[Governance] Termination - Request for Artifact(s)

Josh Sokol josh.sokol at owasp.org
Sat Feb 22 06:42:16 UTC 2014


Christian,

*"You are more than welcome to schedule an interview for on the record
> comment provided a list of question are agreed upon beforehand?*"
>

This was the exact purpose of these two previous interviews.  I'm not sure
what you thought the point of it was if it was not on the record.  I
certainly would not want to waste my time with a conversation that would
serve no purpose.  I could not possibly "induce" an audio interview that
you requested, and attended, knowing in advance that I had scheduled it via
GoToMeeting with the intent of recording it for our records as well as
yours.  To support this:

*"Not following the "O" in "OWASP" has bit us many times in the past and in
> a situation like this where claims have been made around character
> assassination, I feel quite strongly that all of these discussions should
> take place on record."* (
> http://lists.owasp.org/pipermail/owasp-board/2014-January/012946.html)
>

AND

My statement about a public call was not a joke.  It was based on your
> request that this discussion be held in the light.  I can't speak for how
> the Board has done things in the past, but unless you specifically desire
> to have the discussions private, then I believe they shouldn't be.  My
> actions as a Board member should be performed in full view of the members
> who elected me.  Because of this, I have waived my right to privacy on this
> matter as well.  There is no alterior motive, only a desire for
> transparency.  (
> http://lists.owasp.org/pipermail/owasp-board/2014-January/013009.html)
>

And this from you, but it was not sent to the mailing list.  That said, all
of the Board members plus Kate and Sarah received it:

* I have no objection to recording the call provided I receive a list of
> questions prior so there aren't any "surprises" related to entrapment.* (Thu,
> Jan 16, 2014 at 7:34 PM "Re: Fwd: Josh & Christian - Conference Call")


You agreed to the call and you agreed to the recording.  It was only once
you got on the call that you cited "inducement" and I offered to terminate
the call at that point.

Your statement that you were not provided a list of questions is just
straight up lies and I'm going to call you on that as well.  I made several
attempts to allow you to generate the list of questions yourself due to
your threats of entrapment.

"I certainly would hate to be accused of entrapment.  That said, I want to
> ensure that you have the opportunity to speak your mind and worry that I
> may not ask the right questions for you to do so.  Perhaps it would make
> sense if you wrote down some questions for me to consider?  I could
> tailor them a bit if necessary (and will provide in advance of course) but
> it would both save me time in generating them myself and ensures that you
> have the opportunity to say what you need to say.  I will warn, however,
> that our conversation loses its candidness with this approach and it really
> becomes more like me taking a prepared statement rather than having a
> conversation.   But I would like to hear what you have to say, so if that's
> what you're comfortable with, it works for me." (Thu, Jan 16, 2014 at
> 9:55 PM "Re: Fwd: Josh & Christian - Conference Call")


When you failed to generate the list of questions, I responded as follows:

I would gladly hear your views on the Google Hacking inquiry and any
> assertions you have as to why the information in it may be inaccurate
> and/or the penalty unjust.  I would gladly hear your views on why you
> feel that your suspension ultimately turned into a full membership
> revocation.  I would gladly hear your views on why you feel that the
> membership revocation has lasted as long as it has.  More importantly, I
> would gladly hear your views on why you feel that the membership
> revocation should be lifted and your membership reinstated.  I would like
> to hear your views on the rationale behind the recent commotion on the
> mailing lists and private communications and why this is different from the
> activity which got your membership revoked previously.  And most important
> in my mind, I would like to hear your views on your intent should your
> membership me reinstated.  The Board reinstating your membership is
> equivalent to OWASP forgiving any past actions and is a statement that we
> are willing to move forward with you as part of the organization.  Are
> you willing and able to do the same?  Those are the questions that you
> should expect from me on the call since you do not seem interested in
> taking me up on my offer to allow you to generate the questions
> yourself.  (Sun, Jan 19, 2014 at 3:15 AM "Re: Fwd: Josh & Christian -
> Conference Call")
>

The questions for the second call were even more explicit:

"the following are the questions and topics that I would like to
> ask/discuss during our call later this week:
>
> 1) The original finding from the Google Hacking Inquiry was only that you
> had not published your source code.  The consequence, as determined by the
> Board, was a 3 month suspension of your OWASP membership.  Can you please
> tell me why you feel that the original 3 month suspension turned into a
> full membership revocation?
>
> 2) I believe the original revocation was supposed to have been for a two
> year term which would have ended several years ago.  Did you ask to have
> your membership reinstated?  Why do you feel that the revocation is still
> in place after that original revocation was up?
>
> 3) Even recently there have been negative communications from yourself to
> OWASP members both via the mailing list and in private.  Can you please
> explain your reasoning behind these negative communications?
>
> 4) You have requested of the Board to reinstate your OWASP membership.
> Can you please explain why you feel that the membership revocation should
> be lifted and your OWASP membership be reinstated?
>
> 5) Can you please tell me what your intent would be if the Board were to
> rule in favor of having your membership reinstated?  Would you participate
> in OWASP as a positive contributor?  Would you be willing to lay aside any
> negative feelings and abide by the OWASP Code of Ethics?"  (Wed, Jan 29,
> 2014 at 2:55 PM "Topics of Discussion for This Weeks Call")
>

