[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Fri Feb 14 17:30:14 UTC 2014


I agree that the Google Hacking Inquiry itself and Christian's behavior
afterward (along with the consequences) are two separate, but related,
topics.  I addressed my thoughts on this in a separate thread here:



On Fri, Feb 14, 2014 at 10:51 AM, Martin Knobloch <martin.knobloch at owasp.org> wrote:

> Hi Josh, board,
>
> For the options you mentioned:
> Great wording and solution! The rules are clear, there is a clear
> probation period, with the only but hard request to behave according to the
> OWASP ethics, if the 2nd option - call it the path of forgiveness - is
> chosen by all parties.
> We now have rules of consequences if any individual is proven and
> found guilty of acting in conflict with the OWASP ethics (judging this case).
> This should be extended to legal entities such as companies or corporations
> acting in conflict with those (e.g. corporate sponsors).
> IMHO, this should be attached to the OWASP regulations for reinstatement
> after a reasonable period of exclusion (I thought this had been set in the
> regulations for a time period of 1 year).
>
> About the inquiry:
> I do not judge the decision of the previous board to be correct or not. I
> just wonder about the inquiry, as it seems to focus purely on the Google
> Hacking project.
> At the sidelines I have been able to follow this case from the early
> start. The exclusion of Christian, if I recall correctly, was not due to
> the "Google Hacking Project" or the result of the inquiries around that.
> From what I recall, it was a result of Christian's actions at the
> Australian GovCert conference, which were highly conflicting with the
> OWASP ethics.
> ..just wondering as I seem to miss this part in your inquiries!
>
> Anyhow, I think your proposal is mature and professional.
> In case this is accepted by both parties, it must be monitored by
> someone; I understand you volunteered to do so.
>
> Cheers,
> -martin
>
> On Fri, Feb 14, 2014 at 4:57 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> There's been a lot of private messages floating around lately.  I
>> understand that due to the sensitivity of certain topics, not everything
>> that we do as a Board can be done entirely in the public light, but I do
>> feel that it's extremely important to be as transparent as possible.  Thus,
>> what follows is an attempt to summarize concerns and desires on behalf of
>> everyone involved in Christian's request for reinstatement in a manner that
>> does not reflect on any one individual.  I feel that I've dedicated enough
>> time to this subject to be as much an expert as any and I feel confident
>> that I know the thoughts, feelings, and rationales on both sides of the
>> fence here.  Feel free to respond back as you see fit.
>> *Christian:*
>> Much of what you've said and done in both public and private is
>> deplorable.  In the world of security, where your morals and ethics are the
>> only thing that keeps you from passing as a BlackHat, time and time again
>> you've proven to have at best poor judgement and at worst poor moral
>> character.  You can try to rationalize it by saying that you have been
>> wronged and deserve justice, but the fact is that these words and actions
>> are yours and yours alone.  You may have been provoked, you may have been
>> bullied, but what people see, what people hold onto, is how you handle
>> yourself when that happens.  I've now spoken with numerous people who had
>> close dealings with you and there is one recurring theme that *all* have
>> mentioned.  No topic is off limits with you when it comes to insults and
>> insinuations and you have no issue with burning bridges as you go.  With
>> the global security community (and especially OWASP) being as small and
>> close-knit as it is, it should be no surprise that your actions with one
>> individual could have a ripple effect with others.  Reputations in this
>> industry are built just as much on who you are as a person as on what
>> you're technically capable of.  Even the best and brightest can be
>> ostracized from a community if they continually serve on the side of
>> negativity.  Thus, I implore you in public as I have already counseled you
>> in private, to set aside this quest for justice as it continually leads you
>> down the path of negativity.  While you may feel that you've hit rock
>> bottom here, I feel that you will continue to stay there until you can
>> reshape your attitude and approach to people.  You have the power to make
>> your situation better, but that will be done with forgiveness and not
>> vengeance.
>> *Board:*
>> While it's true that Christian has said and done some deplorable things,
>> he is not a monster, he is a person with thoughts and feelings like any
>> other.  He feels that an injustice has been done and that it has cost him
>> his job and reputation.  If being married has taught me anything, it's that
