[Owasp-board] REQUEST FOR COMMENTS/FW: My resignation from all owasp matters

Jeff Williams jeff.williams at owasp.org
Thu Jan 27 22:05:50 UTC 2011


Thank you Paolo!  Your thoughts mirror my interactions, which have been less extensive but equally perplexing.  We need to be sure not to overreact to those who would derail OWASP.  Of course we should listen to and have open debate about real issues, but getting distracted by nonsense is bad leadership too.  The history of Mike, Christian, and Yiannis shows that this kind of thing is possible.  In one way it is a sign of our success.  Let's keep our eye on the ball and put all of our efforts into having a great Summit.

--Jeff




On Jan 27, 2011, at 4:46 PM, "Paulo Coimbra" <paulo.coimbra at owasp.org> wrote:

> Board,
> 
>  
> 
> Please allow me to step in to share a couple of thoughts regarding this ‘Yiannis’ episode since I have dealt directly with him in a few social and professional occasions, and, being so, have built a certainly subjective but nonetheless firm idea of his personality and I am feeling that it would not be fair to allow that Dinis alone supports the burden/responsibility for the current disruptive frame.
> 
>  
> 
> To be absolutely clear and for what it’s worth I have formed the idea that Yiannis is tremendously complicated and inconsequent/incoherent. I’ve reached this conclusion through a few episodes but I’d like to keep the focus on two main ones.
> 
>  
> 
> As for the first one, roughly a year ago or so, when Yiannis decided that his project should be assessed, he contacted me insistently several times and vividly proposed we had lunch together to talk about it. Because I am always a bit swamped with my daily routines I tried to manage the issue through email as I always do but, given his insistence, I ultimately agreed and we met for lunch in central London. To say it as clearly as possible, I have returned from the meeting with lots of perplexity since most of the time what Yiannis said hardly made any sense to me. If I understood well his speech he has advanced a thesis under which OWASP has been doing everything completely wrong and the entire community of app sec professionals, if not the entire world, was of his opinion. I’ve tried several times to ask him about concrete mistakes and responsibilities but in my opinion I have only got a set of reasonably incoherent mumbles. He jumped from saying that OWASP was being severely criticized by appsec professionals to that OWASP’s path was not correct - I have however never concretely understood what the appsec professionals were saying about OWASP or why the strategic direction of OWASP was so obviously wrong. Nevertheless I have opted for not supporting his vision and for encouraging him to address the leaders’ mailing list to discuss his concerns by saying I believed OWASP was an open organization in which the open debate was not only allowed but deeply stimulated. I also tried to change the chat’s theme to the operational questions we had to solve regarding the need to evaluate the projects he was leading.
> 
>  
> 
> Given this behaviour I have returned from this meeting puzzled and asking myself whether or not I had been in situation in which an OWASP contributor tried to evangelize and kettle me to some sort of ‘OWASP unhappy people’ club. I have also reflected if Yiannis was thinking in building an alternative to the current Board but ended up concluding that his speech was not enough structured, coherent or even legible to be the case. I’ve talked about this situation with Dinis and let him know about these subjective impressions of mine.
> 
>  
> 
> As for the second episode, it relates to the assessment process itself. However, as a previous point, I’d like to say that I have felt that working with Yiannis is tremendously difficult and that I have only experienced such burdensome when working with M. Boberski. So, to begin with and in Yiannis defence, I think it would only be fair if we kept in mind that the assessment of his project has begun when the GPC was updating its methodologies and that consequently he may have been, to a certain extent, victim of this circumstance. However, that being said, I am of the opinion that Yiannis was always absolutely non-collaborative. For example, he has kept himself insisting that his project should be assessed (and I always understood that he was saying his project should be immediately moved to Stable Quality) but it was a true nightmare to make him to accept that this process should begin by himself performing his own release assessment. Every single request we made, little or big, was always, but always, contested by him and this has gone through until he addressed our leaders mailing with an inflammatory mail (attached) with the illustrative subject of ‘Would the real OWASP please stand up!’ basically complaining about OWASP methodologies. In this time, I have told to him directly that requesting a couple of files (PDF + PPT), a roadmap and a self-assessment, in my view, couldn’t be seen as an asphyxiant burden of bureaucratic work. I am still of the same opinion, and I can say from my experience doing this work, that people usually don’t complain.
