[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Sun Feb 16 02:44:54 UTC 2014


The problem that we have run into is that you have bullied and intimidated
people to the point where others are not willing to be publicly
acknowledged out of fear of retribution by you.  This is why I summarized
the collective feedback from everyone into the statement in my original
e-mail.  Nothing in there was single-sourced.  In fact, I'd venture to say
that there is a relative consensus from everyone that I've spoken with in
that regard.  And while I'd love to give you the opportunity to "cross
examine the witnesses", it's just not possible in this situation.  Hence,
why I stuck to generalized thoughts and feelings rather than specific
accusations.  This isn't an inquiry anymore.  This isn't a trial.  You
don't have to prove your innocence or guilt.  At present, you're not even
an OWASP member and despite being advised by some that talking with you
wasn't even a worthwhile exercise, I maintained that I wanted to give you
every opportunity possible to move forward in a positive fashion.

This isn't a game Christian.  Right now I believe that I am quite literally
the only person who is actively trying to get you reinstated.  As our
discussions progress, it becomes more and more clear to me that it is your
aggression and quest for vengeance that has turned people away.  Yes, I can
tailor some search results to bring up the Google Hacking Inquiry, but
that's not the point.  No perspective employer is ever going to type that
query into Google.  It is far more likely that they will search, as I did,
and come up with all of the other things I mentioned previously.  As I said
earlier, you need to take responsibility for your own actions and quit
blaming others.  Sure, others may have taken their "shot" at you, but the
only one currently keeping you down is you.

There were two points in your last e-mail where you outright threatened
additional negativity if OWASP does not do as you demand.  While I have
told you all along that I seek a positive outcome here, I absolutely do not
tolerate threats and I believe I've made that clear.  I offered two plans
which both offer a peaceful, mutually beneficial solution, albeit with some
conditions, and you have opted, instead, to continue down the same path of
threats and anger.  There was nothing there that was overly burdensome and
nothing that I consider too extreme given the issues we've had in the past,
regardless of the root cause.  I cannot support your request for
reinstatement under your terms, and since you've rejected my two proposals
for peace with additional negative sentiment, I'm unsure that there is
enough common ground for us to continue forward.  I feel that you are
heading in a direction that is clearly not aligned with OWASP's values and
ethics and can no longer support this effort.  I sincerely do appreciate
your time and willingness to speak openly and candidly with me and I wish
you all the best.


