[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Sat Feb 15 06:56:27 UTC 2014


Christian,

I want to be clear that what I said was a summary of the points that I've
heard from individuals on both sides of the fence.  The goal was to remove
the background discussions and put it someplace where we could have a
constructive discussion with which to move forward.  In that regard, I
appreciate the calm and controlled response that you took here.  Thank you.

As I've already told you, my goal is to find a peaceful resolution to the
issue at hand.  Pursuing any action against Chris Gatford, the OWASP
Melbourne Chapter Leader, Dinis Cruz, or anyone else only redirects this
attention from one party to another.  I can't support a solution that makes
peace with one person by starting issues with another.  As I said in my
e-mail, there are "wrongs" on both sides and the only way that we can move
forward here is if both sides forgive and the slate is wiped clean.

I'm sorry that you feel that the Google Hacking Inquiry cannot be simply
struck from the record.  Yes, there are wayback machines that prevent
things from being erased entirely, but that doesn't mean that we should
just give in and do nothing.  And to be fair, I could say the same about
your earlier request to modify the inquiry.  My gut feeling here is that
while the inquiry is negative toward you, it's the least of your concerns.
A search for your name and "security" (what I'd probably search for a job
candidate) doesn't even show the inquiry in the first 10 pages of results
on Google.  It does, however, show numerous recounts of journalist arrests
associated with your hack of another security professional involving his
wife and child.  The Google Hacking Inquiry, in my opinion, is the least of
your concerns where your reputation is concerned.

As for the "one year" period, the only thing this applies to is leadership
positions and representing yourself as OWASP for speaking engagements.
It's not meant to be offensive, but rather, to ensure that we can ease you
back into things at a reasonable pace.  Following your example, it's more
like saying a sex offender isn't allowed to run for mayor or take up a
job running a daycare.  There are those who feel that it should be longer,
those who feel it should be shorter, but I picked one year because it
seemed to be a happy medium.

It is unreasonable to ask for a speaking slot at AppSecEU for so many
reasons.  I'm not sure what you think this would prove (your link is
inconclusive as to what you're trying to say here), but this is very
different from the "sit back and observe" desire that you had previously
expressed.  If this arrangement is going to work, then we need to ease you
back into the community and regain their trust before something like this
were to happen.

If you want to participate in an open working session, I'm fine with that.
If you want to avoid certain individuals, I think that's an excellent
idea.  Ultimately, I think the Board wants to make sure you can be a part
of the community without being a burden.  We don't have any expectations of
you over that of any other member.  My proposal is simple and fair.  If you
want to proceed with OWASP, any deal that we make on reinstatement is going
to be similar to what I set forth in my e-mail.