> 
>  
> 
> To conclude – I apologise for this long email – I’d like to synthesize my view by saying that in my subjective assessment Yiannis has shown to be a tremendously complicated person to deal with. I don’t know why but it clearly seems to me that something has antagonized him towards OWASP and that this antagonism has never stopped growing.   
> 
>  
> 
> Thanks,
> 
> - Paulo
> 
>  
> 
>  
> 
> Paulo Coimbra,
> 
> OWASP Project Manager
> 
>  
> 
> From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: quinta-feira, 27 de Janeiro de 2011 15:26
> To: OWASP Foundation Board List
> Subject: Re: [Owasp-board] My resignation from all owasp matters
> 
>  
> 
> The board is "corrupt" according to Yiannis. (below)?!!
> 
>  
> 
> Did this need to get to this point.
> 
>  
> 
> Again as leaders we need to listen more and not dictate.
> 
> First Mike Boberski now Yiannis....Houston we've got a problem.
> 
> 
>  
> 
> On 26 January 2011 20:59, Yiannis Pavlosoglou <yiannis at owasp.org> wrote:
> 
> Hey,
> 
> Not for me, I've taken the easy option and I am out; change this place
> if you can; some people do deserve to see it and I think you get
> what's happening.
> 
> Cheers,
> 
> ---------- Forwarded message ----------
> From: Yiannis Pavlosoglou <yiannis at owasp.org>
> Date: 26 January 2011 20:46
> Subject: Re: My resignation from all owasp matters
> To: Lorna Alamri <lorna.alamri at owasp.org>
> Cc: Colin Watson <colin.watson at owasp.org>, Joe Bernik
> <bernik at gmail.com>, "rex.booth" <rex.booth at us.gt.com>, David Campbell
> <dcampbell at owasp.org>, Georg Heß <georg.hess at artofdefence.com>, Sarah
> Baso <sarah.baso at owasp.org>
> 
> 
> My apologies Lorna,
> 
> There is a cardinal rule in information security, at least among my
> peers: you do not lie. Actually, here in London it has consequences,
> if you do lie, you don't work in this industry any more. Think about
> that, think about how many times you've been lied to in, say, the last
> 3 months.
> 
> You know better than most on this email, that we've spent a lot of
> time collecting logs, cross-correlating our actions, making sure we
> document what we do, one-to-one phone calls, etc. For what? Jeff
> decides and Dinis manipulates.
> 
> Bigger matters, like O2 and the money spent preaching about it, plus
> financial discrepancies (! we are a charity remember?) have not even
> been hinted upon, yet. People on this thread know exactly what I am
> talking about.
> 
> My personal opinion is that the owasp board needs to be dissolved and
> a new governing body needs to be established. They are far too
> corrupt!
> 
> Regardless, we've shown what the problem is, we offered to address it
> and we've proven where they should start. Now, all that said, don't we
> have better things to do?
> 
> Please let's leave it at that as I don't plan on following up on this
> thread (I don't even know how long this account will be active for:)
> 
> Thank you,
> 
> Yiannis
> 
> On 26 January 2011 15:26, Lorna Alamri <lorna.alamri at owasp.org> wrote:
> > Yiannis,
> > I understand your frustration and disgust, however I respectfully disagree
> > with your approach to a resolution. You are a respected OWASP leader that
> > many of us, myself especially, look to for guidance, so I am disappointed
> > that you will not be at the Summit to participate and bring these issues to
> > the large group for open discussion and resolution. There are several
> > working sessions at the Summit with a focus on some of the issues you have
> > alluded to in your e-mail.
> > As example:
> >
> > OWASP Board/Committee Governance
> > Professionalize OWASP
> > Should OWASP hire a Chief Executive Officer (CEO)?
> >
> > From that and some of the strings on the leaders list I am sure that you are
> > not the only one with these concerns. As a leader, it's your obligation to be
> > heard, not just by the board, but by the other leaders who will be assembled
> > at the Summit. If we were all to throw our hands up in disgust and walk away
> > there would be no OWASP, but is that really a solution? Does it fix
> > anything? no. So I am asking you to lead by example, to come to the Summit
> > and work to right those issues that are so frustrating you.
> > I will support you in whatever your decision ultimately is, but hope that
> > you will reconsider.
> > Sincerely,
> > Lorna
> >
> >
> >
> >
> > On Tue, Jan 25, 2011 at 12:20 PM, Yiannis Pavlosoglou <yiannis at owasp.org>
> > wrote:
> >>
> >> Dear all,
> >>
> >> This email carries the news that I am resigning from all owasp related
> >> matters. We don't really have a resignation process, so this is the
> >> closest that we will come to this.
