks. My Recent Changes and AbuseFilter patrolling causes me to stumble upon likely sock puppet accounts fairly often, and access to the Checkuser tools would allow me to properly resolve those cases and help with backlogs at WP:SPI and elsewhere. Similarly, I do occasionally run into oversightable things from recent changes or sockpuppets, and report them to the oversight team. I often have IRC and email open even while I'm not actively on wiki. So, I offer to take on either or both roles, as you decide.

1. Please describe any relevant on-Wiki experience you have for this role.

   I regularly patrol WP:SPI for cases that are ready for administration, either because a CheckUser has already commented or because no CheckUser is required, so I am familiar with investigating behavioral evidence of sockpuppetry as well as the procedures at SPI. I come across enough likely socks through patrolling Recent Changes, abuse filters, and a few other venues, to be familiar with the common LTAs. I also issue my fair share of range blocks, balancing the size of the range and the duration against the level of disruption in order to minimize collateral damage.

2. Please outline, without breaching your personal privacy, what off-Wiki experience or technical expertise you have for this role.

   I work in computer security, and I'm a developer/sysadmin for a small hobbyist website, so I regularly work with IP addresses and ranges, WHOIS and port scan data, user agent headers, and so on.

3. Do you hold advanced permissions (checkuser, oversight, bureaucrat, steward) on this or other WMF projects? If so, please list them. Also, do you have OTRS permissions? If so, to which queues?

   No.

Editors may ask a maximum of two questions per candidate.

1. You went almost an entire decade with minimal activity [1]. While I think it's great that you have returned, some might say that you should have been desysopped for inactivity. CU/OS are particularly sensitive permissions if put in the wrong hands, even more so than just administrator. If given the tools (and you are applying for both tools), do you think that you will be active enough over the next few years to put them to good use? --Rschen7754 01:14, 5 October 2019 (UTC)[reply]

Comments may also be submitted to the Arbitration Committee privately by emailing arbcom-en-cwikimedia.org. Please note that the candidate will be provided the opportunity to respond to a paraphrased version of any emailed comments; the sender's name will not be provided.

---

L235 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA)

Nomination statement

Greetings: I’m Kevin, and I’m applying for CheckUser and Oversight access to help with some of the backlogs we’ve seen, particularly at SPI. I’ve been an SPI clerk since December 2015, where I’ve been actively involved in sockpuppetry investigations. As a clerk and patrolling administrator, I am responsible for making initial determinations on the use of CheckUser (endorsing or declining CU requests prior to CU review), evaluating evidence, and blocking users for sockpuppetry. I’ve made over 500 blocks in the ~1 year since my RfA, and many SPI-clerk recommendations for admin action before that.

I have an extensive track record as a thorough evaluator of behavioral evidence in SPI cases, and I have a technical background as a Stanford computer science student. I am regularly available and accessible on IRC, and I am glad to perform CU/OS functions on ACC, UTRS, and OTRS (all of which I currently have access to).

1. Please describe any relevant on-Wiki experience you have for this role.

   My nomination statement describes a number of pertinent areas in which I've contributed; in particular, I've been an SPI clerk for nearly four years, an ArbCom clerk for over four and a half years, and an administrator for over a year. In these roles, I have worked closely with functionaries and arbitrators, especially in sockpuppet investigations, and have developed experience in evaluating evidence and using the block and revdel tools.

2. Please outline, without breaching your personal privacy, what off-Wiki experience or technical expertise you have for this role.

   I have a technical background as a student of computer science at Stanford; although networking is not my area of research, I know the basics and I'm confident I can pick up relevant skills fairly quickly. As for experience dealing with private information, I have held a number of positions requiring NDAs and/or background checks.

3. Do you hold advanced permissions (checkuser, oversight, bureaucrat, steward) on this or other WMF projects? If so, please list them. Also, do you have OTRS permissions? If so, to which queues?

