[Owasp-board] FW: Moderators

Dinis Cruz dinis at ddplus.net
Mon Mar 12 21:25:50 UTC 2007


fine with me.

OWASP: Wiki, blogs, chapters (with mailing lists), projects (with
mailing lists), forums, SpoC :)

WASC: webappsec mailing list (& a couple cool projects like their web
incident database and web firewall guide)

Dinis


On 3/12/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
>  I am friends with Jeremiah and at least acquainted with Robert Auger. Do I
> have approval to talk to them about this?
>
>  I think our best bet is to get the forums running at OWASP and leave the
> mail list to WASC if this is the case.
>
>  Thanks,
>  Andrew
>
>  On 3/12/07 3:43 PM, "Dinis Cruz" <dinis at ddplus.net> wrote:
>
>
> I think we should drop the SF list (which is just about dead at the moment),
> don't try to rebuild (for now) the one at owasp (which is also dead), and
> build a bridge with the WASC guys and use that as our main recommended
> webappsec mailing list (even linking to it from our website).
>
>  After all the WASC is currently the best mailing list out there and I think
> that we are doing a good service to our members to make them aware of it. I
> know that some of you might not like this idea, but I think there are
> a lot of good synergies with this move, and I do regularly get the question
> 'Are OWASP and WASC working against each other?'
>
>  This would be a good opportunity to build a bridge with WASC and to cross
> promote some of our activities in there.
>
>  Dinis
>
>  On 3/12/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
> Hi folks,
>
>  What do you want to do?
>
>  My personal preference is to move to OWASP and try to re-grow from there. I
> don't think we grow the OWASP brand at SF. The eyeballs have moved to WASC's
> list, not SF's, and certainly not ours.
>
>  Thoughts?
>
>  Thanks,
>  Andrew
>
>  ------ Forwarded Message
>  From: Andrew van der Stock <vanderaj at greebo.net>
>  Date: Mon, 12 Mar 2007 14:13:35 -0400
>  To: Andrew van der Stock <vanderaj at owasp.org>
>  Subject: Fwd: Moderators
>
>
>
>  Begin forwarded message:
>
>
>  From: Alfred Huger <alfred_huger at symantec.com>
>  Date: March 12, 2007 1:24:40 PM EDT
>  To: Andrew Van Der Stock <vanderaj at greebo.net>
>  Cc: Jeff Williams <jeff.williams at owasp.org>, Dave Wichers
>  <dave.wichers at owasp.org>, <dinis.cruz at owasp.org>
>  Subject: Re: Moderators
>
>
>
>
>
>  Andrew,
>
>  First, thanks for spending the time writing such a detailed piece of email,
>  it seems to be a day for it. I've been hammered with responses so I will
>  keep this brief, not due to lack of concern but rather due to lack of time.
>  On the issue of mailing list service, it was horrible. No excuses there,
>  it's been fixed. It's going to change more in the future as I am trying to
>  find a way to open up SF far more to public control.
>
>  As for list ownership, I'll be to the point. The users who sign up to the
>  lists here do so trusting SecurityFocus to own the access to their
>  information. You can always ask your users to move - and that's their
>  choice. However we assert that we own access to the email addresses as
>  given to us by our community. This aligns with our privacy policy and with
>  our general ethos here on how we manage user information. Like I said, you
>  can certainly ask people to move but we will not surrender their email
>  addresses. My first concern is our user community and you need to think of
>  it in terms of more than just your list. Nearly all of the users on your
>  list are cross subscribed to other lists here so it's rarely if ever a
>  question of an OWASP community issue but rather a larger one of the SF
>  online community.
>
>  I'd be happy to help you grow your presence on the SF site and its list
>  traffic or if you would like, you can query the userbase and move it.
>  Likely in that case I would bring in another moderator and you would end
>  up with a further bifurcated list. Let me know your preference.
>
>
>
>  Cheers,
>  -al
>
>
>
>
>  ---
>
>  Alfred Huger
>  Vice President
>  Security Response & Security Services
>
>
>
>
>  From: Andrew van der Stock <vanderaj at greebo.net>
>  Date: Mon, 12 Mar 2007 12:57:51 -0400
>  To: Alfred Huger <alfred_huger at symantec.com>
>  Cc: Jeff Williams <jeff.williams at owasp.org>, Dave Wichers
>  <dave.wichers at owasp.org>, <dinis.cruz at owasp.org>
>  Subject: Re: Moderators
>
>  Alfred,
>
>  We created the OWASP webappsec list during the SF spam debacle /
>  outages as at a certain point, it couldn't go on. Mark Curphey, as
>  OWASP leader, started the webappsec mail list in concert with SF way
>  back when OWASP had no infrastructure of its own.
>
>  Due to the excessive spam / unreliability / outages, we had made
>  plans with the community to move the list to OWASP as we now have
>  robust infrastructure which can handle the load. Most of the members
>  who replied to the poll message indicated that they wanted it at
>  OWASP by a significant margin (around 80%). The other responses were
>  webappsec.org <http://webappsec.org>  (more on that later) at about 20% and
> SC-L about 2%.
>
>
>  However, that's all moot - at the last possible second, Mark Curphey
