Date: Mon, 18 Feb 2008 22:16:53 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: wiki

On Mon, Feb 18, 2008 at 08:56:16AM -0700, Vincent Danen wrote:
> Hmmm... so where's the Openwall vendor info, eh? <wink wink> =)

Added.

Earlier today, I wrote:
> >Also, I've noticed what I think is a major issue with the wiki -
> >although it is configured to obfuscate e-mail addresses, it only does so
> >when displaying the latest revision of a page. Older revisions and page
> >source appear with the e-mail addresses intact, ready to be grabbed by a
> >"spambot".

It turned out that the older revisions were also subject to automated
e-mail address obfuscation, and the reason I got confused was that I was
looking specifically at the welcome page where you did not enter this
list's address in the DokuWiki-supported format right away. And it only
obfuscates e-mail addresses it recognizes - not anything with an @-sign.
So we need to be very careful about this - e-mail addresses must be
entered as <user@...mple.org> - with the angle brackets. Anyway, I went
ahead and corrected this in the old revisions for the welcome page
(using VIM on files in the attic) - I hope you don't mind.

As to page source, I've disabled the view source / export raw feature.
Of course, logged in users with page editing rights can view the source
with non-obfuscated e-mail addresses anyway, but let's hope "spambots"
are not that good yet - and at a later time we might want to (or have
to) revoke page editing rights for new user accounts anyway.

> > ... I think that some of the content to add would be list charter for
> >oss-security (Josh?) and official(?) or primary description of
> >vendor-sec. For the latter, we can take the text from the recently
> >created Wikipedia page - http://en.wikipedia.org/wiki/Vendor-sec - then
> >have the Wikipedia page backed by the already-public info on our wiki.
>
> These sound like good ideas to me. Particularly the bit on vendor-sec.

OK, so who is to create the page on vendor-sec? It'd be great if the
same people who edited the Wikipedia page would do it, but Steve Kemp
did not join us on this list - and I can't force people to join... OK,
maybe I can ask him about that.

> I think for this to become effective, we need to expose it more

We'll definitely expose the oss-security wiki. I am going to mention it
in one of Openwall news items and in an announcement list posting.

> and at the same time we can expose vendor-sec a little bit more too.

Yes, this is what will happen, and it appears that vendor-sec members
are either for greater exposure or feel neutral about it.

Alexander
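
An added example, not part of the original message and not DokuWiki code: a check that flags e-mail addresses entered without the angle brackets the message says are required for obfuscation, run over page revisions. The address pattern, the sample page text and the revision ids are constructed assumptions of this example.

```python
import re

# Simplified address pattern: an assumption of this example, not DokuWiki's own regex.
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def _wrapped(text, m):
    """True if the match sits directly between '<' and '>'."""
    before = text[m.start() - 1] if m.start() > 0 else ""
    after = text[m.end()] if m.end() < len(text) else ""
    return before == "<" and after == ">"

def find_bare_addresses(text):
    """Return (line_number, address) for each address not written as <address>."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        hits += [(no, m.group()) for m in ADDR.finditer(line) if not _wrapped(line, m)]
    return hits

def wrap_bare_addresses(text):
    """Rewrite bare addresses as <address>; already wrapped ones are left alone."""
    return ADDR.sub(lambda m: m.group() if _wrapped(text, m) else f"<{m.group()}>", text)

def audit_revisions(revisions):
    """Map revision id -> hits, for revisions that still contain a bare address."""
    report = {rev: find_bare_addresses(body) for rev, body in revisions.items()}
    return {rev: hits for rev, hits in report.items() if hits}

# Constructed sample page text and revision ids (not taken from the real wiki).
SAMPLE = """\
====== Welcome ======
Post to oss-security@lists.example.org to reach the list.
Moderator: <moderator@example.org>
Mentions like @-sign or user@host are not addresses.
"""
REVISIONS = {"1203350000": SAMPLE, "1203360000": wrap_bare_addresses(SAMPLE)}

if __name__ == "__main__":
    for rev, hits in audit_revisions(REVISIONS).items():
        for no, addr in hits:
            print(f"revision {rev}, line {no}: bare address {addr}")
```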