Your requests to assist you are just attempts to draw OWASP into your own
personal grudges with others.  The OWASP Board has no place in helping you
do whatever it is you think you're doing with these people and it is
completely out of the scope of your request for reinstatement, which you
have now requested us to drop.

I have absolutely nothing to hide and my e-mails above show that I have
made every attempt to make my communications with you completely
transparent.  It is you, Sir, that has requested that certain records not
be released in public.  If anyone is trying to hide something, it is you.

I support 100% whatever Martin would like to do here.  If that means taking
an independent inquiry, I am quite confident that he will come to the same
conclusions that everyone else has come to.

I find it repulsive that you say that the Board is taking shortcuts on
this.  I have spoken with over a dozen people related to you and your
behavior.  I have requested now, three times, the names and contact
information for those you would like me to speak who support you, and you
continue to ignore the request.  Just because I have refused to involve
myself or the Board in your personal grudges, does not mean that we've
taken the shortcut.  It means that I recognize that the scope of our
engagement was the Google Hacking Inquiry and your request for
reinstatement.  Everything else is simply your attempt to waste time and
deflect attention to others instead of yourself.

Given what I've stated above, let me be clear.  You have now elected to
take two shots at my integrity when I have been completely open about
everything here.  I no longer have the time to engage you in these
discussions as they are no longer productive and have again gone negative.
I'm going to ask you to please deal directly with Martin going forward as I
no longer feel that I can remain unbiased in this matter.  You've now taken
two shots at my integrity.  If you do it again, I would be happy to release
all records of our communications to the public as I have absolutely
nothing to hide.  It is you that has asked for them not to be shared.

