Date: Mon, 4 Apr 2011 03:57:10 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Sun, Apr 03, 2011 at 11:58:21PM +0100, Benji wrote:
> This is pathetic.

It is, in certain ways, and I think some folks are amused by this discussion thread (I sort of am) - but the issues leading to this, or to possible alternatives which would be no better, are rather fundamental. You see, this topic was brought up in here a month ago, and no one has proposed anything obviously better.

> You've all just made your personal and 'work' email addresses targets

Right. If Josh did not propose this public signup procedure, I probably would not go for it, in part for that reason and in part just to avoid the noise. But when he did, I agreed. It does not matter all that much for security (it's not hard to figure out with good reliability who are the security contacts for a certain Linux distro), but it partially deals with the criticism towards vendor-sec (the "secrecy" around its membership, which was not really secret anyway).

Besides, mail from the new list is sent encrypted. Of course, it is likely that some members are reading mail right on their SMTP servers (so they have their PGP keys stored there), and attacks on their computers are possible.

Yes, we could use some "security through obscurity" by not revealing the initial subscriber list... but then we'd be criticized for that. You see, there's always someone complaining: "hey, you could have done better by not revealing your e-mail addresses" vs. "hey, you're relying on security through obscurity!"

BTW, I do not have my PGP private key on any server. So breaking into the @openwall.com mail server won't leak the new list's encrypted messages (and all of them are encrypted). However, it would possibly leak this discussion (on list subscription) if it were private. Would that be any better? Ditto for other members' e-mail addresses, who would also have copies of the signup discussion messages. For our reputation, if that's what you care about (why?), I guess it's better to have this discussion public right away.

> by having a ridiculous public 'signup' system,

Ridiculous, yes. Yet indirectly demanded by those criticizing vendor-sec's "secrecy". Were their demands ridiculous? No more than your observation on this discussion thread, I guess. Both are "somewhat reasonable".

> and the fact you all feel the need to hide behind some sort of veil for
> security issues.

Huh? Now you're with "the other" group that accuses "us" of "hiding"? Oh, you mean discussions of the security issues themselves. Obviously, you do understand that we intend to discuss some of those in private for reasons other than "hiding" ourselves from "responsibility" or whatever, don't you? This ridiculous public signup procedure was precisely a step to make it easier to convince observers-who-care that the new list would not be to discuss stuff we're ashamed of, but just for coordination on not-yet-public security issues.

What is your opinion on making the list's archive public with a delay (when the corresponding security issues are already public)? Would you call this ridiculous as well, because it is sort of a counterpart to the public signup procedure, or would you consider it the proper "fix" to whatever "hiding" issue you're seeing?

I don't mean to start a lengthy discussion thread with this (I won't have time for it), let alone a flamewar, but I am trying to communicate to you a few things that you might be missing, and I want to see if you have something to propose.

Thanks,

Alexander