Date: Wed, 09 Sep 2020 14:49:42 +0000
From: "The Doctor [412/724/301/703/415/510]" <drwho@...tadpt.net>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Open Source Tool | vPrioritization | Risk Prioritization Framework


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, September 8, 2020 6:03 PM, Alex Gaynor <alex.gaynor@...il.com> wrote:

> Oh they have a policy. It says that systems will be patched in a timely
> manner. And then the kind accountants who perform the audits say, "Great
> policy, this is fully compliant, have an ATO and a gold star". And then

I wish I could not confirm this.  In the assignments I was given, this was the rule
and not the exception.

> random things all over the place are not patched at all because federal IT
> departments have astonishingly poor automation practices, extremely limited

A lot of that seems to boil down to "You want to run this random piece of software
to automate the job we're paying you to do?  Forget it."  There is also the odd
"We won't run any software that doesn't have <some number of expensive independent
code audits and certifications> and what you want to do doesn't have those (even
though you claim they do, we think you're lying)."

> reuse of systems across distinct projects (contracts) within the agency and

Secure data erasure and platform disposal practices have something to do with this.

> there is nothing approaching a comprehensive way for a federal agency to
> answer "did we deploy the updated struts for all of our stuff".

With a side order of "the contractors we hired for this stuff should be on top of it,"
even when they're not the prime on the contract anymore.

The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time of monsters.
