[Owasp-board] [Owasp-leaders] Windows XP like OS

Matt Tesauro matt.tesauro at owasp.org
Thu Feb 14 21:36:04 UTC 2019


Thanks for your reply.  We'll take your feedback and others from the
community as we more forward with the 3 objectives for 2019 provided by the
board after their face-to-face meeting in January:

   - Simplify
   - Unify
   - Grow

I am sure you'll see all three of those objectives in the reasons I've
already provided for retiring the Mailman server.

A couple side points:
>  I am concerned that https://2016.appsec.eu/ is still down.

As you said "in life we need to prioritize", and currently, restoring from
backup a website for a conference that happened 3 years ago and gets little
or no traffic compared to other ongoing work is not a priority. As you may
recall from when this was previously discussed, I stated that it's on a
list of things that need to be done with an appropriate priority.  I might
add that only 1 person has noted the lack of availability for that site.

 > Also https://owaspsummit.org/ seems to be down for months.

The OWASP Foundation does not own nor has ever owned that domain.  I'd
suggest you reach out to Dinis Cruiz and Seba Deleersnyder who were
involved in that site and event.


-- Matt Tesauro
*OWASP Foundation*
Director of Community and Operations
matt.tesauro at owasp.org

Consider giving back, and supporting the open source community by becoming
a member <https://www.owasp.org/index.php/Membership> or making a donation
<https://www.owasp.org/index.php/Donate> today!

On Thu, Feb 14, 2019 at 2:48 PM Dirk Wetter <dirk at owasp.org> wrote:

> Hi Matt and all,
> thanks first for bringing everything online again!. Matt.
> With all due respect though, on some matters I have a different stance.
> See below.
> On 13.02.19 22:03, Matt Tesauro wrote:
> > Dirk,
> >
> > Please don't conflate the reason (old OS & software) why recovering from
> the recent issue was
> > problematic with the reasons to retire Mailman.
> Well, it looked to me like there's such a big mess for years now -- again:
> we are talking
> about an operating system which is five years out of support, out of
> patches. This is
> exposed in the internet. And then I am reading repeatedly "we try
> something else."
> From this I drew the maybe wrong conclusion that probably what we have is
> so rotten, that one
> might think it is easier to start over with something new.
> And all I hear "mailman is bad" which I per se cannot agree with. If I
> start
> arguing I don't get a reply.
> > Yes, we could move to a more recent LTS version of Ubuntu and continue
> to run Mailman 2.x
> > largely the same as it is today.
> I am asking you: How did we get there? Why did nobody in the past 5 years
> did an online
> upgrade of the old OS??? For the non-Linux guys: It's ~3 commands on a
> running system and one
> reboot. It is definitely less painful and way shorter and as one starts
> starting Windows 7 or
> 10 after 3-4 months.
> I was really shocked that we as OWASP run such an old system? Wondering
> where the S in OWASP is?
> > However, this won't address the reasons why  Mailman should
> > be retired.  Those include:
> >
> >   * Mailman sends passwords in the clear via email and requires a shared
> password if 2+ people
> >     are list owners - hardly security best practice
> Come on! This appears to me focusing on a niche security problem compared
> to run a Windows XP
> like OS exposed in the internet for almost five years (Ubuntu 10.10. and
> Windows XP support
> both stopped in April 2014).
> Secondly as mentioned before: This is unfortunately common practice but
> seems to not have a
> large security relevance. Most people save their password in the browser
> or in a pw manager. So
> the pw reset is not often taking place. When it's taking place I assume
> the PW is being reset
> soon after. The only real vector is grabbing the pw from the wire which I
> agree would be bad.
> But the window the attacker to get the pw from the/wire/ shouldn't be
> large.
> There's of course the vector that the pw is being retrieved by an attacker
> from the users
> INBOX.  But if the INBOX is owned 90% of any sw will fail too, except the
> SW using 2FA.
> So this is a bugging issue and somewhat ugly, I agree, but should not be a
> big security concern.
> >   * Site Admin of Mailman is via a single shared admin password, meaning
> it's virtually
> >     impossible to find out who did what from an admin/staff perspective
> For which scenario do you need accountability?
> There are moderators and admins. Don't know how the lists has been setup
> but the lists I
> maintained the techies have admin rights and moderators are the ones
> taking care of legitimate
> and non-legitimate user requests. And that worked.
> >   * This has been causing repeated angst in the community for years -
> enough that I wrote about
> >     it in 2013 so I could just send a link when it popped up again.
> >     https://www.owasp.org/index.php/About_Mailman_at_OWASP
> yes, I answered you before. It doesn't make it any better if you repeat
> your initial stance.
> See my take on this here:
> http://lists.owasp.org/pipermail/owasp-leaders/2019-January/019610.html .
> Did I miss an answer
> on this?
> I am also afraid on security problems as discourse is relatively new. See
> here:
> http://lists.owasp.org/pipermail/owasp-leaders/2019-January/019599.html
> Worth to mention again that mailman is running on millions of servers
> around the
> world. It's definitely no niche software.
> >   * The "old guard' of OWASP needs to realize that using Mailman makes
> OWASP look completely
> >     out of touch with the next generation of AppSec people.  Ask a
> 20-something about mail
> >     lists and they'll give you a blank look. I include myself in that
> "old guard" - I just
> >     happen to be working with a Univ student with my project and it's
> been enlightening to hear
> >     what his age group thinks of mail lists and IT infrastructure in
> general.
> >       o I'm sorry 'old guard" - what's really important is getting new,
> young people involved
> >         in our community - and that means change and meeting them were
> _*they*_ participate on
> >         the Internet.
> That is IMO nonsense. First of all: who's looking at a web interface of
> mailman and based on
> that decides whether OWASP is any good?
> Then: Most people read mails and don't use the UI. So what's the deal with
> the UI?
> If you're saying we need icons and stuff because otherwise generation z
> looses interest?
> This stance might be ok for marketing. But please keep in mind that OWASP
> is about
> technology/security. Security has no icons. It's more or less science. And
> it's interesting
> because the matter itself is interesting. If the matter doesn't appear
> interesting, catchy
> icons won't help either.
> >   * OWASP's mission is to make AppSec visible.  Considering the very
> small staff, running any
> >     server, that we can replace with an external service offering,
> removes the sys admin burden
> >     from staff and actually helps us in our mission.  Otherwise, we
> spend staff time on things
> >     that aren't core to our mission.  This is called Opportunity Cost
> >     <https://en.wikipedia.org/wiki/Opportunity_cost> in Economics and
> the opportunity cost of
> >     running any IT service that requires hands-on admin work by staff is
> too high.
> With all due respect -- and I don't have any clue of what you great things
> you do day by day --
> but to me appears to me most important that we run up to date systems and
> keep them running and
> have a reliable service like mail.
> Looking at the current issues we have the mailman vs. discourse vs.
> whatever thing appears to
> me a non-priority issue. Many days will be spent for solving a
> non-existing problem instead of
> just migrating the current sw to a new machine which costs not more than
> half a day. It gives
> us another couple of years before we migrate to mailman 3 or maybe another
> solution.
> Wrt to other issues: I am concerned that https://2016.appsec.eu/ is still
> down. I think I
> mentioned that before. It should be a year now. Also
> https://owaspsummit.org/ seems to be down
> for months.
> As in life we need to prioritize. To me as a volunteer mail sending in a
> reliable fashion is
> important. It is important that systems with information are kept
> available and a secure.
> If the burden is too high for our staff is too high we need additional
> resources.
> Cheers, Dirk
> --
> OWASP Volunteer
> Send me encrypted mails (Key ID 0xD0A74569)
> @drwetter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20190214/ba7c713f/attachment.html>

More information about the Owasp-board mailing list