[Owasp-board] FW: Moderators

Andrew van der Stock vanderaj at owasp.org
Mon Mar 12 19:49:17 UTC 2007


I am friends with Jeremiah and at least acquainted with Robert Auger. Do I
have approval to talk to them about this?

I think our best bet is to get the forums running at OWASP and leave the
mail list to WASC if this is the case.

Thanks,
Andrew

On 3/12/07 3:43 PM, "Dinis Cruz" <dinis at ddplus.net> wrote:

> I think we should drop the SF list (which is just about dead at the moment),
> don't try to rebuild (for now) the one at owasp (which is also dead), and
> build a bridge with the WASC guys and use that has our main recommended
> webappsec mainling list (even linking to it from our website),
> 
> After all the WASC is currently the best mailing list out there and I think
> that we are doing a good service to our members to make them aware of it. I
> know that some of you might not like this idea, but I think there there are a
> lot of good synergies with this move, and I do regularly get the question 'Are
> OWASP and WASC working against each other?'
> 
> This would be a good oportunity to build a bridge with WASC and to cross
> promote some of our activitities in there.
> 
> Dinis
> 
> On 3/12/07, Andrew van der Stock  <vanderaj at owasp.org> wrote:
>> Hi folks,
>> 
>> What do you want to do?
>> 
>> My personal preference is to move to OWASP and try to re-grow from there. I
>> don't think we grow the OWASP brand at SF. The eyeballs have moved to WASC's
>> list, not SF's, and certainly not ours.
>> 
>> Thoughts?
>> 
>> Thanks,
>> Andrew
>> 
>> ------ Forwarded Message
>> From: Andrew van der Stock <vanderaj at greebo.net>
>> Date: Mon, 12 Mar 2007 14:13:35 -0400
>> To: Andrew van der Stock <vanderaj at owasp.org>
>> Subject: Fwd: Moderators
>> 
>> 
>> 
>> Begin forwarded message:
>> 
>>> From: Alfred Huger < alfred_huger at symantec.com
>>> <mailto:alfred_huger at symantec.com> >
>>> Date: March 12, 2007 1:24:40 PM EDT
>>> To: Andrew Van Der Stock <vanderaj at greebo.net>
>>> Cc: Jeff Williams <jeff.williams at owasp.org>, Dave Wichers <
>>> dave.wichers at owasp.org <mailto:dave.wichers at owasp.org> >,
>>> <dinis.cruz at owasp.org>
>>> Subject: Re: Moderators
>>> 
>>>  
>>> 
>>> 
>>> Andrew, 
>>> 
>>> First, thanks for spending the time writing such a detailed piece of email,
>>> it seems to be a day for it. I've been hammered with responses so I will
>>> keep this brief, not due to lack of concern but rather due to lack of time.
>>> On the issue of mailing list service, it was horrible. No excuses there,
>>> it's been fixed. It's going to change more in the future as I am trying to
>>> find a way to open up SF far more to public control.
>>> 
>>> As for list ownership, I'll be to the point. The users who sign up to the
>>> lists here do so trusting SecurityFocus to own the access their information.
>>> You can always ask your users to move - and that's their choice. However we
>>> assert that we own access to the email addresses as given to us by our
>>> community. This aligns with our privacy policy and with our general ethos
>>> here on how we manage user information. Like I said, you can certainly ask
>>> people to move but we will not surrender their email addresses. My first
>>> concern is our user community and you need to think of it in terms of more
>>> than just your list. Nearly all of the users on your list are cross
>>> subscribed to other lists here so it's rarely if ever a question of an OWASP
>>> community issue but rather a larger one of the SF online community.
>>> 
>>> I'd be happy to help you grow your presence on the SF site and it's list
>>> traffic or if you would like, you can query the userbase and move it. Likely