   I do not have other advanced permissions, but I do have OTRS access to the info-en queue.

Editors may ask a maximum of two questions per candidate.

Comments may also be submitted to the Arbitration Committee privately by emailing arbcom-en-cwikimedia.org. Please note that the candidate will be provided the opportunity to respond to a paraphrased version of any emailed comments; the sender's name will not be provided.

---

Oshwah (talk · contribs · blocks · protections · deletions · page moves · rights · RfA)

Nomination statement

I am applying for the CheckUser permissions in order to extend my participation on Wikipedia and help put a stop to sock puppetry, disruption, and abuse. I'll be available to help with processing requests that I see go unanswered on IRC, as well as help with the backlog at SPI and ACC. I've been an administrator for three years, an oversighter for one year, and have been consistently active, available, and happy to help with requests and urgent matters on IRC and other communication methods. Having the checkuser tools will help me to be able to help more people, as well as help protect this project from sock puppetry and abuse, and put an end to harassment. If you have any questions, please do not hesitate to ask and I'll be happy to answer them.

1. Please describe any relevant on-Wiki experience you have for this role.

   My time has been mostly spent in recent changes patrolling and attempting to mentor and help new users on Wikipedia. I patrol recent changes and revert vandalism, respond to instances of long-term abuse, username violations, blatant sock puppetry, page protection requests, and (occasionally) AFD, AN3, and ANI. I'm also an ACC Tool Administrator on WP:ACC, and assist with processing account creation requests, as well as helping tool users with difficult or complex cases. I'm also an SPI clerk and help with responding to evidence and accusations of sock puppetry. I'm also highly active on IRC and I respond to requests for assistance and input from other users, and I respond to emergencies such as LTA activity, threats, blocking requests, revision deletion and suppression requests.

2. Please outline, without breaching your personal privacy, what off-Wiki experience or technical expertise you have for this role.

   My user page explains the extent of my background in a nutshell - I've grown up around computers and my IT-related experience goes very far back. I performed computer and network administration throughout my youth while in school, and held jobs in IT-related areas ever since. I have a BS in Computer Software Engineering Technology and a Minor in Applied Mathematics. I have extensive IPv4 and IPv6 experience that I actively use during my daily tasks at my current job, including networking, traffic routing, VPN, encryption, and security. I also have basic and advanced certification with Dell SonicWall firewalls and have written packet sniffing, ARP, and ICMP software GUIs and tools completely by myself using C++, Win32, and the WinPcap library.

3. Do you hold advanced permissions (checkuser, oversight, bureaucrat, steward) on this or other WMF projects? If so, please list them. Also, do you have OTRS permissions? If so, to which queues?

   I am an oversighter on the English Wikipedia here, and a steward on the Wikimedia beta project (even though it's just a beta project). I have OTRS permissions and access to the oversight-en and info-en queues.

Editors may ask a maximum of two questions per candidate.

1. Your candidacy in 2018 was unsuccessful. What is different about it this time around? --Rschen7754 01:32, 4 October 2019 (UTC)[reply]

Since last year, I was promoted to a full clerk on SPI. I've also extended my participation on Wikipedia by not only responding to suppression requests and suppressing content that required its use with the oversight tool, but also helped to remove missed content that needed supression. I also expanded the oversight page to make it more clear, detailed, and easy to read for newcomers. I've also helped to improve the ACC process for users by increasing deflection. This was done by helping to create necessary pages in order for users to assist themselves and create their own accounts instead of making them wait up to six months to have one created for them by creating a new ticket request.

Comments may also be submitted to the Arbitration Committee privately by emailing arbcom-en-cwikimedia.org. Please note that the candidate will be provided the opportunity to respond to a paraphrased version of any emailed comments; the sender's name will not be provided.

