[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Jim Manico jim.manico at owasp.org
Wed Nov 25 18:39:53 UTC 2015


 > They are not trolling? Then how come we had this conversation with 
two of them a few days ago,
and when they didn’t find the result they were seeking, they just added 
4-5 more friends to repeat the same arguments on the same issue thread 
on github?
I call that trolling.

Some may call it seeking more expert opinions....

 > What do you mean they are leaders in applied cryptography?

Several of these gentlemen work on various standards, actually. My 
understanding is that you have significant expertise in this area as 
well, so I'm listening. :)

 > The library then replaces that password with an encrypted version 
with a key that is hardcoded. The only purpose is to mask the password 
so that it is not leaked by a quick look at the code (e.g presentations, 
etc.)

Hard coding a password or key in a security library does not seem 
reasonable, what am I missing? Shouldn't this be configurable or more?

- Jim

On 11/25/15 8:35 PM, Abbas Naderi wrote:
> They are not trolling? Then how come we had this conversation with two 
> of them a few days ago,
> and when they didn’t find the result they were seeking, they just 
> added 4-5 more friends to repeat the same arguments on the same issue 
> thread on github?
> I call that trolling.
>
> What do you mean they are leaders in applied cryptography?
>
> Technical details:
> We have a library in the code, the role of which is to mask sensitive 
> information. The developers have to use it specifically, e.g
>
> sensitive_information("this is my password").
>
> The library then replaces that password with an encrypted version with 
> a key that is hardcoded. The only purpose is to mask the password so 
> that it is not leaked by a quick look at the code (e.g presentations, 
> etc.)
>
> Unfortunately the library is named Encryption instead of 
> sensitive_information, although the function is named confidentialString.
>
> Their proposed solution is to remove the library. Mine is to rename 
> the library. They agree with my solution but don’t agree with doing 
> it, they just want the entire library brought down.
>
> What part of that sounds logical to you?
>
> -Abbas
>
>
>> On Nov 25, 2015, at 1:31 PM, Jim Manico <jim.manico at owasp.org 
>> <mailto:jim.manico at owasp.org>> wrote:
>>
>> Abbas,
>>
>> I know these gentlemen well, and I read their comments. I do not feel 
>> these are trolls (at all). In fact, they are leaders in applied 
>> cryptography. No one is saying these things to hurt you or hurt 
>> OWASP, they are genuinely concerned and are trying to help.
>>
>> But by all means, if you feel these comments are not accurate, would 
>> you care to discuss some of the details on list here? This could lead 
>> to good technical discussion.
>>
>> Aloha,
>> -- 
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>>
>>
>>
>> On 11/25/15 8:20 PM, Abbas Naderi wrote:
>>> They are trying to troll the project.
>>> Read the thread at 
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to 
>>> realize that.
>>> We have provided ample opportunity for them to contribute, fix, or 
>>> help the project.
>>> All they want is to take the project down, which I obviously refuse.
>>>
>>> I don’t think it really hurts OWASP reputation. If anyone delves 
>>> into the technical discussions that would be apparent.
>>> Regards
>>> -Abbas
>>>
>>>> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel 
>>>> <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>> Hi Erlend
>>>>
>>>> We are aware of the issues and remediation is underway ;-)
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico <jim.manico at owasp.org> 
>>>> wrote:
>>>>
>>>>     Yup, it's bad.
>>>>
>>>>     Johanna Curiel and Claudia are leading the charge here. They
>>>>     are in the process of fully removing the project from GitHub.
>>>>     As in, right now…
>>>>
>>>>     - Jim
>>>>
>>>>
>>>>
>>>>     On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>     Hi
>>>>>
>>>>>     See https://twitter.com/voodooKobra/status/669537889500311553
>>>>>     and the link in that message.
>>>>>
>>>>>     According to the OWASP website the project is inactive, yet
>>>>>     contributions are made on github, and there are no signs of
>>>>>     the project status on github.
>>>>>     The crypto code is bad, as voodooKobra rightly points out.
>>>>>     With a known key and iv, this encryption is useless.
>>>>>     And the code is referenced from stackoverflow++.
>>>>>
>>>>>     When deactivating a project we need to make sure the
>>>>>     deactivation is clearly visible on github as well.
>>>>>
>>>>>     Best regards
>>>>>     Erlend Oftedal
>>>>>     OWASP Norway
>>>>>     @webtonull
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     OWASP-Leaders mailing list
>>>>>     OWASP-Leaders at lists.owasp.org
>>>>>     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>>
>>>>
>>>
>>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
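The thread describes a helper that "masks" a secret by encrypting it with a key and IV that live in the source, and Erlend's point is that such encryption is useless to anyone who can read the code. The script below is an added illustration written for this page; it is not phpsec's own code, and the cipher (AES-256-CBC), the key and IV bytes, the function names and the DB_PASSWORD environment variable are all assumptions chosen to reproduce the pattern, not values taken from the project.

```php
<?php
// Added example, not code from OWASP phpsec. Cipher, key, IV and names
// below are assumptions that reproduce the "hardcoded key + IV" pattern
// discussed in the thread.
declare(strict_types=1);

const MASK_CIPHER = 'aes-256-cbc';
const MASK_KEY    = 'this-key-is-in-the-source-code!!'; // 32 bytes, in the repo (assumption)
const MASK_IV     = '0123456789abcdef';                 // 16 bytes, in the repo (assumption)

/** A confidentialString-style masker: fixed key, fixed IV, no secret input. */
function maskSecret(string $plaintext): string
{
    $ct = openssl_encrypt($plaintext, MASK_CIPHER, MASK_KEY, OPENSSL_RAW_DATA, MASK_IV);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($ct);
}

/** Anyone with the source can reverse the mask exactly; this is all it takes. */
function unmaskSecret(string $masked): string
{
    $raw = base64_decode($masked, true);
    if ($raw === false) {
        throw new InvalidArgumentException('not base64');
    }
    $pt = openssl_decrypt($raw, MASK_CIPHER, MASK_KEY, OPENSSL_RAW_DATA, MASK_IV);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

/**
 * Because the IV is fixed, equal plaintexts produce equal ciphertexts, so a
 * leaked "masked" value can be matched against a wordlist without decrypting.
 */
function guessMaskedSecret(string $masked, array $candidates): ?string
{
    foreach ($candidates as $candidate) {
        if (hash_equals($masked, maskSecret($candidate))) {
            return $candidate;
        }
    }
    return null;
}

/**
 * What the critics in the thread are asking for instead: the secret is never
 * in the code base, so there is nothing to mask. DB_PASSWORD is an assumed name.
 */
function dbPasswordFromEnvironment(): string
{
    $pw = getenv('DB_PASSWORD');
    if ($pw === false || $pw === '') {
        throw new RuntimeException('DB_PASSWORD not set; refusing to fall back to an embedded value');
    }
    return $pw;
}

// Constructed demonstration input.
$masked = maskSecret('hunter2');
echo "masked value in the repo:      $masked\n";
echo "recovered from the repo alone: " . unmaskSecret($masked) . "\n";
echo "recovered by wordlist match:   "
    . (guessMaskedSecret($masked, ['password', 'letmein', 'hunter2']) ?? '(no match)') . "\n";
echo "deterministic (same ct twice): " . (maskSecret('hunter2') === $masked ? 'yes' : 'no') . "\n";
```

Run with `php mask-demo.php`: the masked string, the decrypted string and the wordlist hit all come back, and two calls on the same input yield the same ciphertext. Renaming the helper changes none of that; the only property it has is that the secret is not readable at a glance, which is obfuscation rather than encryption.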
