[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Mon Feb 17 15:01:34 UTC 2014


In the scenario with Jim, unfortunately, there is no evidence to back up
his claim.  It is simply his word against your own.  To be clear, I did not
say that his statement could not be considered.  I said that it
becomes a matter of integrity where we are left to judge which one of you
would be more likely to skew the truth.

At present, I'm sorry if you feel this was misquoted and quoted out of
context.  I have provided you with both an opportunity to correct the
context ("Did I somehow misinterpret your statements?") and to publicly
publish our conversation ("export our conversation from Skype and forward
the e-mails regarding contacting Andre as well so that others can inspect
this evidence"), but instead you have chosen to question my integrity.  I
have been very clear from the beginning that I am speaking with you as a
member of the OWASP Board and that our conversations have been recorded to
preserve evidence on behalf of both yourself and OWASP.  I would challenge
you to find any place in those communications where either you or I
mentioned that this was said in confidence.  I will pass these artifacts
along to the other Board members and yourself so that there is no further
questioning of my intent or integrity here, but will refrain from making
them public out of respect for you.  However, if you continue to question
my integrity in public, then these will become a matter of public record.

Again, Christian, I am not interested in playing games.  When we began this
journey, I offered my support, but with the condition that any attack on me
would result in the immediate termination of our communications.  You
crossed this line by questioning my integrity in your last e-mail.  While I
have lobbied fiercely for your reinstatement up until this point, under the
surmise that you've been misunderstood and misrepresented, I'm afraid that
our last mile has shown that we are on divergent paths.  Personally, I feel
that the inquiry was unfair, but I also feel that your actions afterward
were reprehensible and you are now showing with me the same disrespectful
behavior that you have shown with others in the past.  I do not believe
that it is in anyone's interests to continue this discussion at this time
as it has become non-productive and, quite frankly, negative.

The Board will vote on your request for reinstatement as is required by our
process.  I wish you all the best Christian.


