[Owasp-leaders] Windows XP like OS

Dirk Wetter dirk at owasp.org
Thu Feb 14 20:48:06 UTC 2019


Hi Matt and all,

Thanks first for bringing everything online again, Matt!

With all due respect though, on some matters I have a different stance. See below.

On 13.02.19 22:03, Matt Tesauro wrote:
> Dirk, 
> 
> Please don't conflate the reason (old OS & software) why recovering from the recent issue was
> problematic with the reasons to retire Mailman.

Well, it looked to me like there's been such a big mess for years now -- again: we are talking
about an operating system which is five years out of support, out of patches. This is
exposed on the internet. And then I am reading repeatedly "we try something else."

From this I drew the maybe wrong conclusion that probably what we have is so rotten that one
might think it is easier to start over with something new.

And all I hear is "mailman is bad", which I per se cannot agree with. If I start
arguing I don't get a reply.

> Yes, we could move to a more recent LTS version of Ubuntu and continue to run Mailman 2.x
> largely the same as it is today.  

I am asking you: How did we get there? Why did nobody in the past 5 years do an online
upgrade of the old OS??? For the non-Linux guys: It's ~3 commands on a running system and one
reboot. It is definitely less painful and way shorter than starting Windows 7 or
10 after 3-4 months.

I was really shocked that we as OWASP run such an old system. Wondering where the S in OWASP is?


> However, this won't address the reasons why  Mailman should
> be retired.  Those include:
> 
>   * Mailman sends passwords in the clear via email and requires a shared password if 2+ people
>     are list owners - hardly security best practice

Come on! This appears to me to be focusing on a niche security problem compared to running a Windows XP
like OS exposed on the internet for almost five years (Ubuntu 10.10 and Windows XP support
both stopped in April 2014).

Secondly, as mentioned before: This is unfortunately common practice but seems not to have a
large security relevance. Most people save their password in the browser or in a pw manager. So
the pw reset is not often taking place. When it's taking place I assume the PW is being reset
soon after. The only real vector is grabbing the pw from the wire, which I agree would be bad.
But the window for the attacker to get the pw from the wire shouldn't be large.

There's of course the vector that the pw is being retrieved by an attacker from the user's
INBOX. But if the INBOX is owned, 90% of any sw will fail too, except the SW using 2FA.

So this is a bugging issue and somewhat ugly, I agree, but should not be a big security concern.

>   * Site Admin of Mailman is via a single shared admin password, meaning it's virtually
>     impossible to find out who did what from an admin/staff perspective

For which scenario do you need accountability?

There are moderators and admins. Don't know how the lists have been set up, but on the lists I
maintained the techies have admin rights and moderators are the ones taking care of legitimate
and non-legitimate user requests. And that worked.

>   * This has been causing repeated angst in the community for years - enough that I wrote about
>     it in 2013 so I could just send a link when it popped up again.
>     https://www.owasp.org/index.php/About_Mailman_at_OWASP

Yes, I answered you before. It doesn't make it any better if you repeat your initial stance.

See my take on this here:
http://lists.owasp.org/pipermail/owasp-leaders/2019-January/019610.html. Did I miss an answer
on this?

I am also afraid of security problems as Discourse is relatively new. See here:
http://lists.owasp.org/pipermail/owasp-leaders/2019-January/019599.html

Worth mentioning again that mailman is running on millions of servers around the
world. It's definitely no niche software.

>   * The "old guard' of OWASP needs to realize that using Mailman makes OWASP look completely
>     out of touch with the next generation of AppSec people.  Ask a 20-something about mail
>     lists and they'll give you a blank look. I include myself in that "old guard" - I just
>     happen to be working with a Univ student with my project and it's been enlightening to hear
>     what his age group thinks of mail lists and IT infrastructure in general.
>       o I'm sorry 'old guard" - what's really important is getting new, young people involved
>         in our community - and that means change and meeting them were _*they*_ participate on
>         the Internet.  

That is IMO nonsense. First of all: who's looking at the web interface of mailman and based on
that decides whether OWASP is any good?

Then: Most people read mails and don't use the UI. So what's the deal with the UI?

If you're saying we need icons and stuff because otherwise generation Z loses interest?
This stance might be ok for marketing. But please keep in mind that OWASP is about
technology/security. Security has no icons. It's more or less science. And it's interesting
because the matter itself is interesting. If the matter doesn't appear interesting, catchy
icons won't help either.

>   * OWASP's mission is to make AppSec visible.  Considering the very small staff, running any
>     server, that we can replace with an external service offering, removes the sys admin burden
>     from staff and actually helps us in our mission.  Otherwise, we spend staff time on things
>     that aren't core to our mission.  This is called Opportunity Cost
>     <https://en.wikipedia.org/wiki/Opportunity_cost> in Economics and the opportunity cost of
>     running any IT service that requires hands-on admin work by staff is too high.

With all due respect -- and I don't have any clue of what great things you do day by day --
to me it appears most important that we run up-to-date systems, keep them running and
have a reliable service like mail.

Looking at the current issues we have, the mailman vs. discourse vs. whatever thing appears to
me a non-priority issue. Many days will be spent solving a non-existing problem instead of
just migrating the current sw to a new machine, which costs not more than half a day. It gives
us another couple of years before we migrate to mailman 3 or maybe another solution.

Wrt other issues: I am concerned that https://2016.appsec.eu/ is still down. I think I
mentioned that before. It should be a year now. Also https://owaspsummit.org/ seems to be down
for months.


As in life we need to prioritize. To me as a volunteer, sending mail in a reliable fashion is
important. It is important that systems with information are kept available and secure.

If the burden for our staff is too high we need additional resources.


Cheers, Dirk


-- 
OWASP Volunteer
Send me encrypted mails (Key ID 0xD0A74569)
@drwetter
