[Owasp-board] FW: Moderators

Andrew van der Stock vanderaj at owasp.org
Mon Mar 12 18:17:36 UTC 2007

Hi folks,

What do you want to do?

My personal preference is to move to OWASP and try to re-grow from there. I
don't think we grow the OWASP brand at SF. The eyeballs have moved to WASC's
list, not SF's, and certainly not ours.



------ Forwarded Message
From: Andrew van der Stock <vanderaj at greebo.net>
Date: Mon, 12 Mar 2007 14:13:35 -0400
To: Andrew van der Stock <vanderaj at owasp.org>
Subject: Fwd: Moderators

Begin forwarded message:

> From: Alfred Huger <alfred_huger at symantec.com>
> Date: March 12, 2007 1:24:40 PM EDT
> To: Andrew Van Der Stock <vanderaj at greebo.net>
> Cc: Jeff Williams <jeff.williams at owasp.org>, Dave Wichers
> <dave.wichers at owasp.org>, <dinis.cruz at owasp.org>
> Subject: Re: Moderators
> Andrew, 
> First, thanks for spending the time writing such a detailed piece of email,
> it seems to be a day for it. I've been hammered with responses so I will
> keep this brief, not due to lack of concern but rather due to lack of time.
> On the issue of mailing list service, it was horrible. No excuses there,
> it's been fixed. It's going to change more in the future as I am trying to
> find a way to open up SF far more to public control.
> As for list ownership, I'll be to the point. The users who sign up to the
> lists here do so trusting SecurityFocus to own the access to their information.
> You can always ask your users to move - and that's their choice. However we
> assert that we own access to the email addresses as given to us by our
> community. This aligns with our privacy policy and with our general ethos
> here on how we manage user information. Like I said, you can certainly ask
> people to move but we will not surrender their email addresses. My first
> concern is our user community and you need to think of it in terms of more
> than just your list. Nearly all of the users on your list are cross
> subscribed to other lists here so it's rarely if ever a question of an OWASP
> community issue but rather a larger one of the SF online community.
> I'd be happy to help you grow your presence on the SF site and its list
> traffic or if you would like, you can query the userbase and move it. Likely
> in that case I would bring in another moderator and you would end up with a
> further bifurcated list. Let me know your preference.
> Cheers,
> -al
> ---
> Alfred Huger   
> Vice President
> Security Response & Security Services
>> From: Andrew van der Stock <vanderaj at greebo.net>
>> Date: Mon, 12 Mar 2007 12:57:51 -0400
>> To: Alfred Huger <alfred_huger at symantec.com>
>> Cc: Jeff Williams <jeff.williams at owasp.org>, Dave Wichers
>> <dave.wichers at owasp.org>, <dinis.cruz at owasp.org>
>> Subject: Re: Moderators
>> Alfred,
>> We created the OWASP webappsec list during the SF spam debacle /
>> outages as at a certain point, it couldn't go on. Mark Curphey, as
>> OWASP leader, started the webappsec mail list in concert with SF way
>> back when OWASP had no infrastructure of its own.
>> Due to the excessive spam / unreliability / outages, we had made
>> plans with the community to move the list to OWASP as we now have
>> robust infrastructure which can handle the load. Most of the members
>> who replied to the poll message indicated that they wanted it at
>> OWASP by a significant margin (around 80%). The other responses were
>> webappsec.org (more on that later) at about 20% and SC-L about 2%.
>> However, that's all moot - at the last possible second, Mark Curphey
>> asked for help via a SF back channel (probably a personal contact of
>> his) and as history shows, things were quickly fixed. I was literally
>> in the process of drafting the "please move to..." e-mail when you
>> asked us not to make any changes, but more significantly from our
>> perspective, SF rapidly fixed our concerns in one fell swoop -
>> something that had taken months and many ignored e-mails. The saddest
>> part for me is that it was fixed in less than a day when it became
>> obvious we were serious about moving, and not before. Although I am
>> sorry this became necessary, I hope you can see why we went down that
>> path. I can understand why you took me off moderation duties for a
