[Owasp-board] Getting it all out in the open

Josh Sokol josh.sokol at owasp.org
Tue Feb 18 19:52:01 UTC 2014


It uses parties (plural) because I don't believe that you were the only one
who has been damaged by the inquiry.  In fact, I believe it was you who
first suggested the notion of "What good has this inquiry done for OWASP?"
Throughout the years, many people have had to deal with the inquiry itself
as well as the fallout from it.  I can personally attest that my
experience, as a result of the inquiry, has been exhausting on the mental
front and it has taken a considerable amount of time away from the things
that I actually enjoy doing.  Thus, I would say that I, too, have been
damaged by this inquiry and I don't believe that you or I are alone in this
either.  This is not an apology to you.  It is an apology to everyone who
has been affected by the inquiry.  And, to repeat myself from earlier,
putting your name in the "placeholder" text calls attention back to the
inquiry that we are all trying to move beyond.

I appreciate and accept your apology for my perception of you being
unreasonable.  I'm glad that you've called attention to my recent change in
attitude as this was directly influenced by my perceived unreasonable
behavior on your part.  In the interest of reason, please allow me to
summarize my current thoughts here.

My goal is to find a peaceful solution to our current situation that
benefits both OWASP and yourself.  What you need to understand is that
whatever solution I attempt to broker needs to be approved not only by you,
but also by the rest of the OWASP Board.  I have been engaged in
conversations that, unfortunately, you were not privy to and I have a good
idea as to what it will take to bring both sides together.  I assure you
that the plan which I presented here was by no means the most restrictive
that has been suggested.  In fact, I'd say that it is still likely pushing
the bounds on what the Board, and a number of other members of the OWASP
Foundation, would be comfortable with here.  That said, peace often
requires compromise and that is what I was suggesting.  I understand that
you would prefer a less restrictive policy, but I'm not even sure that I
can garner the support for the one that I suggested, let alone what you
suggested instead.  And based on my review of the evidence that I have
sought and what has been presented to me, this represents the extent of
where I personally feel comfortable here.  If you believe it is reasonable,
then I will attempt to garner the support necessary for it.  If you believe
it is still unreasonable, then I would revert back to my proposal #1 to
agree to disagree and amicably move along on our separate paths.

As for your request to present at AppSecEU, we would currently defer to the
OWASP Membership Revocation Policy (
https://www.owasp.org/index.php/Membership_Revocation).  This policy states
that "A revoked member is disqualified from participating in OWASP CFPs and
from speaking at a Global or regional AppSec conference as well as chapter
meetings for a period not less than 24 months."  My interpretation of this
policy would be that you would not currently be allowed, as a revoked
member, to participate in the AppSecEU CFP.  To be clear, this is not me
making a judgement on your revocation or actions past, present, or future.
This is simply me stating policy that was laid out prior to me being
elected as an OWASP Board member.  My assumption is that this restriction
would likely not be lifted should you elect not to have your membership
reinstated.  The only path that I would personally support for a revoked
member to present at an OWASP conference is one where they have already
demonstrated their understanding of why they were revoked and have
demonstrated that they would no longer undertake such actions again.