>>> in that case I would bring in another moderator and you would end up with a
>>> further bi-furcated list. Let me know your preference.
>>> 
>>> 
>>> 
>>> Cheers,
>>> -al
>>> 
>>> 
>>> 
>>> 
>>> ---
>>> 
>>> Alfred Huger   
>>> Vice President
>>> Security Response & Security Services
>>> 
>>> 
>>>  
>>>> From: Andrew van der Stock < vanderaj at greebo.net
>>>> <mailto:vanderaj at greebo.net> >
>>>> Date: Mon, 12 Mar 2007 12:57:51 -0400
>>>> To: Alfred Huger <alfred_huger at symantec.com>
>>>> Cc: Jeff Williams <jeff.williams at owasp.org>, Dave Wichers
>>>> <dave.wichers at owasp.org>, < dinis.cruz at owasp.org
>>>> <mailto:dinis.cruz at owasp.org> >
>>>> Subject: Re: Moderators
>>>> 
>>>> Alfred,
>>>> 
>>>> We created the OWASP webappsec list during the SF spam debacle /
>>>> outages as at a certain point, it couldn't go on. Mark Curphey, as
>>>> OWASP leader, started the webappsec mail list in concert with SF way
>>>> back when OWASP had no infrastructure of its own.
>>>> 
>>>> Due to the excessive spam / unreliability / outages, we had made
>>>> plans with the community to move the list to OWASP as we now have
>>>> robust infrastructure which can handle the load. Most of the members
>>>> who replied to the poll message indicated that they wanted it at
>>>> OWASP by a significant margin (around 80%). The other responses were
>>>> webappsec.org <http://webappsec.org>  (more on that later) at about 20% and
>>>> SC-L about 2%.
>>>> 
>>>> However, that's all moot - at the last possible second, Mark Curphey
>>>> asked for help via a SF back channel (probably a personal contact of
>>>> his) and as history shows, things were quickly fixed. I was literally
>>>> in the process of drafting the "please move to..." e-mail when you
>>>> asked us not to make any changes, but more significantly from our
>>>> perspective, SF rapidly fixed our concerns in one fell swoop -
>>>> something that had taken months and many ignored e-mails. The saddest
>>>> part for me that it was fixed in less than a day when it became
>>>> obvious we were serious about moving, and not before. Although I am
>>>> sorry this became necessary, I hope you can see why we went down that
>>>> path. I can understand why you took me off moderation duties for a
>>>> little while and appreciate being re-appointed.
>>>> 
>>>> In the end, I am happy with the subsequent changes SF made to the
>>>> moderators <-> SF interface to make it work much more smoothly, the
>>>> uptime has been good, and the lack of spam is great. This is the
>>>> primary reason we've not made any moves to move on.
>>>> 
>>>> As per your request at the time, and despite SF's assertion of
>>>> ownership rights of the list - we believe it's at best 50/50 as the
>>>> list was started by the OWASP leader, and in general the moderators
>>>> have all been OWASP folks (with the exception of the dude who went
>>>> missing in action before me). However, we feel that it was best to
>>>> minimize the disruption to the webappsec community as our concerns
>>>> had been fixed. OWASP has not formally launched or announced the
>>>> list. We don't make it obvious that there is another list or ask any
>>>> of the members to move. We don't publicize the existence of the list
>>>> on the OWASP web site - new members of that list have to find it via
>>>> the mail man archive list.
>>>> 
>>>> During the outage episode, most folks moved to
>>>> websecurity at webappsec.org by themselves, a site run by the Web
>>>> Application Security Consortium (WASC), a vendor organization
>>>> directly competing with OWASP and not affiliated with us in any way.
>>>> Moving there was the second choice by the member's responses, but it