>> little while and appreciate being re-appointed.
>> In the end, I am happy with the subsequent changes SF made to the
>> moderators <-> SF interface to make it work much more smoothly, the
>> uptime has been good, and the lack of spam is great. This is the
>> primary reason we've not made any moves to move on.
>> As per your request at the time, and despite SF's assertion of
>> ownership rights of the list - we believe it's at best 50/50 as the
>> list was started by the OWASP leader, and in general the moderators
>> have all been OWASP folks (with the exception of the dude who went
>> missing in action before me). However, we feel that it was best to
>> minimize the disruption to the webappsec community as our concerns
>> had been fixed. OWASP has not formally launched or announced the
>> list. We don't make it obvious that there is another list or ask any
>> of the members to move. We don't publicize the existence of the list
>> on the OWASP web site - new members of that list have to find it via
>> the mail man archive list.
>> During the outage episode, most folks moved to
>> websecurity at webappsec.org by themselves, a site run by the Web
>> Application Security Consortium (WASC), a vendor organization
>> directly competing with OWASP and not affiliated with us in any way.
>> Moving there was the second choice by the members' responses, but it
>> was only chosen by 17% of them, so I still find the fact that most of
>> them now post there surprising. I know many of them were already
>> members so it wasn't hard for that subset. However, today,
>> webappsec.org has pretty much 99% of
>> webappsec at lists.securityfocus.com volume. webappsec at lists.owasp.org
>> has basically no traffic.
>> This is why it is important to be on the ball when moderators ask for
>> help - SF lost the initiative and subsequently the eyeballs by taking
>> the lists for granted, and OWASP lost a lot of community eyeballs
>> through a system we have no control over, and now we have SF
>> asserting ownership rights on the list. To top it off, we now have
>> another organization (not affiliated in any way with SF or OWASP)
>> taking advantage and gaining all the traffic and mind share. This is
>> not a good result for either side.
>> The things that went right this last year:
>> 1. Good stability, fast delivery of messages
>> 2. Lack of spam now that it is correctly configured
>> 3. Responsiveness of requests to Conrad and yourself
>> The things that went wrong this year:
>> 1. Loss of traffic to a competing site
>> 2. Loss of trust between us
>> How do you see webappsec going? Personally, the most pressing thing
>> we'd like to talk about is ownership of the list as we have a stake
>> in it and its good name for OWASP. We would like to formalize that
>> sooner than later.
>> I'd like to talk about ways we can use this as an opportunity for
>> both sides rather than any form of blame game. Let's try to regain
>> some of those lost eyeballs.
>> thanks,
>> Andrew
>> On Mar 12, 2007, at 11:44 AM, Alfred Huger wrote:
>>> Hey Andrew,
>>> I am glad to hear from you, for some reason I thought you had actually
>>> started the list you mod elsewhere. My apologies for sounding vacant on
>>> this, I know there are recent posts there but I was told that you ran the
>>> list in tandem with another site. Any clarity there?
>>> Cheers,
>>> al
>>> ---
>>> Alfred Huger
>>> Vice President
>>> Security Response & Security Services
>>>> From: Andrew van der Stock <vanderaj at greebo.net>
>>>> Date: Sun, 11 Mar 2007 16:51:00 -0500
>>>> To: Alfred Huger <alfred_huger at symantec.com>
>>>> Subject: Re: Moderators
>>>> Hi Al,
>>>> Any time this coming week is fine by me. 301 741 7408.
>>>> thanks,
>>>> Andrew
>>>> On Mar 9, 2007, at 1:33 PM, Alfred Huger wrote:
>>>>> All,
>>>>> I'd like to schedule some time with you to discuss your lists, the site
>>>>> performance and to hear your thoughts on what's wrong (and right) with how
>>>>> we are doing things right now. If you can respond back to me we can work out
>>>>> a time to talk.
>>>>> Cheers,
>>>>> al
>>>>> ---
>>>>> Alfred Huger
>>>>> Vice President
>>>>> Security Response & Security Services

------ End of Forwarded Message
