[Owasp-board] Fwd: OWASP Board decision that I don't agree with

Jim Manico jim.manico at owasp.org
Sat Jan 4 23:13:56 UTC 2014


Should we also abort the OWASP England conference because of the GCHQ's
capability and constant attack on Google services? Should we also abort
all five of the "five eyes" countries for being a part of this? Abort
all telecoms? Abort France for trying to create fraudulent certificates
and getting caught? Holy cow, the list would be huge.

If you really want to get politically accurate here Dennis, the list of
countries, companies and associations we need to keep away from will be
a VERY long list.

- Jim


> Even if you removed all OWASP branding, I am not sure that I agree with the
> participation. They literally took money to keep us unsafe. This is
> directly in contrast to the OWASP mission.
> 
> Sent from my mobile device, apologies for the brevity and spelling errors.
> On Jan 4, 2014 1:11 PM, "Eoin Keary" <eoin.keary at owasp.org> wrote:
> 
>> Tobias, this is not correct. The original request was to OWASP,
>> Sarah/Kelly can clarify.
>>
>> Our material is OWASP branded with no commercial reference and is not part
>> of any OWASP project such as the top 10.
>>
>> There was no vote but the consensus was to stay away from politics after I
>> mentioned Mikko's cancellation and proceed with the training.
>>
>> The training material is not the result of a project but our own work. The
>> training material is freely available on the web donated by him and myself.
>>
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 4 Jan 2014, at 19:01, Tobias <tobias.gondrom at owasp.org> wrote:
>>
>> Eoin,
>>
>> to be clear on a few details:
>> - to my attention there was a short exchange of about 12 emails (some off
>> and some on the board mailing-list).
>> - there was no vote and no agreement recorded in favour of OWASP as an org
>> doing this.
>> - in fact, in the email exchange (unfortunately offlist, following someone
>> else moving the thread offlist), I clearly stated my understanding was that
>> Jim and Eoin are making the decision to go to RSA as individuals. (my email
>> was on Dec-29). And that therefore it was their decision whether they want
>> to go there or not. And I can not recall that this was contradicted at any
>> time.
>>
>> Best regards, Tobias
>>
>>
>> Ps.: The branding of the material is not relevant for this. In principle
>> all OWASP material can be used freely by anybody. That does not imply that
>> our organisation as a whole does sanction or support any specific company.
>> E.g. anyone can use the OWASP Top-10 presentation (with the OWASP
>> branding) and present it at RSA or the next NSA conference for that matter.
>>
>>
>>
>>
>> On 04/01/14 18:10, Eoin Keary wrote:
>>
>>  Sorry Tobias,
>>
>>  But we are delivering the training as OWASP.
>> OWASP was approached by RSA.
>> Our material is non commercial branded and branded with OWASP, donated by
>> Jim and myself.
>>
>>  There was no vote but a debate started by myself which landed firmly in
>> favour of going ahead with it.
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 4 Jan 2014, at 17:53, Tobias <tobias.gondrom at owasp.org> wrote:
>>
>>   No. There was no vote.
>>
>> And to be clear, my understanding was that everyone would be attending as
>> individuals and not as representatives of the board or OWASP.
>>
>> I am not quite sure how this perception came about. But we may have to
>> take clarifying action.
>> If other board members would concur, I would propose to make a simple
>> statement that OWASP leaders and members speaking at the RSA conference do
>> so as individuals and not in their function as representatives of OWASP.
>>
>> Best regards, Tobias
>>
>>
>> OWASP Global Board Member and Secretary of the Board
>>
>>
>>
>>
>> On 04/01/14 17:39, Tom Brennan - OWASP wrote:
>>
>> There was a vote?
>>
>> On Jan 4, 2014, at 12:31 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>>   Many negative tweets re RSA and OWASP. (below).
>> As I brought this up already, are we sure we are making the right decision
>> by pushing forward with this?
>>
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> Begin forwarded message:
>>
>>  *From:* Sastry Tumuluri <sastry.tumuluri at owasp.org>
>> *Date:* 4 January 2014 16:48:50 GMT
>> *To:* "Kanwal Singh (WebMentors)" <kanwalsb at gmail.com>, Ravdeep Sodhi <
>> ravdeep.sodhi at ecoretechnos.com>, "Nishant Johar (EMOBX)" <nj at emobx.com>,
>> Rochak Chauhan <rochak.chauhan at owasp.org>
>> *Cc:* "Jim Manico (OWASP)" <jim.manico at owasp.org>, "Eoin Keary (OWASP)" <
>> eoin.keary at owasp.org>
>> *Subject:* *OWASP Board decision that I don't agree with*
>>
>>    Friends,
>>
>>  Please see the following full conversation on twitter:
>> https://twitter.com/EoinKeary/status/419111748424454145
>>
>>  Eoin Keary and Jim Manico (both OWASP board members) will be
>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>> to be present. Apparently, this was discussed at the OWASP board level; and
>> the board has decided to go ahead, keeping in mind the benefit to the
>> attending developers.
>>
>>  As you are aware, RSA is strongly suspected (we'll never be 100% sure,
>> I'm afraid) of being complicit with NSA in enabling fatal weakening of
>> crypto products. RSA has issued a sort of a denial that only deepens the
>> mistrust. As a protest, many leading speakers are cancelling their talks at
>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>> Jeffrey Carr and Josh Thomas.
>>
>>  At such a time, I am saddened by the OWASP board decision to support
>> RSAC by their presence. At a time when they had the opportunity to let the
>> world know how much they care for the Information Security profession
>> (esp., against weakening crypto); and how much they care about the privacy
>> of people (against NSA's unabashed spying on Americans & non-Americans
>> alike), the board has copped out using a flimsy rationalization ("benefit
>> of (a few) developers", many of whom would rethink their attendance had
>> OWASP and more organizations not blinked!).
>>
>>  I'm sure there was a heated debate. I'm sure all angles were considered.
>> However, this goes too deep for me to take it as "better men than me have
>> considered and decided". As a matter of my personal values, if the
>> situation doesn't change, I would no longer wish to continue as the OWASP
>> Chapter Lead. Please let me know if any of you would like to take over from
>> me.
>>
>>  I will also share my feelings with fellow chapter members at our next
>> chapter meeting on Jan 21st. Needless to say, no matter how things go, I
>> remain committed to the principles of our open and open-source infosec
>> community.
>>
>>  Best regards,
>>
>>  ==Sas3==
>>
>>   _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board