[Owasp-board] [Owasp-leaders] Barracuda

Matt Tesauro matt.tesauro at owasp.org
Wed Feb 13 21:03:29 UTC 2019


Dirk,

Please don't conflate the reason (old OS & software) why recovering from
the recent issue was problematic with the reasons to retire Mailman.

Yes, we could move to a more recent LTS version of Ubuntu and continue to
run Mailman 2.x largely the same as it is today.  However, this won't
address the reasons why Mailman should be retired.  Those include:

   - Mailman sends passwords in the clear via email and requires a shared
   password if 2+ people are list owners - hardly security best practice
   - Site Admin of Mailman is via a single shared admin password, meaning
   it's virtually impossible to find out who did what from an admin/staff
   perspective
   - This has been causing repeated angst in the community for years -
   enough that I wrote about it in 2013 so I could just send a link when it
   popped up again.
   https://www.owasp.org/index.php/About_Mailman_at_OWASP
   - The "old guard" of OWASP needs to realize that using Mailman makes
   OWASP look completely out of touch with the next generation of AppSec
   people.  Ask a 20-something about mail lists and they'll give you a blank
   look. I include myself in that "old guard" - I just happen to be working
   with a Univ student with my project and it's been enlightening to hear what
   his age group thinks of mail lists and IT infrastructure in general.
      - I'm sorry "old guard" - what's really important is getting new,
      young people involved in our community - and that means change and
      meeting them where *they* participate on the Internet.  I get that I'm
      going to be changing right with the rest of you since I'm definitely
      not 20 years old anymore.
   - OWASP's mission is to make AppSec visible.  Considering the very small
   staff, running any server, that we can replace with an external service
   offering, removes the sys admin burden from staff and actually helps us in
   our mission.  Otherwise, we spend staff time on things that aren't core to
   our mission.  This is called Opportunity Cost
   <https://en.wikipedia.org/wiki/Opportunity_cost> in Economics and the
   opportunity cost of running any IT service that requires hands-on admin
   work by staff is too high.
   - If you're tempted to chime in with "Let volunteers run it", I'd say
   two things:
      - Re-read that previous bullet and switch "staff" for "volunteer" -
      the reason is still valid.  Volunteers should help on the mission not
      administrivia.
      - In the 10+ years I've been around OWASP, I've seen volunteer run
      things go one of two ways:
         - Run for a while, get forgotten and either go stale or get hacked
         (yeah, that's happened in the past)
         - Run for a while, then life changes for the volunteer(s) and it
         gets handed off to staff.  This happened with Slack, this happened
         with hosting the AppSec EU conference sites.  So even this positive
         outcome only delays a return to managing IT systems.
   - Mailman at OWASP may hold a warm nostalgic feeling for people that
   have been around a while but it's not what it used to be
      - We have far more conversations happening on Slack today than we do
      on Mailman
      - During restoring the current service, I looked at which lists had
      received any email (legit or SPAM) in the last calendar year - *~80%
      of the existing lists had no emails to them in the past year*.
      Mailman might be serving some of our community decently well but it's
      an ever shrinking number.  The numbers are:
         - 875 (previous) Total lists
         - 181 lists with any sort of email in the last calendar year (now
         the current total lists)
         - 693 lists with no email for 1+ years
      - Considering the recent vocal complaints about how unreliable email
      sent to the lists is, it's surprising to see the same people argue for
      keeping this 'unreliable' service up and running
   - Barracuda's licensing (the anti-SPAM gateway upstream of Mailman) has
   expired and Barracuda has not renewed the donation of those services.  I'm
   honestly surprised every time I can still log into their web control panel
   - apparently they've not turned off our account (yet) but could at any
   time.  Rough numbers show 2/3rds of inbound email to Mailman is SPAM.  I'd
   love to hand that problem off to Google or Discourse rather than spend
   staff time (and money) as we do currently.  There's also no way I'd suggest
   either running email without SPAM filtering or having staff spend time
   running it themselves.

Tangential reasons why retiring Mailman is my current focus include:

   - The fact that the current server is woefully out of date and was set up
   by someone else in a, to be nice, very "creative" fashion
   - Rack is no longer donating their cloud services so we're paying a
   premium to keep that server hosted there. I've been actively migrating
   servers from Rackspace and this is the next one on my list.