~josh


On Fri, Feb 21, 2014 at 11:01 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
>
> You "induced" an audio interview you refused to accept a written statement
> by stating that this was the only way the OWASP Board would allow me to
> tender a statement.
>
> I was awarded a formal certificate int the conduct of witness interviews
> by the Queensland Police and inducement is considered highly unethical and
> the reason why it is clarified as [not] a condition of the interview as
> demonstrated within
> http://www.smh.com.au/technology/technology-news/journalists-facebook-arrest-transcript-of-police-interview-20110518-1esrr.html<http://www.smh.com.au/technology/technology-news/journalists-facebook-arrest-transcript-of-police-interview-20110518-1esrr.html#ixzz2u1TiBQ9C>
>
> I have never been provided a list of questions otherwise I would have
> provided written responses but you did provide one "surprise" question
> without any reasonable notice period which I addressed too.
>
> I have made numerous offers to schedule a conference call in which to
> repeat the "*assist me with a number of very conservative clarifications
> of my reputation with Brad Causey, Andre Ludwig, etc so they can act as my
> referees and ambassadors within OWASP in the future*." statement I made
> within
> http://lists.owasp.org/pipermail/governance/2014-February/000329.html  I
> don't know how I can make this intent appear any less conservative or non
> confrontational.
>
> If you had nothing to hide then you would support Martin in undertaking an
> independent inquiry of the termination process.
>
> The conduct of the OWASP Board in conducting the termination is dubious at
> best and you have again demonstrated the OWASP Board desire to take
> shortcuts without consideration of the facts of the matter to arrive at an
> premeditated outcome.
>
> On Sat, Feb 22, 2014 at 2:36 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Christian,
>>
>> *I do not grant permission for the two interviews to be published to the
>> public record.  Neither was I ever informed that their distribution was for
>> the public record and I requested  that I *not* be recorded and any consent
>> given is inducement.  You are more than welcome to schedule an interview
>> for on the record comment provided a list of question are agreed upon
>> beforehand?*
>>
>> This is fine.  My statement in each of the calls was that they were being
>> recorded to preserve evidence on behalf of both yourself and OWASP and the
>> contents would be provided to other Board members and our Executive
>> Director in order to assist with your request for reinstatement.  The
>> questions I asked were provided to you before the call with one exception
>> that I offered you not to answer if you so chose.  You did, in fact, agree
>> to the recording of the call (your consent is recorded).  Your claims of
>> inducement are baseless as you were given the option as to whether you
>> wanted to proceed or not.  There were no threats held over your head other
>> than it needed to be recorded in order to obtain evidence for your request
>> for reinstatement and no recording meant no evidence.  It would have been
>> pointless.  So, to be clear, the recordings will absolutely be used by the
>> Board in our decision making process.  We will not make the recordings
>> public, per your request, but it will be made clear that the Board
>> considered additional evidence that you requested not be made public in
>> making our decision.
>>
>> My original offer to assist was to try to obtain evidence so that I could
>> make an informed decision on your request for reinstatement.  Along the
>> way, I did recognize that the Google Hacking Inquiry no longer served the
>> purpose that it once did and I am happy to aide in having it removed so
>> that you may move on with your life.  All of this other stuff that you are
>> saying, all of the requests to pursue people based on allegations from
>> years ago, I cannot support.  My goal was to find a peaceful resolution
>> between yourself and OWASP.  I offered two plans that both received support
>> from those outside of the Board, but it is clear that your quest for
>> "justice" stands in the way of any attempts for a peaceful resolution.
>> Thus, as I stated previously, I believe that our paths have diverged and I
>> am incapable of aiding you going forward.  I thank you for taking the time
>> to engage me both in e-mail and over the phone and feel that I now have
>> enough information to make an informed decision on the subject.  I did
>> request your additional supporting sources, to make sure I was as thorough
>> as possible, but as you never provided these to me I'm afraid I will have
>> to make due with the data that you have provided to me.  Feel free to pass
>> those on if you feel so inclined, but otherwise, I don't think we have
>> anything else to discuss.  I wish you all the best, Christian.
>>
>> ~josh
>>
>>
>> On Fri, Feb 21, 2014 at 7:52 PM, Christian Heinrich <
>> christian.heinrich at cmlh.id.au> wrote:
>>
>>> Martin,
>>>
>>> I would to formally request that you to undertake an independent
>>> review of my suspension and termination from OWASP.
>>>
>>> The focus and scope will be on the within the e-mail I recently sent
>>> to this [governance] mailing list and I have highlighted the major
>>> points within
>>> http://lists.owasp.org/pipermail/governance/2014-February/000326.html
>>> (bolding may not render correctly as the e-mail was HTML).
>>>
>>> I have no intention to rejoin OWASP until this matter is resolved but
>>> I would like to participate as a member of the public and speak at
>>> https://2014.appsec.eu/ and the OWASP Board have declared that in
>>> light of the exclusion lapsing in January this will continue
>>> indefinitely and therefore I am excluded from presenting at this
>>> event.
>>>
>>> Therefore, I don't want this drag out like the Inquiry Google Hacking
>>> Project which should have taken "a few hours work" at most.
>>>
>>> Is this timeline reasonable to you?
>>>
>>> The issue related to SourceForge vs GitHub is secondary and I have
>>> tendered the evidence that infers that Aspect Security sought to offer
>>> their commercial services to SourceForge during the tender issued by
>>> the OWASP GPC.
>>>
>>> On Sat, Feb 22, 2014 at 12:49 AM, Martin Knobloch
>>> <martin.knobloch at owasp.org> wrote:
>>> > Hi Christian,
>>> >
>>> > Just to makes things clear, you do email me as in my role of
>>> compliance /
>>> > whistle blower officer?
>>> > Please state clearly if this request to me as in my obligation of the
>>> above
>>> > mentioned, or as fellow OWASP member!
>>> >
>>> > Some parts of your email are not clear to me. Excuse if this is caused
>>> my
>>> > level of understanding the English language, I am not a native speaker
>>> as
>>> > you know.
>>> > Therefore, I have to first ask you some questions, for me to fully
>>> > understand your request:
>>> >
>>> > What is in your opinion the relation of the "Queensland and NSW State
>>> > Governments"  regulations?
>>> >
>>> > As OWASP is not incorporated in Australia, I wonder about the
>>> relevance.
>>> > With other words, do you suggest OWASP has to follow regulations
>>> outside of
>>> > the US?
>>> >
>>> > What does IRS stands for?
>>> > In what view is the request of for information by Dinis, Dennis and
>>> Josh you
>>> > refer to, relevant?
>>> >
>>> > I fail to understand to point of this reference
>>> >
>>> > What artifact does not exist you refer to by "Michael has also been
>>> offered
>>> > the opportunity to state that this artifact does not exist..."?
>>> >
>>> > But most importantly, what it your request?
>>> > I fail to understand your question:
>>> >  "Can you assist so that the selective judgement of the OWASP Board
>>> doesn't
>>> > affect the well being of another OWASP member?"
>>> > Could you rephrase your question please?
>>> >
>>> > Please understand, I am asking this in order to fully understand your
>>> email.
>>> > If you prefer, we can schedule a  call in private!
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>>
>>> http://cmlh.id.au/contact
>>> _______________________________________________
>>> Governance mailing list
>>> Governance at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/governance
>>>
>>
>>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/governance/attachments/20140222/c0c43778/attachment-0001.html>


More information about the Governance mailing list