[Owasp-board] FW: Moderators

Dinis Cruz dinis at ddplus.net
Mon Mar 12 19:43:18 UTC 2007


I think we should drop the SF list (which is just about dead at the moment),
don't try to rebuild (for now) the one at owasp (which is also dead), and
build a bridge with the WASC guys and use that has our main recommended
webappsec mainling list (even linking to it from our website),

After all the WASC is currently the best mailing list out there and I think
that we are doing a good service to our members to make them aware of it. I
know that some of you might not like this idea, but I think there there are
a lot of good synergies with this move, and I do regularly get the question
'Are OWASP and WASC working against each other?'

This would be a good oportunity to build a bridge with WASC and to cross
promote some of our activitities in there.

Dinis

On 3/12/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
>  Hi folks,
>
> What do you want to do?
>
> My personal preference is to move to OWASP and try to re-grow from there.
> I don't think we grow the OWASP brand at SF. The eyeballs have moved to
> WASC's list, not SF's, and certainly not ours.
>
> Thoughts?
>
> Thanks,
> Andrew
>
> ------ Forwarded Message
> *From: *Andrew van der Stock <vanderaj at greebo.net>
> *Date: *Mon, 12 Mar 2007 14:13:35 -0400
> *To: *Andrew van der Stock <vanderaj at owasp.org>
> *Subject: *Fwd: Moderators
>
>
>
> Begin forwarded message:
>
> *From: *Alfred Huger <alfred_huger at symantec.com>
> *Date: *March 12, 2007 1:24:40 PM EDT
> *To: *Andrew Van Der Stock <vanderaj at greebo.net>
> *Cc: *Jeff Williams <jeff.williams at owasp.org>, Dave Wichers <
> dave.wichers at owasp.org>, <dinis.cruz at owasp.org>
> *Subject: Re: Moderators
> *
>
>
>
> Andrew,
>
> First, thanks for spending the time writing such a detailed piece of
> email,
> it seems to be a day for it. I've been hammered with responses so I will
> keep this brief, not due to lack of concern but rather due to lack of
> time.
> On the issue of mailing list service, it was horrible. No excuses there,
> it's been fixed. It's going to change more in the future as I am trying to
> find a way to open up SF far more to public control.
>
> As for list ownership, I'll be to the point. The users who sign up to the
> lists here do so trusting SecurityFocus to own the access their
> information.
> You can always ask your users to move - and that's their choice. However
> we
> assert that we own access to the email addresses as given to us by our
> community. This aligns with our privacy policy and with our general ethos
> here on how we manage user information. Like I said, you can certainly ask
> people to move but we will not surrender their email addresses. My first
> concern is our user community and you need to think of it in terms of more
> than just your list. Nearly all of the users on your list are cross
> subscribed to other lists here so it's rarely if ever a question of an
> OWASP
> community issue but rather a larger one of the SF online community.
>
> I'd be happy to help you grow your presence on the SF site and it's list
> traffic or if you would like, you can query the userbase and move it.
> Likely
> in that case I would bring in another moderator and you would end up with
> a
> further bi-furcated list. Let me know your preference.
>
>
>
> Cheers,
> -al
>
>
>
>
> ---
>
> Alfred Huger
> Vice President
> Security Response & Security Services
>
>
>
>
> From: Andrew van der Stock <vanderaj at greebo.net>
> Date: Mon, 12 Mar 2007 12:57:51 -0400
> To: Alfred Huger <alfred_huger at symantec.com>
> Cc: Jeff Williams <jeff.williams at owasp.org>, Dave Wichers
> <dave.wichers at owasp.org>, <dinis.cruz at owasp.org>
> Subject: Re: Moderators
>
> Alfred,
>
> We created the OWASP webappsec list during the SF spam debacle /
> outages as at a certain point, it couldn't go on. Mark Curphey, as
> OWASP leader, started the webappsec mail list in concert with SF way
> back when OWASP had no infrastructure of its own.
>
> Due to the excessive spam / unreliability / outages, we had made
> plans with the community to move the list to OWASP as we now have
> robust infrastructure which can handle the load. Most of the members
> who replied to the poll message indicated that they wanted it at
> OWASP by a significant margin (around 80%). The other responses were
> webappsec.org (more on that later) at about 20% and SC-L about 2%.
>
> However, that's all moot - at the last possible second, Mark Curphey
> asked for help via a SF back channel (probably a personal contact of
> his) and as history shows, things were quickly fixed. I was literally
> in the process of drafting the "please move to..." e-mail when you
> asked us not to make any changes, but more significantly from our
