[Governance] [Owasp-board] OWASP statement on security: your opinion? - until Monday 14:00 CST

Christian Heinrich christian.heinrich at cmlh.id.au
Sat May 30 02:42:35 UTC 2015

Jim and Josh,

Can I ask that you desist from spreading false information and rumor
within http://lists.owasp.org/pipermail/owasp-board/2015-May/015500.html

As per http://csrc.nist.gov/groups/ST/crypto-review/index.html, the
only person who continued to complain that the NSA was attempting to
subvert this process without any supporting evidence was ironically
Ron Rivest, who "sold out" RSA.

The driver of this ulterior motive against NIST was
https://password-hashing.net/.  Their team of "experts" includes Marsh
Ray who had not attended a security conference (ShmooCon) and had very
little experience prior to January 2010 (I know this because he,
Michael Dahn and I had dinner together).  You may also want to
consider the lack and slow progress of
http://istruecryptauditedyet.com/ as Matthew Green held onto donations
for an extended period of time.

I'd be most interested in how you would feel if RSA said to OWASP we
will not be continuing our relationship with OWASP based on

On Fri, Aug 22, 2014 at 7:40 PM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:
> Tobias,
> On Thu, Jan 30, 2014 at 7:36 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> I wouldn't want to hold you back. The other discussion with Josh and the
>> board has nothing to do with the PR, so if you think the OWASP community got
>> it wrong or that we made an "error", please feel free to distance yourself
>> from the statement or "refresh the webappsec community of what you think"
>> anytime you like etc. That is your personal choice. No need to wait for
>> after the other matter has been resolved.
> In an ironic twist Bruce Schneier independently reached the same
> "reasonable" conclusion as I i.e.
> "My guess is that RSA didn't know anything was amiss and when a large
> customer comes in with technical changes that don’t really matter you
> just do them. I think RSA was more a victim here, and I think it's
> been unfortunate that over the last couple of months they haven't been
> able to tell their story clearly." as quoted in
> http://www.theregister.co.uk/2014/02/27/qa_schneier_on_trust_nsa_spying_and_the_end_of_us_internet_hegemony/
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact

Christian Heinrich


More information about the Governance mailing list