[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

AF antonio.fontes at owasp.org
Thu Nov 26 07:30:17 UTC 2015


Yes, agree. I'd rather see it flagged than not see it at all.

Cheers,
Antonio


PS: We all know that deleting content on a user's request is nope. GAMA are wonderful teachers ;)
(sent with mobile, please excuse any excessive brevity or typo) 
--
Antonio Fontes
OWASP Switzerland, board member
OWASP Geneva, chapter leader
  skype: antonio.fontes

On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico <jim.manico at owasp.org> wrote:
>The project is still live and will continue to be.
>
>https://github.com/OWASP/phpsec
>
>1) It's been labeled clearly as abandoned, which is fair to say I think
>(in both GitHub and the Wiki).
>2) The codebase has been deleted from the main branch.
>3) For anyone who wishes to revive this project, all the code is in the
>project history.
>
>I think this is a fair balance of all concerns.
>
>Aloha,
>Jim
>
>
>On 11/26/15 1:46 AM, Antonio Fontes wrote:
>> Hi,
>>
>> I agree with Abbas on this point.
>>
>> OWASP has a responsibility to warn users when a library project is
>> inactive, unmaintained and/or was identified as broken by experts in
>> the domain (if it really is; disclaimer: I have only read the content
>> posted in the leaders list).
>>
>> However, I don't see a valid rationale behind the decision to suppress
>> it entirely. Users don't get to decide what gets suppressed or not
>> from the web, especially when the content doesn't belong to them, more
>> especially when the argument is "it's not clean", and even more
>> especially when the request for deletion comes from "crypto-experts"
>> (I want to see the badge first).
>>
>> Our mission as OWASP leaders is to lead, not to baby-sit people who
>> download code marked as unsafe and abandoned and install it in their
>> organization's systems.
>>
>> If we abide by this rationale, then we should suppress all previous
>> versions of the OWASP guides that are currently available for download
>> as archives.
>> Most of them are incomplete, do not cover the state-of-the-art
>> knowledge we have reached today, and many of them contain advice that
>> is outdated.
>>
>> regards,
>> Antonio
>>
>> --
>> OWASP Geneva Chapter
>> Contact:geneva at owasp.ch
>> Twitter: @owasp_geneva
>> Newsletter:https://lists.owasp.org/mailman/listinfo/owasp-geneva
>> On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>>> >> All they want is to delete the code entirely, which doesn’t make
>>> >> sense to me at all.
>>>
>>> Abbas, their point is that it is not responsible to leave this open if
>>> no one is going to document or fix it. I don't think it is responsible to
>>> leave an insecure library. And I did take the time to read the
>>> issues they mentioned.
>>>
>>> You are the one mainly responsible for your project, not the users who
>>> pinpointed the issues, nor should they go and change it when they have
>>> the opinion that the entire library does not serve the purpose.
>>>
>>> People who want to see the whole thread can judge for themselves:
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>
>>> I even defend you as a volunteer, but I have the opinion that we have a
>>> responsibility towards users, especially if you have not worked on
>>> this project for more than a year and have no time to fix issues in a
>>> security library.
>>>
>>> Even Sven, who was a contributor to this project, accepted that this
>>> library does not achieve its purpose and should not be available to
>>> users; it is just not responsible.
>>>
>>> Sometimes we need to kill our darlings...
>>>
>>> Btw I'm just a contributor as you are.
>>>
>>>
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi <abiusx at owasp.org 
>>> <mailto:abiusx at owasp.org>> wrote:
>>>
>>>     I’m perfectly fine with criticising and QAing projects.
>>>
>>>     What I’m not fine with is reading some blogs or posts somewhere,
>>>     without verifying their validity, and then putting the blame on
>>>     our contributors without proper investigation.
>>>
>>>     This is not how we defend and motivate our community.
>>>
>>>     Plus, the only solution for a “broken library” is either to fix
>>>     it, or to announce it as broken. These gentlemen insisting on
>>>     removing the library sounds like trolling to me. They even refuse
>>>     to add a README file to the GitHub repo which clearly states that
>>>     this project is inactive and insecure. All they want is to delete
>>>     the code entirely, which doesn’t make sense to me at all.
>>>
>>>     I’m unhappy with your post, because you say “they have valid
>>>     points” without properly investigating. They think they didn’t
>>>     make progress by trolling on GitHub, and now are using you to
>>>     reflect this issue on the leaders list. You could’ve contacted me
>>>     first and asked about this before going public with it. I’m very
>>>     unhappy with the process you have taken for this, undermining a
>>>     contributor completely.
>>>
>>>     Regards
>>>     -Abbas
>>>
>>>
>>>>     On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>>     <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>     >> If you’d want to keep your “users” happy and your
>>>>     “contributors” unhappy, you should think of a
>>>>     commercial organisation instead of an open one.
>>>>
>>>>     I think this is a very difficult balance to strike. I understand
>>>>     your POV as a contributor, but the fact is, OWASP also has a
>>>>     reputation of being 'secure', so probably the expectations are
>>>>     higher because we preach security.
>>>>
>>>>     Look, I volunteer too, but my proposals get questioned and
>>>>     criticised in a way that it feels to me like I've been
>>>>     questioned as an employee and not a volunteer; but in a certain
>>>>     way, if you look deeply, the people questioning my proposals want
>>>>     to achieve goals that are aligned with the OWASP mission. And that
>>>>     means I have to work harder to present my arguments. Just because
>>>>     the effort is 'volunteered' does not mean it does not hold certain
>>>>     responsibilities.
>>>>
>>>>     Let me ask you: has this project ever been tested to verify how
>>>>     well it works or not? Most projects at OWASP do not have any
>>>>     form of QA. Security libraries hold more responsibility in this
>>>>     case.
>>>>
>>>>     This is a security library and if it contains security issues
>>>>     then this is a problem. This does not align with the mission,
>>>>     even if a lot of work was put to create this project.
>>>>
>>>>     I don't think they are trolling you. They have valid points, and
>>>>     their complaint is that it is not responsible to leave this
>>>>     library to be used if it has these issues or they are not properly
>>>>     explained. And it is not only the crypto issue.
>>>>
>>>>     Regards
>>>>
>>>>     Johanna
>>>>
>>>>     On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi <abiusx at owasp.org
>>>>     <mailto:abiusx at owasp.org>> wrote:
>>>>
>>>>         I agree with all of that.
>>>>
>>>>         This is an open source project. If they find issues,
>>>>         especially tiny issues that can be fixed with a few lines of
>>>>         code, they are welcome to do so. That is not grounds for deleting
>>>>         a project.
>>>>
>>>>         The way I see it is that they are trolling, and not
>>>>         helping. I have not created this library, and I’m only
>>>>         defending it because it is the right thing to do.
>>>>         If you’d want to keep your “users” happy and your
>>>>         “contributors” unhappy, you should think of a commercial
>>>>         organization instead of an open one.
>>>>
>>>>         Regards
>>>>         -Abbas
>>>>
>>>>>         On Nov 25, 2015, at 1:25 PM, johanna curiel curiel
>>>>>         <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>         Abbas
>>>>>
>>>>>         I think they made very strong points, and the project is
>>>>>         right now inactive since it has not been updated in more
>>>>>         than a year.
>>>>>
>>>>>         The people commenting on your project have quite a
>>>>>         reputation themselves too.
>>>>>
>>>>>         I think if these issues cannot be fixed by you, since you
>>>>>         are the leader, and since the project is inactive, the best
>>>>>         is to warn users.
>>>>>         Sven, who was a contributor, also acknowledged the issues.
>>>>>
>>>>>         By the way, going from complaints by multiple PHP developers on
>>>>>         the GitHub page of the project to Twitter now means they
>>>>>         are not happy and they are trying to escalate their
>>>>>         concerns. That's how I see this.
>>>>>
>>>>>         regards
>>>>>
>>>>>         Johanna
>>>>>
>>>>>         On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>>         <abiusx at owasp.org> wrote:
>>>>>
>>>>>             They are trying to troll the project.
>>>>>             Read the thread at
>>>>>             https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446
>>>>>             to realize that.
>>>>>             We have provided ample opportunity for them to
>>>>>             contribute, fix, or help the project.
>>>>>             All they want is to take the project down, which I
>>>>>             obviously refuse.
>>>>>
>>>>>             I don’t think it really hurts OWASP's reputation. If
>>>>>             anyone delves into the technical discussions that would
>>>>>             be apparent.
>>>>>             Regards
>>>>>             -Abbas
>>>>>
>>>>>>             On Nov 25, 2015, at 1:17 PM, johanna curiel curiel
>>>>>>             <johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>             Hi Erlend
>>>>>>
>>>>>>             We are aware of the issues and remediation is underway ;-)
>>>>>>
>>>>>>             regards
>>>>>>
>>>>>>             Johanna
>>>>>>
>>>>>>             On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico
>>>>>>             <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>                 Yup, it's bad.
>>>>>>
>>>>>>                 Johanna Curiel and Claudia are leading the charge
>>>>>>                 here. They are in the process of fully removing
>>>>>>                 the project from GitHub. As in, right now…
>>>>>>
>>>>>>                 - Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>>>                 Hi
>>>>>>>
>>>>>>>                 See
>>>>>>>                 https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>>                 and the link in that message.
>>>>>>>
>>>>>>>                 According to the OWASP website the project is
>>>>>>>                 inactive, yet contributions are made on GitHub,
>>>>>>>                 and there are no signs of the project status on
>>>>>>>                 GitHub.
>>>>>>>                 The crypto code is bad, as voodooKobra rightly
>>>>>>>                 points out. With a known key and IV, this
>>>>>>>                 encryption is useless.
>>>>>>>                 And the code is referenced from stackoverflow++.
>>>>>>>
>>>>>>>                 When deactivating a project we need to make sure
>>>>>>>                 the deactivation is clearly visible on GitHub as well.
>>>>>>>
>>>>>>>                 Best regards
>>>>>>>                 Erlend Oftedal
>>>>>>>                 OWASP Norway
>>>>>>>                 @webtonull
>>>>>>>
>>>>>>>
>>>>>>>                 _______________________________________________
>>>>>>>                 OWASP-Leaders mailing list
>>>>>>>                 OWASP-Leaders at lists.owasp.org
>>>>>>>                 <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>>>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>
>-- 
>Jim Manico
>Global Board Member
>OWASP Foundation
>https://www.owasp.org
>
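Erlend's remark above that "with a known key and IV, this encryption is useless" is the one technical point in the thread, and the linked GitHub issue carries the phpsec specifics. The PHP below is an added example that is not part of this thread and not phpsec's code; it shows the general failure mode (a key and IV that are fixed in the source, and therefore known to anyone who can read it) next to the minimal pattern that avoids it. Every constant, function name and the APP_ENC_KEY environment variable are assumptions chosen for illustration.

```php
<?php
// Added example, not phpsec code. It shows why a key and IV that are known to
// everyone (e.g. hard-coded in the library source) make encryption useless,
// and the minimal pattern that fixes it. All names and values below are
// assumptions chosen for illustration.

// --- Broken pattern: key and IV fixed in the source -------------------------
const FIXED_KEY = '0123456789abcdef0123456789abcdef'; // 32 bytes, readable by anyone with the code
const FIXED_IV  = 'fedcba9876543210';                 // 16 bytes, reused for every message

function weakEncrypt(string $plaintext): string
{
    return openssl_encrypt($plaintext, 'aes-256-cbc', FIXED_KEY, OPENSSL_RAW_DATA, FIXED_IV);
}

// Anyone who has read the source can decrypt every ciphertext ever produced.
function attackerDecrypt(string $ciphertext): string
{
    return openssl_decrypt($ciphertext, 'aes-256-cbc', FIXED_KEY, OPENSSL_RAW_DATA, FIXED_IV);
}

// And because the IV never changes, equal plaintexts give equal ciphertexts,
// so an observer learns which stored records share a value without decrypting.
$a = weakEncrypt('password=hunter2');
$b = weakEncrypt('password=hunter2');
var_dump($a === $b);            // deterministic: leaks equality of plaintexts
var_dump(attackerDecrypt($a));  // recovers the plaintext with no secret at all

// --- Minimal correct pattern ------------------------------------------------
// The key comes from outside the code (environment, KMS, restricted config),
// the IV is fresh and random per message, separate subkeys are derived for
// encryption and authentication, and the MAC is checked before decrypting so
// CBC bit-flipping and padding-oracle probes are rejected up front.
function encryptAuthenticated(string $plaintext, string $masterKey): string
{
    $encKey = hash_hkdf('sha256', $masterKey, 32, 'enc');
    $macKey = hash_hkdf('sha256', $masterKey, 32, 'mac');
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $iv . $ct . $mac;
}

function decryptAuthenticated(string $blob, string $masterKey): ?string
{
    if (strlen($blob) < 16 + 16 + 32) {   // iv + at least one block + tag
        return null;
    }
    $encKey = hash_hkdf('sha256', $masterKey, 32, 'enc');
    $macKey = hash_hkdf('sha256', $masterKey, 32, 'mac');
    $iv  = substr($blob, 0, 16);
    $mac = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    // constant-time tag comparison; refuse to touch the ciphertext on mismatch
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Assumption: the deployment supplies a 32-byte key via APP_ENC_KEY; for the
// stand-alone demo we fall back to a fresh random key.
$masterKey = getenv('APP_ENC_KEY') ?: random_bytes(32);

$c1 = encryptAuthenticated('password=hunter2', $masterKey);
$c2 = encryptAuthenticated('password=hunter2', $masterKey);
var_dump($c1 === $c2);                           // random IV: equal inputs no longer match
var_dump(decryptAuthenticated($c1, $masterKey)); // round-trips with the right key

$tampered = $c1;
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);   // flip one bit of the ciphertext
var_dump(decryptAuthenticated($tampered, $masterKey)); // rejected by the MAC check
```

The first half is the situation Erlend describes: once key and IV are constants in a public repository, "encryption" is an encoding, and reuse of the IV additionally reveals which ciphertexts came from the same plaintext. The second half is what a reviewer would expect from a library that calls itself a security library: secret material supplied by the deployment, a random IV per message, and encrypt-then-MAC with distinct subkeys so that modified or forged ciphertexts are dropped before any decryption happens. Requires PHP 7.1.2 or later for hash_hkdf.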