Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110403235710.GB10724@openwall.com>
Date: Mon, 4 Apr 2011 03:57:10 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Sun, Apr 03, 2011 at 11:58:21PM +0100, Benji wrote:
> This is pathetic.

It is, in certain ways, and I think some folks are amused by this
discussion thread (I sort of am) - but the issues leading to this, or to
possible alternatives which would be no better, are rather fundamental.
You see, this topic was brought up in here a month ago, and no one has
proposed anything obviously better.

> You've all just made your personal and 'work' email addresses targets

Right.  If Josh did not propose this public signup procedure, I probably
would not go for it, in part for that reason and in part just to avoid
the noise.  But when he did, I agreed.  It does not matter all that much
for security (it's not hard to figure out with good reliability who are
the security contacts for a certain Linux distro), but it partially
deals with the criticism towards vendor-sec (the "secrecy" around its
membership, which was not really secret anyway).

Besides, mail from the new list is sent encrypted.  Of course, it is
likely that some members are reading mail right on their SMTP servers
(so they have their PGP keys stored there), and attacks on their
computers are possible.  Yes, we could use some "security through
obscurity" by not revealing the initial subscriber list... but then we'd
be criticized for that.  You see, there's always someone complaining:
"hey, you could have done better by not revealing your e-mail addresses"
vs. "hey, you're relying on security through obscurity!"

BTW, I do not have my PGP private key on any server.  So breaking into
the @openwall.com mail server won't leak the new list's encrypted
messages (and all of them are encrypted).  However, it would possibly
leak this discussion (on list subscription) if it were private.  Would
that be any better?  Ditto for other members' e-mail addresses, who
would also have copies of the signup discussion messages.  For our
reputation, if that's what you care about (why?), I guess it's better to
have this discussion public right away.

> by having a ridiculous public 'signup' system,

Ridiculous, yes.  Yet indirectly demanded by those criticizing
vendor-sec's "secrecy".  Were their demands ridiculous?  No more than
your observation on this discussion thread, I guess.  Both are
"somewhat reasonable".

> and the fact you all feel the need to hide behind some sort of veil for
> security issues.

Huh?  Now you're with "the other" group that accuses "us" of "hiding"?

Oh, you mean discussions of the security issues themselves.  Obviously,
you do understand that we intend to discuss some of those in private for
reasons other than "hiding" ourselves from "responsibility" or whatever,
don't you?  This ridiculous public signup procedure was precisely a step
to make it easier to convince observers-who-care that the new list would
not be to discuss stuff we're ashamed of, but just for coordination on
not-yet-public security issues.

What is your opinion on making the list's archive public with a delay
(when the corresponding security issues are already public)?  Would you
call this ridiculous as well, because it is sort of a counterpart to the
public signup procedure, or would you consider it the proper "fix" to
whatever "hiding" issue you're seeing?

I don't mean to start a lengthy discussion thread with this (I won't
have time for it), let alone a flamewar, but I am trying to communicate
to you a few things that you might be missing, and I want to see if you
have something to propose.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.