[Owasp-leaders] New OWASP project

Lucas Ferreira lucas.ferreira at owasp.org
Tue Nov 1 08:43:05 EDT 2011


Hello Azzeddine,

I'm moving this discussion to the project's mailing list to keep project
details out of the leader's list. I'll answer your questions there:
https://lists.owasp.org/mailman/subscribe/owasp-file-hash-repository

Hope you understand.

Regards,

Lucas

On Tue, Nov 1, 2011 at 10:16, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:

>
> Hi,
> I find this project and idea very interesting. This project is not like
> Tripwire because it is not an HIDS.
> Why MD5? This hash function is not secure anymore.
> Questions:
> - how can this project ensure the integrity of the hash itself?
> - how can this project ensure the integrity of the stored files, if that is
> the case?
> Regards,
> Azzeddine
>
> On Tue, Nov 1, 2011 at 12:58 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>
>> Sorry to come back again, but I have to correct that Google safe
>> browsing database IS available for download. Kudos to them.
>>
>> Regards,
>>
>> Lucas
>>
>> On Tue, Nov 1, 2011 at 09:37, Lucas Ferreira <lucas.ferreira at owasp.org>
>> wrote:
>> > Hello all,
>> >
>> > I'll hijack Michael's email to answer all previous emails in this
>> > thread. If I left anything out, please remind me and I'll do my best
>> > to provide a suitable answer.
>> >
>> > First, I also had doubts if this project would fit in OWASP. I then
>> > talked to some OWASPers and the conclusion was that it should be given
>> > a try. I then submitted the project proposal to the Global Projects
>> > Committee and it was approved.
>> >
>> > Second, I understand that this project is not directly linked to web
>> > or application security, but I think it could be used in web or
>> > application security tasks. As Dinis pointed out, there is the
>> > possibility of using the database to validate scripts or libraries in
>> > a convergence-inspired way. A web crawler could be used to check web
>> > pages and downloads, as pointed out by Christian.
>> >
>> > In any case, if the OWASP community thinks this project does not
>> > belong here, I can withdraw it. No problems with that at all. So far,
>> > opinions are divided, so I'd ask the Projects Committee to take care
>> > of this and warn me if the project needs to be taken off OWASP.
>> >
>> > Answering more specific concerns:
>> >
>> > Christian, the list of data sources for the projects database is not
>> > closed. If you know a good source of hash data of web-related files,
>> > please let me know and I'll manage to include them. Regarding
>> > including tripwire-like functionality, it can be done. We need to
>> > finish writing some code to allow users to upload data to the database
>> > and also a web crawler. I will post a roadmap soon. Regarding Google
>> > safe browsing, their approach is to work with URLs. We work with file
>> > contents. I think the approaches are complementary. The problem I see
>> > with Google is that their database is not open, as far as I know. Our
>> > database should be available to anyone to copy or query.
>> >
>> > Mark, I am aware of the MD5 collision attacks. That's why the project
>> > includes SHA-1 hashes too. Also, the use of both hashes combined seems
>> > beyond current attacks. Please note that the hashes are not stored
>> > with the files. Our database only includes the hashes. The process
>> > would be for someone to get the file, calculate the hashes and then
>> > check the hashes against the database.
>> >
>> > Well, thanks everyone for the attention and please excuse me if I
>> > caused any trouble.
>> >
>> > Regards,
>> >
>> > Lucas
>> >
>> > On Tue, Nov 1, 2011 at 02:48, Michael Coates <michael.coates at owasp.org>
>> wrote:
>> >> This has been an interesting discussion and it's a good sign that the
>> >> community is weighing in with various viewpoints.
>> >>
>> >> I'd like to present a few thoughts for people to consider.
>> >> OWASP is built on top of a community of volunteers that are experts in
>> >> their respective fields. Our guides, tools, resources, outreach,
>> >> conferences (and more) are excellent because talented people have
>> >> dedicated their time and skills.
>> >> One of the great things that OWASP works towards is making OWASP a
>> >> platform that is easy for anyone to contribute their time and effort.
>> >> A model that requires approval from a centralized body before a project
>> >> could be started would be a very different model than what we have now
>> >> and one that I think would diminish the successes of our community.
>> >> In the end, good ideas will flourish and attract more participation and
>> >> also more support from OWASP overall.  However, it's very hard to know
>> >> what the next great idea is unless we experiment with bright minds in a
>> >> variety of areas.
>> >> With that, I say best of luck to this new project and any others that
>> >> are in line with the principles of OWASP.
>> >>
>> >>
>> >>
>> >> --
>> >> Michael Coates
>> >> OWASP
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> >
>> >
>> >
>> > --
>> > Homo sapiens non urinat in ventum.
>> >
>>
>>
>>
>> --
>> Homo sapiens non urinat in ventum.
>>
>
>


-- 
Homo sapiens non urinat in ventum.
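Lucas's quoted reply describes the intended process (fetch the file, hash it locally, check the MD5 and SHA-1 against a hash-only database) and notes that the two hashes combined are what the project relies on. The following Python sketch is an added example, not code from the OWASP File Hash Repository project; the file contents and records are constructed, and a record where only one of the two hashes matches is treated as untrustworthy rather than as a hit.

```python
import hashlib
from typing import Dict, List

# Constructed sample contents standing in for files whose hashes a
# repository would publish. Not real project data.
KNOWN_GOOD_FILES: Dict[str, bytes] = {
    "example-lib.min.js": b"(function(){console.log('example library 1.0');})();",
    "example-plugin.js": b"function plugin(){return 'plugin 2.3';}",
}


def compute_hashes(data: bytes):
    """MD5 and SHA-1 hex digests of the file contents, the pair the database stores."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def build_database(files: Dict[str, bytes]) -> List[dict]:
    """Hash-only records: the repository keeps the hashes, never the files."""
    records = []
    for name, data in files.items():
        md5, sha1 = compute_hashes(data)
        records.append({"name": name, "md5": md5, "sha1": sha1})
    return records


DATABASE = build_database(KNOWN_GOOD_FILES)


def lookup(data: bytes, db: List[dict]) -> dict:
    """Client side of the process: hash the downloaded file, then query.

    Verdicts:
      'known'    both MD5 and SHA-1 match the same record
      'partial'  only one of the two hashes matches a record (an MD5-only hit
                 is exactly what a collision would produce; also what a
                 corrupted or altered record looks like), so it is not trusted
      'unknown'  no record matches either hash
    """
    md5, sha1 = compute_hashes(data)
    full = [r for r in db if r["md5"] == md5 and r["sha1"] == sha1]
    if full:
        return {"verdict": "known", "record": full[0]}
    partial = [r for r in db if r["md5"] == md5 or r["sha1"] == sha1]
    if partial:
        return {"verdict": "partial", "record": partial[0]}
    return {"verdict": "unknown", "record": None}
```

The example leaves open the question Azzeddine raises, how the integrity of the stored hashes themselves is assured; a partial match only tells the client that a record cannot be relied on.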