---

Mz7 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA)

Nomination statement

Hello, I'm Mz7, and I would like to apply for checkuser rights this year. I have a history of evaluating SPIs going back to when I became an administrator in January 2017, and I am experienced at identifying the behavioral peculiarities that may indicate that two accounts are related. CheckUser would just be another tool in the toolbox to help with the work I already do in that area. Apart from SPI, back in January of this year I joined the account creation team (ACC), which typically has a backlog of requests awaiting checkuser (the oldest request in that queue at the time I am writing this is from 7 months ago). I would be happy to help out on that front as well. As far as my personal background goes, I am familiar with networking principles and IPv4/IPv6 range blocks, and I consider myself a quick-learner. If there is a tricky or unfamiliar case, I would not hesitate to consult with a fellow checkuser. I am very active on IRC, and I find that I get along pretty well with others on Wikipedia. I look forward to working with the team if appointed.

1. Please describe any relevant on-Wiki experience you have for this role.

   As I mentioned in my nomination statement, I have commented on numerous sockpuppetry investigations in the past several years I've been an administrator. Specifically, I have experience spotting behavioral peculiarities that carry over between multiple accounts (which are the key in investigations—checkuser is just complementary evidence in that sense), and I am familiar with the kind of information that checkuser would return and how it would factor into the outcome of an investigation. I joined WP:ACC back in January 2019, where I have handled approximately 400 requests, about three dozen of which I had to refer to checkusers.

2. Please outline, without breaching your personal privacy, what off-Wiki experience or technical expertise you have for this role.

   I have a technical background and am familiar with basic networking principles and IP address assignment. I consider myself a quick learner, and if there is any technical aspect of a case that I am unfamiliar with, I will not hesitate to ask a fellow checkuser for advice. I also have experience fulfilling confidentiality obligations.

3. Do you hold advanced permissions (checkuser, oversight, bureaucrat, steward) on this or other WMF projects? If so, please list them. Also, do you have OTRS permissions? If so, to which queues?

   This is my first time applying for advanced permissions beyond sysop on any WMF project. From November 2016 to April 2019, I was an active member of the OTRS team with access to the info-en and permissions queues. I voluntarily requested that my access be removed in April 2019; although my activity level was still within the activity requirements of OTRS, I decided I wanted to focus my time more on content work and administrative work on-wiki.

Editors may ask a maximum of two questions per candidate.

Comments may also be submitted to the Arbitration Committee privately by emailing arbcom-en-cwikimedia.org. Please note that the candidate will be provided the opportunity to respond to a paraphrased version of any emailed comments; the sender's name will not be provided.

---

RoySmith (talk · contribs · blocks · protections · deletions · page moves · rights · RfA)

Nomination statement

I am applying only for CU. Qualifications:

• Admin since 2005.
• Extensive unix DevOps experience, including managing web servers at Songza and Google.
• Engineering team lead for Smarts/EMC's IPv6 network management product.
• Have been active on WP:SPI, opening cases for investigation by CU holders.

1. Please describe any relevant on-Wiki experience you have for this role.

   I've been active for the past few months opening SPI cases. I got into that when I started working on reviewing new drafts, which has a fair amount of socking involved. My role at this point has been gathering whatever evidence I could with the standard admin capabilities. Commonality of editing focus, correlations between users of editing timelines, similarities in usernames, editing style, etc. When there seemed to be enough behavioral evidence, I would open a SPI case for further investigation by a CU.

2. Please outline, without breaching your personal privacy, what off-Wiki experience or technical expertise you have for this role.

   My last two positions (Senior Software Engineer at Google, and Director of Engineering at Songza) were both hands-on running web servers and applications. Much diagnostic work involved reading through server logs. In both positions I had access to confidential user information. Particularly at Google, access to any personally-identifiable information was tightly controlled, on a "need to know" basis, and with strict requirements to limit access to the minimum amount of data required to do the job, for the minimum amount of time, and quarantined to a secure environment. As a CU, I would have access to similarly sensitive user information, and would exercise the same diligence. I'm being vague here, but please feel free to ask questions if I've glossed over anything that you want to know.

3. Do you hold advanced permissions (checkuser, oversight, bureaucrat, steward) on this or other WMF projects? If so, please list them. Also, do you have OTRS permissions? If so, to which queues?

   Other than being an admin on en, none. No OTRS permissions.

Editors may ask a maximum of two questions per candidate.

1. I'm a little surprised to see, given your apparent technical experience, that you've only blocked 5 IP addresses in the last 10 years. The CU role requires a lot of work with IP addresses, such as blocking, analysing or classifying networks, and evaluating collateral. Could you elaborate on how your experience has prepared you for IP addresses in the context of Wikipedia? Would you expect your blocking activity to massively change? -- zzuuzz ^(talk) 06:32, 4 October 2019 (UTC)[reply]

Every incoming HTTP request will have the remote IP address logged. For logged in users, there will be, in addition, a username. The IP addresses can be used as a clue to suggest that multiple requests may have come from the same place. For example, if I make a logged-in edit, then log out and make another edit, both edits will be associated with the same IP address, and that's a pretty good clue they're by the same person.

But, life is more complicated than that. For example, with my residential internet connection, I have a (mostly) static IP (v4) address. Inside my house, my router does NAT, making multiple computers on my WiFi all appear to have the same IP address. So, all you can really say about a request from that IP is that it was from some computer within range of my WiFi.

NAT is done on a much larger scale at universities, corporations, libraries, and the like. Even countries. Thus, indiscriminate blocking of IPs can deny service to a large number of users as collateral damage.

Commercial customers are more likely to publicly expose a range of IP addresses, commonly written using CIDR notation. For example, a small business I help out with their IT needs, has a /29. That means the top 29 bits are their network address, leaving the bottom 3 bits for internal addressing. Excluding 000 and 111 as reserved, that gives them 6 externally routable IP address, any of which might be visible in the Wikimedia server logs for requests coming from this location. If it were decided that this location was overrun with miscreants and we wanted to block the entire lot of them, we would block the entire /29 range (I don't think I've ever actually used this feature). Special:Block lists some particularly sensitive examples of this, along with cautions for use, and instructions for reporting to the WMF any such blocks.

NAT is theoretically possible with IPv6, but the extremely large address space eliminates the main technical driver (i.e. address space exhaustion) which gave rise to NATv4. It is still used at IPv6-IPv4 traffic boundaries.

On the other end of the spectrum, some users will come from multiple IP addresses. The most obvious case is somebody editing from both home and their office, or from public WiFi hotspots. Users with dial-up connections (increasingly rare these days) will get a different IP address on each connection (although, probably out of a limited-size pool). Mobile users (a large and growing segment, especially outside of North America) will get dynamic IP addresses. With all of those, the IP address won't change very quickly, so a user who logs out and logs in again as a sock will probably still have the same IP address.

Corroborating evidence would be identical user-agent strings. For example, I take my laptop with me and use it on various networks, including public hotspots and on mobile networks via tethering to my phone. In those various locations, I'll have different IP addresses, but my user-agent string will be the same. On the other hand, in large centrally-managed environments, software is usually rolled out onto desktops via automated processes, so every computer may have the same user-agent string. Thus user-agent matches or mis-matches are just another hint, neither conclusively proving or disproving anything.

And, of course, all of the above assumes a technically naive user. A more sophisticated user can intentionally mask their IP address using proxies. User-agent strings are likewise easy to spoof at the desktop (by installing multiple browsers, ua-switcher plugins, virtual machines, custom client software, etc). At the network layer, a security gateway could mutate HTTP headers (including the user-agent string) on the fly. I would be surprised if our most sophisticated and well-funded users (government-backed disinformation agencies, high-priced PR firms with Fortune-500 clients, national political parties) were not already doing this. I think it less likely that garden-variety SEO spammers are using technology like that, but it's not beyond reach of a mid-sized company with more money than ethics.

As for, "Would you expect your blocking activity to massively change?", it's difficult to predict the future. Certainly, as a CU, I would have access to more information than I do now, which would help me make better block-or-no-block decisions. Sometimes I suspect a sock, but not enough to bother opening a case for somebody else to follow up on. As a CU, I could see for myself, which might well lead to more blocks. I imagine I'll also be servicing the SPI queue and/or responding to requests from other queues (arbcom, etc) so that would lead to more blocks. Massively? That would be speculation, so I can't really answer that part. Not to mention, that just like with edit-count-itis, I don't believe there's much value in comparing block counts. With the tools I have now, I could certainly be doing more blocking, but I tend to be conservative about blocks, and I don't expect that would change.

-- RoySmith (talk) 14:26, 4 October 2019 (UTC)[reply]

1. I'd like to discuss your approach to blocking suspected socks. Perhaps you recall this incident last year, in which I undid one of your blocks because it was based solely on your assertion that any new user who shows up at AFD is a sock. At the end of that discussion you seemed to understand that that is not ok, and why it isn't ok. To my mind this isn't something that should have needed to be explained to an admin with your level of experience, but since you seemed to get it that was that.

Or so I thought, but then earlier this year you stated " I generally work under the assumption that when a brand new account immediately heads for AfD, something's not right. It's simply not what you would expect a brand new user to be doing. There was a long AN thread (started by me) about this, which I've taken as an endorsement of this approach.". My read of the reference discussion [2] was that there was support for that specific block and it was not a community endorsement of this approach, and I said so on your talk page, and you seemed to indicate again that you got the point.[3]

So my question is, if you were granted CU access, could we expect that anyone who was new and made a comment at AFD would be checkusered by you, to try and find evidence to back up this assumption that "new user at AFD = 100% certainty of socking"? Beeblebrox (talk) 20:48, 4 October 2019 (UTC)[reply]

Comments may also be submitted to the Arbitration Committee privately by emailing arbcom-en-cwikimedia.org. Please note that the candidate will be provided the opportunity to respond to a paraphrased version of any emailed comments; the sender's name will not be provided.

---

SQL (talk · contribs · blocks · protections · deletions · page moves · rights · RfA)

Nomination statement

Hi, I'm SQL. I have served as an Administrator since 2007.

I'm the developer behind:

• IPCheck, a tool used by many functionaries daily to help determine if a given IP is a proxy / webhost / compromised.
• ISP Rangefinder and NBCH, tools used to list hosts on hosting networks.
• IPRange, a tool used to resolve a given subnet (often helpful to identify webhosts or proxies).
• I was the original developer behind the account creation interface[4]

I am a regular at Requests for unblock, the account creation interface (mostly in the proxy check queue), the unblock ticket request system, and the Wikiproject on open proxies. I would primarily use the tool in those areas.

1. Please describe any relevant on-Wiki experience you have for this role.

   I mention in my nomination some of the various related tools I've written. I've contributed extensively at the Wikiproject on open proxies. I'm active in the proxy check queue at ACC.

2. Please outline, without breaching your personal privacy, what off-Wiki experience or technical expertise you have for this role.

   As I mentioned last year, I've had a lot of relevant jobs, NOC / internal support, and cable tech support.

3. Do you hold advanced permissions (checkuser, oversight, bureaucrat, steward) on this or other WMF projects? If so, please list them. Also, do you have OTRS permissions? If so, to which queues?

   I do not.

Editors may ask a maximum of two questions per candidate.

1. Your candidacy in 2018 was unsuccessful. What is different about it this time around? --Rschen7754 01:31, 4 October 2019 (UTC)[reply]

Comments may also be submitted to the Arbitration Committee privately by emailing arbcom-en-cwikimedia.org. Please note that the candidate will be provided the opportunity to respond to a paraphrased version of any emailed comments; the sender's name will not be provided.