> >>
> >> My work is done here; I feel that we have proved what the problem is.
> >>
> >> The reason is simple; in recent events we proved that on more than one
> >> occasion we dealt with a board member that was lying, cheating and
> >> insulting people in the process. When the response finally came back
> >> on "we have an issue unfolding" it was along the lines of "we are all
> >> under a lot of pressure" and "let's all try to be friends". Not good
> >> enough for me.
> >>
> >> This is under your umbrella of being "open" and on the excuse of
> >> organizing a summit.
> >>
> >> Unfortunately, I am so entrenched in the processes that it will not
> >> take a single step.
> >>
> >> * I will not be coming to the summit.
> >> * I will be giving this last lecture here in London
> >> * I will probably continue contributing some code to various projects
> >>
> >> When Dinis emailed "subere" to make JBroFuzz an owasp project (that's
> >> how owasp started for me believe it or not!) many years back, I went
> >> and read the mission statement before signing up. No where did it say
> >> that there is a monarchy at the very top, nor that all this is
> >> excusable on the fact that we are volunteers.
> >>
> >> For the record, you're a good crowd and I did attempt not to let the
> >> BS filter through. Apologies if this comes as a surprise to a few.
> >>
> >> Yiannis signing off.
> >>
> >>
> >> --
> >> Dr. Yiannis Pavlosoglou
> >> OWASP Global Industry Committee
> >> http://www.owasp.org/index.php/Global_Industry_Committee
> >
> >
> >
> > --
> > Lorna Alamri
> > OWASP Global Industry Committee
> > OWASP MSP: Host to OWASP AppSec USA 2011
> > September 20-23 Training, Talks, CTF, and Showroom
> > www.appsecusa.org
> > @appsecusa, @owaspmsp @OWASPSummit
> > Dir: 651-338-0243
> > skype: lorna.alamri
> > lorna.alamri at owasp.org
> >
> 
> 
> 
> --
> Dr. Yiannis Pavlosoglou
> OWASP Global Industry Committee
> http://www.owasp.org/index.php/Global_Industry_Committee
> 
> 
> 
> --
> Dr. Yiannis Pavlosoglou
> OWASP Global Industry Committee
> http://www.owasp.org/index.php/Global_Industry_Committee
> 
> 
> 
> 
> -- 
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> 
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
> 
> 
> As for the first one, roughly a year ago or so, when Yiannis decided that his project should be assessed, he contacted me insistently several times and vividly proposed we had lunch together to talk about it. Because I am always a bit swamped with my daily routines I tried to manage the issue through email as I always do but, given his insistence, I ultimately agreed and we met for lunch in central London. To say it as clear as possible, I have returned from the meeting with lots of perplexity since most of the time what Yiannis said hardly made any sense to me. If I understood well his speech he has advanced a thesis under which OWASP has been doing everything completely wrong and the entire community of app sec professionals, if not the entire world, was of his opinion. I’ve tried several times to ask him about concrete mistakes and responsibilities but in my opinion I have only got a set of reasonably incoherent mumbles. He jumped from saying that OWASP was being severely criticized by appec professionals to that OWASP’s path was not correct - I have however never concretely understood what the appec professionals were saying about OWASP or why the strategic direction of OWASP was so obviously wrong. Nevertheless I have opted for not supporting his vision and for encouraging him to address the leaders’ mailing list to discuss his concerns by saying I believed OWASP was an open organization in which the open debate was not only allowed but deeply stimulated. I also tried to change the chat’s theme to the operational questions we had to solve regarding the need to evaluate the projects he was leading.
> 
> Given this behaviour I have returned from this meeting puzzled and asking myself whether or not I had been in situation in which an OWASP contributor tried to evangelize and kettle me to some sort of ‘OWASP unhappy people’ club. I have also reflected if Yiannis was thinking in building an alternative to the current Board but ended up concluding that his speech was not enough structured, coherent or even legible to be the case. I’ve talked about this situation with Dinis and let him know about these subjective impressions of mine.
