[Owasp-leaders] My expectation is that nobody is reading my @owasp.org emails

Dennis Groves dennis.groves at owasp.org
Tue Jul 1 07:52:38 UTC 2014


Indeed this is a big problem; real security is based on the foundation of
'separation of duty'. Please see my project "OWASP security principles" -
this is a giant failure for OWASP. If we cannot differentiate between
Samantha the person and Samantha the employee - why should anybody
listen to OWASP?

Isn't Jim an expert on RBAC? Why is this not under control?

Dennis


On Wed, Jun 11, 2014 at 7:51 PM, Matt Tesauro <mtesauro at gmail.com> wrote:

> Abbas,
>
> Be careful when you argue from the specific (your experiences) to the
> general (others experiences).
>
> You've worked for progressive and quite generous employers.
>
> For one of my past employers, I lost access (all access, email, VPN, etc)
> ~30 minutes after I gave my 2-week notice.  Understandable, but it actually
> made it quite difficult for me to cleanly hand off all the things I had in
> various stages with clients.  Even worse because I was a remote employee.
> I wanted to do the right thing but my lack of access made that much harder
> than it had to be.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> On Wed, Jun 11, 2014 at 7:29 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Well you could ask her to take all her data and remove anything else
>> before forcing it. If OWASP does not trust its former employees to this
>> extent, what's keeping them from leaking all the internal information they
>> got in the process? There should be at least a good level of trust between
>> them.
>>
>> All the corporations I’ve been at (and have seen) leave the address in
>> place for at least one year. We use our corporate emails for many matters,
>> not just corporate business. Any violation of the privacy or basic access
>> is not tolerated.
>>
>> -Abbas
>> ______________________________________________________________
>> *Notice:* This message is *digitally signed*; its *source* and
>> *integrity* are verifiable.
>> If your mail client does not support S/MIME verification, it will display
>> a file (smime.p7s), which includes the X.509 certificate and the signature
>> body.  Read more at Certified E-Mail with Comodo and Thunderbird
>> <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
>> AbiusX.com
>>
>> On Jun 11, 2014, at 6:42 PM, Michael Coates <michael.coates at owasp.org>
>> wrote:
>>
>> Correct. Samantha's no longer an employee of OWASP. Sarah worked to
>> transition ownership of google docs and system access to foundation
>> controls. Samantha's old email account also now has an autoreply so anyone
>> that would be reaching out to her knows who to contact.
>>
>> Removing email access is not an unexpected action and is standard for any
>> organization. Facebook had a similar situation on how to handle employees'
>> email when they left (since they were using FB email accounts). They ended
>> up changing domains for corp employees. In our case, Samantha can ask for
>> another owasp.org email address if she'd like to keep using an owasp
>> email account. Or, as some people chose to do, she can use a different email.
>> It's up to her.
>>
>> Also, although it wasn't said, I see it is implied by this email
>> thread: no one has any interest in looking at anyone's email. Interesting
>> discussion on whether it is even possible or not, but not relevant.
>>
>> Sarah can provide additional information. But this was all communicated
>> to Samantha through the exiting process.
>>
>>
>>
>>
>>
>> --
>> Michael Coates
>> @_mwc
>>
>>
>>
>> On Wed, Jun 11, 2014 at 11:22 AM, Dennis Groves <dennis.groves at owasp.org>
>> wrote:
>>
>>> This is all very interesting because Samantha is unable to access her
>>> OWASP email account anymore. It seems her password has been changed, and
>>> now we know the short list of people who are liable...
>>>
>>> I hope the community will stand up for Samantha; she has done nothing
>>> but support the community, and yet she has been forced to resign
>>> because of the treatment she was receiving from the board - and this is
>>> further indication that she is being targeted by the board. After all,
>>> nobody in the history of OWASP has ever been treated this way before.
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Jun 11, 2014 at 9:30 AM, Dinis Cruz <dinis.cruz at owasp.org>
>>> wrote:
>>>
>>>> ok, cool, I misread your previous email
>>>>
>>>> well, any email sent to lists.owasp.org should be public anyway (since
>>>> there are no private lists, right?)
>>>>
>>>> Dinis
>>>>
>>>>
>>>> On 11 June 2014 17:28, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>>>>
>>>>>  or intercept the main Barracuda proxy traffic  (the first case would
>>>>> be noticeable by the user, the 2nd is much harder and only possible by a
>>>>> couple highly trusted individuals (like Matt))
>>>>>
>>>>> Correction:  Barracuda only filters the email for lists.owasp.org, not
>>>>> @owasp.org addresses.  It was put in place to reduce the SPAM on the
>>>>> mailing lists, which have a separate SMTP flow from @owasp.org email.
>>>>>
>>>>> Look at the MX records for both domains and you will see the
>>>>> difference.
>>>>>
>>>>> So, I could read emails from @owasp.org addresses in Barracuda only
>>>>> if the email was headed for an @lists.owasp.org address, e.g. one of
>>>>> our mailing lists.
>>>>>
>>>>> I am still unsure why we have suddenly realized we are using a 3rd party
>>>>> email host and all the trade-offs that entails.
>>>>>
>>>>> Per Kevin's email, there is always a point where trust must start.
>>>>>
>>>>> --
>>>>> -- Matt Tesauro
>>>>> OWASP WTE Project Lead
>>>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>>> http://AppSecLive.org - Community and Download site
>>>>> OWASP OpenStack Security Project Lead
>>>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>> On Jun 11, 2014 10:52 AM, "Dinis Cruz" <dinis.cruz at owasp.org> wrote:
