[Governance] JOSH SOKOL - CEASE AND DESIST CONTACT WITH CHRIS GATFORD

Martin Knobloch martin.knobloch at owasp.org
Wed Feb 26 15:59:21 UTC 2014


All,

Of course OWASP is Open and all are free to post what they want, with the
exception of personal insults and what is in conflict with the OWASP ethics
etc.
Of course I do understand if you feel the need to defend. But as this is
currently going... it is actually going nowhere.

It is not my intention to restrict freedom of speech, but I have urged
you all to stop replying to each other, as this is not helping any of you /
us!
Therefore, again, I ask you to cease fire!

With kind regards,
-martin



On Wed, Feb 26, 2014 at 4:37 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> As the origination of this thread was Christian's attempts to seek
> vengeance upon me via allegations of ethical violations, I wanted to bring
> this thread back to those original allegations and stop trying to skirt the
> issue at hand with these other distractions.
>
> As Josh insists on citing
>> https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics
>> then I would like to *formally request to bring Josh to account with his stated ethics* specifically:
>>
>>    - *Perform all professional activities and duties in accordance with
>>    all applicable laws and the highest ethical principles;*
>>    - *Refrain from any activities which might constitute a conflict of
>>    interest or otherwise damage the reputation of employers, the information
>>    security profession, or the Association;*
>>    - *Not intentionally injure or impugn the professional reputation of
>>    practice of colleagues, clients, or employers;*
>>    - *Treat everyone with respect and dignity; and*
>>    - *To avoid relationships that impair -- or may appear to impair --
>>    OWASP's objectivity and independence.*
>>
>>
> This is simply a restatement of the OWASP Code of Ethics which I maintain
> that I hold in the highest regard and have not violated.  My reasonable
> request for the following, based on the non-specific allegation, continues
> to be ignored:
>
>
> 1) What law or ethical principle have I broken?
> 2) Where is my conflict of interest or how have I damaged the reputation
> of employers, the profession, or the association?
> 3) How have I INTENTIONALLY injured or impugned the professional
> reputation of colleagues, clients, or employers?  Who?
> 4) Who have I been disrespectful to and in what way?
> 5) What relationship do I have that impairs OWASP's objectivity and
> independence?
>
> The only "evidence" presented was that Christian spoke with his mom who
> received multiple phone calls from the police who, upon inquiry, said
> something about Chris Gatford and Internet Security.
>
> The agreed timeline is that Josh Sokol contacted Chris Gatford without
>> my knowledge and at the conclusion of their conference call Chris then
>> walked the one block from his office in Manly Corso to Manly Corso
>> Police Station to file a false complaint that is possibly supported by
>>
>> the adverse comments Josh Sokol made against me during their recorded
>> conference call.
>>
>
> I do not agree with this timeline.  If the contention is that Chris
> Gatford concluded the call and then walked to the police station to file a
> complaint, then this would be easily backed by the police report showing
> the same date and similar time to my call with Chris Gatford.  Likewise,
> the police report should show my name along with Chris' statements
> pertaining to my comments.  If Christian can produce this police report,
> then I will gladly take it up with the NSW police (if the contact is
> provided to me) and clarify with them the comments that I did or did not
> make.  As for the recorded conversation with Chris Gatford, I will gladly
> tender that into evidence as I only asked questions and never made
> statements presuming guilt or innocence.  My call was conducted in a
> professional manner and, while the call cannot be released for public
> consumption, other Board members who have heard the call have come forth to
> that regard.  Unless Christian can provide answers to the five specific
> questions above, as well as the police report showing evidence of the
> purported timeline and crime, this allegation is baseless speculation and
> pure libel.
>
> ~josh
>
>
> On Wed, Feb 26, 2014 at 8:48 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> There were no photos of his "wife on holiday" (has a hidden meaning
>>> which you can disclose with Google) or his kids in the bath (i.e.
>>> child pornography).  It was a fabrication that was made by Chris
>>> Gatford.
>>>
>>
>> I would like for Christian to point out where I said "wife on holiday" or
>> "kids in the bath".  I said neither nor did I imply it.  Still, I would say
>> that hacking into a photo sharing site in order to disclose pictures of
>> another person's wife and kids is ethically sketchy at best and criminal at
>> worst.
>>
>>
>> Again, my Tweets are clearly labelled "Protected" which is commonly
>>> understood to be not for publication i.e.
>>>
>>> http://feedback.storify.com/knowledgebase/articles/236987-what-is-storify-s-policy-for-editing-or-deleting-s
>>>
>>
>>
>> *In a presentation entitled "For God Your Soul... For Me Your Flesh" at
>> the AusCERT security conference on the Gold Coast, security expert
>> Christian Heinrich demonstrated how he had gained access to the
>> privacy-protected Facebook photos of the wife of HackLabs director Chris
>> Gatford.  *
>>
>> *[snip]Heinrich, who works as an IT security contractor, admitted he did
>> not like Gatford but said that, because Gatford presented himself as a
>> security expert, he should be accountable for what is posted online. "I
>> have no ethical qualms about publishing the photos," he said. "They are in
>> the public domain."*
>>
>> (
>> http://www.theherald.com.au/story/926302/security-experts-go-to-war-wife-targeted/
>> )
>>
>> Christian, by his own admission, feels that even privacy-protected
