[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Mon Feb 17 04:41:07 UTC 2014


I don't remember if you said it during one of our calls, but you most
certainly alluded to it in our recent Skype conversation and in your
requests for me to follow up with Andre Ludwig.  Here's an excerpt from one
of those e-mails:

"Once we have confirmation that Andre's source was Chris Gatford then it
will make the public relations in restoring my reputation within OWASP
considerably easier because OWASP members will understand the root cause
and ulterior motive of the inquiry of the OWASP Google Hacking Project."

And from our Skype conversation:

"An eye for an eye"

If you'd like, I would be happy to export our conversation from Skype and
forward the e-mails regarding contacting Andre as well so that others can
inspect this evidence.  Did I somehow misinterpret your statements?

We also spoke at some length about the Google Hacking Inquiry on the call.
Your desire, at least at the time, was to leave the document in tact and
replace Jeff's summary with your own condoning the actions taken against
you and implicating others in a conspiracy against you.  I'm paraphrasing
here, but I believe that was the gist of what you told me.  If you'd like
to provide me with an alternate wording, then I'd gladly entertain that,
but my intent is to push for removal of the document altogether as I think
it's served whatever purpose it was intended and it's time to move on.  I
would think that having it gone would make you happy in that the Google
queries you gave me earlier would no longer work to find any results.  I'm
honestly not sure why you're wanting to fight that.

I am well aware that Chris Gatford is no longer an OWASP Chapter leader.
I'm not sure you're understanding what exactly the dependency is here.
It's not "Christian should not attempt to impugn the professional
reputation of Chris Gatford."  It is "Christian will abide by the same Code
of Ethics that we expect for all OWASP members."  Part of that Code of
Ethics includes verbiage saying that OWASP members will not injure or
impugn the professional reputation of colleagues.  Yes, the Code of Ethics
were created in large part due to circumstances around you, but it was
because these values were implicit before and your situation forced the
Foundation to make them explicit.  You could very well be right that others
have run awry of these Code of Ethics in the past, but unless there is a
more current event that you are aware of, then I'm not sure it's worth the
time and effort to pursue.  In any case, you can feel free to forward your
concerns to Martin Knobloch as OWASP's Compliance Officer and I'm sure he
will give them proper, unbiased, attention.

Please do pass along the names and contact information of those in
Australia who you feel would provide a positive reference for you.  I would
be more than happy to speak with them.  That said, I can't say that it
changes much at this point.  They may vouch for some of the positive things
that you've done, but, unfortunately, it doesn't remove any of the
negatives which many have experienced.

I don't think there is a single person here who wants to moderate or even
read your e-mail communications.  We don't want to have to police any of
our members.  Our expectation is that they are all adult enough to be able
to police themselves.  Take note that there is no moderation in my
proposals.  Your actions would be judged against the Code of Ethics as we
would any other OWASP member.  The only difference is that since you've
been suspended in the past for poor judgement, another lapse in judgement
would result in your immediate dismissal.  If you have any questions about
what constitutes a lapse in judgement, I've offered myself up as a liaison
and would be happy to help you with your communications, if you so desire.
Other than this, the only other stipulation is that you are not allowed to
hold an OWASP leadership position or present as a representative of OWASP
for a period of one year.  If your desire is to sit back and watch, as you
had suggested on the call, then this shouldn't be an issue.  It also
removes a platform for a wider audience should have a lapse in judgement.

I truly believe that if what you're saying is true, and you want to move
forward in a positive fashion with OWASP, then you have what I believe to
be two reasonable offers of co-existence.  There is nothing there that is
shameful, inappropriate, or overly burdensome.  If you're unable to meet
these terms, then I'm afraid we have nothing left to discuss as your desire
is to proceed in a direction that I believe is unhealthy for both yourself
and OWASP.


On Sun, Feb 16, 2014 at 5:50 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
> I do *not* have an intent to pursue a vengeance campaign against Chris
> Gatford.  I fail to see how that would help either me or OWASP.
> If you are unable to cite where the interview I stated this then can I
> request that you please stop misquoting me.
> Neither do I understand why you will not accept an example of how the
> the text of the Google Hacking Inquiry modified in a non confrontation
> way which is proposed for consideration and discussion (not the
> definitive version) that resolve the issue(s) you noted about it
> previously.
> You are also aware that Chris Gatford is no longer a Chapter Leader
> due to his extended inactivity since its formation in 2005 but please
> let me know what his dependency to me rejoining OWASP?
> Furthermore, you are yet to interview any witnesses in Australia who
> are aware of my positive involvement in OWASP?
> The OWASP Code of Ethics were created in direct response to the poor
> treatment that
> http://blog.diniscruz.com/2012/10/why-do-others-think-that-im-hard-to.html
> as documented at
> https://lists.owasp.org/pipermail/owasp-board/2010-October/009157.html
> Please let me know how the conduct of other OWASP members below is not
> subject to the OWASP Code of Ethics also and is therefore within the
> definition of selective judgement:
> 1. http://lists.owasp.org/pipermail/owasp-board/2009-May/007510.html
> 2. http://lists.owasp.org/pipermail/owasp-board/2010-June/008376.html
> 3. http://lists.owasp.org/pipermail/owasp-board/2010-October/009194.html
> 4. http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
> I would welcome moderation of correspondence originating from my
> @owasp.org e-mail address for a period of one year to alleviate the
> unfounded fears of the OWASP Member of which I am unaware of their
> identity or concerns.  I believe this compromise is a more restrictive
> than what you have proposed in which to protect OWASP.  This is *not*
> an ultimatum, rather a proposal for discussion and consideration.
> I therefore request that his period commence from 20 June 2014 which
> will also allow you to consider the unfounded concern related to
> http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
> of which my innocent has been proven beyond a reasonable doubt in
> light of the "hearsay" media coverage.
> You are more than welcome to schedule a recorded conference call in
> which to discuss?  I also grant you the unrestricted right to release
> the recording of this specific conference call that is scheduled in
> the immedidate future.
> On Sun, Feb 16, 2014 at 4:39 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Unfortunately, you are not in a position to give the OWASP Board
> ultimatums.
> > I have already effectively offered you #1, but you disagreed with the
> > message to replace the inquiry and you fail to understand that no OWASP
> > member is without restriction.  All of us are bound by the OWASP Code of
> > Ethics.  So your request to rejoin without restriction is a paradox that
> we
> > are incapable of entertaining.  Especially in knowing that your intent
> is to
> > continue to pursue a vengeance campaign against Chris Gatford which is in
> > direct violation of our Code of Conduct.
> >
> > In addition, your return represents a significant amount of risk given
> your
> > behavior in both the far and recent past and you have yet to show any
> effort
> > to prove otherwise.  To the contrary, your last two e-mails show a clear
> > intention to threaten OWASP if a decision is not made in your favor.  You
> > have what I believe to be two reasonable offers of peaceful co-existence
> > that have already received votes of support from Dennis Groves and Martin
> > Knobloch.  If you're unable to meet these terms, then I'm afraid we have
> > nothing left to discuss as your desire is to proceed in a direction that
> I
> > believe is unhealthy for both yourself and OWASP.  That said, I do
> > appreciate your time and wish you all the best going forward.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140216/908de872/attachment.html>

More information about the Owasp-board mailing list