> 
> As for the second episode, it relates to the assessment process itself. However, as a previous point, I’d like to say that I have felt that working with Yiannis is tremendously difficult and that I have only experienced such burdensome when working with M. Boberski. So, to begin with and in Yiannis defence, I think it would only be fair if we kept in mind that the assessment of his project has begun when the GPC was updating its methodologies and that consequently he may have been, to a certain extent, victim of this circumstance. However, that being said, I am of the opinion that Yiannis was always absolutely non-collaborative. For example, he has kept himself insisting that his project should be assessed (and I always understood that he was saying his project should be immediately moved to Stable Quality) but it was a true nightmare to make him to accept that this process should begin by himself performing his own release assessment. Every single request we made, little or big, was always, but always, contested by him and this has gone through until he addressed our leaders mailing with an inflammatory mail (attached) with the illustrative subject of ‘Would the real OWASP please stand up!’ basically complaining about OWASP methodologies. In this time, I have told to him directly that requesting a couple of files (PDF + PPT), a roadmap and a self-assessment, in my view, couldn’t be seen as an asphyxiant burden of bureaucratic work. I am still of the same opinion, and I can say from my experience doing this work, that people usually don’t complain.
> 
> To conclude – I apologise for this long email – I’d like to synthesize my view by saying that in my subjective assessment Yiannis has shown to be a tremendously complicated person to deal with. I don’t know why but it clearly seems to me that something has antagonized him towards OWASP and that this antagonism has never stopped growing.
> 
> Thanks,
> 
> - Paulo
> 
> Paulo Coimbra,
> 
> <http://www.owasp.org/index.php/User:Paulo_Coimbra> OWASP Project Manager
> 
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: quinta-feira, 27 de Janeiro de 2011 15:26
> To: OWASP Foundation Board List
> Subject: Re: [Owasp-board] My resignation from all owasp matters
> 
> The board is "corrupt" according to Yiannis. (below)?!!
> 
> Did this need to get to this point.
> 
> Again as leaders we need to listen more and not dictate.
> 
> First Mike Boberski now Yiannis....Houston we've got a problem.
> 
> On 26 January 2011 20:59, Yiannis Pavlosoglou <yiannis at owasp.org> wrote:
> 
> Hey,
> 
> Not for me, I've taken the easy option and I am out; change this place
> if you can; some people do deserve to see it and I think you get
> what's happening.
> 
> Cheers,
> 
> ---------- Forwarded message ----------
> From: Yiannis Pavlosoglou <yiannis at owasp.org>
> Date: 26 January 2011 20:46
> Subject: Re: My resignation from all owasp matters
> To: Lorna Alamri <lorna.alamri at owasp.org>
> Cc: Colin Watson <colin.watson at owasp.org>, Joe Bernik
> <bernik at gmail.com>, "rex.booth" <rex.booth at us.gt.com>, David Campbell
> <dcampbell at owasp.org>, Georg Heß <georg.hess at artofdefence.com>, Sarah
> Baso <sarah.baso at owasp.org>
> 
> 
> My apologies Lorna,
> 
> There is a cardinal rule in information security, at least among my
> peers: you do not lie. Actually, here in London it has consequences,
> if you do lie, you don't work in this industry any more. Think about
> that, think about how many times you've been lied to in, say, the last
> 3 months.
> 
> You know better than most on this email, that we've spent a lot of
> time collecting logs, cross-correlating our actions, making sure we
> document what we do, one-to-one phone calls, etc. For what? Jeff
> decides and Dinis manipulates.
> 
> Bigger matters, like O2 and the money spent preaching about it, plus
> financial discrepancies (! we are a charity remember?) have not even
> been hinted upon, yet. People on this thread know exactly what I am
> talking about.
> 
> My personal opinion is that the owasp board needs to be dissolved and
> a new governing body needs to be established. They are far too
> corrupt!
> 
> Regardless, we've shown what the problem is, we offered to address it
> and we've proven where they should start. Now, all that said, don't we
> have better things to do?
> 
> Please let's leave it at that as I don't plan on following up on this
> thread (I don't even know how long this account will be active for:)
> 
> Thank you,
> 
> Yiannis
> 
> On 26 January 2011 15:26, Lorna Alamri <lorna.alamri at owasp.org> wrote:
>> Yiannis,
>> I understand your frustration and disgust, however I respectfully disagree with your approach to a resolution. You are a respected OWASP leader that many of us, myself especially, look to for guidance, so I am disappointed that you will not be at the Summit to participate and bring these issues to the large group for open discussion and resolution. There are several working sessions at the Summit with a focus on some of the issues you have eluded to in your e-mail.
>> As example:
>> 
>> OWASP Board/Committee Governance
>> Professionalize OWASP
>> Should OWASP hire a Chief Executive Officer (CEO)?
