[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Sat Feb 15 07:21:06 UTC 2014


I hear you on 1 and 2, but I don't think they change what I said one way or
another.  I don't want to spend a lot of time harping on 3 because the goal
is to move forward here.  I didn't say that you were a BlackHat, I said
that time and time again you've proven to have at best poor judgement and
at worst poor moral character.  You may take offense to this, but this is
how many in the security community perceive you.  At a certain threshold
this becomes a decent indication that it is your problem and not theirs.

~josh


On Fri, Feb 14, 2014 at 10:37 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
>
> I just wanted to add:
>
> 1. Chris Schmidt states that I made several valuable contributions to
> OWASP prior to the Google Hacking Inquiry and that a significant
> change in my behaviour occurred as a direct result of how unfairly I
> was treated during the proceedings i.e.
> http://lists.owasp.org/pipermail/owasp-leaders/2012-January/006639.html
>
> 2. I made several positive contributions to the OWASP Leaders List
> after Jeff Williams announced my suspension i.e.
> https://lists.owasp.org/pipermail/owasp-leaders/2010-October/003857.html,
> https://lists.owasp.org/pipermail/owasp-leaders/2010-October/003858.html
> and
> https://lists.owasp.org/pipermail/owasp-leaders/2010-September/003593.html
> .
>
> It should be noted that Jeff, rather than demonstrate basic courtesy
> and notify me that he was intending to remove me from the
> owasp-leaders list due to the request from the inactive Chapter Leader
> Chris Gatford i.e.
> https://lists.owasp.org/pipermail/owasp-board/2010-October/003926.html.
>  Jeff continued to show me further disrespect when I attempted to
> resubscribe i.e.
> http://lists.owasp.org/pipermail/owasp-board/2010-November/009227.html
>
> Furthermore, this was after questions had been asked about Dinis Cruz
> removing me from the OWASP Leaders List even though a number of
> inactive project leaders remain subscribed to this list i.e.
>
> https://lists.owasp.org/pipermail/owasp-google-hacking/2010-July/000053.html
>
> 3. I take considerable offence to your "BlackHat" comment about my ethics.
>
> I will remind the OWASP Board that Chris Gatford, who claims to be an
> ethical hacker e.g. http://www.youtube.com/watch?v=ErHpJ341mEI is
> known to fabricate evidence i.e.
>
> http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
> and has upheld the employment of Jody Melbourne, who has presented on
> topics such as "dealing with cyberbullying", after it was revealed he
> was harassing single mother Asher Wolf i.e.
> https://twitter.com/Asher_Wolf/status/390496181710635009
>
> To quote http://seclists.org/fulldisclosure/2013/Mar/204 below:
>
> "The log files were forwarded in full to Jody's employer, Hacklabs,
> who has reviewed them and decided that he remains a suitable person to
> consult in their clients' business. We urge you to read the below
> information and decide for yourself if Jody should be working in or
> for your company."
>
> On Sat, Feb 15, 2014 at 12:51 PM, Christian Heinrich
> <christian.heinrich at cmlh.id.au> wrote:
> > Josh,
> >
> > On Sat, Feb 15, 2014 at 2:57 AM, Josh Sokol <josh.sokol at owasp.org>
> wrote:
> >> Third, for a period of one year, we consider this a trial run and
> >> Christian refrains from seeking leadership roles within OWASP or from
> >> presenting as a representative of OWASP.  This is to minimize risk to
> >> the Foundation of potential ramifications if we are unsuccessful in
> >> this endeavor.
> >> Fourth, with the exception of above, Christian is to be treated as any
> >> other OWASP member
> >
> > For the moment I have no desire to lead an OWASP Project but have made
> > several positive contributions to OWASP Project i.e.
> > http://www.securecoding.org/pipermail/sc-l/2013/002945.html neither do
> > I have any desire to lead an OWASP Chapter in Australia and this is
> > solely due to OWASP's poor reputation with other Australian based
> > associations and conferences resulting from inaccurate accusations
> > made by Australian OWASP members i.e.
> > http://lists.owasp.org/pipermail/owasp-leaders/2010-July/003309.html
> >
> > However, the Google Hacking Inquiry has significantly defamed my high
> > standing within the Australian security community e.g.
> > http://beastorbuddha.com/2010/06/11/random-links-and-rants-9/,
> > http://2010.kiwicon.org/the-con/cfp/, etc which has also affected my
> > reputation overseas due to the global reach of OWASP and has directly