For options instead of Mailman:

(1) Timur is correct, we get Google Groups for $0 cost as part of the G
Suite for Charities package/donation from Google.  We have to spend $0 and
0 time doing sys admin work on Google Groups.

(2) We also get a year of Discourse SaaS for ~7 months of Mailman hosting
costs and we spend 0 time spent doing sys admin work.  Plus, Harold has
already written some automation code against Discourse's REST API to make
things easier going forward.

Cheers!

--
-- Matt Tesauro
*OWASP Foundation*
Director of Community and Operations
matt.tesauro at owasp.org

Consider giving back, and supporting the open source community by becoming
a member <https://www.owasp.org/index.php/Membership> or making a donation
<https://www.owasp.org/index.php/Donate> today!


On Wed, Feb 13, 2019 at 1:22 PM Timur 'x' Khrotko [owasp] <timur at owasp.org>
wrote:

> Dirk, darling, I may be totally wrong and superficial, correct me. Imo
> there are several aspects of the situation, some actionable.
>
> 0) In what modern group communication format could the lists type of
> exchange continue. My understanding is that mailing list remains.
>
> a) For the further operation, the mailing list functionality of the Gsuite we
> use here is an organic option -imo, probably. And is a way more modern
> solution ops-wise than anything paas-based.
>
> b) For the archive of the mailing list - you guys know the options better.
>
> c) Criticism regarding the ages old os wasn't my topic. And I rather would
> like to thank Matt for his mitigating the critical situation!
>
> timur
>
>
> On Wed, 13 Feb 2019 at 19:16, Dirk Wetter <dirk at owasp.org> wrote:
>
>>
>> Timur,
>>
>> what are you talking about?
>>
>> We're running a 9-year old OS out of support for five years -- exposed
>> on the internet -- and this should be a reason to blame the SW ??
>>
>> As indicated: It should be a task for half a day or less to sync all the
>> files from mailman to a modern Ubuntu or Debian system.
>>
>>
>> Dirk
>>
>>
>> On 13.02.19 18:23, Timur 'x' Khrotko [owasp] wrote:
>> > * Matt already suggested to move to Google groups which is part of the
>> > gsuite if my understanding is correct.
>> >
>> > On Wed, 13 Feb 2019 at 18:21, Frank Catucci <frank.catucci at owasp.org>
>> > wrote:
>> >
>> >     Matt, et al.,
>> >
>> >     Can we (OWASP leaders, project leaders, etc.) not have a modern
>> >     email server implemented to run @owasp.org email? Is that not a
>> >     reasonable ask of OWASP and OWASP staff? Am I missing something
>> >     here? This sounds like a very reasonable and actionable request to
>> >     me...
>> >
>> >     Regards,
>> >
>> >     Frank
>> >
>> >
>> >     On Tue, Feb 12, 2019 at 4:35 PM Matt Tesauro <matt.tesauro at owasp.org>
>> >     wrote:
>> >
>> >
>> >         On Tue, Feb 12, 2019 at 4:03 AM Dirk Wetter <dirk at owasp.org>
>> >         wrote:
>> >
>> >             Hi all / Matt,
>> >
>> >             short update, see below. This time our germany list seems
>> >             unknown.
>> >
>> >
>> >         All of the lists were unknown for some time starting last night
>> >         (GMT -6) - not just "our germany list".  The server that hosts
>> >         mailman went down in a spectacular fashion.  It took a while to
>> >         get it back up but it's running again.  Items which complicated
>> >         things:
>> >
>> >           * that server's been running on the same VM since 2013
>> >           * it's running an EOL/EOS OS (Ubuntu 10.04 - a 9 year old OS)
>> >           * Rack's support does not cover Mailman and we're running an
>> >             out of date version that is a major release behind current
>> >             (2.x vs 3.x)
>> >           * technically, Rack's support doesn't cover EOL/EOS OS'es but
>> >             they still helped us get back online
>> >           * the OS is so old, Rack's monitoring and backup agents are no
>> >             longer supported nor run on the OS
>> >           * the VM configuration and type used for that host is no longer
>> >             offered by Rackspace, causing complications which both caused
>> >             the initial outage and complicated restoring the server
>> >           * since monitoring is no longer supported for that server, no
>> >             alerts were sent when it went down
>> >           * since the backup agent can no longer run on a server that old,