>> 
>> From that and some of the strings on the leaders list I am sure that you are not the only one with these concerns. As a leader, its your obligation to be heard, not just by the board, but by the other leaders who will be assembled at the Summit. If we were all to throw our hands up in disgust and walk away there would be no OWASP, but is that really a solution? Does it fix anything? no. So I am asking you to lead by example, to come to the Summit and work to right those issues that are so frustrating you.
>> I will support you in whatever your decision ultimately is, but hope that you will reconsider.
>> Sincerely,
>> Lorna
>> 
>> 
>> 
>> 
>> On Tue, Jan 25, 2011 at 12:20 PM, Yiannis Pavlosoglou <yiannis at owasp.org> wrote:
>>> 
>>> Dear all,
>>> 
>>> This email carries the news that I am resigning from all owasp related
>>> matters. We don't really have a resignation process, so this is the
>>> closest that we will come to this.
>>> 
>>> My work is done here; I feel that we have proved what the problem is.
>>> 
>>> The reason is simple; in recent events we proved that on more than one
>>> occasion we dealt with a board member that was lying, cheating and
>>> insulting people in the process. When the response finally came back
>>> on "we have an issue unfolding" it was along the lines of "we are all
>>> under a lot of pressure" and "let's all try to be friends". Not good
>>> enough for me.
>>> 
>>> This is under your umbrella of being "open" and on the excuse of
>>> organizing a summit.
>>> 
>>> Unfortunately, I am so entrenched in the processes that it will not
>>> take a single step.
>>> 
>>> * I am not be coming to the summit.
>>> * I will be giving this last lecture here in London
>>> * I will probably continue contributing some code to various projects
>>> 
>>> When Dinis emailed "subere" to make JBroFuzz an owasp project (that's
>>> how owasp started for me believe it or not!) many years back, I went
>>> and read the mission statement before signing up. No where did it say
>>> that there is a monarchy at the very top, nor that all this is
>>> excusable on the fact that we are volunteers.
>>> 
>>> For the record, you're a good crowd and I did attempt not to let the
>>> BS filter through. Apologies if this comes as a surprise to a few.
>>> 
>>> Yiannis signing off.
>>> 
>>> 
>>> --
>>> Dr. Yiannis Pavlosoglou
>>> OWASP Global Industry Committee
>>> http://www.owasp.org/index.php/Global_Industry_Committee
>> 
>> 
>> 
>> --
>> Lorna Alamri
>> OWASP Global Industry Committee
>> OWASP MSP: Host to OWASP AppSec USA 2011
>> September 20-23 Training, Talks, CTF, and Showroom
>> www.appsecusa.org <http://www.appsecusa.org/>
>> @appsecusa, @owaspmsp @OWASPSummit
>> Dir: 651-338-0243
>> skype: lorna.alamri
>> lorna.alamri at owasp.org
>> 
> 
> 
> 
> --
> Dr. Yiannis Pavlosoglou
> OWASP Global Industry Committee
> http://www.owasp.org/index.php/Global_Industry_Committee
> 
> 
> 
> --
> Dr. Yiannis Pavlosoglou
> OWASP Global Industry Committee
> http://www.owasp.org/index.php/Global_Industry_Committee
> 
> 
> 
> 
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> 
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
> 
> 
> D'>Paulo Coimbra,<o:p></o:p></span></p><p class=3DMsoNormal><span =
> lang=3DPT =
> style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
> D'><a href=3D"http://www.owasp.org/index.php/User:Paulo_Coimbra"><span =
> lang=3DEN-GB>OWASP Project Manager</span></a></span><span =
> style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
> D'><o:p></o:p></span></p><p class=3DMsoNormal><span =
> style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
> D'><o:p> </o:p></span></p><div =
> style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
> 4.0pt'><div><div style=3D'border:none;border-top:solid #B5C4DF =
> 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=3DMsoNormal><b><span =
> lang=3DEN-US =
> style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span>=
> </b><span lang=3DEN-US =
> style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a =
> href=3D"mailto:owasp-board-bounces at lists.owasp.org">owasp-board-bounces at l=
> ists.owasp.org</a> <a =
> href=3D"mailto:[mailto:owasp-board-bounces at lists.owasp.org]">[mailto:owas=
