Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 3 Mar 2011 19:12:24 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Vendor-sec hosting and future of closed lists

Hi folks,

As moderator of vendor-sec and one of the sysadmins of lst.de I noticed
a break-in into the lst.de machine last week, which was likely used to
sniff email traffic of vendor-sec. This incident probably happened on Jan 20
as confirmed by timestamp, but might have existed for longer.

As the system in use at lst.de is quite old and the admin team and myself
does not really have the time anymore to keep it on a secure level, we
would like to move the list to another hosting place.

I have disabled the specific backdoor, but as I am not sure how the
break-in happened it might reappear. So I recommend not mailing embargoed
issues to vendor-sec@....de at this time.


I have asked Solar Designer if he could take over hosting, and he was agreeing,
including a full GPG crypted setup.


However we found during this brainstorming that changes in the setup
of the vendor-sec list likely are good at this point in time.

The number of subscribers is high, and probably 80-100 people get vendor-sec
emails, making leaks by members always a possbility.

Also the usefulness of v-s in general has a bit diminished, especially with
oss-sec present and more active and more involved upstream projects doing
their own management. Mark J Cox has some stats for Redhat updates showing this.

(To use the threadmill metaphor, v-s does not help us vendors as much
with the speed of the patch threadmill as it did 5 - 10 years ago.)



So I would like to open up a discussion with _all_ OSS Security folks present.

- Is a closed vendor coordination like vendor-sec still needed at this time?

  Meaning: does the benefit of a closed group really outweigh the
  "left out feeling" of non members and its annoyances?

- If yes, would it be an idea to confine or split into lists of focus groups?
  (like Linux vendors, BSD vendors, all OSS source using vendors, etc?)

- Or of course the old option is open:
  Should we proceed with the current state as-is, but throw a bit more
  GPG encryption on top?

- What other options do we have or should we pursue?

At least SUSE, Redhat and Openwall are open for discussion.
Please discuss :)

Ciao, Marcus (vendor-sec moderator)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.