Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110404185427.GB14209@openwall.com>
Date: Mon, 4 Apr 2011 22:54:27 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Mon, Apr 04, 2011 at 07:32:12AM +0100, Benji wrote:
> Can I not be part of the group that thinks a public signup system for a
> mailing list that previously had the mail server owned due to the fact it
> was secret (showing interest in possibly owning users now that emails like
> mjo@...o.mi.org have been confirmed on the list) for a mailing list that is
> 'embargoed' when really it shouldn't be.

What do you mean by: "a mailing list that is 'embargoed' when really it
shouldn't be"?  Does this mean that you're actually against the very
existence of such a list?  I think it is important to know your opinion
on the main issues when we consider your opinion on the detail.

> >>What is your opinion on making the list's archive public with a delay (when  the corresponding security issues are already public)?
> 
> It would be better. In my opinion, delay would be 1-2 days.

What use is a delay of 1-2 days for members of such a list?  I mean, it
is of some use for high severity issues where the vendors would need to
throw whatever resources they can at resolving the issues ASAP, at
expense of slowing down work on other tasks (including other security
related tasks) and likely arriving at and releasing non-final fixes
(more like workarounds).

However, my proposal, which I am going to try to enforce, is to only
discuss medium-severity issues on this new list.  I think that an
embargo period of 1-2 days does not make sense for those; if that's all
we can afford, we can as well make them public right away.

> Vendor-sec
> (alternatives) should be a last resort in publishing issues, other projects
> don't get the same "privileges", and have to "make do" with oss-sec. If you
> really need such help 'co-ordinating' and fixing things, maybe you should
> have a policy to, release advisory/info first, then have a 'co-ordination'
> list.

No offense intended, but it sounds like you did not give the above much
thought, or maybe you did not explain it fully.

That said, I agree that a closed list should be a last resort, to be
used whenever other options are determined to be less appropriate for a
particular security issue.  Unfortunately, this determination is usually
made by just one person (whoever brings the issue to the list), so it is
likely to sometimes be "wrong".

> >>Do you really think anyone is gaining new information by discovering
> >>that, say, a member of the security team for a major distro will be on
> >>this mailing list?  Such information seems pretty obvious to me.
> 
> Yes Dan, but now we have private email accounts as well (by people who
> apparently don't like to use vendor email addresses) that are also signed up
> to this, allowing targeting and easy identification

Yes, we lost a security through obscurity layer here, which was
arguably nice to have.  I don't have strong feelings either way
(public subscriber info or not-right-away).

BTW, most of those same e-mail addresses were already exposed to whoever
broke into the vendor-sec machine.

> of probably less secure infrastructure.

My guess (based on partial knowledge) is that Mike's personal e-mail
infrastructure is actually more secure than his employer's.  You have a
valid point in general, though.

> Excuse my "trolling" if some of this has already been covered, I'm up early
> (for me) and thus can be slightly unintelligible.

It's OK.  In fact, comments/criticism such as yours is one of the
reasons why we're handling this discussion in public.  This might enable
us to arrive at something slightly better "next time".

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.