>> documents are in the public domain.  That said, it doesn't matter in this
>> case as this tweet was sent to Jim Manico while in service on the OWASP
>> Board of Directors.  It shows a clear intent to do damage to the OWASP
>> Foundation.
>>
>>
>> Jim receives advice from someone in his family who works at the IRS,
>>> who he consulted (and was subsequently corrected by) for his recent
>>> failed attack against the OWASP Top Ten and Aspect Security.
>>>
>>> Google "Jim Manico" IRS inurl:owasp-board for references
>>
>>
>> The Google query returns two results.  Neither of which proves anything
>> about anything.  I see no ethical issues here.  Christian does not mention
>> Jim's specific ethical violation nor does he provide any evidence to
>> directly support a violation.  This should be summarily dismissed.
>>
>> This is clearly dated in January 2011 and well before Josh or Jim
>>> became OWASP Board Members and furthermore "i.e." indicates "for
>>> instance" meaning in the present time.
>>>
>>> This is at best Josh clutching at straws since I also provided the URL.
>>>
>>
>> This was a deliberate attempt to mislead the reader into believing that
>> Yiannis said something that he did not say.  This is merely Christian's
>> opinion and nothing more.  I will withdraw my request that it be tendered
>> into evidence as Christian fabricating evidence based on his clarification,
>> but would request that he be cautioned to be more explicit in the future
>> rather than saying someone said something, providing a link, and then
>> putting another statement in quotation marks next to it.
>>
>> Can someone please let me know why Yiannis is still an OWASP Member in
>>> light of his continued violations of the OWASP Code of Ethics but I
>>> know the answer is selective judgement right Josh and Jim?
>>>
>>
>> The OWASP Board does not and should not chase after individuals for
>> ethics violations.  In general, we are a community of volunteers and should
>> trust that our volunteers are doing the right thing.  The OWASP Code of
>> Ethics was meant to serve as an explicit reminder of things that we all
>> should be doing without having to be reminded.  However, in cases where
>> specific ethical concerns have been raised, the Board will use the Code of
>> Ethics as a guideline to determine if a violation has occurred.  I am not
>> aware of a formal ethics complaint against Yiannis as no complaint has been
>> brought forth during my tenure as a Board member and I fail to see the
>> relevance of this in a thread where it is me, not Yiannis, who has been
>> accused of an ethical violation.  I would recommend that Christian start a
>> new thread on the governance list with his allegations of ethical
>> violations against Yiannis and not place them in this one.
>>
>> ~josh
>>
>>
>> On Wed, Feb 26, 2014 at 12:44 AM, Christian Heinrich <
>> christian.heinrich at cmlh.id.au> wrote:
>>
>>> On Wed, Feb 26, 2014 at 4:38 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>> > For the record, Christian is comparing disclosing pictures of a security
>>> > practitioner's wife and kids by hacking into a photo sharing site with making
>>> > threats of damage to the OWASP Foundation via a tweet to an OWASP Board
>>> > member.  To say that these are the same because they are both "Social Media"
>>> > represents a gross misunderstanding of ethics in general.
>>>
>>> There were no photos of his "wife on holiday" (has a hidden meaning
>>> which you can disclose with Google) or his kids in the bath (i.e.
>>> child pornography).  It was a fabrication that was made by Chris
>>> Gatford.
>>>
>>> Furthermore, Chris Gatford's former employer endorses my action too
>>> i.e.
>>> http://www.zdnet.com/penetration-testing-employees-social-media-to-improve-policy-7000017234/
>>>
>>> The fact is Chris can't present
>>> https://www.slideshare.net/ChrisGatford/social-media-abuse-hacking and
>>> then not be held to account.
>>>
>>> Again, my Tweets are clearly labelled "Protected" which is commonly
>>> understood to be not for publication i.e.
>>>
>>> http://feedback.storify.com/knowledgebase/articles/236987-what-is-storify-s-policy-for-editing-or-deleting-s
>>>
>>> On Wed, Feb 26, 2014 at 4:38 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>> > Again, Christian is making wild claims of ethics violations without even
>>> > calling out the specific violations or providing evidence of the violation.
>>> > Does anyone know or understand what Christian is saying about the IRS and
>>> > OWASP/Jim Manico?
>>>
>>> Jim receives advice from someone in his family who works at the IRS,
>>> who he consulted (and was subsequently corrected by) for his recent
>>> failed attack against the OWASP Top Ten and Aspect Security.
>>>
>>> Google "Jim Manico" IRS inurl:owasp-board for references
>>>
>>> On Wed, Feb 26, 2014 at 4:38 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>> > To be clear, this actually says "Jeff decides and Dinis manipulates".
>>> > Yiannis says nothing about Josh or Jim.  This is an outright lie by
>>> > Christian.  Martin, please tender this into evidence as an example of
>>> > Christian fabricating evidence.
>>>
>>> This is clearly dated in January 2011 and well before Josh or Jim
>>> became OWASP Board Members and furthermore "i.e." indicates "for
>>> instance" meaning in the present time.
>>>
>>> This is at best Josh clutching at straws since I also provided the URL.
>>>
>>> Can someone please let me know why Yiannis is still an OWASP Member in
>>> light of his continued violations of the OWASP Code of Ethics but I
>>> know the answer is selective judgement right Josh and Jim?
>>>
>>> BTW, I support Yiannis 100% and Jim found no ethical qualms in
>>> scheduling an interview with him on JBroFuzz to support his election
>>> to the OWASP Board.
>>>
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>>
>>> http://cmlh.id.au/contact
>>> _______________________________________________
>>> Governance mailing list
>>> Governance at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/governance
>>>
>>
>>
>
>
>