>  asked for help via a SF back channel (probably a personal contact of
>  his) and as history shows, things were quickly fixed. I was literally
>  in the process of drafting the "please move to..." e-mail when you
>  asked us not to make any changes, but more significantly from our
>  perspective, SF rapidly fixed our concerns in one fell swoop -
>  something that had taken months and many ignored e-mails. The saddest
>  part for me is that it was fixed in less than a day when it became
>  obvious we were serious about moving, and not before. Although I am
>  sorry this became necessary, I hope you can see why we went down that
>  path. I can understand why you took me off moderation duties for a
>  little while and appreciate being re-appointed.
>
>  In the end, I am happy with the subsequent changes SF made to the
>  moderators <-> SF interface to make it work much more smoothly, the
>  uptime has been good, and the lack of spam is great. This is the
>  primary reason we've not made any moves to move on.
>
>  As per your request at the time, and despite SF's assertion of
>  ownership rights of the list - we believe it's at best 50/50 as the
>  list was started by the OWASP leader, and in general the moderators
>  have all been OWASP folks (with the exception of the dude who went
>  missing in action before me). However, we feel that it was best to
>  minimize the disruption to the webappsec community as our concerns
>  had been fixed. OWASP has not formally launched or announced the
>  list. We don't make it obvious that there is another list or ask any
>  of the members to move. We don't publicize the existence of the list
>  on the OWASP web site - new members of that list have to find it via
>  the Mailman archive list.
>
>  During the outage episode, most folks moved to
>  websecurity at webappsec.org by themselves, a site run by the Web
>  Application Security Consortium (WASC), a vendor organization
>  directly competing with OWASP and not affiliated with us in any way.
>  Moving there was the second choice by the members' responses, but it
>  was only chosen by 17% of them, so I still find the fact that most of
>  them now post there surprising. I know many of them were already
>  members so it wasn't hard for that subset. However, today,
>  webappsec.org <http://webappsec.org> has pretty much 99% of
>  webappsec at lists.securityfocus.com volume. webappsec at lists.owasp.org
>  has basically no traffic.
>
>  This is why it is important to be on the ball when moderators ask for
>  help - SF lost the initiative and subsequently the eyeballs by taking
>  the lists for granted, and OWASP lost a lot of community eyeballs
>  through a system we have no control over, and now we have SF
>  asserting ownership rights on the list. To top it off, we now have
>  another organization (not affiliated in any way with SF or OWASP)
>  taking advantage and gaining all the traffic and mind share. This is
>  not a good result for either side.
>
>  The things that went right this last year:
>
>  1. Good stability, fast delivery of messages
>  2. Lack of spam now that it is correctly configured
>  3. Responsiveness of requests to Conrad and yourself
>
>  The things that went wrong this year:
>
>  1. Loss of traffic to a competing site
>  2. Loss of trust between us
>
>  How do you see webappsec going? Personally, the most pressing thing
>  we'd like to talk about is ownership of the list as we have a stake
>  in it and its good name for OWASP. We would like to formalize that
>  sooner than later.
>
>  I'd like to talk about ways we can use this as an opportunity for
>  both sides rather than any form of blame game. Let's try to regain
>  some of those lost eyeballs.
>
>  thanks,
>  Andrew
>
>  On Mar 12, 2007, at 11:44 AM, Alfred Huger wrote:
>
>
>
>
>
>  Hey Andrew,
>
>  I am glad to hear from you, for some reason I thought you had actually
>  started the list you mod elsewhere. My apologies for sounding vacant on
>  this, I know there are recent posts there but I was told that you ran the
>  list in tandem with another site. Any clarity there?
>
>  Cheers,
>  al
>
>  ---
>
>  Alfred Huger
>  Vice President
>  Security Response & Security Services
>
>
>
>
>  From: Andrew van der Stock <vanderaj at greebo.net>
>
>  Date: Sun, 11 Mar 2007 16:51:00 -0500
>  To: Alfred Huger <alfred_huger at symantec.com>
>  Subject: Re: Moderators
>
>  Hi Al,
>
>  Any time this coming week is fine by me. 301 741 7408.
>
>  thanks,
>  Andrew
>
>  On Mar 9, 2007, at 1:33 PM, Alfred Huger wrote:
>
>
>
>
>
>  All,
>
>  I'd like to schedule some time with you to discuss your lists, the site
>  performance and to hear your thoughts on what's wrong (and right) with how
>  we are doing things right now. If you can respond back to me we can work
>  out a time to talk.
>
>  Cheers,
>  al
>
>  ---
>
>  Alfred Huger
>  Vice President
>  Security Response & Security Services
>
>  ------ End of Forwarded Message
>
>  _______________________________________________
>  Owasp-board mailing list
>  Owasp-board at lists.owasp.org
>  http://lists.owasp.org/mailman/listinfo/owasp-board
>


-- 
Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org