On Sat, Feb 15, 2014 at 6:29 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
> On Sat, Feb 15, 2014 at 5:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I want to be clear that what I said was a summary of the points that I've
> > heard from individuals on both sides of the fence.  The goal was to
> remove
> > the background discussions and put it someplace where we could have a
> > constructive discussion with which to more forward.  To that regard, I
> > appreciate the calm and controlled response that you took here.  Thank
> you.
> At the moment it is my word against theirs (and the sources remain
> unknown to me).
> Neither have you approach me to seek sources who would be able to
> represent me in a better light.
> If this was an conducted under independent arbitration then I would be
> able to cross examine each witness that you have spoken to.
> On Sat, Feb 15, 2014 at 5:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > As I've already told you, my goal is to find a peaceful resolution to the
> > issue at hand.  Pursuing any action against Chris Gatford, the OWASP
> > Melbourne Chapter Leader, Dinis Cruz, or anyone else only redirects this
> > attention from one party to another.  I can't support a solution that
> makes
> > peace with one person by starting issues with another.  As I said in my
> > e-mail, there are "wrongs" on both sides and the only way that we can
> move
> > forward here is if both sides forgive and the slate is wiped clean.
> I predicted that when a future incident about me is raised, such as
> the result of the conclusion of the Queensland Police CMC Police
> Integrity Unit, then OWASP Members will doubt their conclusion because
> OWASP went out of it way to defame me with the Google Hacking Inquiry.
> Therefore, this process will be a complete waste of everyone time
> because history has proven that the above does occur.
> On Sat, Feb 15, 2014 at 5:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I'm sorry that you feel that the Google Hacking Inquiry cannot be simply
> > struck from the record.  Yes, there are wayback machines that prevent
> things
> > from being erased entirely, but that doesn't mean that we should just
> give
> > in and do nothing.  And to be fair, I could say the same about your
> earlier
> > request to modify the inquiry.  My gut feeling here is that while the
> > inquiry is negative toward you, it's the least of your concerns.  A
> search
> > for your name and "security" (what I'd probably search for a job
> candidate)
> > doesn't even show the inquiry in the first 10 pages of results on Google.
> > It does, however, show numerous recounts of journalist arrests associated
> > with your hack of another security professional involving his wife and
> > child.  The Google Hacking Inquiry, in my opinion, is the least of your
> > concerns where your reputation is concerned.
> I suggest you search for "OWASP CMLH" or "OWASP Google Hacking
> Project" then and come back to me?
> I find it odd that you support the version of events of Chris Gatford
> even though he turned a blind eye to the abuse that his own employee
> against Asher Wolf who is a single mother.
> Again, you demonstrate bias in your observations since you failed to
> consider the other side of the story i.e.
> http://www.crikey.com.au/2011/05/19/journo-arrest-recipe-for-clicks-turns-into-a-recipe-for-disaster/?wpmp_switcher=mobile
> ,
> http://www.abc.net.au/unleashed/2719142.html, etc
> For the record, the photos were obtained in April 2010 which
> correlates to the date when the timeframe of the OWASP Google Hacking
> Inquiry.
> If the OWASP Google Hacking Inquiry is removed then I will ensure that
> the public raise questions as to why it was removed and for what
> purpose.  I suggest you reconsider this decision because I disagree
> with it.
> On Sat, Feb 15, 2014 at 5:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > As for the "one year" period, the only thing this applies to is
> leadership
> > positions and representing yourself as OWASP for speaking engagements.
>  It's
> > not meant to be offensive, but rather, to ensure that we can ease you
> back
> > into things at a reasonable pace.  Following your example, it's more like
> > saying your sex offender isn't allowed to run for mayor or take up a job
> > running a daycare.  There are those who feel that it should be longer,
> those
> > who feel it should be shorter, but I picked one year because it seemed
> to be
> > a happy medium.
> Has it worked in the past? No, its a dumb idea Josh as I will just
> plan my retaliation during this yearly time period as I feel I am
> being treated like http://en.wikipedia.org/wiki/Colored
> The OWASP Board is to treat me with the same respect as other members
> in a fashion that was prior to the OWASP Google Hacking Inquiry.
> If you agreed to clarify the "background" of the Google Hacking
> Inquiry on my behalf to other who have asked questions by me then
> there will be no issue about me expressed by other OWASP members. In
> fact, Dinis Cruz, Andre Ludwig, Arshan, etc might become my biggest
> supporters because their doubt has been clarified before it becomes an
> issue.
> On Sat, Feb 15, 2014 at 5:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > It is unreasonable to ask for a speaking slot at AppSecEU for so many
> > reasons.  I'm not sure what you think this would prove (your link is
> > inconclusive as to what you're trying to say here), but this is very
> > different from the "sit back and observe" desire that you had previously
> > expressed.  If this arrangement is going to work, then we need to ease
> you
> > back into the community and regain their trust before something like this
> > were to happen.
> That's due to perception of Andre Ludwig and others that the videos of
> me speaking represented self promotion, which the Google Hacking
> Inquiry found to be false.
> The video at Appsec USA 2008 clearly demonstrates that I am able to
> handle my critics (in this case Arshan) in a reasonable fashion.  Let
> them reach their own conclusion that they are wrong about me.
> On Sat, Feb 15, 2014 at 5:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > If you want to participate in an open working session, I'm fine with
> that.
> > If you want to avoid certain individuals, I think that's an excellent
> idea.
> > Ultimately, I think the Board wants to make sure you can be a part of the
> > community without being a burden.  We don't have any expectations of you
> > over that of any other member.  My proposal is simple and fair.  If you
> want
> > to proceed with OWASP, any deal that we make on reinstatement is going
> to be
> > similar to what I set forth in my e-mail.
> I'm sorry, but your proposal is another burden to me which resolves
> nothing and has demonstrated your bias due to your position as an
> OWASP Board Member.  The same claim about not knowing me was made by
> Dinis Cruz at the commencement of the Google Hacking Inquiry and we
> see the result of that today.
> Please don't consider this my final response in this matter as I
> consider my proposal much less damaging than the alternate resolution
> that I will undertake.
> I am all for the path of lest resistance and best resolution.
> I would urge you to reconsider and I am available to discuss during a
> conference call because I believe that some information is still
> missing from your understanding.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140215/073f348a/attachment.html>

More information about the Owasp-board mailing list