> p-board-bounces at lists.owasp.org]</a> <b>On Behalf Of =
> </b>Eoin<br><b>Sent:</b> quinta-feira, 27 de Janeiro de 2011 =
> 15:26<br><b>To:</b> OWASP Foundation Board List<br><b>Subject:</b> Re: =
> [Owasp-board] My resignation from all owasp =
> matters<o:p></o:p></span></p></div></div><p =
> class=3DMsoNormal><o:p> </o:p></p><div><p class=3DMsoNormal>The =
> board is "corrupt" according to Yiannis. =
> (below)?!!<o:p></o:p></p></div><div><p =
> class=3DMsoNormal> <o:p></o:p></p></div><div><p =
> class=3DMsoNormal>Did this need to get to this =
> point.<o:p></o:p></p></div><div><p =
> class=3DMsoNormal> <o:p></o:p></p></div><div><p =
> class=3DMsoNormal>Again as leaders we need to listen more and not =
> dictate.<o:p></o:p></p></div><div><p class=3DMsoNormal>First Mike =
> Boberski now Yiannis....Houston we've got a =
> problem.<o:p></o:p></p></div><div><p =
> class=3DMsoNormal><br> <o:p></o:p></p></div><div><p =
> class=3DMsoNormal>On 26 January 2011 20:59, Yiannis Pavlosoglou <<a =
> href=3D"mailto:yiannis at owasp.org">yiannis at owasp.org</a>> =
> wrote:<o:p></o:p></p><p class=3DMsoNormal>Hey,<br><br>Not for me, I've =
> taken the easy option and I am out; change this place<br>if you can; =
> some people do deserve to see it and I think you get<br>what's =
> happening.<br><br>Cheers,<br><br>---------- Forwarded message =
> ----------<br>From: Yiannis Pavlosoglou <<a =
> href=3D"mailto:yiannis at owasp.org">yiannis at owasp.org</a>><br>Date: 26 =
> January 2011 20:46<br>Subject: Re: My resignation from all owasp =
> matters<br>To: Lorna Alamri <<a =
> href=3D"mailto:lorna.alamri at owasp.org">lorna.alamri at owasp.org</a>><br>=
> Cc: Colin Watson <<a =
> href=3D"mailto:colin.watson at owasp.org">colin.watson at owasp.org</a>>, =
> Joe Bernik<br><<a =
> href=3D"mailto:bernik at gmail.com">bernik at gmail.com</a>>, =
> "rex.booth" <<a =
> href=3D"mailto:rex.booth at us.gt.com">rex.booth at us.gt.com</a>>, David =
> Campbell<br><<a =
> href=3D"mailto:dcampbell at owasp.org">dcampbell at owasp.org</a>>, Georg =
> He=DF <<a =
> href=3D"mailto:georg.hess at artofdefence.com">georg.hess at artofdefence.com</=
> a>>, Sarah<br>Baso <<a =
> href=3D"mailto:sarah.baso at owasp.org">sarah.baso at owasp.org</a>><br><br>=
> <br>My apologies Lorna,<br><br>There is a cardinal rule in information =
> security, at least among my<br>peers: you do not lie. Actually, here in =
> London it has consequences,<br>if you do lie, you don't work in this =
> industry any more. Think about<br>that, think about how many times =
> you've been lied to in, say, the last<br>3 months.<br><br>You know =
> better than most on this email, that we've spent a lot of<br>time =
> collecting logs, cross-correlating our actions, making sure =
> we<br>document what we do, one-to-one phone calls, etc. For what? =
> Jeff<br>decides and Dinis manipulates.<br><br>Bigger matters, like O2 =
> and the money spent preaching about it, plus<br>financial discrepancies =
> (! we are a charity remember?) have not even<br>been hinted upon, yet. =
> People on this thread know exactly what I am<br>talking about.<br><br>My =
> personal opinion is that the owasp board needs to be dissolved and<br>a =
> new governing body needs to be established. They are far =
> too<br>corrupt!<br><br>Regardless, we've shown what the problem is, we =
> offered to address it<br>and we've proven where they should start. Now, =
> all that said, don't we<br>have better things to do?<br><br>Please let's =
> leave it at that as I don't plan on following up on this<br>thread (I =
> don't even know how long this account will be active for:)<br><br>Thank =
> you,<br><br>Yiannis<br><br>On 26 January 2011 15:26, Lorna Alamri <<a =
> href=3D"mailto:lorna.alamri at owasp.org">lorna.alamri at owasp.org</a>> =
> wrote:<br>> Yiannis,<br>> I understand your frustration and =
> disgust, however I respectfully disagree<br>> with your approach to a =
> resolution. You are a respected OWASP leader that<br>> many of us, =
> myself especially, look to for guidance, so I am disappointed<br>> =
> that you will not be at the Summit to participate and bring these issues =
> to<br>> the large group for open discussion and resolution. There are =
