[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Jim Manico jim.manico at owasp.org
Wed Nov 25 18:31:32 UTC 2015


Abbas,

I know these gentlemen well, and I read their comments. I do not feel 
these are trolls (at all). In fact, they are leaders in applied 
cryptography. No one is saying these things to hurt you or hurt OWASP; 
they are genuinely concerned and are trying to help.

But by all means, if you feel these comments are not accurate, would you 
care to discuss some of the details on list here? This could lead to 
good technical discussion.

Aloha,

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org




On 11/25/15 8:20 PM, Abbas Naderi wrote:
> They are trying to troll the project.
> Read the thread at 
> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to 
> realize that.
> We have provided ample opportunity for them to contribute, fix, or 
> help the project.
> All they want is to take the project down, which I obviously refuse.
>
> I don’t think it really hurts OWASP's reputation. If anyone delves into 
> the technical discussions, that would be apparent.
> Regards
> -Abbas
>
>> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel 
>> <johanna.curiel at owasp.org> wrote:
>>
>> Hi Erlend
>>
>> We are aware of the issues and remediation is underway ;-)
>>
>> regards
>>
>> Johanna
>>
>> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico <jim.manico at owasp.org>
>> wrote:
>>
>>     Yup, it's bad.
>>
>>     Johanna Curiel and Claudia are leading the charge here. They are
>>     in the process of fully removing the project from GitHub. As in,
>>     right now…
>>
>>     - Jim
>>
>>
>>
>>     On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>     Hi
>>>
>>>     See https://twitter.com/voodooKobra/status/669537889500311553
>>>     and the link in that message.
>>>
>>>     According to the OWASP website the project is inactive, yet
>>>     contributions are made on github, and there are no signs of the
>>>     project status on github.
>>>     The crypto code is bad, as voodooKobra rightly points out. With
>>>     a known key and iv, this encryption is useless.
>>>     And the code is referenced from stackoverflow++.
>>>
>>>     When deactivating a project we need to make sure the
>>>     deactivation is clearly visible on github as well.
>>>
>>>     Best regards
>>>     Erlend Oftedal
>>>     OWASP Norway
>>>     @webtonull
>>>
>>>
>>>     _______________________________________________
>>>     OWASP-Leaders mailing list
>>>     OWASP-Leaders at lists.owasp.org
>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
