[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation
AF
antonio.fontes at owasp.org
Thu Nov 26 08:15:48 UTC 2015
s/GAMA/GAFA/
Sorry.
(sent with mobile, please excuse any excessive brevity or typo)
--
Antonio Fontes
OWASP Switzerland, board member
OWASP Geneva, chapter leader
skype: antonio.fontes
On November 26, 2015 8:30:17 AM GMT+01:00, AF <antonio.fontes at owasp.org> wrote:
>Yes, agree. I'd rather see it flagged than not see it at all.
>
>Cheers,
>Antonio
>
>
>PS: We all know that deleting content on user's request is nope. GAMA
>are wonderful teachers ;)
>(sent with mobile, please excuse any excessive brevity or typo)
>--
>Antonio Fontes
>OWASP Switzerland, board member
>OWASP Geneva, chapter leader
>skype: antonio.fontes
>
>On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico
><jim.manico at owasp.org> wrote:
>>The project is still live and will continue to be.
>>
>>https://github.com/OWASP/phpsec
>>
>>1) It's been labeled clearly as abandoned, which is fair to say I think
>>(In both GitHub and the Wiki).
>>2) The codebase has been deleted from the main branch
>>3) For anyone who wishes to revive this project, all the code is in the
>>project history
>>I think this is a fair balance of all concerns.
>>
>>Aloha,
>>Jim
>>
>>
>>On 11/26/15 1:46 AM, Antonio Fontes wrote:
>>> Hi,
>>>
>>> I agree with Abbas on this point.
>>>
>>> OWASP has a responsibility to warn users when a library project is
>>> inactive, unmaintained and/or was identified as broken by experts in
>>> the domain (if it really is, disclaimer: I have only read the content
>>> posted in the leaders list).
>>>
>>> However, I don't see a valid rationale behind the decision to suppress
>>> it entirely. Users don't get to decide what gets suppressed or not
>>> from the web, especially when the content doesn't belong to them, more
>>> especially when the argument is "it's not clean", and even more
>>> especially when the request for deletion comes from "crypto-experts"
>>> (I want to see the badge first).
>>>
>>> Our mission as OWASP leaders is to lead, not to baby-sit people who
>>> download code marked as unsafe and abandoned, and install it in their
>>> organization's systems.
>>>
>>> If we abide by this rationale, then we should suppress all previous
>>> versions of the OWASP guides that are currently available for download
>>> as archives.
>>> Most of them are incomplete, do not cover the state of the art
>>> knowledge we have reached today, and many of them contain advice that
>>> is outdated.
>>>
>>> regards,
>>> Antonio
>>>
>>> --
>>> OWASP Geneva Chapter
>>> Contact: geneva at owasp.ch
>>> Twitter: @owasp_geneva
>>> Newsletter: https://lists.owasp.org/mailman/listinfo/owasp-geneva
>>> On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>>>> >>All they want is to delete the code entirely, which doesn’t make
>>>> >>sense to me at all.
>>>>
>>>> Abbas, their point is that it is not responsible to leave this open if
>>>> no one is going to document or fix it. I don't think it is responsible to
>>>> leave an insecure library. And I did take the time to read the
>>>> issues they mentioned.
>>>>
>>>> You are the main person responsible for your project, not the users that
>>>> pinpointed the issues, nor should they go and change it when they have
>>>> the opinion that the entire library does not serve the purpose.
>>>>
>>>> People who want to see the whole thread can judge for themselves:
>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>>
>>>> I even defend you as a volunteer, but I have the opinion that we have a
>>>> responsibility towards users, especially if you have not worked on
>>>> this project for more than a year and have no time to fix issues in a
>>>> security library.
>>>>
>>>> Even Sven, who was a contributor in this project, accepted that this
>>>> library does not achieve its purpose and should not be available to
>>>> users; it is just not responsible.
>>>>
>>>> Sometimes we need to kill our darlings...
>>>>
>>>> Btw I'm just a contributor as you are.
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>
>>>> I’m perfectly fine with criticising and QAing projects.
>>>>
>>>> What I’m not fine with is reading some blogs or posts somewhere,
>>>> without verifying their validity, and then putting the blame on
>>>> our contributors without proper investigation.
>>>>
>>>> This is not how we defend and motivate our community.
>>>>
>>>> Plus, the only solution for a “broken library” is either to fix
>>>> it, or to announce it as broken. These gentlemen insisting on
>>>> removing the library sounds like trolling to me. They even refuse
>>>> to add a README file to the Github repo which clearly states that
>>>> this project is inactive and insecure. All they want is to delete
>>>> the code entirely, which doesn’t make sense to me at all.
>>>>
>>>> I’m unhappy with your post, because you say “they have valid
>>>> points” without properly investigating. They think they didn’t
>>>> make progress by trolling on Github, and now are using you to
>>>> reflect this issue on the leaders list. You could’ve contacted me
>>>> first and asked about this before going public with it. I’m very
>>>> unhappy with the process you have taken for this, undermining a
>>>> contributor completely.