> several<br>> working sessions at the Summit with a focus on some of =
> the issues you have<br>> eluded to in your e-mail.<br>> As =
> example:<br>><br>> OWASP Board/Committee Governance<br>> =
> Professionalize OWASP<br>> Should OWASP hire a Chief Executive =
> Officer (CEO)?<br>><br>> From that and some of the strings on the =
> leaders list I am sure that you are<br>> not the only one with these =
> concerns. As a leader, its your obligation to be<br>> heard, not just =
> by the board, but by the other leaders who will be assembled<br>> at =
> the Summit. If we were all to throw our hands up in disgust and walk =
> away<br>> there would be no OWASP, but is that really a solution? =
> Does it fix<br>> anything? no. So I am asking you to lead by example, =
> to come to the Summit<br>> and work to right those issues that are so =
> frustrating you.<br>> I will support you in whatever your decision =
> ultimately is, but hope that<br>> you will reconsider.<br>> =
> Sincerely,<br>> Lorna<br>><br>><br>><br>><br>> On Tue, =
> Jan 25, 2011 at 12:20 PM, Yiannis Pavlosoglou <<a =
> href=3D"mailto:yiannis at owasp.org">yiannis at owasp.org</a>><br>> =
> wrote:<br>>><br>>> Dear all,<br>>><br>>> This =
> email carries the news that I am resigning from all owasp =
> related<br>>> matters. We don't really have a resignation process, =
> so this is the<br>>> closest that we will come to =
> this.<br>>><br>>> My work is done here; I feel that we have =
> proved what the problem is.<br>>><br>>> The reason is =
> simple; in recent events we proved that on more than one<br>>> =
> occasion we dealt with a board member that was lying, cheating =
> and<br>>> insulting people in the process. When the response =
> finally came back<br>>> on "we have an issue unfolding" =
> it was along the lines of "we are all<br>>> under a lot of =
> pressure" and "let's all try to be friends". Not =
> good<br>>> enough for me.<br>>><br>>> This is under =
> your umbrella of being "open" and on the excuse of<br>>> =
> organizing a summit.<br>>><br>>> Unfortunately, I am so =
> entrenched in the processes that it will not<br>>> take a single =
> step.<br>>><br>>> * I am not be coming to the =
> summit.<br>>> * I will be giving this last lecture here in =
> London<br>>> * I will probably continue contributing some code to =
> various projects<br>>><br>>> When Dinis emailed =
> "subere" to make JBroFuzz an owasp project (that's<br>>> =
> how owasp started for me believe it or not!) many years back, I =
> went<br>>> and read the mission statement before signing up. No =
> where did it say<br>>> that there is a monarchy at the very top, =
> nor that all this is<br>>> excusable on the fact that we are =
> volunteers.<br>>><br>>> For the record, you're a good crowd =
> and I did attempt not to let the<br>>> BS filter through. =
> Apologies if this comes as a surprise to a few.<br>>><br>>> =
> Yiannis signing off.<br>>><br>>><br>>> --<br>>> =
> Dr. Yiannis Pavlosoglou<br>>> OWASP Global Industry =
> Committee<br>>> <a =
> href=3D"http://www.owasp.org/index.php/Global_Industry_Committee" =
> target=3D"_blank">http://www.owasp.org/index.php/Global_Industry_Committe=
> e</a><br>><br>><br>><br>> --<br>> Lorna Alamri<br>> =
> OWASP Global Industry Committee<br>> OWASP MSP: Host to OWASP AppSec =
> USA 2011<br>> September 20-23 Training, Talks, CTF, and =
> Showroom<br>> <a href=3D"http://www.appsecusa.org/" =
> target=3D"_blank">www.appsecusa.org</a><br>> @appsecusa, @owaspmsp =
> @OWASPSummit<br>> Dir: 651-338-0243<br>> skype: =
> lorna.alamri<br>> <a =
> href=3D"mailto:lorna.alamri at owasp.org">lorna.alamri at owasp.org</a><br>>=
> <br><br><br><br>--<br>Dr. Yiannis Pavlosoglou<br>OWASP Global Industry =
> Committee<br><a =
> href=3D"http://www.owasp.org/index.php/Global_Industry_Committee" =
> target=3D"_blank">http://www.owasp.org/index.php/Global_Industry_Committe=
> e</a><br><span style=3D'color:#888888'><br><br><br>--<br>Dr. Yiannis =
> Pavlosoglou<br>OWASP Global Industry Committee<br><a =
> href=3D"http://www.owasp.org/index.php/Global_Industry_Committee" =
> target=3D"_blank">http://www.owasp.org/index.php/Global_Industry_Committe=
