[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

AF antonio.fontes at owasp.org
Thu Nov 26 08:15:48 UTC 2015


s/GAMA/GAFA/

Sorry.
(sent with mobile, please excuse any excessive brevity or typo) 
--
Antonio Fontes
OWASP Switzerland, board member
OWASP Geneva, chapter leader
  skype: antonio.fontes

On November 26, 2015 8:30:17 AM GMT+01:00, AF <antonio.fontes at owasp.org> wrote:
>Yes, agree. I'd rather see it flagged than not see it at all.
>
>Cheers,
>Antonio
>
>
>PS: We all know that deleting content on a user's request is nope. GAMA
>are wonderful teachers ;)
>(sent with mobile, please excuse any excessive brevity or typo) 
>--
>Antonio Fontes
>OWASP Switzerland, board member
>OWASP Geneva, chapter leader
>  skype: antonio.fontes
>
>On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico
><jim.manico at owasp.org> wrote:
>>The project is still live and will continue to be.
>>
>>https://github.com/OWASP/phpsec
>>
>>1) It's been labeled clearly as abandoned, which is fair to say I think
>>(in both GitHub and the Wiki).
>>2) The codebase has been deleted from the main branch.
>>3) For anyone who wishes to revive this project, all the code is in the
>>project history.
>>
>>I think this is a fair balance of all concerns.
>>
>>Aloha,
>>Jim
>>
>>
>>On 11/26/15 1:46 AM, Antonio Fontes wrote:
>>> Hi,
>>>
>>> I agree with Abbas on this point.
>>>
>>> OWASP has a responsibility to warn users when a library project is
>>> inactive, unmaintained and/or was identified as broken by experts in
>>> the domain (if it really is; disclaimer: I have only read the content
>>> posted in the leaders list).
>>>
>>> However, I don't see a valid rationale behind the decision to
>>> suppress it entirely. Users don't get to decide what gets suppressed or
>>> not from the web, especially when the content doesn't belong to them,
>>> more especially when the argument is "it's not clean", and even more
>>> especially when the request for deletion comes from "crypto-experts"
>>> (I want to see the badge first).
>>>
>>> Our mission as OWASP leaders is to lead, not to baby-sit people who
>>> download code marked as unsafe and abandoned and install it in their
>>> organization's systems.
>>>
>>> If we abide by this rationale, then we should suppress all previous
>>> versions of the OWASP guides that are currently available for
>>> download as archives.
>>> Most of them are incomplete, do not cover the state of the art
>>> knowledge we have reached today, and many of them contain advice that
>>> is outdated.
>>>
>>> regards,
>>> Antonio
>>>
>>> --
>>> OWASP Geneva Chapter
>>> Contact: geneva at owasp.ch
>>> Twitter: @owasp_geneva
>>> Newsletter: https://lists.owasp.org/mailman/listinfo/owasp-geneva
>>> On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>>>> >>All they want is to delete the code entirely, which doesn’t make
>>>> >>sense to me at all.
>>>>
>>>> Abbas, their point is that it is not responsible to leave this open if
>>>> no one is going to document or fix it. I don't think it is responsible
>>>> to leave an insecure library. And I did take the time to read the
>>>> issues they mentioned.
>>>>
>>>> You are the one primarily responsible for your project, not the users
>>>> that pinpointed the issues, nor should they go and change it when they
>>>> have the opinion that the entire library does not serve the purpose.
>>>>
>>>> People who want to see the whole thread can judge by themselves:
>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>>
>>>> I even defend you as a volunteer, but I have the opinion that we have a
>>>> responsibility towards users, especially if you have not worked on
>>>> this project for more than a year and have no time to fix issues in a
>>>> security library.
>>>>
>>>> Even Sven, who was a contributor to this project, accepted that this
>>>> library does not achieve its purpose and should not be available to
>>>> users; it is just not responsible.
>>>>
>>>> Sometimes we need to kill our darlings...
>>>>
>>>> Btw I'm just a contributor as you are.
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>
>>>>     I’m perfectly fine with criticising and QAing projects.
>>>>
>>>>     What I’m not fine with is reading some blogs or posts somewhere,
>>>>     without verifying their validity, and then putting the blame on
>>>>     our contributors without proper investigation.
>>>>
>>>>     This is not how we defend and motivate our community.
>>>>
>>>>     Plus, the only solution for a “broken library” is either to fix
>>>>     it, or to announce it as broken. These gentlemen insisting on
>>>>     removing the library sounds like trolling to me. They even refuse
>>>>     to add a README file to the Github repo which clearly states that
>>>>     this project is inactive and insecure. All they want is to delete
>>>>     the code entirely, which doesn’t make sense to me at all.
>>>>
>>>>     I’m unhappy with your post, because you say “they have valid
>>>>     points” without properly investigating. They think they didn’t
>>>>     make progress by trolling on Github, and now are using you to
>>>>     reflect this issue on the leaders list. You could’ve contacted me
>>>>     first and asked about this before going public with it. I’m very
>>>>     unhappy with the process you have taken for this, undermining a
>>>>     contributor completely.
>>>>
>>>>     Regards
>>>>     -Abbas
>>>>
>>>>
>>>>>     On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>>>     <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>     >>If you’d want to keep your “users” happy and your
>>>>>     >>“contributors” unhappy, you should think of a
>>>>>     >>commercial organisation instead of an open one.
>>>>>
>>>>>     I think this is a very difficult balance to do. I understand
>>>>>     from your pov as a contributor, but the fact is, OWASP also has a
>>>>>     reputation of being 'secure', so probably the expectations are
>>>>>     higher because we preach security.
>>>>>
>>>>>     Look, I volunteer too, but my proposals get questioned and
>>>>>     criticised in a way that it feels to me like I've been
>>>>>     questioned as an employee and not a volunteer, but in a certain
