[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Fri Feb 14 15:57:04 UTC 2014

There's been a lot of private messages floating around lately.  I
understand that due to the sensitivity of certain topics, not everything
that we do as a Board can be done entirely in the public light, but I do
feel that it's extremely important to be as transparent as possible.  Thus,
what follows is an attempt to summarize concerns and desires on behalf of
everyone involved in Christian's request for reinstatement in a manner that
does not reflect on any one individual.  I feel that I've dedicated enough
time to this subject to be as much an expert as any and I feel confident
that I know the thoughts, feelings, and rationales on both sides of the
fence here.  Feel free to respond back as you see fit.

Much of what you've said and done in both public and private is
deplorable.  In the world of security, where your morals and ethics are the
only thing that keeps you from passing as a BlackHat, time and time again
you've proven to have at best poor judgement and at worst poor moral
character.  You can try to rationalize it by saying that you have been
wronged and deserve justice, but the fact is that these words and actions
are yours and yours alone.  You may have been provoked, you may have been
bullied, but what people see, what people hold onto, is how you handle
yourself when that happens.  I've now spoken with numerous people who had
close dealings with you and there is one recurring theme that *all* have
mentioned.  No topic is off limits with you when it comes to insults and
insinuations and you have no issue with burning bridges as you go.  With
the global security community (and especially OWASP) being as small and
close-knit as it is, it should be no surprise that your actions with one
individual could have a ripple effect with others.  Reputations in this
industry are built just as much on who you are as a person as on what
you're technically capable of.  Even the best and brightest can be
ostracized from a community if they continually serve on the side of
negativity.  Thus, I implore you in public as I have already counseled you
in private, to set aside this quest for justice as it continually leads you
down the path of negativity.  While you may feel that you've hit rock
bottom here, I feel that you will continue to stay there until you can
reshape your attitude and approach to people.  You have the power to make
your situation better, but that will be done with forgiveness and not

While it's true that Christian has said and done some deplorable things, he
is not a monster, he is a person with thoughts and feelings like any
other.  He feels that an injustice has been done and that it has cost him
his job and reputation.  If being married has taught me anything, it's that
feelings aren't a "right" or a "wrong", but how something affects our
mental or physical state.  Our choice now, just like in a marriage, is to
determine whether it benefits the greater good more to ignore these
feelings and dismiss the individual or to try to help them to feel
different and hopefully better.  To be fair, I think that either approach
is valid, but I think that the path you take here says a lot about your own
character.  I'd also say that how you handle such a situation when it
arises will likely determine your relationship with said individual going
forward (i.e. does your marriage end in divorce, losing half your stuff, and
split custody of the kids).  So, I'd ask you to think about what you
ultimately want out of this situation.  Do you want to pursue the path that
might allow us to reconcile our differences and make things better for
everyone or do you want to make the individual feel belittled and
unimportant?  You have the power to show some compassion and help a person
who is down to change their life for the better.

In my opinion, there are clear "wrongs" on both sides here.  We all need to
own up to our actions and be willing to forgive if we are ever to move
forward here.  Christian, this means taking personal accountability for the
things that you've said and done and making a best effort to do better
going forward.  Board, this means recognizing that Christian may have said
and done some things out of desperation and despair and being willing to
provide him with support and guidance so that he can adhere to our Code of
Ethics moving forward.  Both sides need to consider this a "cease fire" and
need to be willing to "wipe the slate clean" in order to move forward.

The time has come for us to lay this issue to rest one way or another.  I
don't want to deal with this same thing again in six months' time and don't
want another Board to have to deal with it six years from now either.  So,
I have two proposals here:

1) If either the Board feels that Christian cannot be changed or Christian
feels that he cannot change himself, then I propose we just go our separate
ways indefinitely.  No more temporary revocations or requests for
reinstatement.  They only serve as a continual reminder for all parties of
the hassles and heartaches involved here.  From Christian's perspective, we
can say that he walked away by his own accord and from OWASP's perspective
we can provide private documentation for future Boards of this mutual
arrangement to exist separately.  There should be no "bashing" by or
against either side going forward.

2) If Christian feels that he can change his behavior and the Board would
be willing to provide an opportunity for him to do so, then I propose that
we provide Christian with the reinstatement that he seeks under the
following terms.  First, Christian *must* acknowledge that he understands
and will adhere to the terms set forth in the OWASP Code of Ethics.  This
is an expectation for all OWASP members and is non-negotiable.  I will
point out that this explicitly means dropping any activities that would
intentionally injure or impugn the professional reputation of colleagues,
clients, or employers.  Second, I will personally offer myself up as a
Board representative to help guide Christian toward success.  I feel that
we've developed a decent working relationship and I hope that he feels the
same way about me.  Third, for a period of one year, we consider this a
trial run and Christian refrains from seeking leadership roles within OWASP
or from presenting as a representative of OWASP.  This is to minimize risk
to the Foundation of potential ramifications if we are unsuccessful in this
endeavor.  Fourth, with the exception of above, Christian is to be treated
as any other OWASP member.  No announcements about his return attempts to
seek approval from the community.  We don't do this with others and
shouldn't make a big deal out of it for him either.  Fifth, since strict
adherence to the OWASP Code of Ethics is our policy, any attempt to
willfully violate this by Christian, at any point in the future, will
result in his immediate expulsion from OWASP with a ban on reinstatement.
While I would normally feel that this is excessive, I think that we've
already wasted precious cycles on this issue and am not willing to spend
any more on additional violations going forward.

There you have it.  My summary of the situation and my conclusions on how
to best move forward.  There's a path of dissolution and a path of
cooperation.  I'd welcome additional, open, discussion on the topic, but
would like to keep this focused on the future and not the past.  Cool?