> perspective, SF rapidly fixed our concerns in one fell swoop -
> something that had taken months and many ignored e-mails. The saddest
> part for me that it was fixed in less than a day when it became
> obvious we were serious about moving, and not before. Although I am
> sorry this became necessary, I hope you can see why we went down that
> path. I can understand why you took me off moderation duties for a
> little while and appreciate being re-appointed.
>
> In the end, I am happy with the subsequent changes SF made to the
> moderators <-> SF interface to make it work much more smoothly, the
> uptime has been good, and the lack of spam is great. This is the
> primary reason we've not made any moves to move on.
>
> As per your request at the time, and despite SF's assertion of
> ownership rights of the list - we believe it's at best 50/50 as the
> list was started by the OWASP leader, and in general the moderators
> have all been OWASP folks (with the exception of the dude who went
> missing in action before me). However, we feel that it was best to
> minimize the disruption to the webappsec community as our concerns
> had been fixed. OWASP has not formally launched or announced the
> list. We don't make it obvious that there is another list or ask any
> of the members to move. We don't publicize the existence of the list
> on the OWASP web site - new members of that list have to find it via
> the mail man archive list.
>
> During the outage episode, most folks moved to
> websecurity at webappsec.org by themselves, a site run by the Web
> Application Security Consortium (WASC), a vendor organization
> directly competing with OWASP and not affiliated with us in any way.
> Moving there was the second choice by the member's responses, but it
> was only chosen by 17% of them, so I still find the fact that most of
> them now post there is surprising. I know many of them were already
> members so it wasn't hard for that subset. However, today,
> webappsec.org has pretty much 99% of
> webappsec at lists.securityfocus.com volume. webappsec at lists.owasp.org
> has basically no traffic.
>
> This is why it is important to be on the ball when moderators ask for
> help - SF lost the initiative and subsequently the eyeballs by taking
> the lists for granted, and OWASP lost a lot of community eyeballs
> through a system we have no control over, and now we have SF
> asserting ownership rights on the list. To top it off, we now have
> another organization (not affiliated in any way with SF or OWASP)
> taking advantage and gaining all the traffic and mind share. This is
> not a good result for either side.
>
> The things that went right this last year:
>
> 1. Good stability, fast delivery of messages
> 2. Lack of spam now that it is correctly configured
> 3. Responsiveness of requests to Conrad and yourself
>
> The things that went wrong this year:
>
> 1. Loss of traffic to a competing site
> 2. Loss of trust between us
>
> How do you see webappsec going? Personally, the most pressing thing
> we'd like to talk about is ownership of the list as we have a stake
> in it and its good name for OWASP. We would like to formalize that
> sooner than later.
>
> I'd like to talk about ways we can use this as an opportunity for
> both sides rather than any form of blame game. Let's try to regain
> some of those lost eyeballs.
>
> thanks,
> Andrew
>
> On Mar 12, 2007, at 11:44 AM, Alfred Huger wrote:
>
>
>
>
>
> Hey Andrew,
>
> I am glad to hear from you, for some reason I thought you had actually
> started the list you mod elsewhere. My apologies for sounding
> vacant on
> this, I know there are recent posts there but I was told that you
> ran the
> list in tandem with another site. Any clarity there?
>
> Cheers,
> al
>
> ---
>
> Alfred Huger
> Vice President
> Security Response & Security Services
>
>
>
>
> From: Andrew van der Stock <vanderaj at greebo.net>
> Date: Sun, 11 Mar 2007 16:51:00 -0500
> To: Alfred Huger <alfred_huger at symantec.com>
> Subject: Re: Moderators
>
> Hi Al,
>
> Any time this coming week is fine by me. 301 741 7408.
>
> thanks,
> Andrew
>
> On Mar 9, 2007, at 1:33 PM, Alfred Huger wrote:
>
>
>
>
>
> All,
>
> I'd like to schedule some time with you to discuss your lists, the
> site
> performance and to hear your thoughts on what's wrong (and right)
> with how
> we are doing things right now. If you can respond back to me we can
> work out
> a time to talk.
>
> Cheers,
> al
>
> ---
>
> Alfred Huger
> Vice President
> Security Response & Security Services
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ------ End of Forwarded Message
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-board
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20070312/ce624963/attachment-0002.html>


More information about the Owasp-board mailing list