[Owasp-leaders] Barracuda

OWASP LOS ANGELES richard.greenberg at owasp.org
Thu Feb 14 18:51:49 UTC 2019


Thanks Matt. You always provide a very thorough response.

We need to move away from hosting and embrace the cloud. We also should
pursue Google. Slack has its place, but is no replacement for Mailman.

Richard Greenberg, CISSP
OWASP Global Board of Directors
President, OWASP Los Angeles
www.owaspla.org
President, ISSA Los Angeles www.issala.org
ISSA Honor Roll and Fellow
LinkedIn, https://www.linkedin.com/in/richardagreenberg
(424) 307-4440



On Wed, Feb 13, 2019, 1:03 PM Matt Tesauro <matt.tesauro at owasp.org> wrote:

> Dirk,
>
> Please don't conflate the reason (old OS & software) why recovering from
> the recent issue was problematic with the reasons to retire Mailman.
>
> Yes, we could move to a more recent LTS version of Ubuntu and continue to
> run Mailman 2.x largely the same as it is today.  However, this won't
> address the reasons why  Mailman should be retired.  Those include:
>
>    - Mailman sends passwords in the clear via email and requires a shared
>    password if 2+ people are list owners - hardly security best practice
>    - Site Admin of Mailman is via a single shared admin password, meaning
>    it's virtually impossible to find out who did what from an admin/staff
>    perspective
>    - This has been causing repeated angst in the community for years -
>    enough that I wrote about it in 2013 so I could just send a link when it
>    popped up again.
>    https://www.owasp.org/index.php/About_Mailman_at_OWASP
>    - The "old guard" of OWASP needs to realize that using Mailman makes
>    OWASP look completely out of touch with the next generation of AppSec
>    people.  Ask a 20-something about mail lists and they'll give you a blank
>    look. I include myself in that "old guard" - I just happen to be working
>    with a Univ student with my project and it's been enlightening to hear what
>    his age group thinks of mail lists and IT infrastructure in general.
>       - I'm sorry "old guard" - what's really important is getting new,
>       young people involved in our community - and that means change and meeting
>       them where *they* participate on the Internet.  I get that I'm going
>       to be changing right with the rest of you since I'm definitely not 20 years
>       old anymore.
>    - OWASP's mission is to make AppSec visible.  Considering the very
>    small staff, running any server, that we can replace with an external
>    service offering, removes the sys admin burden from staff and actually
>    helps us in our mission.  Otherwise, we spend staff time on things that
>    aren't core to our mission.  This is called Opportunity Cost
>    <https://en.wikipedia.org/wiki/Opportunity_cost> in Economics and the
>    opportunity cost of running any IT service that requires hands-on admin
>    work by staff is too high.
>    - If you're tempted to chime in with "Let volunteers run it", I'd say
>    two things:
>       - Re-read that previous bullet and switch "staff" for "volunteer" -
>       the reason is still valid.  Volunteers should help on the mission not
>       administrivia.
>       - In the 10+ years I've been around OWASP, I've seen volunteer run
>       things go one of two ways:
>          - Run for a while, get forgotten and either go stale or get
>          hacked (yeah, that's happened in the past)
>          - Run for a while, then life changes for the volunteer(s) and it
>          gets handed off to staff.  This happened with Slack, this happened with
>          hosting the AppSec EU conference sites.  So even this positive outcome only
>          delays a return to managing IT systems
>       - Mailman at OWASP may hold a warm nostalgic feeling for people
>    that have been around a while but it's not what it used to be
>       - We have far more conversations happening on Slack today than we
>       do Mailman
>       - During restoring the current service, I looked at which lists had
>       received any email (legit or SPAM) in the last calendar year - *~80%
>       of the existing lists had no emails to them in the past year*.
>       Mailman might be serving some of our community decently well but it's an
>       ever shrinking number.  The numbers are:
>          - 875 (previous) Total lists
>          - 181 lists with any sort of email in the last calendar year
>          (now the current total lists)
>          - 693 lists with no email for 1+ years
>       - Considering the recent vocal complaints about how unreliable
>    email sent to the lists is, it's surprising to see the same people argue for
>    keeping this 'unreliable' service up and running
>    - Barracuda's licensing (the anti-SPAM gateway upstream of Mailman)
>    has expired and Barracuda has not renewed the donation of those services.
>    I'm honestly surprised every time I can still log into their web control
>    panel - apparently they've not turned off our account (yet) but could at
>    any time.  Rough numbers show 2/3rds of inbound email to Mailman is SPAM.
>    I'd love to hand that problem off to Google or Discourse rather than spend
>    staff time (and money) as we do currently.  There's also no way I'd suggest
>    either running email without SPAM filtering or having staff spend time
>    running it themselves.
>
> Tangential reasons why retiring Mailman is my current focus include:
>
>    - The fact that the current server is woefully out of date and set up
>    by someone else in a, to be nice, very "creative" fashion
>    - Rack is no longer donating their cloud services so we're paying a
>    premium to keep that server hosted there. I've been actively migrating
>    servers from Rackspace and this is the next one on my list.
>
> For options instead of Mailman:
>
> (1) Timur is correct, we get Google Groups for $0 cost as part of the G
> Suite for Charities package/donation from Google.  We have to spend $0 and
> 0 time doing sys admin work on Google Groups.
>
> (2) We also get a year of Discourse SaaS for ~7 months of Mailman hosting
> costs and we spend 0 time spent doing sys admin work.  Plus, Harold has
> already written some automation code against Discourse's REST API to make
> things easier going forward.
>
> Cheers!
>
> --
> -- Matt Tesauro
> *OWASP Foundation*
> Director of Community and Operations
> matt.tesauro at owasp.org
>
> Consider giving back, and supporting the open source community by becoming
> a member <https://www.owasp.org/index.php/Membership> or making a donation
> <https://www.owasp.org/index.php/Donate> today!
>
>
> On Wed, Feb 13, 2019 at 1:22 PM Timur 'x' Khrotko [owasp] <timur at owasp.org>
> wrote:
>
>> Dirk, darling, I may be totally wrong and superficial, correct me. Imo
>> there are several aspects of the situation, some actionable.
>>
>> 0) In what modern group communication format could the lists type of
>> exchange continue. My understanding is that mailing list remains.
>>
>> a) For the further operation the mailing list functionality of the Gsuite
>> we use here is an organic option -imo, probably. And is a way more modern
>> solution ops-wise than anything paas-based.
>>
>> b) For the archive of the mailing list - you guys know the options better.
>>
>> c) Criticism regarding the ages old os wasn't my topic. And I rather
>> would like to thank Matt for his mitigating the critical situation!
>>
>> timur
>>
>>
>> On Wed, 13 Feb 2019 at 19:16, Dirk Wetter <dirk at owasp.org> wrote:
>>
>>>
>>> Timur,
>>>
>>> what are you talking about?
>>>
>>> We're running a 9-year-old OS out of support for five years -- exposed
>>> in the internet -- and this should be a reason to blame the SW ??
>>>
>>> As indicated: It should be a task for half a day or less to sync all the
>>> files from mailman to a modern Ubuntu or Debian system.
>>>
>>>
>>> Dirk
>>>
>>>
>>> On 13.02.19 18:23, Timur 'x' Khrotko [owasp] wrote:
>>> > * Matt already suggested to move to Google groups which is part of the
>>> gsuite if my
>>> > understanding is correct.
>>> >
>>> > On Wed, 13 Feb 2019 at 18:21, Frank Catucci <frank.catucci at owasp.org
>>> > <mailto:frank.catucci at owasp.org>> wrote:
>>> >
>>> >     Matt, et al.,
>>> >
>>> >     Can we (OWASP leaders, project leaders, etc.) not have a modern
>>> email server implemented to
>>> >     run @owasp.org <http://owasp.org> email? Is that not a reasonable
>>> ask of OWASP and OWASP
>>> >     staff? Am I missing something here? This sounds like a very
>>> reasonable and actionable
>>> >     request to me...
>>> >
>>> >     Regards,
>>> >
>>> >     Frank
>>> >
>>> >
>>> >     On Tue, Feb 12, 2019 at 4:35 PM Matt Tesauro <
>>> matt.tesauro at owasp.org
>>> >     <mailto:matt.tesauro at owasp.org>> wrote:
>>> >
>>> >
>>> >         On Tue, Feb 12, 2019 at 4:03 AM Dirk Wetter <dirk at owasp.org
>>> <mailto:dirk at owasp.org>> wrote:
>>> >
>>> >             Hi all / Matt,
>>> >
>>> >             short update, see below. This time our germany list seems
>>> unknown.
>>> >
>>> >
>>> >         All of the lists were unknown for some time starting last
>>> night (GMT -6) - not just
>>> >         "our germany list".  The server that hosts mailman went down
>>> in a spectacular fashion.
>>> >         It took a while to get it back up but it's running again.
>>> Items which complicated things:
>>> >
>>> >           * that server's been running on the same VM since 2013
>>> >           * it's running an EOL/EOS OS (Ubuntu 10.04 - a 9 year old OS)
>>> >           * Rack's support does not cover Mailman and we're running an
>>> out of date version that
>>> >             is a major release behind current (2.x vs 3.x)
>>> >           * technically, Rack's support doesn't cover EOL/EOS OS'es
>>> but they still helped us
>>> >             get back online
>>> >           * the OS is so old, Rack's monitoring and backup agents are
>>> no longer supported nor
>>> >             run on the OS
>>> >           * the VM configuration and type used for that host is no
>>> longer offered by Rackspace
>>> >             causing complications which both caused the initial outage
>>> and complicated the
>>> >             restoring the server
>>> >           * since monitoring is no longer supported for that server,
>>> no alerts were sent when
>>> >             it went down
>>> >           * since the backup agent can no longer run on a server that
>>> old, the most recent
>>> >             file-level backup is from July 17, 2017
>>> >           * Full VM image backups were still in place and working.
>>> However, restoring those
>>> >             backups to different type and configuration of VM caused
>>> issues that took working
>>> >             with Rack's support team to get resolved.
>>> >
>>> >         Even with all those strikes against it, it's up and running
>>> again.  Not too bad to have
>>> >         one (regrettably long) outage in 6 years.
>>> >
>>> >         Props to the several people on Rack's support team that helped
>>> me get the Mailman VM
>>> >         back up and running as they were able to do the 'behind the
>>> cloud' work required to
>>> >         get the VM working again.
>>> >
>>> >         The system you seem to love to hate, Barracuda, spooled all
>>> the inbound email and that
>>> >         is flowing again.  Once the retry period is over and that
>>> spool is empty, things should
>>> >         return to normal. For a while, delivery of emails that came in
>>> during the outage may be
>>> >         delayed a bit.  Barracuda, BTW, is also unlicensed and
>>> continues to work without any
>>> >         agreement in place.  Thanks to Barracuda for now cutting us
>>> off.
>>> >
>>> >         I also added a block volume to that VM to allow for a
>>> file-level backup workaround as
>>> >         an interim solution while we wind down Mailman and retire it
>>> this year.
>>> >
>>> >             When do we get a reliable mail delivery system for our
>>> lists?
>>> >
>>> >
>>> >         Have you considered switching to Google Groups?  I'm pretty
>>> sure that Google has a
>>> >         slightly larger IT staff and budget than OWASP does.  There's
>>> also discourse.owasp.org
>>> >         <http://discourse.owasp.org> which is a SaaS alternative we
>>> have in place as well.  Or
>>> >         you could try the OWASP Slack instance too.
>>> >
>>> >         Thanks again for all your patience and understanding.
>>> >
>>> >         Cheers!
>>> >
>>> >         -- Matt Tesauro
>>> >
>>> >
>>> >
>>> >             Dirk
>>> >
>>> >
>>> >             -------- Forwarded Message --------
>>> >             Subject:        Delivery Status Notification (Failure)
>>> >             Date:   Tue, 12 Feb 2019 01:13:15 -0800 (PST)
>>> >             From:   Mail Delivery Subsystem <mailer-daemon at googlemail.com>
>>> >             To:     dirk at owasp.org
>>> >
>>> >
>>> >                 Address not found
>>> >
>>> >             Your message wasn't delivered to *owasp-germany at lists.owasp.org*
>>> >             because the address couldn't be found, or is unable to receive mail.
>>> >
>>> >             The response from the remote server was:
>>> >
>>> >             550 permanent failure for one or more recipients
>>> >             (owasp-germany at lists.owasp.org:550 5.1.1
>>> >             <owasp-germany at lists.owasp.org>... User unknown)
>>> >
>>> >
>>> >             Attached Message Part
>>> >
>>> >             Reporting-MTA: dns; googlemail.com
>>> >             Received-From-MTA: dns; dirk at owasp.org
>>> >             Arrival-Date: Tue, 12 Feb 2019 01:13:12 -0800 (PST)
>>> >             X-Original-Message-ID: <2326a30c-8ecb-5ea2-65d6-87b549c23f6a at owasp.org>
>>> >
>>> >             Final-Recipient: rfc822; owasp-germany at lists.owasp.org
>>> >             Action: failed
>>> >             Status: 5.0.0
>>> >             Remote-MTA: dns; d15006a.ess.barracudanetworks.com
>>> >             (209.222.82.126, the server for the domain lists.owasp.org.)
>>> >             Diagnostic-Code: smtp; 550 permanent failure for one or more recipients
>>> >             (owasp-germany at lists.owasp.org:550 5.1.1
>>> >             <owasp-germany at lists.owasp.org>... User unknown)
>>> >             Last-Attempt-Date: Tue, 12 Feb 2019 01:13:15 -0800 (PST)
>>> >
>>> >
>>> >
>>> >
>>> >             --
>>> >             OWASP Volunteer
>>> >             Send me encrypted mails (Key ID 0xD0A74569)
>>> >             @drwetter
>>> >
>>> >         _______________________________________________
>>> >         OWASP-Leaders mailing list
>>> >         OWASP-Leaders at lists.owasp.org <mailto:
>>> OWASP-Leaders at lists.owasp.org>
>>> >         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> >
>>> >
>>> >     This message may contain confidential information - you should
>>> handle it accordingly.
>>> > --
>>> >
>>> > secmachine․net #wepowersecdev
>>>
>>>
>
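The bounce Dirk forwarded is an RFC 3464 delivery-status report. As an added example (not code from anyone in this thread), this Python parses such a report, prefers the specific enhanced code buried in Diagnostic-Code over the generic Status line, and labels each recipient permanent or transient; the sample report is constructed with example.org placeholders. A 550 5.1.1 "User unknown" issued by the upstream gateway while the list server behind it is down is indistinguishable from a genuinely dead address, so a bounce handler should record the Remote-MTA and time rather than unsubscribe on a single hard bounce.

```python
import email
import re

# Constructed sample delivery-status part, modelled on the bounce quoted in
# this thread; addresses and hosts are example.org placeholders.
SAMPLE_DSN = """\
Reporting-MTA: dns; googlemail.com
Arrival-Date: Tue, 12 Feb 2019 01:13:12 -0800 (PST)

Final-Recipient: rfc822; some-list@lists.example.org
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx.example.net
Diagnostic-Code: smtp; 550 permanent failure for one or more recipients
 (some-list@lists.example.org:550 5.1.1 <some-list@lists.example.org>... User unknown)

Final-Recipient: rfc822; other-list@lists.example.org
Action: delayed
Status: 4.4.1
Remote-MTA: dns; mx.example.net
"""

# Enhanced status code (RFC 3463) such as 5.1.1; class 5 = permanent, 4 = transient.
ENHANCED = re.compile(r"\b[245]\.\d{1,3}\.\d{1,3}\b")


def parse_dsn(text):
    """Split an RFC 3464 delivery-status body into the per-message block and
    one header block per recipient; each block parses as ordinary headers."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    per_message = email.message_from_string(blocks[0] + "\n")
    return per_message, [email.message_from_string(b + "\n") for b in blocks[1:]]


def classify_recipient(rcpt):
    """Pick the most specific status code and decide permanent vs transient."""
    action = (rcpt.get("Action") or "").strip().lower()
    status = (rcpt.get("Status") or "").strip()
    diag = " ".join((rcpt.get("Diagnostic-Code") or "").split())
    # Status often carries only the generic class (5.0.0); the code the remote
    # MTA actually sent (5.1.1 here) usually survives only in Diagnostic-Code.
    match = ENHANCED.search(diag)
    code = match.group(0) if match else status
    if action == "failed" and code.startswith("5"):
        kind = "permanent"
    elif action == "delayed" or code.startswith("4"):
        kind = "transient"
    else:
        kind = "unknown"
    return {"recipient": rcpt.get("Final-Recipient", "").split(";", 1)[-1].strip(),
            "remote_mta": rcpt.get("Remote-MTA", "").split(";", 1)[-1].strip(),
            "code": code, "kind": kind}
```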