~josh


On Fri, Feb 14, 2014 at 7:51 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
>
> On Sat, Feb 15, 2014 at 2:57 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Third, for a period of one year, we consider this a trial run and
> Christian refrains from seeking
> > leadership roles within OWASP or from presenting as a representative of
> OWASP.  This is to
> > minimize risk to the Foundation of potential ramifications if we are
> unsuccessful in this endeavor.
> > Fourth, with the exception of above, Christian is to be treated as any
> other OWASP member
>
> For the moment I have no desire to lead an OWASP Project but have made
> several positive contributions to OWASP Projects, i.e.
> http://www.securecoding.org/pipermail/sc-l/2013/002945.html. Neither do
> I have any desire to lead an OWASP Chapter in Australia, and this is
> solely due to OWASP's poor reputation with other Australian based
> associations and conferences resulting from inaccurate accusations
> made by Australian OWASP members, i.e.
> http://lists.owasp.org/pipermail/owasp-leaders/2010-July/003309.html
>
> However, the Google Hacking Inquiry has significantly defamed my high
> standing within the Australian security community e.g.
> http://beastorbuddha.com/2010/06/11/random-links-and-rants-9/,
> http://2010.kiwicon.org/the-con/cfp/, etc which has also affected my
> reputation overseas due to the global reach of OWASP and has directly
> resulted in several lost job opportunities during the final referee
> phase of the recruitment process.
>
> Furthermore, the smear of the Google Hacking Inquiry continues to this
> day i.e. https://twitter.com/DinisCruz/status/366228396348411904 as
> the root cause is yet to be addressed (this is stated in the OWASP
> Google Hacking Inquiry) which is:
>
> 1. The primary issue which is Chris Gatford (the Chapter Leader of the
> "inactive" OWASP Sydney Chapter) of which a large body of evidence
> supports that he is the owner of the "unverified sources" cited in the
> PDF and his spread of false rumour to influence an adverse and biased
> proceeding against me i.e.
> http://lists.owasp.org/pipermail/owasp-board/2010-June/008481.html
>
> 2. The secondary issue which is the continued marketing and promotion
> of the commercial business of the OWASP Melbourne Chapter Leader i.e.
> http://lists.owasp.org/pipermail/owasp-australia/2010-June/000288.html
>
> 3. The third issue is the ulterior motive of Dinis Cruz i.e.
> http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html,
> in perpetuating the OWASP Google Hacking Inquiry above and beyond what
> an OWASP member would consider reasonable i.e.
> http://lists.owasp.org/pipermail/owasp-board/2010-July/008566.html
> which is against OWASP Ethics.  Also, I am not the only OWASP Member
> that Dinis has attacked in the past which is clearly in conflict and
> an abuse of his position as a (former) OWASP Board Member.
>
> Therefore, I reject the notion that the OWASP Google Hacking Inquiry
> simply be struck from the record as the artifacts can be recovered
> using Wayback Machine, etc as it was published to the Internet.
> Neither does this action resolve the above three issues, and this is
> demonstrated when an OWASP Board Member has attempted to intervene
> with "facts" related to particular incidents e.g.
> https://lists.owasp.org/pipermail/owasp-leaders/2011-May/005281.html
>
> I would recommend that the OWASP Board consult with their PR Agent as
> to wording of the replacement text of the OWASP Google Hacking Inquiry
> that is reasonable for all involved.
>
> Furthermore, you [Josh] and others have cited that both periods of the
> termination and suspension have had no effect and I have intentionally
> exploited the end of each period.  Furthermore, I find the
> recommendation of "another year" simply offensive as it is perceived
> as similar to monitoring a "sex offender" while they integrate into
> the general community.
>
> Therefore, I would like to propose the following resolution to be
> undertaken during https://2014.appsec.eu/:
>
> 1. I be allowed to present at https://2014.appsec.eu/ on a reasonable
> body of work related to OWASP (but not in the capacity as an OWASP
> Project Leader but that of an end user).  This is to assess
> http://lists.owasp.org/pipermail/owasp-board/2010-June/008481.html
> which has been proven false during the Google Hacking Inquiry
>
> 2. I participate in a suitable OWASP-focused working session similar
> to that of the OWASP Project session held during OWASP EU 2009 (as an
> OWASP member but not Chapter or Project Leader).
>
> 3. A separate closed working session is held to clarify the incorrect
> perception of Andre Ludwig, Rex Booth et al in person (and depending
> on their attendance).  You [Josh] and I may be able to resolve their
> concerns prior to https://2014.appsec.eu/
>
> 4. I am not to be approached or come into direct contact (within
> reason) with either Dinis Cruz, Tom Brennan, Arshan Dabirsiaghi or
> Jeff Williams during https://2014.appsec.eu/
>
> 5. Sarah Baso, Dennis Grooves and the OWASP Board Members (excluding
> Tom Brennan), etc will conduct a debrief with me at the conclusion of
> https://2014.appsec.eu/.  If a negative comment is received during
> https://2014.appsec.eu/ then I be provided with reasonable time to
> respond in which to remove any bias from the witness.
>
> There is a risk that this may be tainted due to ongoing media coverage
> of AusCERT since this is held in May i.e.
>
> http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
> but the above (point 5) manages this risk appropriately.  Furthermore,
> I expect to have the CMC Police Integrity Unit reach a conclusion
> before May 2014 which will absolve me beyond a reasonable doubt of any
> wrongdoing.
>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>