>>>>>
>>>>>> inline
>>>>>>
>>>>>> On 11 June 2014 15:42, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>>
>>>>>>> I'm not implying anything, but maybe someone should also control the
>>>>>>> admins. Checks and Balances:
>>>>>>>
>>>>>>
>>>>>> Yeah, but there are a number of different types of 'admins':
>>>>>>
>>>>>>    - OWASP.org Admins (which btw I was one of them (a good number of
>>>>>>    years ago))
>>>>>>    - Google Admins
>>>>>>    - People/Orgs with Google SSL's Private Cert
>>>>>>    - People/Orgs with root access to Google's server (this includes
>>>>>>    Google employees, and exploits like How we got read access on
>>>>>>    Google's production servers
>>>>>>    <http://blog.detectify.com/post/82370846588/how-we-got-read-access-on-googles-production-servers>)
>>>>>>    - People/Orgs with 0-days on gmail (i'm talking about web app
>>>>>>    vulns, like the ones from the OWASP Top 10)
>>>>>>
>>>>>>
>>>>>> Starting with OWASP.org Admins, it seems that they either need to
>>>>>> change the current pwd of the user (which should be noticeable)
>>>>>> or intercept the main Barracuda proxy traffic (the first case would be
>>>>>> noticeable by the user, the 2nd is much harder and only possible by a
>>>>>> couple of highly trusted individuals (like Matt)).
>>>>>>
>>>>>> The other types of 'admin' are much harder to detect and control
>>>>>> since, by definition, they will be done at the server.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> > Also, configuring a remote syslog server would provide an
>>>>>>> > additional degree of assurance.  That also helps protect you should
>>>>>>> > someone remotely exploit the mail server or web server, etc.
>>>>>>>
>>>>>>
>>>>>> But we can't do this for Google Gmail activities/traffic, right?
>>>>>>
>>>>>> I think we can only do this type of remote syslog and analysis (maybe
>>>>>> via AppSensor Analysis engine???) for the traffic that passes through our
>>>>>> Barracuda filters.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> I always look at my detailed activity to see and control logins. Does
>>>>>>> this help in case an admin logs in to a gmail account?
>>>>>>>
>>>>>>
>>>>>> I think this will only help with the cases of your account login
>>>>>> details being compromised, or if an OWASP.org admin changes your pwd
>>>>>> and logs in.
>>>>>>
>>>>>> Dinis
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jun 11, 2014 at 3:48 AM, Dinis Cruz <dinis.cruz at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Well Kevin, at the moment we have to trust those gmail sysadmins
>>>>>>>> and who controls them :)
>>>>>>>>
>>>>>>>> BTW, this is a great thread and really good example of how hard
>>>>>>>> topics and somewhat controversial questions can be debated in a nice,
>>>>>>>> civilised, respectful and educational way :)
>>>>>>>> On 11 Jun 2014 04:16, "Kevin W. Wall" <kevin.w.wall at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> On Tue, Jun 10, 2014 at 10:55 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>>>> wrote:
>>>>>>>>> > I'm not sure.  I think that we need to apply a certain level of
>>>>>>>>> > trust toward Matt and the OWASP staff that they are not abusing this
>>>>>>>>> > privilege (if it even exists).  Maybe it's just me, but I don't see a
>>>>>>>>> > lot of value in trying to force a more stringent audit process on a
>>>>>>>>> > staff that is already overworked (especially with Samantha's
>>>>>>>>> > departure) and hasn't shown any signs of problems that I'm aware of.
>>>>>>>>> > I think we are all on the same page here in terms of Dinis' stated
>>>>>>>>> > expectations.  But I'm not one to turn down someone who wants to
>>>>>>>>> > contribute to something that they're passionate about, either, so
>>>>>>>>> > I'd support you if you're offering your time and assistance in the
>>>>>>>>> > proposed effort.
>>>>>>>>>
>>>>>>>>> One approach is that you could have all system administrators and
>>>>>>>>> anyone else with privileged access sign off on some special
>>>>>>>>> (to-be-written) addendum to the code-of-ethics that is specific to
>>>>>>>>> not abusing their powers.  That's actually a pretty common thing
>>>>>>>>> within corporations.
>>>>>>>>>
>>>>>>>>> Also, configuring a remote syslog server would provide an
>>>>>>>>> additional degree of assurance.  That also helps protect you should
>>>>>>>>> someone remotely exploit the mail server or web server, etc.
>>>>>>>>>
>>>>>>>>> But I'd agree that it's probably pointless to go too far on this.
>>>>>>>>> Personally, I'm much more willing to trust Matt than I am to trust
>>>>>>>>> the hundreds of faceless administrators of the Gmail servers.
>>>>>>>>>
>>>>>>>>> -kevin
>>>>>>>>> --
>>>>>>>>> Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>>> NSA: All your crypto bit are belong to us.
>>>>>>>>> _______________________________________________
>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>
>>>
>>> --
>>> Dennis Groves <http://about.me/dennis.groves>, MSc
>>> Email me, <dennis.groves at owasp.org> or schedule a meeting
>>> <http://goo.gl/8sPIy>.
>>> *This email is licensed under a CC BY-ND 3.0
>>> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
>>> Stand up for your freedom to install free software.
>>> <http://www.fsf.org/campaigns/secure-boot/statement>
>>> Please do not send me Microsoft Office/Apple iWork documents.
>>> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>>>
>>> <http://www.owasp.org/>
>>>
>


-- 
Dennis Groves <http://about.me/dennis.groves>, MSc
Email me, <dennis.groves at owasp.org> or schedule a meeting
<http://goo.gl/8sPIy>.
*This email is licensed under a CC BY-ND 3.0
<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
Stand up for your freedom to install free software.
<http://www.fsf.org/campaigns/secure-boot/statement>
Please do not send me Microsoft Office/Apple iWork documents.
Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!

<http://www.owasp.org/>