Josh Sokol

On Sun, Feb 16, 2014 at 11:52 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
> On Mon, Feb 17, 2014 at 3:41 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I don't remember if you said it during one of our calls, but you most
> > certainly alluded to it in our recent Skype conversation and in your
> > requests for me to follow up with Andre Ludwig.  Here's an excerpt from one
> > of those e-mails:
> >
> > "Once we have confirmation that Andre's source was Chris Gatford then it
> > will make the public relations in restoring my reputation
> > within OWASP considerably easier because OWASP members will understand
> > the root cause and ulterior motive of the inquiry of the OWASP Google
> > Hacking Project."
> >
> > And from our Skype conversation:
> >
> > "An eye for an eye"
> >
> > If you'd like, I would be happy to export our conversation from Skype
> > and forward the e-mails regarding contacting Andre as well so
> > that others can inspect this evidence.  Did I somehow misinterpret your
> > statements?
> In light of the recent thread of hearsay of a recorded call between
> Jim Manico and I i.e.
> http://lists.owasp.org/pipermail/owasp-board/2014-January/012949.html
> and your own judgement to strike this from the record I feel that I
> have been misquoted and quoted out of context.
> Why are you quoting a possible private discussion that you have not
> sought my permission to have disclosed on a public Mailing List in
> light of your repeated statements about respecting confidentiality and
> associated disclosure?
> This is unbelievable.  I understand how
> http://www.smh.com.au/technology/technology-news/grubbs-story-privacy-news-and-the-strong-arm-of-the-law-20110518-1esn9.html
> felt now since you have sought to gain my trust Josh.
> On Mon, Feb 17, 2014 at 3:41 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > We also spoke at some length about the Google Hacking Inquiry on the
> > call.  Your desire, at least at the time, was to leave the
> > document intact and replace Jeff's summary with your own condoning the
> > actions taken against you and implicating others in a
> > conspiracy against you.  I'm paraphrasing here, but I believe that was
> > the gist of what you told me.  If you'd like to provide me with an
> > alternate wording, then I'd gladly entertain that, but my intent is to push
> > for removal of the document altogether as I think it's served
> > whatever purpose it was intended and it's time to move on.  I would
> > think that having it gone would make you happy in that the Google queries
> > you gave me earlier would no longer work to find any results.  I'm honestly
> > not sure why you're wanting to fight that.
> No, no and no. I have continually used the wording of "non
> confrontational" and therefore does *not* represent the gist of what I
> have told you in the recorded conference calls.
> http://lists.owasp.org/pipermail/owasp-leaders/2011-May/005283.html is
> *not* the result of a Google Search Josh.
> Rather than you and I reach an agreement on what was discussed and
> then publish an agreed upon artefact you elected to "jump the gun" and
> publish what you think you might have heard? Again unbelievable
> On Mon, Feb 17, 2014 at 3:41 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I am well aware that Chris Gatford is no longer an OWASP Chapter leader.
> > I'm not sure you're understanding what exactly the
> > dependency is here.  It's not "Christian should not attempt to impugn
> > the professional reputation of Chris Gatford."  It is "Christian will
> > abide by the same Code of Ethics that we expect for all OWASP members."
> > Part of that Code of Ethics includes verbiage saying that OWASP members
> > will not injure or impugn the professional reputation of colleagues.  Yes,
> > the Code of Ethics were created in large
> > part due to circumstances around you, but it was because these values
> > were implicit before and your situation forced the Foundation
> > to make them explicit.  You could very well be right that others have
> > run awry of these Code of Ethics in the past, but unless there is a
> > more current event that you are aware of, then I'm not sure it's worth the
> > time and effort to pursue.  In any case, you can feel free to forward
> > your concerns to Martin Knobloch as OWASP's Compliance Officer and I'm sure
> > he will give them proper, unbiased, attention.
> You have already alluded to the OWASP Board conduct during the "Google
> Hacking Inquiry" was nothing more than poor judgement Josh.
> Well we all agree that the application of the Code of Ethics is based
> purely on selective judgement.
> https://www.owasp.org/index.php/Issues_Concerning_The_OWASP_Top_Ten_2013
> is a recent example of a clear violation of the Code of Ethics by Jeff
> Williams and Dave Wichers, specifically "Refrain from any activities
> which might constitute a conflict of interest or otherwise damage the
> reputation of employers, the information security profession, or the
> Association"
> On Mon, Feb 17, 2014 at 3:41 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Please do pass along the names and contact information of those in
> > Australia who you feel would provide a positive reference for you.  I
> > would be more than happy to speak with them.  That said, I can't say that
> > it changes much at this point.  They may vouch for some of the positive
> > things that you've done, but, unfortunately, it doesn't remove any of the
> > negatives which many have experienced.
> If you have followed a due diligence process here then you should have
> sought a list of witnesses to speak with first and then you could have
> challenged the negative statements from the single Australian witness
> you have spoken to.
> You have stated that they won't change your opinion?  The only reason
> that you would want to speak to them now is to appear fair Josh.
> On Mon, Feb 17, 2014 at 3:41 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I don't think there is a single person here who wants to moderate or
> > even read your e-mail communications.  We don't want to have to police
> > any of our members.  Our expectation is that they are all adult enough to
> > be able to police themselves.  Take note that there is no moderation in
> > my proposals.  Your actions would be judged against the Code of Ethics as
> > we would any other OWASP member.
> > The only difference is that since you've been suspended in the past for
> > poor judgement, another lapse in judgement would result in
> > your immediate dismissal.  If you have any questions about what
> > constitutes a lapse in judgement, I've offered myself up as a liaison and
> > would be happy to help you with your communications, if you so desire.
> > Other than this, the only other stipulation is that you are not allowed
> > to hold an OWASP leadership position or present as a representative of
> > OWASP for a period of one year.  If your desire is to sit back and watch,
> > as you had suggested on the call, then this shouldn't be an issue.  It also
> > removes a platform for a wider
> > audience should you have a lapse in judgement.
> You already moderate my correspondence on both the OpenSAMM and OWASP
> Top Ten Lists.
> I ask you to speak on my behalf to Andre Ludwig Josh and you denied
> that request without seeking any clarification.
> I have served my time and that period was two years.  You want to
> extend https://www.owasp.org/index.php/Membership_Revocation for
> another term (total of three years) even though I have expressed no
> desire to participate in these activities that I was excluded from
> except to present at the OWASP European Conference and that would be
> as a member of the public.
> This is policing of a specific individual Josh.
> On Mon, Feb 17, 2014 at 3:41 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I truly believe that if what you're saying is true, and you want to move
> > forward in a positive fashion with OWASP, then you have what I believe to
> > be two reasonable offers of co-existence.  There is nothing there that is
> > shameful, inappropriate, or overly burdensome.  If
> > you're unable to meet these terms, then I'm afraid we have nothing left
> > to discuss as your desire is to proceed in a direction that I
> > believe is unhealthy for both yourself and OWASP.
> Please let me know if I am unable to participate in the CFP for the OWASP
> European Conference in 2014 or will be given unreasonable
> consideration if I submit a paper Josh?
> Can you please schedule a conference call ASAP?
> Please refrain from posting further correspondence on this matter to
> the OWASP Board Mailing List excluding this e-mail which I want
> published on my behalf until we have both agreed on a statement that
> can be released to the OWASP Board Josh?
> You have completely "jumped the gun" here.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact