[Owasp-leaders] Windows XP like OS

Dirk Wetter dirk at owasp.org
Thu Feb 14 20:48:06 UTC 2019

Hi Matt and all,

Thanks first for bringing everything online again, Matt!

With all due respect though, on some matters I have a different stance. See below.

On 13.02.19 22:03, Matt Tesauro wrote:
> Dirk, 
> Please don't conflate the reason (old OS & software) why recovering from the recent issue was
> problematic with the reasons to retire Mailman.

Well, it looked to me like there has been such a big mess for years now -- again: we are talking
about an operating system which is five years out of support, out of patches. This is
exposed on the internet. And then I am reading repeatedly "we try something else."

From this I drew the maybe wrong conclusion that probably what we have is so rotten that one
might think it is easier to start over with something new.

And all I hear is "mailman is bad", which I per se cannot agree with. If I start
arguing I don't get a reply.

> Yes, we could move to a more recent LTS version of Ubuntu and continue to run Mailman 2.x
> largely the same as it is today.  

I am asking you: How did we get there? Why did nobody in the past 5 years do an online
upgrade of the old OS??? For the non-Linux guys: It's ~3 commands on a running system and one
reboot. It is definitely less painful and way shorter than starting Windows 7 or
10 after 3-4 months.

I was really shocked that we as OWASP run such an old system. Wondering where the S in OWASP is?

> However, this won't address the reasons why  Mailman should
> be retired.  Those include:
>   * Mailman sends passwords in the clear via email and requires a shared password if 2+ people
>     are list owners - hardly security best practice

Come on! This appears to me to be focusing on a niche security problem compared to running a Windows XP
like OS exposed on the internet for almost five years (Ubuntu 10.10 and Windows XP support
both stopped in April 2014).

Secondly, as mentioned before: This is unfortunately common practice but seems not to have a
large security relevance. Most people save their password in the browser or in a pw manager, so
the pw reset does not take place often. When it does take place, I assume the pw is being reset
soon after. The only real vector is grabbing the pw from the wire, which I agree would be bad.
But the window for the attacker to get the pw from the wire shouldn't be large.

There's of course the vector that the pw is being retrieved by an attacker from the user's
INBOX. But if the INBOX is owned, 90% of any sw will fail too, except SW using 2FA.

So this is a bugging issue and somewhat ugly, I agree, but should not be a big security concern.

>   * Site Admin of Mailman is via a single shared admin password, meaning it's virtually
>     impossible to find out who did what from an admin/staff perspective

For which scenario do you need accountability?

There are moderators and admins. Don't know how the lists have been set up, but on the lists I
maintained the techies have admin rights and moderators are the ones taking care of legitimate
and non-legitimate user requests. And that worked.

>   * This has been causing repeated angst in the community for years - enough that I wrote about
>     it in 2013 so I could just send a link when it popped up again.
>     https://www.owasp.org/index.php/About_Mailman_at_OWASP

Yes, I answered you before. It doesn't make it any better if you repeat your initial stance.

See my take on this here:
http://lists.owasp.org/pipermail/owasp-leaders/2019-January/019610.html. Did I miss an answer
on this?

I am also afraid of security problems, as Discourse is relatively new. See here:

Worth mentioning again that mailman is running on millions of servers around the
world. It's definitely no niche software.

>   * The "old guard' of OWASP needs to realize that using Mailman makes OWASP look completely
>     out of touch with the next generation of AppSec people.  Ask a 20-something about mail
>     lists and they'll give you a blank look. I include myself in that "old guard" - I just
>     happen to be working with a Univ student with my project and it's been enlightening to hear
>     what his age group thinks of mail lists and IT infrastructure in general.
>       o I'm sorry 'old guard" - what's really important is getting new, young people involved
>         in our community - and that means change and meeting them were _*they*_ participate on
>         the Internet.  

That is IMO nonsense. First of all: who's looking at the web interface of mailman and, based on
that, decides whether OWASP is any good?

Then: Most people read mails and don't use the UI. So what's the deal with the UI?

If you're saying we need icons and stuff because otherwise Generation Z loses interest?
This stance might be ok for marketing. But please keep in mind that OWASP is about
technology/security. Security has no icons. It's more or less science. And it's interesting
because the matter itself is interesting. If the matter doesn't appear interesting, catchy
icons won't help either.

>   * OWASP's mission is to make AppSec visible.  Considering the very small staff, running any
>     server, that we can replace with an external service offering, removes the sys admin burden
>     from staff and actually helps us in our mission.  Otherwise, we spend staff time on things
>     that aren't core to our mission.  This is called Opportunity Cost
>     <https://en.wikipedia.org/wiki/Opportunity_cost> in Economics and the opportunity cost of
>     running any IT service that requires hands-on admin work by staff is too high.

With all due respect -- and I don't have any clue what great things you do day by day --
to me it appears most important that we run up-to-date systems, keep them running and
have a reliable service like mail.

Looking at the current issues we have, the mailman vs. discourse vs. whatever thing appears to
me a non-priority issue. Many days will be spent solving a non-existing problem instead of
just migrating the current sw to a new machine, which costs no more than half a day. It gives
us another couple of years before we migrate to mailman 3 or maybe another solution.

Wrt other issues: I am concerned that https://2016.appsec.eu/ is still down. I think I
mentioned that before. It should be a year now. Also https://owaspsummit.org/ seems to be down
for months.

As in life, we need to prioritize. To me as a volunteer, sending mail in a reliable fashion is
important. It is important that systems with information are kept available and secure.

If the burden is too high for our staff, we need additional resources.

Cheers, Dirk

OWASP Volunteer
Send me encrypted mails (Key ID 0xD0A74569)
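As an added illustration of the point made above about running an out-of-support OS exposed on the internet (this script is not from the thread and not OWASP's own tooling): a small POSIX shell check that reads the release from `/etc/os-release` text and reports whether it is past end of standard support. The `EOL_TABLE` months are placeholders to be filled in from the distributor's published lifecycle page, the sample `os-release` content is constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: flag a host whose Ubuntu release is past
# end of standard support, the condition the mail calls a "Windows XP like OS".
# The months in EOL_TABLE are placeholders for the demo; populate them from the
# distributor's lifecycle page before relying on the result.

# Placeholder table: "VERSION_ID END_OF_STANDARD_SUPPORT(YYYY-MM)", one entry per line.
EOL_TABLE='10.10 2012-04
12.04 2017-04
14.04 2019-04
16.04 2021-04'

# Turn YYYY-MM into the integer YYYYMM so two months can be compared with -gt.
ym_to_int() {
    printf '%s%s\n' "${1%-*}" "${1#*-}"
}

# Extract VERSION_ID from os-release text on stdin (accepts quoted or bare values).
os_release_version() {
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9.]*\)"\{0,1\}$/\1/p'
}

# support_status VERSION TODAY(YYYY-MM) -> prints "eol", "supported" or "unknown".
support_status() {
    version=$1
    today=$(ym_to_int "$2")
    eol=$(printf '%s\n' "$EOL_TABLE" | awk -v v="$version" '$1 == v { print $2 }')
    if [ -z "$eol" ]; then
        echo unknown
    elif [ "$today" -gt "$(ym_to_int "$eol")" ]; then
        echo eol
    else
        echo supported
    fi
}

# Constructed os-release content standing in for the old list server.
SAMPLE_OS_RELEASE='NAME="Ubuntu"
VERSION_ID="10.10"
ID=ubuntu'

# demo -> status of the constructed sample as of February 2019, the date of the mail.
demo() {
    v=$(printf '%s\n' "$SAMPLE_OS_RELEASE" | os_release_version)
    support_status "$v" "2019-02"
}

# On a real host the same check is:
#   support_status "$(os_release_version < /etc/os-release)" "$(date +%Y-%m)"
```

The script does not perform the upgrade itself; it only gives an operator a cheap, scriptable signal that a release-upgrade is overdue, which is the kind of check that would have caught a five-year-old system long before an incident did.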