>>>>>     way, if you look deeply, people questioning my proposals want
>>>>>     to achieve goals that are aligned with the OWASP mission. And that
>>>>>     means I have to work harder to present my arguments. Just because
>>>>>     the effort is 'volunteered' doesn't mean it does not hold certain
>>>>>     responsibilities.
>>>>>
>>>>>     Let me ask you: has this project ever been tested to verify how
>>>>>     well it works or not? Most projects at OWASP do not have any
>>>>>     form of QA. Security libraries hold more responsibility in this
>>>>>     case.
>>>>>
>>>>>     This is a security library and if it contains security issues
>>>>>     then this is a problem. This does not align with the mission,
>>>>>     even if a lot of work was put in to create this project.
>>>>>
>>>>>     I don't think they are trolling you. They have valid points and
>>>>>     their complaint is that it is not responsible to leave this
>>>>>     library to be used if it holds these issues or they are not
>>>>>     properly explained. And it is not only the crypto issue.
>>>>>
>>>>>     Regards
>>>>>
>>>>>     Johanna
>>>>>
>>>>>     On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>>
>>>>>         I agree with all of that.
>>>>>
>>>>>         This is an open source project. If they find issues,
>>>>>         especially tiny issues that can be fixed with a few lines of
>>>>>         code, they are welcome to do so. That is not grounds for
>>>>>         deleting a project.
>>>>>
>>>>>         The way I see it, is that they are trolling, and not
>>>>>         helping. I have not created this library, and I’m only
>>>>>         defending it because it is the right thing to do.
>>>>>         If you’d want to keep your “users” happy and your
>>>>>         “contributors” unhappy, you should think of a commercial
>>>>>         organization instead of an open one.
>>>>>
>>>>>         Regards
>>>>>         -Abbas
>>>>>
>>>>>>         On Nov 25, 2015, at 1:25 PM, johanna curiel curiel
>>>>>>         <johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>         Abbas
>>>>>>
>>>>>>         I think they made very strong points and the project is
>>>>>>         right now inactive since it has not been updated in more
>>>>>>         than a year.
>>>>>>
>>>>>>         The people commenting on your project have themselves quite
>>>>>>         a reputation too.
>>>>>>
>>>>>>         I think if these issues cannot be fixed by you, since you
>>>>>>         are the leader, and since the project is inactive, the best
>>>>>>         is to warn users.
>>>>>>         Sven, who was a contributor, also acknowledged the issues.
>>>>>>
>>>>>>         By the way, going from complaints of multiple PHP developers
>>>>>>         on the github page of the project to now twitter means they
>>>>>>         are not happy and they are trying to escalate their
>>>>>>         concerns. That's how I see this.
>>>>>>
>>>>>>         regards
>>>>>>
>>>>>>         Johanna
>>>>>>
>>>>>>         On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>>>         <abiusx at owasp.org> wrote:
>>>>>>
>>>>>>             They are trying to troll the project.
>>>>>>             Read the thread at
>>>>>>             https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446
>>>>>>             to realize that.
>>>>>>             We have provided ample opportunity for them to
>>>>>>             contribute, fix, or help the project.
>>>>>>             All they want is to take the project down, which I
>>>>>>             obviously refuse.
>>>>>>
>>>>>>             I don’t think it really hurts OWASP's reputation. If
>>>>>>             anyone delves into the technical discussions that
>>>>>>             would be apparent.
>>>>>>             Regards
>>>>>>             -Abbas
>>>>>>
>>>>>>>             On Nov 25, 2015, at 1:17 PM, johanna curiel curiel
>>>>>>>             <johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>             Hi Erlend
>>>>>>>
>>>>>>>             We are aware of the issues and remediation is
>>>>>>>             underway ;-)
>>>>>>>
>>>>>>>             regards
>>>>>>>
>>>>>>>             Johanna
>>>>>>>
>>>>>>>             On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico
>>>>>>>             <jim.manico at owasp.org> wrote:
>>>>>>>
>>>>>>>                 Yup, it's bad.
>>>>>>>
>>>>>>>                 Johanna Curiel and Claudia are leading the charge
>>>>>>>                 here. They are in the process of fully removing
>>>>>>>                 the project from GitHub. As in, right now…
>>>>>>>
>>>>>>>                 - Jim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                 On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>>>>                 Hi
>>>>>>>>
>>>>>>>>                 See
>>>>>>>>                 https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>>>                 and the link in that message.
>>>>>>>>
>>>>>>>>                 According to the OWASP website the project is
>>>>>>>>                 inactive, yet contributions are made on github,
>>>>>>>>                 and there are no signs of the project status on
>>>>>>>>                 github.
>>>>>>>>                 The crypto code is bad, as voodooKobra rightly
>>>>>>>>                 points out. With a known key and iv, this
>>>>>>>>                 encryption is useless.
>>>>>>>>                 And the code is referenced from stackoverflow++.
>>>>>>>>
>>>>>>>>                 When deactivating a project we need to make sure
>>>>>>>>                 the deactivation is clearly visible on github as
>>>>>>>>                 well.
>>>>>>>>
>>>>>>>>                 Best regards
>>>>>>>>                 Erlend Oftedal
>>>>>>>>                 OWASP Norway
>>>>>>>>                 @webtonull
>>>>>>>>
>>>>>>>>
>>>>>>>>                 _______________________________________________
>>>>>>>>                 OWASP-Leaders mailing list
>>>>>>>>                 OWASP-Leaders at lists.owasp.org
>>>>>>>>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>-- 
>>Jim Manico
>>Global Board Member
>>OWASP Foundation
>>https://www.owasp.org
>>
>>
>>