>> feelings aren't a "right" or a "wrong", but how something affects our
>> mental or physical state.  Our choice now, just like in a marriage, is to
>> determine whether it benefits the greater good more to ignore these
>> feelings and dismiss the individual or to try to help them to feel
>> different and hopefully better.  To be fair, I think that either approach
>> is valid, but I think that the path you take here says a lot about your own
>> character.  I'd also say that how you handle such a situation when it
>> arises will likely determine your relationship with said individual going
>> forward (i.e. does your marriage end in divorce, losing half your stuff, and
>> split custody of the kids).  So, I'd ask you to think about what you
>> ultimately want out of this situation.  Do you want to pursue the path that
>> might allow us to reconcile our differences and make things better for
>> everyone or do you want to make the individual feel belittled and
>> unimportant?  You have the power to show some compassion and help a person
>> who is down to change their life for the better.
>> *All:*
>> In my opinion, there are clear "wrongs" on both sides here.  We all need
>> to own up to our actions and be willing to forgive if we are ever to move
>> forward here.  Christian, this means taking personal accountability for the
>> things that you've said and done and making a best effort to do better
>> going forward.  Board, this means recognizing that Christian may have said
>> and done some things out of desperation and despair and being willing to
>> provide him with support and guidance so that he can adhere to our Code of
>> Ethics moving forward.  Both sides need to consider this a "cease fire" and
>> need to be willing to "wipe the slate clean" in order to move forward.
>> *Conclusion:*
>> The time has come for us to lay this issue to rest one way or another.  I
>> don't want to deal with this same thing again in six months' time and don't
>> want another Board to have to deal with it six years from now either.  So,
>> I have two proposals here:
>> 1) If either the Board feels that Christian cannot be changed or
>> Christian feels that he cannot change himself, then I propose we just go
>> our separate ways indefinitely.  No more temporary revocations or requests
>> for reinstatement.  They only serve as a continual reminder for all parties
>> of the hassles and heartaches involved here.  From Christian's perspective,
>> we can say that he walked away of his own accord and from OWASP's
>> perspective we can provide private documentation for future Boards of this
>> mutual arrangement to exist separately.  There should be no "bashing" by or
>> against either side going forward.
>> 2) If Christian feels that he can change his behavior and the Board would
>> be willing to provide an opportunity for him to do so, then I propose that
>> we provide Christian with the reinstatement that he seeks under the
>> following terms.  First, Christian *must* acknowledge that he
>> understands and will adhere to the terms set forth in the OWASP Code of
>> Ethics.  This is an expectation for all OWASP members and is
>> non-negotiable.  I will point out that this explicitly means dropping any
>> activities that would intentionally injure or impugn the professional
>> reputation of colleagues, clients, or employers.  Second, I will personally
>> offer myself up as a Board representative to help guide Christian toward
>> success.  I feel that we've developed a decent working relationship and I
>> hope that he feels the same way about me.  Third, for a period of one year,
>> we consider this a trial run and Christian refrains from seeking leadership
>> roles within OWASP or from presenting as a representative of OWASP.  This
>> is to minimize risk to the Foundation of potential ramifications if we are
>> unsuccessful in this endeavor.  Fourth, with the exception of the above,
>> Christian is to be treated as any other OWASP member.  No announcements
>> about his return attempts to seek approval from the community.  We don't do
>> this with others and shouldn't make a big deal out of it for him either.
>> Fifth, since strict adherence to the OWASP Code of Ethics is our policy,
>> any attempt to willfully violate this by Christian, at any point in the
>> future, will result in his immediate expulsion from OWASP with a ban on
>> reinstatement.  While I would normally feel that this is excessive, I think
>> that we've already wasted precious cycles on this issue and am not willing
>> to spend any more on additional violations going forward.
>> There you have it.  My summary of the situation and my conclusions on how
>> to best move forward.  There's a path of dissolution and a path of
>> cooperation.  I'd welcome additional, open, discussion on the topic, but
>> would like to keep this focused on the future and not the past.  Cool?
>> Thanks!
>> ~josh
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