> > resulted in several lost job opportunities during the final referee
> > phase of the recruitment process.
> >
> > Furthermore, the smear of the Google Hacking Inquiry continues to this
> > day i.e. https://twitter.com/DinisCruz/status/366228396348411904 as
> > the root cause is yet to be addressed (this is stated in the OWASP
> > Google Hacking Inquiry) which is:
> >
> > 1. The primary issue which is Chris Gatford (the Chapter Leader of the
> > "inactive" OWASP Sydney Chapter) of which a large body of evidence
> > supports that he is the owner of the "unverified sources" cited in the
> > PDF and his spread of false rumour to influence an adverse and biased
> > proceeding against me i.e.
> > http://lists.owasp.org/pipermail/owasp-board/2010-June/008481.html
> >
> > 2. The secondary issue which is the continued marketing and promotion
> > of the commercial business of the OWASP Melbourne Chapter Leader i.e.
> > http://lists.owasp.org/pipermail/owasp-australia/2010-June/000288.html
> >
> > 3. The third issue is the ulterior motive of Dinis Cruz i.e.
> > http://lists.owasp.org/pipermail/owasp-board/2011-January/009590.html,
> > in perpetuating the OWASP Google Hacking Inquiry above and beyond what
> > an OWASP member would consider reasonable i.e.
> > http://lists.owasp.org/pipermail/owasp-board/2010-July/008566.html
> > which is against OWASP Ethics.  Also, I am not the only OWASP Member
> > that Dinis has attacked in the past which is clearly in conflict and
> > an abuse of his position as a (former) OWASP Board Member.
> >
> > Therefore, I reject the notion that the OWASP Google Hacking Inquiry
> > simply be struck from the record as the artifacts can be recovered
> > using Wayback Machine, etc as it was published to the Internet.
> > Neither does this action resolve the above three issues, and this is
> > demonstrated when an OWASP Board Member has attempted to intervene
> > with "facts" related to particular incidents e.g.
> > https://lists.owasp.org/pipermail/owasp-leaders/2011-May/005281.html
> >
> > I would recommend that the OWASP Board consult with their PR Agent as
> > to wording of the replacement text of the OWASP Google Hacking Inquiry
> > that is reasonable for all involved.
> >
> > Furthermore, you [Josh] and others have cited that both periods of the
> > termination and suspension have had no effect and I have intentionally
> > exploited the end of each period.  Furthermore, I find the
> > recommendation of "another year" simply offensive as it is perceived
> > as similar to monitoring a "sex offender" while they integrate into
> > the general community.
> >
> > Therefore, I would like to propose the following resolution to be
> > undertaken during https://2014.appsec.eu/:
> >
> > 1. I be allowed to present at https://2014.appsec.eu/ on a reasonable
> > body of work related to OWASP (but not in the capacity as an OWASP
> > Project Leader but that of an end user).  This is to assess
> > http://lists.owasp.org/pipermail/owasp-board/2010-June/008481.html
> > which has been proven false during the Google Hacking Inquiry
> >
> > 2. I participate in a suitable OWASP focused working session similar
> > to that of the OWASP Project session held during OWASP EU 2009 (as an
> > OWASP member but not Chapter or Project Leader).
> >
> > 3. A separate closed working session is held to clarify the incorrect
> > perception of Andre Ludwig, Rex Booth et al in person (and depending
> > on their attendance).  You [Josh] and I may be able to resolve their
> > concerns prior to https://2014.appsec.eu/
> >
> > 4. I am not to be approached or come into direct contact (within
> > reason) with either Dinis Cruz, Tom Brennan, Arshan Dabirsiaghi or
> > Jeff Williams during https://2014.appsec.eu/
> >
> > 5. Sarah Baso, Dennis Grooves and the OWASP Board Members (excluding
> > Tom Brennan), etc will conduct a debrief with me at the conclusion of
> > https://2014.appsec.eu/.  If a negative comment is received during
> > https://2014.appsec.eu/ then I be provided with reasonable time to
> > respond in which to remove any bias from the witness.
> >
> > There is a risk that this may be tainted due to ongoing media coverage
> > of AusCERT since this is held in May i.e.
> > http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
> > but the above (point 5) manages this risk appropriately.  Furthermore,
> > I expect to have the CMC Police Integrity Unit reach a conclusion
> > before May 2014 which will absolve me beyond a reasonable doubt of any
> > wrongdoing.
>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>