[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Jim Manico jim.manico at owasp.org
Thu Dec 3 00:43:33 UTC 2015


I submitted a request to Kate/Claudia/Matt to have this redirected to 
the GitHub site ( https://github.com/OWASP/phpsec ) which clearly shows 
the project is inactive (and has security flaws) as well as a link to 
the old code tree if folks want to revive it.

- Jim


On 12/2/15 12:38 PM, Tony Turner wrote:
>
> This is still ongoing and needs another look. 
> https://github.com/OWASP/phpsec/issues/120#issuecomment-161396666
>
> Need the phpsec.owasp.org <http://phpsec.owasp.org> page updated 
> probably.
>
> On Nov 26, 2015 3:17 AM, "AF" <antonio.fontes at owasp.org 
> <mailto:antonio.fontes at owasp.org>> wrote:
>
>     s/GAMA/GAFA/
>
>     Sorry.
>     (sent with mobile, please excuse any excessive brevity or typo)
>     --
>     Antonio Fontes
>     OWASP Switzerland, board member
>     OWASP Geneva, chapter leader
>     skype: antonio.fontes
>
>     On November 26, 2015 8:30:17 AM GMT+01:00, AF
>     <antonio.fontes at owasp.org <mailto:antonio.fontes at owasp.org>> wrote:
>
>         Yes, agree. I'd rather see it flagged than not see it at all.
>
>         Cheers,
>         Antonio
>
>
>         PS: We all know that deleting content on user's request is
>         nope. GAMA are wonderful teachers ;)
>         (sent with mobile, please excuse any excessive brevity or typo)
>         --
>         Antonio Fontes
>         OWASP Switzerland, board member
>         OWASP Geneva, chapter leader
>         skype: antonio.fontes
>
>         On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico
>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>
>             The project is still live and will continue to be.
>
>             https://github.com/OWASP/phpsec
>
>             1) It's been labeled clearly as abandoned, which is fair
>             to say I think (In both GitHub and the Wiki).
>             2) The codebase has been deleted from the main branch
>             3) For anyone who wishes to revive this project, all the
>             code is in the project history
>
>             I think this is a fair balance of all concerns.
>
>             Aloha,
>             Jim
>
>
>             On 11/26/15 1:46 AM, Antonio Fontes wrote:
>>             Hi,
>>
>>             I agree with Abbas on this point.
>>
>>             OWASP has a responsibility to warn users when a library
>>             project is inactive, unmaintained and/or was identified
>>             as broken by experts in the domain (if it really is,
>>             disclaimer: I have only read the content posted in the
>>             leaders list).
>>
>>             However, I don't see a valid rationale behind the
>>             decision to suppress it entirely. Users don't get to
>>             decide what gets suppressed or not from the web,
>>             especially when the content doesn't belong to them, more
>>             especially when the argument is "it's not clean", and
>>             even more especially when the request for deletion comes
>>             from "crypto-experts" (I want to see the badge first).
>>
>>             Our mission as OWASP leaders is to lead, not to baby-sit
>>             people, who download code marked as unsafe and abandoned,
>>             and install it in their organization's systems.
>>
>>             If we abide by this rationale, then we should suppress
>>             all previous versions of the OWASP guides that are
>>             currently available for download as archives.
>>             Most of them are incomplete, do not cover the state of
>>             the art knowledge we have reached today, and many of them
>>             contain advice that is outdated.
>>
>>             regards,
>>             Antonio
>>
>>             --
>>             OWASP Geneva Chapter
>>             Contact: geneva at owasp.ch <mailto:geneva at owasp.ch>
>>             Twitter: @owasp_geneva
>>             Newsletter: https://lists.owasp.org/mailman/listinfo/owasp-geneva
>>             On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>>>             >>All they want is to delete the code entirely, which doesn’t
>>>             make sense to me at all.
>>>
>>>             Abbas, their point is that it is not responsible to leave
>>>             this open if no one is going to document or fix it. I don't
>>>             think it is responsible to leave an insecure library. And
>>>             I did take the time to read the issues they mentioned.
>>>
>>>             You are the one mainly responsible for your project, not
>>>             the users who pinpointed the issues, nor should they go
>>>             and change it when they have the opinion that the entire
>>>             library does not serve the purpose.
>>>
>>>             People who want to see the whole thread can judge for
>>>             themselves:
>>>             https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>
>>>             I even defend you as a volunteer, but I have the opinion
>>>             that we have a responsibility towards users, especially
>>>             if you have not worked on this project for more than a
>>>             year and have no time to fix issues in a security library.
>>>
>>>             Even Sven, who was a contributor to this project, accepted
>>>             that this library does not achieve its purpose and
>>>             should not be available to users; it is just not responsible.
>>>
>>>             Sometimes we need to kill our darlings...
>>>
>>>             Btw I'm just a contributor as you are.
>>>
>>>
>>>
>>>             Regards
>>>
>>>             Johanna
>>>
>>>             On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi
>>>             <abiusx at owasp.org <mailto:abiusx at owasp.org>> wrote:
>>>
>>>                 I’m perfectly fine with criticising and QAing projects.
>>>
>>>                 What I’m not fine with, is reading some blogs or
>>>                 posts somewhere, without verifying their validity,
>>>                 and then putting the blame on our contributors
>>>                 without proper investigation.
>>>
>>>                 This is not how we defend and motivate our community.
>>>
>>>                 Plus, the only solution for a “broken library” is
>>>                 either to fix it, or to announce it as broken. These
>>>                 gentlemen insisting on removing the library sounds
>>>                 like trolling to me. They even refuse to add a
>>>                 README file to the GitHub repo which clearly states
>>>                 that this project is inactive and insecure. All they
>>>                 want is to delete the code entirely, which doesn’t
>>>                 make sense to me at all.
>>>
>>>                 I’m unhappy with your post, because you say “they
>>>                 have valid points” without properly investigating.
>>>                 They think they didn’t make progress by trolling on
>>>                 Github, and now are using you to reflect this issue
>>>                 on the leaders list. You could’ve contacted me first
>>>                 and asked about this before going public with it.
>>>                 I’m very unhappy with the process you have taken for
>>>                 this, undermining a contributor completely.
>>>
>>>                 Regards
>>>                 -Abbas
>>>
>>>
>>>>                 On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>>                 <johanna.curiel at owasp.org
>>>>                 <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>                 >>If you’d want to keep your “users” happy and your
>>>>                 “contributors” unhappy, you should think of a
>>>>                 commercial organisation instead of an open one.
>>>>
>>>>                 I think this is a very difficult balance to strike. I
>>>>                 understand from your POV as a contributor, but the fact
>>>>                 is, OWASP also has a reputation of being 'secure',
>>>>                 so probably the expectations are higher because we
>>>>                 preach security.
>>>>
>>>>                 Look, I volunteer too, but my proposals get
>>>>                 questioned and criticised in a way that it feels
>>>>                 to me like I've been questioned as an employee and
>>>>                 not a volunteer, but in a certain way, if you look
>>>>                 deeply, the people questioning my proposals want to
>>>>                 achieve goals that are aligned with the OWASP mission.
>>>>                 And that means I have to work harder to present my
>>>>                 arguments. Just because the effort is 'volunteered'
>>>>                 does not mean it does not hold certain responsibilities.
>>>>
>>>>                 Let me ask you: has this project ever been tested
>>>>                 to verify how well it works or not? Most projects
>>>>                 at OWASP do not have any form of QA. Security
>>>>                 libraries hold more responsibility in this case.
>>>>
>>>>                 This is a security library and if it contains
>>>>                 security issues then this is a problem. This does
>>>>                 not align with the mission, even if a lot of work
>>>>                 was put to create this project.
>>>>
>>>>                 I don't think they are trolling you. They have
>>>>                 valid points and their complaint is that it is not
>>>>                 responsible to leave this library to be used if it
>>>>                 holds these issues or they are not properly explained.
>>>>                 And it is not only the crypto issue.
>>>>
>>>>                 Regards
>>>>
>>>>                 Johanna
>>>>
>>>>                 On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi
>>>>                 <abiusx at owasp.org <mailto:abiusx at owasp.org>> wrote:
>>>>
>>>>                     I agree with all of that.
>>>>
>>>>                     This is an open source project. If they find
>>>>                     issues, especially tiny issues that can be fixed
>>>>                     with a few lines of code,
>>>>                     they are welcome to do so. That is not grounds
>>>>                     for deleting a project.
>>>>
>>>>                     The way I see it, is that they are trolling,
>>>>                     and not helping. I have not created this
>>>>                     library, and I’m only defending it because it
>>>>                     is the right thing to do.
>>>>                     If you’d want to keep your “users” happy and
>>>>                     your “contributors” unhappy, you should think
>>>>                     of a commercial organization instead of an open
>>>>                     one.
>>>>
>>>>                     Regards
>>>>                     -Abbas
>>>>
>>>>>                     On Nov 25, 2015, at 1:25 PM, johanna curiel
>>>>>                     curiel <johanna.curiel at owasp.org
>>>>>                     <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>
>>>>>                     Abbas
>>>>>
>>>>>                     I think they made very strong points and the
>>>>>                     project is right now inactive since it has not
>>>>>                     been updated in more than a year.
>>>>>
>>>>>                     The people commenting on your project have
>>>>>                     quite a reputation themselves too.
>>>>>
>>>>>                     I think if these issues cannot be fixed by you
>>>>>                     since you are the leader and since the project
>>>>>                     is inactive, the best is to warn users.
>>>>>                     Sven, who was a contributor, also acknowledged
>>>>>                     the issues.
>>>>>
>>>>>                     By the way, going from complaints of multiple PHP
>>>>>                     developers on the GitHub page of the project
>>>>>                     to now Twitter means they are not happy and
>>>>>                     they are trying to escalate their
>>>>>                     concerns. That's how I see this.
>>>>>
>>>>>                     regards
>>>>>
>>>>>                     Johanna
>>>>>
>>>>>                     On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>>                     <abiusx at owasp.org <mailto:abiusx at owasp.org>>
>>>>>                     wrote:
>>>>>
>>>>>                         They are trying to troll the project.
>>>>>                         Read the thread at
>>>>>                         https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446
>>>>>                         to realize that.
>>>>>                         We have provided ample opportunity for
>>>>>                         them to contribute, fix, or help the project.
>>>>>                         All they want is to take the project down,
>>>>>                         which I obviously refuse.
>>>>>
>>>>>                         I don’t think it really hurts OWASP's
>>>>>                         reputation. If anyone delves into the
>>>>>                         technical discussions that would be apparent.
>>>>>                         Regards
>>>>>                         -Abbas
>>>>>
>>>>>>                         On Nov 25, 2015, at 1:17 PM, johanna
>>>>>>                         curiel curiel <johanna.curiel at owasp.org
>>>>>>                         <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>>
>>>>>>                         Hi Erlend
>>>>>>
>>>>>>                         We are aware of the issues and
>>>>>>                         remediation is underway ;-)
>>>>>>
>>>>>>                         regards
>>>>>>
>>>>>>                         Johanna
>>>>>>
>>>>>>                         On Wed, Nov 25, 2015 at 1:54 PM, Jim
>>>>>>                         Manico <jim.manico at owasp.org
>>>>>>                         <mailto:jim.manico at owasp.org>> wrote:
>>>>>>
>>>>>>                             Yup, it's bad.
>>>>>>
>>>>>>                             Johanna Curiel and Claudia are
>>>>>>                             leading the charge here. They are in
>>>>>>                             the process of fully removing the
>>>>>>                             project from GitHub. As in, right now…
>>>>>>
>>>>>>                             - Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>>                             On 11/25/15 7:50 PM,
>>>>>>                             erlend.oftedal at owasp.org
>>>>>>                             <mailto:erlend.oftedal at owasp.org> wrote:
>>>>>>>                             Hi
>>>>>>>
>>>>>>>                             See
>>>>>>>                             https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>>                             and the link in that message.
>>>>>>>
>>>>>>>                             According to the OWASP website the
>>>>>>>                             project is inactive, yet
>>>>>>>                             contributions are made on GitHub,
>>>>>>>                             and there are no signs of the
>>>>>>>                             project status on GitHub.
>>>>>>>                             The crypto code is bad, as
>>>>>>>                             voodooKobra rightly points out. With
>>>>>>>                             a known key and iv, this encryption
>>>>>>>                             is useless.
>>>>>>>                             And the code is referenced from
>>>>>>>                             stackoverflow++.
>>>>>>>
>>>>>>>                             When deactivating a project we need
>>>>>>>                             to make sure the deactivation is
>>>>>>>                             clearly visible on GitHub as well.
>>>>>>>
>>>>>>>                             Best regards
>>>>>>>                             Erlend Oftedal
>>>>>>>                             OWASP Norway
>>>>>>>                             @webtonull
>>>>>>>
>>>>>>>
>>>>>>>                             _______________________________________________
>>>>>>>                             OWASP-Leaders mailing list
>>>>>>>                             OWASP-Leaders at lists.owasp.org
>>>>>>>                             <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>>>                             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>             -- 
>             Jim Manico
>             Global Board Member
>             OWASP Foundation
>             https://www.owasp.org
>
>
>
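The crypto failure Erlend points at in the thread, a key and IV that are known because they are baked into the source, shown as an added PHP illustration written for this page. It is not code from OWASP phpsec or from anyone in the thread; the function names and the `APP_ENC_KEY` environment variable are assumptions made for the example, and it assumes PHP with the openssl extension.

```php
<?php
// Added illustration for this thread, not phpsec code: why a known (hard-coded)
// key and IV make encryption useless, next to a hardened variant.
// Assumptions: openssl extension loaded; the key is supplied through the
// APP_ENC_KEY environment variable (a name chosen for this example).

declare(strict_types=1);

// --- The broken pattern: key and IV baked into the source -------------------
// Anyone who can read the code (it is open source) can decrypt every message.
// Because the IV never changes, equal plaintexts also produce equal
// ciphertexts, so an observer can spot repeats without any key at all.
const WEAK_KEY = '0123456789abcdef0123456789abcdef'; // 32 bytes, constant
const WEAK_IV  = 'fedcba9876543210';                 // 16 bytes, constant

function weakEncrypt(string $plaintext): string
{
    return openssl_encrypt($plaintext, 'aes-256-cbc', WEAK_KEY, OPENSSL_RAW_DATA, WEAK_IV);
}

// --- The hardened pattern ---------------------------------------------------
// The key comes from outside the code, the IV is fresh per message and travels
// with the ciphertext, and AES-GCM adds an authentication tag so tampering is
// detected instead of yielding silently corrupted plaintext.
function loadKey(): string
{
    $hex = getenv('APP_ENC_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('APP_ENC_KEY must be 64 hex chars (32 bytes)');
    }
    return hex2bin($hex);
}

function safeEncrypt(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);                // 96-bit nonce, unique per message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // layout: iv (12) | tag (16) | ciphertext
}

function safeDecrypt(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed'); // wrong key or tampered data
    }
    return $pt;
}

// --- Demonstration ----------------------------------------------------------
$a = weakEncrypt('transfer 100 EUR');
$b = weakEncrypt('transfer 100 EUR');
var_dump($a === $b);   // same plaintext, same key, same IV: identical bytes

// With the source in hand, recovering the plaintext needs no secret at all:
var_dump(openssl_decrypt($a, 'aes-256-cbc', WEAK_KEY, OPENSSL_RAW_DATA, WEAK_IV));

putenv('APP_ENC_KEY=' . bin2hex(random_bytes(32))); // stand-in for real key provisioning
$key = loadKey();
$c = safeEncrypt('transfer 100 EUR', $key);
$d = safeEncrypt('transfer 100 EUR', $key);
var_dump($c === $d);                    // fresh IV per message: no repeat to observe
var_dump(safeDecrypt($c, $key));

// Flipping one bit of the ciphertext is rejected by the tag check:
$tampered = base64_decode($c);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
try {
    safeDecrypt(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php` on a PHP build that has the openssl extension. The point of the contrast is the one Erlend makes: a constant key and IV turn the cipher into an encoding that anyone who reads the repository can undo, and the fix is not a different algorithm but keeping the key out of the code, generating a fresh IV per message, and authenticating the result.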