[Owasp-board] My input on our response to CH

Noreen Whysel noreen.whysel at owasp.org
Fri Sep 4 18:46:36 UTC 2015


The problem with requiring owasp.org emails is that the lists are supposed
to be open, but not everyone affiliated with OWASP qualifies for an
owasp.org email (leaders and paid members only).

Noreen Whysel
Community Manager
OWASP Foundation

On Fri, Sep 4, 2015 at 2:18 PM, Michael Coates <michael.coates at owasp.org>
wrote:

> From a spam/bot blocking perspective
> The easiest thing for us to do is to switch over to using @owasp.org
> email addresses. We can easily configure the mailing list to require admin
> confirmation and auto reject non-owasp email addresses.
>
> If we don't want to do that it is also easy to require moderation for all
> subscriptions. A quick regex can stop obvious spam iteration.
>
> It would be interesting to see if a CAPTCHA approach for mailman is
> possible. Yes, captcha can be defeated if someone tries hard enough, but if
> we cut out more of the junk then that is still a win.
>
>
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> OWASP Global Board
> Join me at AppSecUSA <http://AppSecUSA.org> 2015 in San Francisco!
>
>
>
>
> On Fri, Sep 4, 2015 at 10:52 AM, Noreen Whysel <noreen.whysel at owasp.org>
> wrote:
>
>> A few thoughts/questions:
>>
>> Is it possible to map a Mailman subscription to an IP? If so we could
>> block or moderate an IP.
>>
>> Mailman allows you to globally remove your email from all lists in one
>> click. Can the admin for the listserv do the same in one click for a
>> subscriber?
>>
>> Are there any other spam catcher programs that can look for patterns in
>> subscribe email accounts? Kate mentioned today that some lists are
>> reporting excessive subscribe requests from random looking gmail accounts.
>> Owasp-Manila has also been hit by random gmail sign ups.
>>
>> Look at other services we use as well. Slack had someone playing with
>> slackbot auto
>> It's recently. Someone set Slackbot to trigger Johanna's survey every
>> time a post included the words "and" or "the". Johanna also mentioned some
>> strange slackbot emoji behavior. I didn't see any auto post rules set for
>> emoji though.
>>
>> There are dozens of potential services that someone with a grudge could
>> disturb. Does it make sense to put out an alert to leaders to keep an eye
>> out and report suspicious behavior?
>>
>> Personally from a chapter development standpoint, my policy is to do a
>> nominal background check on people requesting to start chapters, get
>> Owasp.org emails or start a mailing list. This typically means reviewing
>> their resume (required for starting a chapter), looking them up on LinkedIn
>> or Google News search, checking on any previous Owasp involvement in the
>> wiki or our member database, etc. as well as checking with leaders and past
>> leaders of a chapter: do you know them, is this a good person? Similar for
>> volunteers for event booths, university outreach, etc. This is especially
>> important as chapter leaders ultimately get to handle money. I've had
>> someone in Nigeria ask to restart chapters in Oregon and Canada, one of
>> many examples.
>>
>> I also encourage people to use their Owasp.org email to sign up for the
>> wiki account, since that implies they a have already been vetted or at
>> least paid a member fee to get gmail access.
>>
>> Is this sufficient? Are there other ways to monitor activity without
>> turning into cops or making people feel unfairly scrutinized?
>>
>> Noreen Whysel
>> Community Manager
>> OWASP Foundation
>>
>> On Sep 4, 2015, at 11:45 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> I'm just curious
>>
>> How can OWASP avoid this if he uses other email accounts/fake names or
>> addresses to gain access?
>>
>> I think access to the wiki has to be very strongly supervised, including a
>> background check of the person requesting access.
>>
>> Any ideas or procedures that are already in place?
>>
>> regards
>>
>> Johanna
>>
>> On Fri, Sep 4, 2015 at 11:25 AM, Matt Tesauro <matt.tesauro at owasp.org>
>> wrote:
>>
>>> And the screenshot...
>>>
>>> Rushing to get back to work doesn't actually buy you more time ; )
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP WTE Project Lead
>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>> http://AppSecLive.org - Community and Download site
>>> OWASP OpenStack Security Project Lead
>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>
>>> On Fri, Sep 4, 2015 at 10:24 AM, Matt Tesauro <matt.tesauro at owasp.org>
>>> wrote:
>>>
>>>> > I'm assuming wiki editing has been revoked?
>>>>
>>>> Good point about the wiki - it's actually designed to clean up
>>>> bad/malicious edits so the damage potential is far less, but I went ahead
>>>> and blocked his user account.  See screenshot.
>>>>
>>>> For the curious, his wiki contributions are at:
>>>> https://www.owasp.org/index.php/Special:Contributions/Cmlh
>>>>
>>>> -- Cheers
>>>>
>>>> --
>>>> -- Matt Tesauro
>>>> OWASP WTE Project Lead
>>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>> http://AppSecLive.org - Community and Download site
>>>> OWASP OpenStack Security Project Lead
>>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>
>>>> On Fri, Sep 4, 2015 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>>> wrote:
>>>>
>>>>> Hi.
>>>>>
>>>>> Wow.  I was slow to respond to this whole series of events because I
>>>>> didn't have prior direct exposure to this individual.  Lucky me.
>>>>>
>>>>> First, I'm glad we (esp. Matt T.) have taken care of part of the
>>>>> problem through mechanics. Thanks all for dealing with that, especially
>>>>> Josh for invoking the bylaws to trigger the action.
>>>>>
>>>>> Second, is there further action required with regard to CH?  I'm
>>>>> assuming we keep our eyes out for disruptive behavior for a bit and just
>>>>> catch it and take action quickly.  I'm assuming wiki editing has been
>>>>> revoked?
>>>>>
>>>>> Third, are there other open issues (people) like this that we should
>>>>> deal with proactively?
>>>>>
>>>>> Fourth, what can we do to handle this prior to the face to face
>>>>> meeting?  As painful as it is over email, I would really rather focus on
>>>>> positive and constructive things we can be doing (like proposals for wiki
>>>>> overhaul and investments in projects) than re-hashing blow by blow the
>>>>> words of people we don't want to be part of the community.  Is there a
>>>>> legitimate legal risk here?
>>>>>
>>>>> Thanks,
>>>>> Matt
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>
>
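As an added illustration (not code from the thread or from OWASP's own Mailman setup) of the subscription-moderation policy Michael and Noreen discuss above, the following Python triages a batch of constructed subscription requests: trusted-domain addresses are accepted, random-looking freemail local parts are rejected by a heuristic, everything else is held for admin moderation, and a per-domain count flags the "excessive subscribe requests" symptom. The trusted domain, freemail list, thresholds and sample addresses are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample subscription requests (not real addresses from the thread).
SAMPLE_REQUESTS = [
    "noreen.whysel@owasp.org",   # leader with a trusted-domain address
    "jane.doe@gmail.com",        # ordinary freemail sign-up
    "xk7q2wplz9@gmail.com",      # random-looking freemail local part
    "qzv8mtrk4b@gmail.com",      # another random-looking local part
    "bob@example.net",           # unknown domain
    "not-an-email",              # malformed request
]

TRUSTED_DOMAIN = "owasp.org"        # assumed: addresses here are already vetted
FREEMAIL_DOMAINS = {"gmail.com"}    # assumed: domains the thread reports abuse from
ADDRESS_RE = re.compile(r"([a-z0-9._%+-]+)@([a-z0-9.-]+\.[a-z]{2,})")

def shannon_entropy(text):
    """Bits of entropy per character; random strings score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(local):
    """Heuristic: long, digit-heavy, vowel-poor, high-entropy local parts."""
    digits = sum(ch.isdigit() for ch in local)
    vowels = sum(ch in "aeiou" for ch in local)
    return (len(local) >= 8 and digits >= 2 and vowels <= 2
            and shannon_entropy(local) > 3.0)

def triage(address):
    """Return 'accept', 'moderate' or 'reject' for one subscription request."""
    match = ADDRESS_RE.fullmatch(address.strip().lower())
    if not match:
        return "reject"          # malformed: drop outright
    local, domain = match.groups()
    if domain == TRUSTED_DOMAIN:
        return "accept"          # vetted: already a leader or paid member
    if domain in FREEMAIL_DOMAINS and looks_random(local):
        return "reject"          # obvious bot-style sign-up
    return "moderate"            # everything else waits for an admin

def burst_domains(addresses, threshold):
    """Domains contributing at least `threshold` requests in one batch."""
    counts = Counter(a.rsplit("@", 1)[-1].lower() for a in addresses if "@" in a)
    return {d: n for d, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print({a: triage(a) for a in SAMPLE_REQUESTS}, burst_domains(SAMPLE_REQUESTS, 3))
```

The entropy and vowel thresholds are deliberately loose so that ordinary names land in "moderate" rather than "reject"; tune them against real hold-queue data before enabling auto-rejection.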