>>>> was only chosen by 17% of them, so I still find the fact that most of
>>>> them now post there is surprising. I know many of them were already
>>>> members so it wasn't hard for that subset. However, today,
>>>> webappsec.org <http://webappsec.org>  has pretty much 99% of
>>>> webappsec at lists.securityfocus.com volume. webappsec at lists.owasp.org
>>>> has basically no traffic.
>>>> 
>>>> This is why it is important to be on the ball when moderators ask for
>>>> help - SF lost the initiative and subsequently the eyeballs by taking
>>>> the lists for granted, and OWASP lost a lot of community eyeballs
>>>> through a system we have no control over, and now we have SF
>>>> asserting ownership rights on the list. To top it off, we now have
>>>> another organization (not affiliated in any way with SF or OWASP)
>>>> taking advantage and gaining all the traffic and mind share. This is
>>>> not a good result for either side.
>>>> 
>>>> The things that went right this last year:
>>>> 
>>>> 1. Good stability, fast delivery of messages
>>>> 2. Lack of spam now that it is correctly configured
>>>> 3. Responsiveness of requests to Conrad and yourself
>>>> 
>>>> The things that went wrong this year:
>>>> 
>>>> 1. Loss of traffic to a competing site
>>>> 2. Loss of trust between us
>>>> 
>>>> How do you see webappsec going? Personally, the most pressing thing
>>>> we'd like to talk about is ownership of the list as we have a stake
>>>> in it and its good name for OWASP. We would like to formalize that
>>>> sooner than later.
>>>> 
>>>> I'd like to talk about ways we can use this as an opportunity for
>>>> both sides rather than any form of blame game. Let's try to regain
>>>> some of those lost eyeballs.
>>>> 
>>>> thanks,
>>>> Andrew
>>>> 
>>>> On Mar 12, 2007, at 11:44 AM, Alfred Huger wrote:
>>>> 
>>>>  
>>>>> 
>>>>> 
>>>>> Hey Andrew,
>>>>> 
>>>>> I am glad to hear from you, for some reason I thought you had actually
>>>>> started the list you mod elsewhere. My apologies for sounding
>>>>> vacant on
>>>>> this, I know there are recent posts there but I was told that you
>>>>> ran the
>>>>> list in tandem with another site. Any clarity there?
>>>>> 
>>>>> Cheers,
>>>>> al
>>>>> 
>>>>> ---
>>>>> 
>>>>> Alfred Huger
>>>>> Vice President
>>>>> Security Response & Security Services
>>>>> 
>>>>> 
>>>>>  
>>>>>> From: Andrew van der Stock < vanderaj at greebo.net
>>>>>> <mailto:vanderaj at greebo.net> >
>>>>>> Date: Sun, 11 Mar 2007 16:51:00 -0500
>>>>>> To: Alfred Huger <alfred_huger at symantec.com>
>>>>>> Subject: Re: Moderators
>>>>>> 
>>>>>> Hi Al,
>>>>>> 
>>>>>> Any time this coming week is fine by me. 301 741 7408.
>>>>>> 
>>>>>> thanks,
>>>>>> Andrew
>>>>>> 
>>>>>> On Mar 9, 2007, at 1:33 PM, Alfred Huger wrote:
>>>>>> 
>>>>>>  
>>>>>>> 
>>>>>>> 
>>>>>>> All,
>>>>>>> 
>>>>>>> I'd like to schedule some time with you to discuss your lists, the
>>>>>>> site
>>>>>>> performance and to hear your thoughts on what's wrong (and right)
>>>>>>> with how
>>>>>>> we are doing things right now. If you can respond back to me we can
>>>>>>> work out
>>>>>>> a time to talk.
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> al
>>>>>>> 
>>>>>>> ---
>>>>>>> 
>>>>>>> Alfred Huger
>>>>>>> Vice President
>>>>>>> Security Response & Security Services
>>>>>>> 
>>>>>>>  
>>>>>> 
>>>>>>  
>>>>> 
>>>>>  
>>>> 
>>>>  
>>> 
>>>  
>> 
>> 
>> 
>> ------ End of Forwarded Message
>> 
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> http://lists.owasp.org/mailman/listinfo/owasp-board
>> 
> 
> 
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20070312/6e193dac/attachment-0002.html>


More information about the Owasp-board mailing list