>> >             the most recent file-level backup is from July 17, 2017
>> >           * Full VM image backups were still in place and working.
>> >             However, restoring those backups to a different type and
>> >             configuration of VM caused issues that took working with
>> >             Rack's support team to get resolved.
>> >
>> >         Even with all those strikes against it, it's up and running
>> >         again.  Not too bad to have one (regrettably long) outage in 6
>> >         years.
>> >
>> >         Props to the several people on Rack's support team that helped me
>> >         get the Mailman VM back up and running as they were able to do
>> >         the 'behind the cloud' work required to get the VM working again.
>> >
>> >         The system you seem to love to hate, Barracuda, spooled all the
>> >         inbound email and that is flowing again.  Once the retry period
>> >         is over and that spool is empty, things should return to normal.
>> >         For a while, delivery of emails that came in during the outage
>> >         may be delayed a bit.  Barracuda, BTW, is also unlicensed and
>> >         continues to work without any agreement in place.  Thanks to
>> >         Barracuda for not cutting us off.
>> >
>> >         I also added a block volume to that VM to allow for a file-level
>> >         backup workaround as an interim solution while we wind down
>> >         Mailman and retire it this year.
>> >
>> >             When do we get a reliable mail delivery system for our
>> >             lists?
>> >
>> >
>> >         Have you considered switching to Google Groups?  I'm pretty sure
>> >         that Google has a slightly larger IT staff and budget than OWASP
>> >         does.  There's also discourse.owasp.org <http://discourse.owasp.org>
>> >         which is a SaaS alternative we have in place as well.  Or you
>> >         could try the OWASP Slack instance too.
>> >
>> >         Thanks again for all your patience and understanding.
>> >
>> >         Cheers!
>> >
>> >         -- Matt Tesauro
>> >
>> >
>> >
>> >             Dirk
>> >
>> >
>> >             -------- Forwarded Message --------
>> >             Subject: Delivery Status Notification (Failure)
>> >             Date: Tue, 12 Feb 2019 01:13:15 -0800 (PST)
>> >             From: Mail Delivery Subsystem <mailer-daemon at googlemail.com>
>> >             To: dirk at owasp.org
>> >
>> >             Address not found
>> >
>> >             Your message wasn't delivered to *owasp-germany at lists.owasp.org*
>> >             because the address couldn't be found, or is unable to receive mail.
>> >
>> >             The response from the remote server was:
>> >
>> >             550 permanent failure for one or more recipients
>> >             (owasp-germany at lists.owasp.org:550 5.1.1
>> >             <owasp-germany at lists.owasp.org>... User unknown)
>> >
>> >             Attached Message Part
>> >
>> >             Reporting-MTA: dns; googlemail.com
>> >             Received-From-MTA: dns; dirk at owasp.org
>> >             Arrival-Date: Tue, 12 Feb 2019 01:13:12 -0800 (PST)
>> >             X-Original-Message-ID: <2326a30c-8ecb-5ea2-65d6-87b549c23f6a at owasp.org>
>> >
>> >             Final-Recipient: rfc822; owasp-germany at lists.owasp.org
>> >             Action: failed
>> >             Status: 5.0.0
>> >             Remote-MTA: dns; d15006a.ess.barracudanetworks.com
>> >             (209.222.82.126, the server for the domain lists.owasp.org.)
>> >             Diagnostic-Code: smtp; 550 permanent failure for one or more recipients
>> >             (owasp-germany at lists.owasp.org:550 5.1.1
>> >             <owasp-germany at lists.owasp.org>... User unknown)
>> >             Last-Attempt-Date: Tue, 12 Feb 2019 01:13:15 -0800 (PST)
>> >
>> >
>> >
>> >
>> >             --
>> >             OWASP Volunteer
>> >             Send me encrypted mails (Key ID 0xD0A74569)
>> >             @drwetter
>> >
>> >         _______________________________________________
>> >         OWASP-Leaders mailing list
>> >         OWASP-Leaders at lists.owasp.org
>> >         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>> >
>> >     This message may contain confidential information - you should
>> handle it accordingly.
>> > --
>> >
>> > secmachine․net #wepowersecdev
>>
>>
>>
>>