Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 30 Aug 2012 19:04:35 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Stripe Capture the Flag

Hi,

Thank you all for the feedback on this sort of postings.  Besides the
feedback we've seen in here, I also got two off-list replies, both from
active list members (who wanted to keep the number of postings in this
thread down, hence did not post to the list):

One person suggested that CTF announcements be approved selectively -
most CTF announcements rejected (especially those requiring physical
presence and scheduled for a specific time, since few people are
able to participate in those), but some interesting ones accepted
(especially online infosec games available to play any time).

The other person felt strongly that all of them should be rejected, so
that we have a high-quality discussion list.

(The above is my interpretation of the responses.  I am not posting them
verbatim as I'd need to ask permission first, which I am too lazy to do.)

On Fri, Aug 24, 2012 at 08:29:10AM +0200, Filip Palian wrote:
> As many may think, it's not cve-designation list only (obviously I
> may be wrong about that).

This list is definitely not meant to be limited to CVE assignments.
I'd like to see more discussion in here - preferably of specific
technical issues rather than of policies and such (thus, I'd like this
message I am posting now to be more of an exception than the rule).

> In the other hand, it would be sad to see oss-security list turning
> into the place, where people are writing walktroughs, spoilers and
> asks for help (which IMHO would be unavoidable).
> Filtering all the garbage could be overhelming for moderators.

Well, we're not receiving any of these so far, and in fact let me dare
to post this link:

http://www.reddit.com/r/netsec/comments/z188v/stripe_web_security_ctf_is_over_i_wrote_up/

which in turn includes links to several writeups / walk-throughs for
Stripe CTF.  Warning: those who want to play the CTF for real should
avoid visiting those links prematurely.

> Maybe you will consider launching a dedicated list for CTFs only?

I'm not seeing enough demand for this.  Besides, doesn't such a list
already exist?  I must admit I'm not aware of one.  Perhaps not only for
CTFs, but also for other "similar" stuff we're rejecting: conference and
(e-)magazine CFPs, (e-)magazine issue announcements, repeated security
tool announcements (new versions).  It'd have to be limited to those
"weird" topics only, and exclude postings that would be on topic for
oss-security and other lists. %-)  (Excluding other topics would be
difficult as any posting may result in discussion that would include
postings on-topic for another list.  A (bad) solution could be to keep
that list announcement-only, rejecting any follow-ups.)  Would anyone
want to be on that list?  What could it be called?

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.