[Owasp-leaders] My expectation is that nobody is reading my @owasp.org emails

Jim Manico jim.manico at owasp.org
Tue Jul 1 08:12:42 UTC 2014


Dennis,

I have access to board files but do not have admin access to any other 
OWASP system as far as I know. Only staff has access to social media, 
Salesforce and other OWASP systems. I want to make sure your concerns 
are addressed; can you give me a little more idea as to how I can help 
here? I think this is more of a Matt question; again, I really do not 
have access to the vast majority of OWASP systems as far as I can tell.

I hope you are well.

Regards,
Jim

On 7/1/14, 3:52 PM, Dennis Groves wrote:
> Indeed this is a big problem; real security is based on the foundation 
> of 'separation of duty'. Please see my project "OWASP security 
> principles" - this is a giant failure for OWASP. If we cannot 
> differentiate between Samantha the person and Samantha the employee, 
> why should anybody listen to OWASP?
>
> Isn't Jim an expert on RBAC? Why is this not under control?
>
> Dennis
>
>
> On Wed, Jun 11, 2014 at 7:51 PM, Matt Tesauro <mtesauro at gmail.com 
> <mailto:mtesauro at gmail.com>> wrote:
>
>     Abbas,
>
>     Be careful when you argue from the specific (your experiences) to
>     the general (others experiences).
>
>     You've worked for progressive and quite generous employers.
>
>     For one of my past employers, I lost access (all access, email,
>     VPN, etc.) ~30 minutes after I gave my 2 week notice.
>     Understandable, but it actually made it quite difficult for me to
>     cleanly hand off all the things I had in various stages with
>     clients.  Even worse because I was a remote employee.  I wanted to
>     do the right thing but my lack of access made that much harder
>     than it had to be.
>
>     --
>     -- Matt Tesauro
>     OWASP WTE Project Lead
>     https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>
>
>     http://AppSecLive.org - Community and Download site
>     OWASP OpenStack Security Project Lead
>     https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
>     On Wed, Jun 11, 2014 at 7:29 PM, Abbas Naderi <abiusx at owasp.org
>     <mailto:abiusx at owasp.org>> wrote:
>
>         Well you could ask her to take all her data and remove
>         anything else before forcing it. If OWASP does not trust
>         its former employees to this extent, what's keeping them from
>         leaking all the internal information they got in the process?
>         There should be at least a good level of trust between them.
>
>         All the corporations I've been at (and have seen) leave the
>         address in place for at least one year. We use our corporate
>         emails for many matters, not just corporate business. Any
>         violation of the privacy or basic access is not tolerated.
>
>         -Abbas
>         ______________________________________________________________
>         *Notice:* This message is *digitally signed*; its
>         *source* and *integrity* are verifiable.
>         If your mail client does not support S/MIME verification, it
>         will display a file (smime.p7s), which includes the X.509
>         certificate and the signature body.  Read more at Certified
>         E-Mail with Comodo and Thunderbird
>         <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
>         AbiusX.com <http://AbiusX.com>
>
>         On Jun 11, 2014, at 6:42 PM, Michael Coates
>         <michael.coates at owasp.org <mailto:michael.coates at owasp.org>>
>         wrote:
>
>>         Correct. Samantha's no longer an employee of OWASP. Sarah
>>         worked to transition ownership of google docs and system
>>         access to foundation controls. Samantha's old email account
>>         also now has an autoreply so anyone that would be reaching
>>         out to her know who to contact.
>>
>>         Removing email access is not an unexpected action and is
>>         standard for any organization. Facebook had a similar
>>         situation on how to handle employees email when they left
>>         (since they were using FB email accounts). They ended up
>>         changing domains for corp employees. In our case, Samantha
>>         can ask for another owasp.org <http://owasp.org/> email
>>         address if she'd like to keep using an owasp email account.
>>         Or as some people chose to do she can use a different email.
>>         It's up to her.
>>
>>         Also, although it wasn't said but I see it is implied by this
>>         email thread, no one has any interest in looking at anyone's
>>         email. Interesting discussion on whether it is even possible
>>         or not, but not relevant.
>>
>>         Sarah can provide additional information. But this was all
>>         communicated to Samantha through the exiting process.
>>
>>
>>
>>
>>
>>         --
>>         Michael Coates
>>         @_mwc
>>
>>
>>
>>         On Wed, Jun 11, 2014 at 11:22 AM, Dennis Groves
>>         <dennis.groves at owasp.org <mailto:dennis.groves at owasp.org>> wrote:
>>
>>             This is all very interesting because Samantha is unable
>>             to access her OWASP email account anymore. It seems her
>>             password has been changed, and now we know the short list
>>             of people who are liable...
>>
>>             I hope the community will stand up for Samantha; she has
>>             done nothing but support the community, and yet she
>>             has been forced to resign because of the treatment she
>>             was receiving from the board - and this is a further
>>             indication that she is being targeted by the board.
>>             After all, nobody in the history of OWASP has ever been
>>             treated this way before.
>>
>>
>>
>>
>>
>>             On Wed, Jun 11, 2014 at 9:30 AM, Dinis Cruz
>>             <dinis.cruz at owasp.org <mailto:dinis.cruz at owasp.org>> wrote:
>>
>>                 ok, cool, I mis-read your previous email
>>
>>                 well any email sent to lists.owasp.org
>>                 <http://lists.owasp.org/> should be public any way
>>                 (since there are no private lists, right?)
>>
>>                 Dinis
>>
>>
>>                 On 11 June 2014 17:28, Matt Tesauro
>>                 <matt.tesauro at owasp.org
>>                 <mailto:matt.tesauro at owasp.org>> wrote:
>>
>>                     > or intercept the main Barracuda proxy traffic
>>                     > (the first case would be noticeable by the user,
>>                     > the 2nd is much harder and only possible by a
>>                     > couple highly trusted individuals (like Matt))
>>
>>                     Correction: Barracuda only filters the email for
>>                     lists.owasp.org <http://lists.owasp.org/> not
>>                     @owasp.org <http://owasp.org/> addresses.  It was
>>                     put in place to reduce the SPAM on the mail lists
>>                     which has a separate SMTP flow from @owasp.org
>>                     <http://owasp.org/> email.
>>
>>                     Look at the MX records for both domains and you
>>                     will see the difference.
>>
>>                     So, I could read emails from @owasp.org
>>                     <http://owasp.org/> addresses in Barracuda only
>>                     if the email was headed for an @lists.owasp.org
>>                     <http://lists.owasp.org/> address e.g. one of our
>>                     mail lists.
>>
>>                     I am still unsure why we have suddenly realized
>>                     we are using a 3rd party email host and all the
>>                     trade-offs that entails.
>>
>>                     Per Kevin's email, there is always a point where
>>                     trust must start.
>>
>>                     --
>>                     -- Matt Tesauro
>>                     OWASP WTE Project Lead
>>                     http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>                     http://AppSecLive.org <http://appseclive.org/> -
>>                     Community and Download site
>>                     OWASP OpenStack Security Project Lead
>>                     https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>
>>                     On Jun 11, 2014 10:52 AM, "Dinis Cruz"
>>                     <dinis.cruz at owasp.org
>>                     <mailto:dinis.cruz at owasp.org>> wrote:
>>
>>                         inline
>>
>>                         On 11 June 2014 15:42, johanna curiel curiel
>>                         <johanna.curiel at owasp.org
>>                         <mailto:johanna.curiel at owasp.org>> wrote:
>>
>>
>>                             I'm not implying anything, but maybe
>>                             someone should also control the admins.
>>                             Checks and balances:
>>
>>
>>                         Yeah, but there are a number of different
>>                         types of 'admins'
>>
>>                           * OWASP.org <http://OWASP.org> Admins
>>                             (which btw I was one of them (a good
>>                             number of years ago))
>>                           * Google Admins
>>                           * People/Orgs with Google SSL's Private Cert
>>                           * People/Orgs with root access to Google's
>>                             server (this includes Google employees,
>>                             and exploits like How we got read access
>>                             on Google's production servers
>>                             <http://blog.detectify.com/post/82370846588/how-we-got-read-access-on-googles-production-servers> )
>>                           * People/Orgs with 0-days on gmail (i'm
>>                             talking about web app vulns, like the
>>                             ones from the OWASP Top 10)
>>
>>
>>                         Starting with OWASP.org <http://OWASP.org>
>>                         Admins, it seems that they either need to
>>                         change the current pwd of the user (which
>>                         should be noticeable) or intercept the main
>>                         Barracuda proxy traffic (the first case
>>                         would be noticeable by the user, the 2nd is
>>                         much harder and only possible by a couple of
>>                         highly trusted individuals (like Matt)).
>>
>>                         The other types of 'admin' are much harder to
>>                         detect and control since, by definition, they
>>                         will be done at the server.
>>
>>
>>                             > Also, configuring a remote syslog server
>>                             > would provide an additional degree
>>                             > of assurance.  That also helps protect
>>                             > you should someone remotely exploit
>>                             > the mail server or web server, etc.
>>
>>
>>                         But we can't do this for Google Gmail
>>                         activities/traffic, right?
>>
>>                         I think we can only do this type of remote
>>                         syslog and analysis (maybe via AppSensor
>>                         Analysis engine???) for the traffic that
>>                         passes through our Barracuda filters.
>>
>>
>>                             I always look at my details activity to
>>                             see control login. Does this help in
>>                             case an admin logs in to a gmail account?
>>
>>
>>                         I think this will only help with the cases of
>>                         your account login details being compromised
>>                         or if an OWASP.org <http://OWASP.org> admin
>>                         changes your pwd and logs in
>>
>>                         Dinis
>>
>>
>>                             regards
>>
>>                             Johanna
>>
>>
>>                             On Wed, Jun 11, 2014 at 3:48 AM, Dinis
>>                             Cruz <dinis.cruz at owasp.org
>>                             <mailto:dinis.cruz at owasp.org>> wrote:
>>
>>                                 Well Kevin, at the moment we have to
>>                                 trust those gmail sysadmins and who
>>                                 controls them :)
>>
>>                                 BTW, this is a great thread and
>>                                 really good example of how hard
>>                                 topics and somewhat controversial
>>                                 questions can be debated in a nice,
>>                                 civilised, respectful and educational
>>                                 way :)
>>
>>                                 On 11 Jun 2014 04:16, "Kevin W. Wall"
>>                                 <kevin.w.wall at gmail.com
>>                                 <mailto:kevin.w.wall at gmail.com>> wrote:
>>
>>                                     On Tue, Jun 10, 2014 at 10:55 PM,
>>                                     Josh Sokol <josh.sokol at owasp.org
>>                                     <mailto:josh.sokol at owasp.org>> wrote:
>>                                     > I'm not sure.  I think that we
>>                                     > need to apply a certain level of
>>                                     > trust toward Matt and the OWASP
>>                                     > staff that they are not abusing
>>                                     > this privilege (if it even exists).
>>                                     > Maybe it's just me, but I don't see
>>                                     > a lot of value in trying to force a
>>                                     > more stringent audit process on a
>>                                     > staff that is already overworked
>>                                     > (especially with Samantha's
>>                                     > departure) and hasn't shown any
>>                                     > signs of problems that I'm aware of.
>>                                     > I think we are all on the same page
>>                                     > here in terms of Dinis' stated
>>                                     > expectations.  But I'm not one to
>>                                     > turn down someone who wants to
>>                                     > contribute to something that they're
>>                                     > passionate about, either, so I'd
>>                                     > support you if you're offering your
>>                                     > time and assistance in the proposed
>>                                     > effort.
>>
>>                                     One approach is that you could
>>                                     have all system administrators
>>                                     and anyone
>>                                     else with privileged access sign
>>                                     off on some special
>>                                     (to-be-written) addendum
>>                                     to the code-of-ethics that is
>>                                     specific to not abusing their powers.
>>                                     That's actually
>>                                     a pretty common thing within
>>                                     corporations.
>>
>>                                     Also, configuring a remote syslog
>>                                     server would provide an
>>                                     additional degree
>>                                     of assurance.  That also helps
>>                                     protect you should someone
>>                                     remotely exploit
>>                                     the mail server or web server, etc.
>>
>>                                     But I'd agree that it's probably
>>                                     pointless to go too far on this.
>>                                     Personally, I'm
>>                                     much more willing to trust Matt
>>                                     than I am to trust the hundreds
>>                                     of faceless
>>                                     administrators of the Gmail servers.
>>
>>                                     -kevin
>>                                     --
>>                                     Blog:
>>                                     http://off-the-wall-security.blogspot.com/
>>                                     NSA: All your crypto bit are
>>                                     belong to us.
>>                                     _______________________________________________
>>                                     OWASP-Leaders mailing list
>>                                     OWASP-Leaders at lists.owasp.org
>>                                     <mailto:OWASP-Leaders at lists.owasp.org>
>>                                     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>             -- 
>>             Dennis Groves <http://about.me/dennis.groves>, MSc
>>             Email me, <mailto:dennis.groves at owasp.org> or schedule a
>>             meeting <http://goo.gl/8sPIy>.
>>             /This email is licensed under a CC BY-ND 3.0
>>             <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license./
>>             Stand up for your freedom to install free software.
>>             <http://www.fsf.org/campaigns/secure-boot/statement>
>>             Please do not send me Microsoft Office/Apple iWork
>>             documents.
>>             Send OpenDocument
>>             <http://fsf.org/campaigns/opendocument/> instead!
>>
>>             <http://www.owasp.org/>
>>
>>
>>
>
>
>
>
>
>
>
>
>
> -- 
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me, <mailto:dennis.groves at owasp.org> or schedule a meeting 
> <http://goo.gl/8sPIy>.
> /This email is licensed under a CC BY-ND 3.0 
> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license./
> Stand up for your freedom to install free software. 
> <http://www.fsf.org/campaigns/secure-boot/statement>
> Please do not send me Microsoft Office/Apple iWork documents.
> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>
> <http://www.owasp.org/>
>
>
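Matt's remark in the thread above, that @owasp.org and @lists.owasp.org have separate SMTP flows and that the difference is visible in their MX records, is the kind of claim worth checking mechanically rather than by trust. The following Python script is an added example for this archive page, not code from the thread or from OWASP's infrastructure. It parses `dig +short MX <domain>` style output and reports whether a given filtering host is a mail exchanger for a recipient's domain, i.e. whether mail to that recipient can ever pass through that appliance. The MX lines, the `example.org` domains and the `spamfilter.example.org` host are constructed sample data; with real data you would paste in the output of `dig +short MX <domain>` for each domain and name your own filtering hosts.

```python
"""Which filtering host sits in the inbound mail path of a recipient?

Added example (not the thread's code). Inbound delivery is decided by the
MX records of the domain after the '@' in the *recipient* address, so an
appliance that is an MX for lists.example.org sees mail to the lists but
never mail to plain example.org mailboxes hosted elsewhere, regardless of
who sent it.
"""
from typing import Dict, List, Tuple

# CONSTRUCTED sample of `dig +short MX <domain>` output for two hypothetical
# domains: one hosted at a third party, one fronted by a filtering appliance.
SAMPLE_DIG_OUTPUT: Dict[str, str] = {
    "example.org": (
        "1 aspmx.l.google.com.\n"
        "5 alt1.aspmx.l.google.com.\n"
        "10 alt2.aspmx.l.google.com.\n"
    ),
    "lists.example.org": (
        "10 spamfilter.example.org.\n"   # hypothetical filtering appliance
        "20 lists.example.org.\n"
    ),
}

# Hypothetical: hosts whose administrators can read mail that passes through them.
FILTER_HOSTS = {"spamfilter.example.org"}


def parse_mx(dig_output: str) -> List[Tuple[int, str]]:
    """Turn `dig +short MX` lines ("prio host.") into (prio, host), lowest prio first."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not an MX record
        prio, host = int(parts[0]), parts[1].rstrip(".").lower()
        records.append((prio, host))
    return sorted(records)


def recipient_domain(address: str) -> str:
    """Routing uses the part after the last '@'; the sender plays no role."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


def mx_hosts_for(address: str, dig_by_domain: Dict[str, str]) -> List[str]:
    """Mail exchangers that accept inbound mail for this recipient's domain."""
    output = dig_by_domain.get(recipient_domain(address))
    if output is None:
        return []  # no data captured for this domain (real MTAs would fall back to A/AAAA)
    return [host for _, host in parse_mx(output)]


def filter_in_path(address: str,
                   dig_by_domain: Dict[str, str] = SAMPLE_DIG_OUTPUT,
                   filter_hosts=FILTER_HOSTS) -> bool:
    """True if any filtering host is an MX for the recipient's domain."""
    return any(host in filter_hosts for host in mx_hosts_for(address, dig_by_domain))


if __name__ == "__main__":
    for addr in ("someone@example.org", "owasp-leaders@lists.example.org"):
        print(addr, "->", mx_hosts_for(addr, SAMPLE_DIG_OUTPUT),
              "| filter in path:", filter_in_path(addr))
```

Running the script with the sample data shows the list address routed through the filtering host and the plain mailbox address routed only to the third-party host; swapping in real `dig` output turns the thread's argument into a repeatable check rather than an assertion to be trusted.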