>>>>
>>>> Regards
>>>> -Abbas
>>>>
>>>>
>>>>> On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>>> <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> >>If you’d want to keep your “users” happy and your
>>>>> “contributors” unhappy, you should think of a
>>>>> commercial organisation instead of an open one.
>>>>>
>>>>> I think this is a very difficult balance to strike. I understand
>>>>> from your pov as a contributor, but the fact is, OWASP also has a
>>>>> reputation of being 'secure', so probably the expectations are
>>>>> higher because we preach security.
>>>>>
>>>>> Look, I volunteer too but my proposals get questioned and
>>>>> criticised in a way that it feels to me like I've been
>>>>> questioned as an employee and not a volunteer, but in a certain
>>>>> way, if you look deeply, people questioning my proposals want
>>>>> to achieve goals that are aligned with the OWASP mission. And that
>>>>> means I have to work harder to present my arguments. Just because
>>>>> the effort is 'volunteered' does not mean it does not hold certain
>>>>> responsibilities.
>>>>>
>>>>> Let me ask you: Has this project ever been tested to verify how
>>>>> well it works or not? Most projects at OWASP do not have any
>>>>> form of QA. Security libraries hold more responsibility in this
>>>>> case.
>>>>>
>>>>> This is a security library and if it contains security issues
>>>>> then this is a problem. This does not align with the mission,
>>>>> even if a lot of work was put to create this project.
>>>>>
>>>>> I don't think they are trolling you. They have valid points and
>>>>> their complaint is that it is not responsible to leave this
>>>>> library to be used if it holds these issues or they are not properly
>>>>> explained. And it is not only the crypto issue.
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>>
>>>>> I agree with all of that.
>>>>>
>>>>> This is an open source project. If they find issues,
>>>>> especially tiny issues that can be fixed with a few lines of code,
>>>>> they are welcome to do so. That is not grounds for deleting
>>>>> a project.
>>>>>
>>>>> The way I see it is that they are trolling, and not
>>>>> helping. I have not created this library, and I’m only
>>>>> defending it because it is the right thing to do.
>>>>> If you’d want to keep your “users” happy and your
>>>>> “contributors” unhappy, you should think of a commercial
>>>>> organization instead of an open one.
>>>>>
>>>>> Regards
>>>>> -Abbas
>>>>>
>>>>>> On Nov 25, 2015, at 1:25 PM, johanna curiel curiel
>>>>>> <johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>> Abbas
>>>>>>
>>>>>> I think they made very strong points and the project is
>>>>>> right now inactive since it has not been updated in more
>>>>>> than a year.
>>>>>>
>>>>>> The people commenting on your project have quite a
>>>>>> reputation themselves too.
>>>>>>
>>>>>> I think if these issues cannot be fixed by you since you
>>>>>> are the leader and since the project is inactive, the best
>>>>>> is to warn users.
>>>>>> Sven, who was a contributor, also acknowledged the issues.
>>>>>>
>>>>>> By the way, from complaints of multiple PHP developers on
>>>>>> the github page of the project to now twitter means they
>>>>>> are not happy and they are trying to escalate their
>>>>>> concerns. That's how I see this.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>>> <abiusx at owasp.org> wrote:
>>>>>>
>>>>>> They are trying to troll the project.
>>>>>> Read the thread at
>>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to
>>>>>> realize that.
>>>>>> We have provided ample opportunity for them to
>>>>>> contribute, fix, or help the project.
>>>>>> All they want is to take the project down, which I
>>>>>> obviously refuse.
>>>>>>
>>>>>> I don’t think it really hurts OWASP reputation. If
>>>>>> anyone delves into the technical discussions that would
>>>>>> be apparent.
>>>>>> Regards
>>>>>> -Abbas
>>>>>>
>>>>>>> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel
>>>>>>> <johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>> Hi Erlend
>>>>>>>
>>>>>>> We are aware of the issues and remediation is underway ;-)
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico
>>>>>>> <jim.manico at owasp.org> wrote:
>>>>>>>
>>>>>>> Yup, it's bad.
>>>>>>>
>>>>>>> Johanna Curiel and Claudia are leading the charge
>>>>>>> here. They are in the process of fully removing
>>>>>>> the project from GitHub. As in, right now…
>>>>>>>
>>>>>>> - Jim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> See
>>>>>>>> https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>>> and the link in that message.
>>>>>>>>
>>>>>>>> According to the OWASP website the project is
>>>>>>>> inactive, yet contributions are made on github,
>>>>>>>> and there are no signs of the project status on
>>>>>>>> github.
>>>>>>>> The crypto code is bad, as voodooKobra rightly
>>>>>>>> points out. With a known key and iv, this
>>>>>>>> encryption is useless.
>>>>>>>> And the code is referenced from stackoverflow++.
>>>>>>>>
>>>>>>>> When deactivating a project we need to make sure
>>>>>>>> the deactivation is clearly visible on github as well.
>>>>>>>>
>>>>>>>> Best regards
>>>>>>>> Erlend Oftedal
>>>>>>>> OWASP Norway
>>>>>>>> @webtonull
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OWASP-Leaders mailing list
>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>--
>>Jim Manico
>>Global Board Member
>>OWASP Foundation
>>https://www.owasp.org
>>
>>
>>