[Owasp-leaders] Windows XP like OS
dirk at owasp.org
Thu Feb 14 20:48:06 UTC 2019
Hi Matt and all,
Thanks first for bringing everything online again, Matt.
With all due respect though, on some matters I have a different stance. See below.
On 13.02.19 22:03, Matt Tesauro wrote:
> Please don't conflate the reason (old OS & software) why recovering from the recent issue was
> problematic with the reasons to retire Mailman.
Well, it looked to me like there's been such a big mess for years now -- again: we are talking
about an operating system which is five years out of support, out of patches. This is
exposed on the internet. And then I am reading repeatedly "we try something else."
From this I drew the maybe wrong conclusion that probably what we have is so rotten that one
might think it is easier to start over with something new.
And all I hear is "mailman is bad", which I per se cannot agree with. If I start
arguing I don't get a reply.
> Yes, we could move to a more recent LTS version of Ubuntu and continue to run Mailman 2.x
> largely the same as it is today.
I am asking you: How did we get there? Why did nobody in the past 5 years do an online
upgrade of the old OS??? For the non-Linux guys: it's ~3 commands on a running system and one
reboot. It is definitely less painful and way shorter than starting Windows 7 or
10 after 3-4 months.
I was really shocked that we as OWASP run such an old system. Wondering where the S in OWASP is?
> However, this won't address the reasons why Mailman should
> be retired. Those include:
> * Mailman sends passwords in the clear via email and requires a shared password if 2+ people
> are list owners - hardly security best practice
Come on! This appears to me to be focusing on a niche security problem compared to running a Windows XP
like OS exposed on the internet for almost five years (Ubuntu 10.10 and Windows XP support
both stopped in April 2014).
Secondly, as mentioned before: this is unfortunately common practice but seems not to have
large security relevance. Most people save their password in the browser or in a pw manager. So
the pw reset is not taking place often. When it's taking place I assume the PW is being reset
soon after. The only real vector is grabbing the pw from the wire, which I agree would be bad.
But the window for the attacker to get the pw from the /wire/ shouldn't be large.
There's of course the vector that the pw is retrieved by an attacker from the user's
INBOX. But if the INBOX is owned, 90% of any sw will fail too, except the SW using 2FA.
So this is a bugging issue and somewhat ugly, I agree, but should not be a big security concern.
> * Site Admin of Mailman is via a single shared admin password, meaning it's virtually
> impossible to find out who did what from an admin/staff perspective
For which scenario do you need accountability?
There are moderators and admins. I don't know how the lists have been set up, but on the lists I
maintained the techies have admin rights and moderators are the ones taking care of legitimate
and non-legitimate user requests. And that worked.
> * This has been causing repeated angst in the community for years - enough that I wrote about
> it in 2013 so I could just send a link when it popped up again.
Yes, I answered you before. It doesn't make it any better if you repeat your initial stance.
See my take on this here:
http://lists.owasp.org/pipermail/owasp-leaders/2019-January/019610.html . Did I miss an answer?
I am also afraid of security problems as discourse is relatively new. See here:
Worth mentioning again that mailman is running on millions of servers around the
world. It's definitely no niche software.
> * The "old guard" of OWASP needs to realize that using Mailman makes OWASP look completely
> out of touch with the next generation of AppSec people. Ask a 20-something about mail
> lists and they'll give you a blank look. I include myself in that "old guard" - I just
> happen to be working with a Univ student with my project and it's been enlightening to hear
> what his age group thinks of mail lists and IT infrastructure in general.
> o I'm sorry "old guard" - what's really important is getting new, young people involved
> in our community - and that means change and meeting them where _*they*_ participate on
> the Internet.
That is IMO nonsense. First of all: who's looking at a web interface of mailman and based on
that decides whether OWASP is any good?
Then: most people read mails and don't use the UI. So what's the deal with the UI?
Are you saying we need icons and stuff because otherwise generation Z loses interest?
This stance might be ok for marketing. But please keep in mind that OWASP is about
technology/security. Security has no icons. It's more or less science. And it's interesting
because the matter itself is interesting. If the matter doesn't appear interesting, catchy
icons won't help either.
> * OWASP's mission is to make AppSec visible. Considering the very small staff, running any
> server, that we can replace with an external service offering, removes the sys admin burden
> from staff and actually helps us in our mission. Otherwise, we spend staff time on things
> that aren't core to our mission. This is called Opportunity Cost
> <https://en.wikipedia.org/wiki/Opportunity_cost> in Economics and the opportunity cost of
> running any IT service that requires hands-on admin work by staff is too high.
With all due respect -- and I don't have any clue of what great things you do day by day --
to me it appears most important that we run up-to-date systems, keep them running, and
have a reliable service like mail.
Looking at the current issues we have, the mailman vs. discourse vs. whatever thing appears to
me a non-priority issue. Many days will be spent solving a non-existing problem instead of
just migrating the current sw to a new machine, which costs not more than half a day. It gives
us another couple of years before we migrate to mailman 3 or maybe another solution.
Wrt other issues: I am concerned that https://2016.appsec.eu/ is still down. I think I
mentioned that before. It should be a year now. Also https://owaspsummit.org/ seems to be down.
As in life we need to prioritize. To me as a volunteer, mail sending in a reliable fashion is
important. It is important that systems with information are kept available and secure.
If the burden is too high for our staff we need additional resources.
Send me encrypted mails (Key ID 0xD0A74569)