On Mon, Feb 17, 2014 at 11:29 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
> I have provided how I reached the conclusion related to the missing
> "placeholder" text.  I would like my name quoted in this text as
> parties (plural) indicates that there is more than a single person.
> I never stated that you where unreasonable and if you have perceived
> this then please accept my apology?  However, your recent behaviour
> becoming of concern.
> I responded to each section of your e-mail and asked you to forward it
> to the OWASP Board on my behalf therefore you were and are able to
> review or seek clarification on my correspondence prior to its
> submission to the OWASP Board of which I am responding to a public
> record that you made without my prior consultation.
> I do not want my membership reinstated at this point in time and I
> have requested this be considered in June 2014 so that I can present
> at the upcoming OWASP EU.  I am awaiting confirmation if this is in
> scope of your proposed restrictions to my future dealing with OWASP if
> I elect to not become an OWASP member?
> http://lists.owasp.org/pipermail/owasp-board/2014-January/013031.html
> demonstrates Tobias preferred approach is to seek clarification and
> approval on all the facts before thinking out aloud.
> On Tue, Feb 18, 2014 at 3:44 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Christian,
> >
> > The ">" characters that you see on the mailing list archive (assuming you
> > meant
> > http://lists.owasp.org/pipermail/owasp-board/2014-February/013107.html)
> are
> > from an HTML e-mail in Google where that was quoted text being
> translated to
> > pure text for the mailing list archive.  They have nothing to do with me
> > being unreasonable.
> >
> > The no direct reference to you was intentional so that the inquiry does
> not
> > continue to haunt you as it has in the past.  New people will be unable
> to
> > associate it with you and people who are already familiar will only see
> the
> > replacement text.  I believe that, knowing how search engines function,
> this
> > is a completely reasonable step for this statement.
> >
> > Sounds like, based on your "reasonable interpretation" above, we can
> > reasonably assume that you quickly glanced over this e-mail, hearing only
> > what you wanted to hear, responding before you had a chance to read it in
> > it's entirety, never seeking clarification from me, and also missing the
> > part where I also said:
> >
> > On top of the above, it is clear that Christian feels that the Inquiry
> has
> > affected his ability to work as well as his general state of well being.
> > If this is true, then it is in direct contradiction to the OWASP Code of
> > Ethics where we state that OWASP members should not intentionally injure
> or
> > impugn the professional reputation of our colleagues.  I don't think that
> > it is rational for us to question whether this is or is not true, and
> > therefore feel like our best course of action is to assume that it is and
> > work to correct the situation.  My proposal is to remove the Google
> Hacking
> > Inquiry document and any reference documentation as well that is on the
> > OWASP public website.  In it's stead, I would like to place the following
> > text:
> >
> > This part was not in ">" characters and it clearly referenced your name
> > before calling out that the text following was the replacement text.   I
> > don't think it gets much clearer than that.
> >
> > My role here is to obtain the evidence from you that I need in order to
> make
> > a decision on your request for reinstatement.  As part of this, I have
> come
> > to the conclusion that the Google Hacking Inquiry no longer serves the
> > purpose that it was originally intended and I was seeking a consensus
> from
> > the Board in order to have it removed.  To my knowledge, I am not
> required
> > to consult with you before I consult with the Board on any topic.
> >
> > As for you saying that my e-mail lacked prioritization and was confusing
> in
> > order to create bias, I'm afraid you may have again fallen victim to the
> > HTML vs plain text conundrum I mentioned above.  See where it says "*
> Google
> > Hacking Inquiry *"?  That was where the message was structured to
> highlight
> > the paragraph where I specifically made statements about the Google
> Hacking
> > Inquiry and it was bolded and underlined.  See where it says "* Request
> for
> > Reinstatement *"?  That's where I made statements about your request for
> > reinstatement.  I don't write e-mails that are slapped together with
> random
> > links and are not well thought out in advance.  That said, if there are
> > others monitoring the Board list who felt that my e-mail was unreasonably
> > formatted, lacked prioritization, or attempted to create a bias, I would
> be
> > more than willing to accept that feedback and will work to do better next
> > time.  You will not hurt my feelings in the slightest.
> >
> > I agree that Tobias has done a fantastic job so far as well and am glad
> that
> > you feel that he has aided in highlighting the nuances that weren't
> > clarified or highlighted by me.  The OWASP Board, like any other team,
> > consists of people from many different backgrounds and abilities.
>  Hearing
> > that Tobias has helped to fill in the gaps that I may have left behind
> is a
> > testament to good teamwork and I am grateful to him for the assistance
> that
> > he has been able to provide us.
> >
> > ~josh
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140218/f75c770e/attachment-0001.html>

More information about the Owasp-board mailing list