[Owasp-board] My input on our response to CH

Michael Coates michael.coates at owasp.org
Fri Sep 4 18:18:41 UTC 2015


From a spam/bot blocking perspective:
The easiest thing for us to do is to switch over to using @owasp.org email
addresses. We can easily configure the mailing list to require admin
confirmation and auto-reject non-owasp email addresses.

If we don't want to do that it is also easy to require moderation for all
subscriptions. A quick regex can stop obvious spam iteration.

It would be interesting to see if a CAPTCHA approach for mailman is
possible. Yes, captcha can be defeated if someone tries hard enough, but if
we cut out more of the junk then that is still a win.


--
Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
OWASP Global Board
Join me at AppSecUSA <http://AppSecUSA.org> 2015 in San Francisco!




On Fri, Sep 4, 2015 at 10:52 AM, Noreen Whysel <noreen.whysel at owasp.org>
wrote:

> A few thoughts/questions:
>
> Is it possible to map a Mailman subscription to an IP? If so we could
> block or moderate an ip.
>
> Mailman allows you to globally remove your email from all lists in one
> click. Can the admin for the listserv do the same in one click for a
> subscriber?
>
> Are there any other spam catcher program that can look for patterns in
> subscribe email accounts? Kate mentioned today that some lists are
> reporting excessive subscribe requests from random looking gmail accounts.
> Owasp-Manila has also been hit by random gmail sign ups.
>
> Look at other services we use as well. Slack had someone playing with
> slackbot auto
> It's recently. Someone set Slackbot to trigger Johanna's survey every time
> a post included the words "and" or "the". Johanna also mentioned some
> strange slackbot emoji behavior. I didn't see any auto post rules set for
> emoji though.
>
> There are dozens of potential services that someone with a grudge could
> disturb. Does it make sense to put out an alert to leaders to keep an eye
> out and report suspicious behavior?
>
> Personally from a chapter development standpoint, my policy is to do a
> nominal background check on people requesting to start chapters, get
> Owasp.org emails or start a mailing list. This typically means reviewing
> their resume (required for starting a chapter), looking them up on LinkedIn
> or Google News search, checking on any previous Owasp involvement in the
> wiki or our member database, etc. as well as checking with leaders and past
> leaders of a chapter, do you know them, is this a good person. Similar for
> volunteers for event booths, university outreach, etc. This is especially
> important as chapter leaders ultimately get to handle money. I've had
> someone in Nigeria ask to restart chapters in Oregon and Canada, one of
> many examples.
>
> I also encourage people to use their Owasp.org email to sign up for the
> wiki account, since that implies they have already been vetted or at
> least paid a member fee to get gmail access.
>
> Is this sufficient? Are there other ways to monitor activity without
> turning into cops or making people feel unfairly scrutinized?
>
> Noreen Whysel
> Community Manager
> OWASP Foundation
>
> On Sep 4, 2015, at 11:45 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> I'm just curious
>
> How can OWASP avoid it if he uses other email accounts/fake name addresses
> to gain access?
>
> I think access to the wiki has to be very strongly supervised, including a
> background check of the person requesting access.
>
> Any ideas or procedures that are already in place?
>
> regards
>
> Johanna
>
> On Fri, Sep 4, 2015 at 11:25 AM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>
>> And the screenshot...
>>
>> Rushing to get back to work doesn't actually buy you more time ; )
>>
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>
>> On Fri, Sep 4, 2015 at 10:24 AM, Matt Tesauro <matt.tesauro at owasp.org>
>> wrote:
>>
>>> > I'm assuming wiki editing has been revoked?
>>>
>>> Good point about the wiki - it's actually designed to clean up
>>> bad/malicious edits so the damage potential is far less, but I went ahead
>>> and blocked his user account.  See screenshot.
>>>
>>> For the curious, his wiki contributions are at:
>>> https://www.owasp.org/index.php/Special:Contributions/Cmlh
>>>
>>> -- Cheers
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP WTE Project Lead
>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>> http://AppSecLive.org - Community and Download site
>>> OWASP OpenStack Security Project Lead
>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>
>>> On Fri, Sep 4, 2015 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>> wrote:
>>>
>>>> Hi.
>>>>
>>>> Wow.  I was slow to respond to this whole series of events because I
>>>> didn't have prior direct exposure to this individual.  Lucky me.
>>>>
>>>> First, I'm glad we (esp. Matt T.) have taken care of part of the
>>>> problem through mechanics. Thanks all for dealing with that, especially
>>>> Josh for invoking the bylaws to trigger the action.
>>>>
>>>> Second, is there further action required with regard to CH?  I'm
>>>> assuming we keep our eyes out for disruptive behavior for a bit and just
>>>> catch it and take action quickly.  I'm assuming wiki editing has been
>>>> revoked?
>>>>
>>>> Third, are there other open issues (people) like this that we should
>>>> deal with proactively?
>>>>
>>>> Fourth, what can we do to handle this prior to the face to face
>>>> meeting?  As painful as it is over email, I would really rather focus on
>>>> positive and constructive things we can be doing (like proposals for wiki
>>>> overhaul and investments in projects) than re-hashing blow by blow the
>>>> words of people we don't want to be part of the community.  Is there a
>>>> legitimate legal risk here?
>>>>
>>>> Thanks,
>>>> Matt
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>
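Michael's two Mailman options above (auto-reject anything that is not an @owasp.org address, or moderate every subscription and let a quick regex catch the obvious junk) and Noreen's question about a program that looks for patterns in bursts of random-looking gmail sign-ups can both be prototyped as one small pre-moderation filter. What follows is an added example written for this page, not code from the thread and not Mailman's own code. The trusted-domain allowlist, the local-part regex, the "five requests from one source IP within ten minutes" burst threshold and the sample subscribe requests are all assumptions constructed for the illustration, and the example assumes the requesting IP is available alongside the address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy knobs: assumed values for this example, not settings from the thread.
TRUSTED_DOMAINS = {"owasp.org"}          # auto-accept, as Michael proposes
BURST_WINDOW = timedelta(minutes=10)     # per-source-IP sliding window
BURST_THRESHOLD = 5                      # requests in the window before we hold

# Local parts that look machine-generated: 10+ letters/digits with at least
# one digit and no separators, or a word followed by a 4+ digit run.
RANDOM_LOCALPART = re.compile(r"^(?=.*\d)[a-z0-9]{10,}$|^[a-z]+\d{4,}$")

ADDRESS = re.compile(r"([^@\s]+)@([^@\s]+\.[a-z]{2,})")


def classify_address(addr):
    """Decide what to do with one subscribe request, looking at the address alone.

    Returns (decision, reason) where decision is one of:
      accept  - trusted domain, no moderation
      confirm - ordinary email confirmation (Mailman's default behaviour)
      hold    - queue for a moderator
      reject  - drop outright
    """
    addr = addr.strip().lower()
    m = ADDRESS.fullmatch(addr)
    if not m:
        return "reject", "malformed"
    local, domain = m.groups()
    if domain in TRUSTED_DOMAINS:
        return "accept", "trusted-domain"
    if RANDOM_LOCALPART.match(local):
        # Held rather than rejected: the heuristic will also catch real people.
        return "hold", "pattern"
    return "confirm", "default"


def moderate_requests(requests):
    """Apply classify_address plus burst detection over a batch of requests.

    requests: iterable of (timestamp 'YYYY-MM-DD HH:MM:SS', address, source_ip).
    Returns a list of (address, decision, reason) in timestamp order.
    """
    recent = defaultdict(list)   # source_ip -> timestamps of non-trusted requests
    decisions = []
    for ts_str, addr, ip in sorted(requests):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        decision, reason = classify_address(addr)
        if decision in ("confirm", "hold"):
            window = [t for t in recent[ip] if ts - t <= BURST_WINDOW]
            window.append(ts)
            recent[ip] = window
            if len(window) >= BURST_THRESHOLD:
                # Too many sign-ups from one place: escalate to a moderator.
                decision, reason = "hold", "burst"
        decisions.append((addr, decision, reason))
    return decisions


# Constructed sample input for this example; not real subscribe-log data.
SAMPLE_REQUESTS = [
    ("2015-09-04 10:00:00", "alice@owasp.org", "203.0.113.5"),
    ("2015-09-04 10:01:00", "bob.smith@example.com", "203.0.113.9"),
    ("2015-09-04 10:02:00", "qx7f2k9pl3m@gmail.com", "198.51.100.7"),
    ("2015-09-04 10:02:30", "jane1988@gmail.com", "198.51.100.7"),
    ("2015-09-04 10:03:00", "mark.lee@gmail.com", "198.51.100.7"),
    ("2015-09-04 10:03:30", "sara.k@gmail.com", "198.51.100.7"),
    ("2015-09-04 10:04:00", "tom.w@gmail.com", "198.51.100.7"),
    ("2015-09-04 10:04:30", "lena.b@gmail.com", "198.51.100.7"),
    ("2015-09-04 10:05:00", "not-an-address", "198.51.100.7"),
]

if __name__ == "__main__":
    for addr, decision, reason in moderate_requests(SAMPLE_REQUESTS):
        print(f"{decision:8s} {reason:15s} {addr}")
```

Run as-is, the first gmail address goes to a moderator on the pattern rule, `mark.lee` and `sara.k` get the normal confirmation, and everything from 198.51.100.7 after the fifth request in the window is held with reason `burst`. Pattern and burst hits are held rather than rejected on purpose, because a rule that flags `jane1988` will flag real people too. In Mailman 2.1 the closest built-in knobs are the list's `subscribe_policy` (confirm, require approval, or both) and `ban_list`, whose entries are treated as regular expressions when they start with `^`; neither does per-IP rate limiting, which is why the burst logic lives in the script.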