> e</a></span><o:p></o:p></p></div><p class=3DMsoNormal><br><br =
> clear=3Dall><br>-- <br>Eoin Keary<br>OWASP Global Board Member<br>OWASP =
> Code Review Guide Lead Author<br><br>Sent from my i-Transmogrifier<br><a =
> href=3D"http://asg.ie/">http://asg.ie/</a><br><a =
> href=3D"https://twitter.com/EoinKeary">https://twitter.com/EoinKeary</a><=
> o:p></o:p></p></div></div></body></html>
> ------=_NextPart_001_034F_01CBBE6B.A5A80060--
> 
> From: "Yiannis Pavlosoglou" <yiannis at owasp.org>
> Sender: <owasp-leaders-bounces at lists.owasp.org>
> To: <owasp-leaders at lists.owasp.org>
> Subject: [Owasp-leaders] Would the real OWASP please stand up!
> Date: Thu, 17 Sep 2009 15:40:32 -0000
> 
> So I am sitting there coding away.. A little fuzzer, no more no less,
> 16 versions later, pet project, adding some new .NET payloads, new
> encodings, etc.
> 
> In the process I am wondering what happened to OWASP, how come and no
> one finding vulnerabilities in web applications, respects this
> organization anymore?
> 
> * You turn up to any other security meeting, you don't even mention
> the acronym without getting looked badly upon
> * People actually tell me that they avoid going to particular chapter
> meetings, because they are sick and tired of presenters implicitly
> trying to sell their own company/service/tool
> * Project leaders are thinking of pulling their projects from OWASP,
> because they are not into filling pamphlets, presentation slides and
> assessment criteria; simply they've got a new cool hack for, say, .NET
> input validation, embedded in a python script, document it and it just
> works! Did you ever see a pamphlet for apache 1.3.27?
> * Chapter leaders do not want to go to their own folks and ask for
> donations; people that they have been together with from the beginning
> of their security careers
> 
> And then just as I am about to give up on committees and boards and
> members and leaders, I wiz through the testing guide v_22, page 888
> and I see a true gem; I download the latest version of orizon and
> notice that workaround that would have saved me in the last web
> application assessment.
> 
> Is it too much to ask for, cutting through all of this and focusing on
> that magic phrase, web application security?
> 
> You want a marketing department? Go hire one! The time that it takes
> me to add double encoding payloads for sharepoint into JBroFuzz is the
> time wasted on self assessment criteria. Project leader's ego aside,
> which one is better?
> 
> And whatever happened to being humble and modest if you are good at
> what you do, especially in information security.. Blow your own
> trumpet, if you've got something to say, not stale news please.
> 
> Yes, continue to evolve and expand OWASP, do make us all proud, but
> set up some ground rules to address and harvest knowledge coming in
> from the ground. More importantly, get rid of all these silly silly
> red tape equivalents. Do not establish anything new (e.g. committees)
> without rules on how somebody will lose their status.
> 
> And then comes the ultimate excuse, "it was out there for all to
> comment while we were setting up X". But how can I even comment, when
> your definition of X is ill-defined? When you didn't listen on the
> problems that its predecessor Y created. If you look at the
> power/responsibility ratio in other open source communities (say the
> linux kernel) mistakes are guaranteed not to be repeated again. Still
> in OWASP, JBroFuzz, still filling in forms, still not release quality.
> Paulo is promising that this will be the last time. What was another
> true gem that came my way, along the lines of, "we simply don't know
> what version your tool is, you need to tell us". Sincerely, if the
> about box is not enough? Go google it!
> 
> It seems to me a couple of years down the line, it was the tip of the
> iceberg trying to get a simple, silly fuzzer to release quality level;
> in understanding the real OWASP and seeing how many others, globally,
> from founder equivalent level to the non-member level feel partially
> similar. Any chance of a change?
> 
> 
> Here are a few
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20110127/1a695373/attachment-0002.html>