[Owasp-board] Fwd: OWASP Board decision that I don't agree with

Eoin Keary eoin.keary at owasp.org
Sat Jan 4 23:16:32 UTC 2014


Yes we need to be mature about this.
What is the benefit of training 300 developers vs not doing it?

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 4 Jan 2014, at 23:13, Jim Manico <jim.manico at owasp.org> wrote:

> Should we also abort the OWASP England conference because of the GCHQ's
> capability and constant attack on Google services? Should we also abort
> all five of the "five eyes" countries for being a part of this? Abort
> all telecoms? Abort France for trying to create fraudulent certificates
> and getting caught? Holy cow, the list would be huge.
> 
> If you really want to get politically accurate here Dennis, the list of
> countries, companies and associations we need to keep away from will be
> a VERY long list.
> 
> - Jim
> 
> 
>> Even if you removed all OWASP branding, I am not sure that I agree with the
>> participation. They literally took money to keep us unsafe. This is
>> directly in contrast to the OWASP mission.
>> 
>> Sent from my mobile device, apologies for the brevity and spelling errors.
>> On Jan 4, 2014 1:11 PM, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>> 
>>> Tobias, this is not correct. The original request was to OWASP,
>>> Sarah/Kelly can clarify.
>>> 
>>> Our material is OWASP branded with no commercial reference and is not part
>>> of any OWASP project such as the top 10.
>>> 
>>> There was no vote but the consensus was to stay away from politics after I
>>> mentioned Mikko's cancellation and proceed with the training.
>>> 
>>> The training material is not the result of a project but our own work. The
>>> training material is freely available on the web donated by him and myself.
>>> 
>>> 
>>> 
>>> 
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> 
>>> 
>>> On 4 Jan 2014, at 19:01, Tobias <tobias.gondrom at owasp.org> wrote:
>>> 
>>> Eoin,
>>> 
>>> to be clear on a few details:
>>> - to my attention there was a short exchange of about 12 emails (some off
>>> and some on the board mailing-list).
>>> - there was no vote and no agreement recorded in favour of OWASP as an org
>>> doing this.
>>> - in fact, in the email exchange (unfortunately offlist, following someone
>>> else moving the thread offlist), I clearly stated my understanding was that
>>> Jim and Eoin are making the decision to go to RSA as individuals. (my email
>>> was on Dec-29). And that therefore it was their decision whether they want
>>> to go there or not. And I can not recall that this was contradicted at any
>>> time.
>>> 
>>> Best regards, Tobias
>>> 
>>> 
>>> Ps.: The branding of the material is not relevant for this. In principle
>>> all OWASP material can be used freely by anybody. That does not imply that
>>> our organisation as a whole does sanction or support any specific company.
>>> E.g. anyone can use the OWASP Top-10 presentation (with the OWASP
>>> branding) and present it at RSA or the next NSA conference for that matter.
>>> 
>>> 
>>> 
>>> 
>>> On 04/01/14 18:10, Eoin Keary wrote:
>>> 
>>> Sorry Tobias,
>>> 
>>> But we are delivering the training as OWASP.
>>> OWASP was approached by RSA.
>>> Our material is non-commercial branded and branded with OWASP, donated by
>>> Jim and myself.
>>> 
>>> There was no vote but a debate started by myself which landed firmly in
>>> favour of going ahead with it.
>>> 
>>> 
>>> 
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> 
>>> 
>>> On 4 Jan 2014, at 17:53, Tobias <tobias.gondrom at owasp.org> wrote:
>>> 
>>> No. There was no vote.
>>> 
>>> And to be clear, my understanding was that everyone would be attending as
>>> individuals and not as representatives of the board or OWASP.
>>> 
>>> I am not quite sure how this perception came about. But we may have to
>>> take clarifying action.
>>> If other board members would concur, I would propose to make a simple
>>> statement that OWASP leaders and members speaking at the RSA conference do
>>> so as individuals and not in their function as representatives of OWASP.
>>> 
>>> Best regards, Tobias
>>> 
>>> 
>>> OWASP Global Board Member and Secretary of the Board
>>> 
>>> 
>>> 
>>> 
>>> On 04/01/14 17:39, Tom Brennan - OWASP wrote:
>>> 
>>> There was a vote?
>>> 
>>> On Jan 4, 2014, at 12:31 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> 
>>> Many negative tweets re RSA and OWASP. (below).
>>> As I brought this up already, are we sure we are making the right decision
>>> by pushing forward with this?
>>> 
>>> 
>>> 
>>> 
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> 
>>> 
>>> Begin forwarded message:
>>> 
>>> *From:* Sastry Tumuluri <sastry.tumuluri at owasp.org>
>>> *Date:* 4 January 2014 16:48:50 GMT
>>> *To:* "Kanwal Singh (WebMentors)" <kanwalsb at gmail.com>, Ravdeep Sodhi <
>>> ravdeep.sodhi at ecoretechnos.com>, "Nishant Johar (EMOBX)" <nj at emobx.com>,
>>> Rochak Chauhan <rochak.chauhan at owasp.org>
>>> *Cc:* "Jim Manico (OWASP)" <jim.manico at owasp.org>, "Eoin Keary (OWASP)" <
>>> eoin.keary at owasp.org>
>>> *Subject:* *OWASP Board decision that I don't agree with*
>>> 
>>>   Friends,
>>> 
>>> Please see the following full conversation on twitter:
>>> https://twitter.com/EoinKeary/status/419111748424454145
>>> 
>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>>> to be present. Apparently, this was discussed at the OWASP board level; and
>>> the board has decided to go ahead, keeping in mind the benefit to the
>>> attending developers.
>>> 
>>> As you are aware, RSA is strongly suspected (we'll never be 100% sure,
>>> I'm afraid) of being complicit with NSA in enabling fatal weakening of
>>> crypto products. RSA has issued a sort of a denial that only deepens the
>>> mistrust. As a protest, many leading speakers are cancelling their talks at
>>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>>> Jeffrey Carr and Josh Thomas.
>>> 
>>> At such a time, I am saddened by the OWASP board decision to support
>>> RSAC by their presence. At a time when they had the opportunity to let the
>>> world know how much they care for the Information Security profession
>>> (esp., against weakening crypto); and how much they care about the privacy
>>> of people (against NSA's unabashed spying on Americans & non-Americans
>>> alike), the board has copped out using a flimsy rationalization ("benefit
>>> of (a few) developers", many of whom would rethink their attendance had
>>> OWASP and more organizations not blinked!).
>>> 
>>> I'm sure there was a heated debate. I'm sure all angles were considered.
>>> However, this goes too deep for me to take it as "better men than me have
>>> considered and decided". As a matter of my personal values, if the
>>> situation doesn't change, I would no longer wish to continue as the OWASP
>>> Chapter Lead. Please let me know if any of you would like to take over from
>>> me.
>>> 
>>> I will also share my feelings with fellow chapter members at our next
>>> chapter meeting on Jan 21st. Needless to say, no matter how things go, I
>>> remain committed to the principles of our open and open-source infosec
>>> community.
>>> 
>>> Best regards,
>>> 
>>> ==Sas3==
>>> 
>>>  _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
> 