[Owasp-leaders] My expectation is that nobody is reading my at owasp.org emails

Tony UV tonyuv at owasp.org
Fri Jun 13 17:30:16 UTC 2014


+1 w/ Matt

One person's experience shouldn't be suggested as a prescriptive de facto rule.

Sent from mobile device

-----Original Message-----
From: "Matt Tesauro" <mtesauro at gmail.com>
Sent: 6/12/2014 12:01 AM
To: "Abbas Naderi" <abiusx at owasp.org>
Cc: "OWASP Leaders List" <owasp-leaders at lists.owasp.org>; "Timur 'x' Khrotko (owasp)" <timur at owasp.org>
Subject: Re: [Owasp-leaders] My expectation is that nobody is reading my at owasp.org emails

Abbas, 


Be careful when you argue from the specific (your experiences) to the general (others experiences).


You've worked for progressive and quite generous employers.


For one of my past employers, I lost access (all access, email, VPN, etc.) ~30 minutes after I gave my 2 week notice.  Understandable, but it actually made it quite difficult for me to cleanly hand off all the things I had in various stages with clients.  Even worse because I was a remote employee.  I wanted to do the right thing but my lack of access made that much harder than it had to be.


--
-- Matt Tesauro

OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project



On Wed, Jun 11, 2014 at 7:29 PM, Abbas Naderi <abiusx at owasp.org> wrote:

Well, you could ask her to take all her data and remove anything else before forcing it. If OWASP does not trust its former employees to this extent, what's keeping them from leaking all the internal information they got in the process? There should be at least a good level of trust between them.


All the corporations I’ve been at (and have seen) leave the address in place for at least one year. We use our corporate emails for many matters, not just corporate business. Any violation of the privacy or basic access is not tolerated.


-Abbas

______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com


On Jun 11, 2014, at 6:42 PM, Michael Coates <michael.coates at owasp.org> wrote:


Correct. Samantha's no longer an employee of OWASP. Sarah worked to transition ownership of google docs and system access to foundation controls. Samantha's old email account also now has an autoreply so anyone who would be reaching out to her knows whom to contact.


Removing email access is not an unexpected action and is standard for any organization. Facebook had a similar situation on how to handle employees' email when they left (since they were using FB email accounts). They ended up changing domains for corp employees. In our case, Samantha can ask for another owasp.org email address if she'd like to keep using an owasp email account. Or, as some people chose to do, she can use a different email. It's up to her.


Also, although it wasn't said, I see it implied by this email thread: no one has any interest in looking at anyone's email. Interesting discussion on whether it is even possible or not, but not relevant.



Sarah can provide additional information. But this was all communicated to Samantha through the exiting process.

--
Michael Coates
@_mwc





On Wed, Jun 11, 2014 at 11:22 AM, Dennis Groves <dennis.groves at owasp.org> wrote:

This is all very interesting because Samantha is unable to access her OWASP email account anymore. It seems her password has been changed, and now we know the short list of people who are liable...


I hope the community will stand up for Samantha; she has done nothing but support the community, and yet she has been forced to resign because of the treatment she was receiving from the board, and this is a further indication that she is being targeted by the board. After all, nobody in the history of OWASP has ever been treated this way before.

On Wed, Jun 11, 2014 at 9:30 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

ok, cool, I mis-read your previous email


well, any email sent to lists.owasp.org should be public anyway (since there are no private lists, right?)


Dinis



On 11 June 2014 17:28, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> or intercept the main Barracuda proxy traffic  (the first case would be noticeable by the user, the 2nd is much harder and only possible by a couple highly trusted individuals (like Matt))
Correction:  Barracuda only filters the email for lists.owasp.org not @owasp.org addresses.  It was put in place to reduce the SPAM on the mail lists which has a separate SMTP flow from @owasp.org email.
Look at the MX records for both domains and you will see the difference.
So, I could read emails from @owasp.org addresses in Barracuda only if the email was headed for an @lists.owasp.org address e.g. one of our mail lists.
I am still unsure why we have suddenly realized we are using a 3rd party email host and all the trade-offs that entails.
Per Kevin's email, there is always a point where trust must start.
--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
On Jun 11, 2014 10:52 AM, "Dinis Cruz" <dinis.cruz at owasp.org> wrote:

inline


On 11 June 2014 15:42, johanna curiel curiel <johanna.curiel at owasp.org> wrote:



I'm not implying anything, but maybe someone should also control the admins. Checks and balances:


Yeah, but there are a number of different types of 'admins'


OWASP.org Admins (which btw I was one of them (a good number of years ago))

Google Admins

People/Orgs with Google's SSL private cert

People/Orgs with root access to Google's servers (this includes Google employees, and exploits like "How we got read access on Google's production servers")

People/Orgs with 0-days on gmail (i'm talking about web app vulns, like the ones from the OWASP Top 10)



Starting with OWASP.org Admins, it seems that they either need to change the current pwd of the user (which should be noticeable) or intercept the main Barracuda proxy traffic  (the first case would be noticeable by the user, the 2nd is much harder and only possible by a couple highly trusted individuals (like Matt))


The other types of 'admin' are much harder to detect and control since, by definition, they will be done at the server
 


> Also, configuring a remote syslog server would provide an additional degree
> of assurance.  That also helps protect you should someone remotely exploit
> the mail server or web server, etc.


But we can't do this for Google Gmail activities/traffic, right? 


I think we can only do this type of remote syslog and analysis (maybe via AppSensor Analysis engine???) for the traffic that passes through our Barracuda filters.
 


I always look at my detailed activity to check logins. Does this help in case an admin logs in to a gmail account?


I think this will only help with the cases of your account login details being compromised or if an OWASP.org admin changes your pwd and logs in


Dinis
 


regards


Johanna



On Wed, Jun 11, 2014 at 3:48 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

Well Kevin, at the moment we have to trust those gmail sysadmins and who controls them :)
BTW, this is a great thread and really good example of how hard topics and somewhat controversial questions can be debated in a nice, civilised, respectful and educational way :)
On 11 Jun 2014 04:16, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:

On Tue, Jun 10, 2014 at 10:55 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> I'm not sure.  I think that we need to apply a certain level of trust toward
> Matt and the OWASP staff that they are not abusing this privilege (if it
> even exists).  Maybe it's just me, but I don't see a lot of value in trying
> to force a more stringent audit process on a staff that is already
> overworked (especially with Samantha's departure) and hasn't shown any signs
> of problems that I'm aware of.  I think we are all on the same page here in
> terms of Dinis' stated expectations.  But I'm not one to turn down someone
> who wants to contribute to something that they're passionate about, either,
> so I'd support you if you're offering your time and assistance in the
> proposed effort.

One approach is that you could have all system administrators and anyone
else with privileged access sign off on some special (to-be-written) addendum
to the code-of-ethics that is specific to not abusing their powers.
That's actually a pretty common thing within corporations.

Also, configuring a remote syslog server would provide an additional degree
of assurance.  That also helps protect you should someone remotely exploit
the mail server or web server, etc.

But I'd agree that it's probably pointless to go too far on this.
Personally, I'm much more willing to trust Matt than I am to trust the hundreds
of faceless administrators of the Gmail servers.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders



[The entire original message is not included.]
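Matt's point that Barracuda only sits in front of lists.owasp.org, and that the MX records for the two domains show the separate SMTP flows, is the kind of claim anyone on the list can verify for themselves. The script below is an added example for this archive page, not code from any of the thread's authors or from OWASP: a stdlib-only DNS client that sends an MX query and parses the answer section, including RFC 1035 compressed names, so that the MX sets of two domains can be compared. The resolver address (8.8.8.8), the example domains and the SAMPLE_RESPONSE bytes are constructed assumptions; the live lookup at the bottom needs network access, the parser does not.

```python
"""Check which mail path a domain actually uses by reading its MX records.

Added example (not code from the original thread or from OWASP): a stdlib-only
DNS client that sends one MX query and parses the answer, including RFC 1035
compressed names. The resolver address, the example domains and
SAMPLE_RESPONSE are constructed assumptions.
"""
import random
import socket
import struct

MX_TYPE = 15


def build_query(name, qtype=MX_TYPE, txid=None):
    """Return a recursion-desired DNS query for `name`; `txid` is random unless given."""
    txid = random.randrange(0, 1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def read_name(msg, offset):
    """Decode a possibly compressed name at `offset`; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # the name ends after the first pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                               # a forged pointer loop must not hang us
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_mx_response(msg):
    """Return [(preference, exchange), ...] from the answer section, lowest preference first."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    if flags & 0x0200:
        raise ValueError("truncated answer (TC set); retry over TCP")
    offset = 12
    for _ in range(qd):                                 # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == MX_TYPE:
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            exchange, _ = read_name(msg, offset + 2)
            records.append((pref, exchange.lower()))
        offset += rdlen                                 # rdlen, not parsed size, moves the cursor
    return sorted(records)


def query_mx(name, server="8.8.8.8", timeout=3.0):
    """Live UDP lookup (needs network); `server` is an assumed public resolver."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:                           # drop replies to someone else's query
        raise ValueError("transaction id mismatch")
    return parse_mx_response(data)


def shared_mail_hosts(mx_a, mx_b):
    """MX hosts common to both sets; empty means the two domains' mail takes separate paths."""
    return sorted({h for _, h in mx_a} & {h for _, h in mx_b})


# Constructed response to an MX query for lists.example.org (not a real capture): two
# answers, the second using pointers to the question name and to a shared name suffix.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x05lists\x07example\x03org\x00" + struct.pack("!HH", MX_TYPE, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", MX_TYPE, 1, 300, 26)
    + struct.pack("!H", 10) + b"\x03mx1\x06filter\x07example\x03net\x00"
    + b"\xc0\x0c" + struct.pack("!HHIH", MX_TYPE, 1, 300, 8)
    + struct.pack("!H", 20) + b"\x03mx2\xc0\x35"        # 0x35 = offset of "filter.example.net"
)

if __name__ == "__main__":
    for domain in ("owasp.org", "lists.owasp.org"):
        try:
            print(domain, query_mx(domain))
        except (OSError, ValueError) as exc:
            print(domain, "lookup failed:", exc)
```

Run it as-is to print the live MX sets of the two domains, then pass them to `shared_mail_hosts`: an empty intersection is what "separate SMTP flow" looks like on the wire. The parser advances by the record's `rdlen` rather than by what it decoded, and caps pointer hops, so a malformed or hostile answer fails loudly instead of desynchronising the cursor or looping.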

