[Owasp-board] Fwd: OWASP Board decision that I don't agree with

Jim Manico jim.manico at owasp.org
Sat Jan 4 23:27:02 UTC 2014


Yes, we are formal reps of OWASP for this event. :)


> Jim,
> 
> I am sorry, but what did you think is the meaning of "attending as
> individuals"?
> The whole point was to understand whether you speak there as individuals
> or as representatives of OWASP. 
> If you are as you now state representing OWASP, you would obviously not
> be attending as individuals. (In conferences and organisations this
> should be reasonably well understood.)
> 
> Best regards, Tobias
> 
> 
> 
> On 04/01/14 23:15, Jim Manico wrote:
>> Tobias,
>>
>> Think of it this way. OWASP is being asked by RSA to do an "association
>> event" which they offer to several other associations the day before RSA.
>>
>> Eoin, Michael and myself have agreed as individuals to do this, but we
>> are indeed representing OWASP.
>>
>> - Jim
>>
>>
>>> Eoin,
>>>
>>> to be clear on a few details:
>>> - to my attention there was a short exchange of about 12 emails (some
>>> off and some on the board mailing-list).
>>> - there was no vote and no agreement recorded in favour of OWASP as an
>>> org doing this.
>>> - in fact, in the email exchange (unfortunately offlist, following
>>> someone else moving the thread offlist), I clearly stated my understanding
>>> was that Jim and Eoin are making the decision to go to RSA as
>>> individuals. (my email was on Dec-29). And that therefore it was their
>>> decision whether they want to go there or not. And I can not recall that
>>> this was contradicted at any time.
>>>
>>> Best regards, Tobias
>>>
>>>
>>> Ps.: The branding of the material is not relevant for this. In principle
>>> all OWASP material can be used freely by anybody. That does not imply
>>> that our organisation as a whole does sanction or support any specific
>>> company.
>>> E.g. anyone can use the OWASP Top-10 presentation (with the OWASP
>>> branding) and present it at RSA or the next NSA conference for that matter.
>>>
>>>
>>>
>>>
>>> On 04/01/14 18:10, Eoin Keary wrote:
>>>> Sorry Tobias,
>>>>
>>>> But we are delivering the training as OWASP.
>>>> OWASP was approached by RSA.
>>>> Our material is non commercial branded and branded with OWASP, donated
>>>> by Jim and myself.
>>>>
>>>> There was no vote but a debate started by myself which landed firmly
>>>> in favour of going ahead with it.
>>>>
>>>>
>>>>
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>>
>>>>
>>>> On 4 Jan 2014, at 17:53, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>
>>>>> No. There was no vote.
>>>>>
>>>>> And to be clear, my understanding was that everyone would be
>>>>> attending as individuals and not as representatives of the board or
>>>>> OWASP.
>>>>>
>>>>> I am not quite sure how this perception came about. But we may have
>>>>> to take clarifying action.
>>>>> If other board members would concur, I would propose to make a simple
>>>>> statement that OWASP leaders and members speaking at the RSA
>>>>> conference do so as individuals and not in their function as
>>>>> representatives of OWASP.
>>>>>
>>>>> Best regards, Tobias
>>>>>
>>>>>
>>>>> OWASP Global Board Member and Secretary of the Board
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 04/01/14 17:39, Tom Brennan - OWASP wrote:
>>>>>> There was a vote?
>>>>>>
>>>>>> On Jan 4, 2014, at 12:31 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>>
>>>>>>> Many negative tweets re RSA and OWASP (below).
>>>>>>> As I brought this up already, are we sure we are making the right
>>>>>>> decision by pushing forward with this?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Eoin Keary
>>>>>>> Owasp Global Board
>>>>>>> +353 87 977 2988
>>>>>>>
>>>>>>>
>>>>>>> Begin forwarded message:
>>>>>>>
>>>>>>>> *From:* Sastry Tumuluri <sastry.tumuluri at owasp.org>
>>>>>>>> *Date:* 4 January 2014 16:48:50 GMT
>>>>>>>> *To:* "Kanwal Singh (WebMentors)" <kanwalsb at gmail.com>, Ravdeep Sodhi
>>>>>>>> <ravdeep.sodhi at ecoretechnos.com>, "Nishant Johar (EMOBX)"
>>>>>>>> <nj at emobx.com>, Rochak Chauhan <rochak.chauhan at owasp.org>
>>>>>>>> *Cc:* "Jim Manico (OWASP)" <jim.manico at owasp.org>, "Eoin Keary (OWASP)"
>>>>>>>> <eoin.keary at owasp.org>
>>>>>>>> *Subject:* *OWASP Board decision that I don't agree with*
>>>>>>>>
>>>>>>>> Friends,
>>>>>>>>
>>>>>>>> Please see the following full conversation on twitter: 
>>>>>>>> https://twitter.com/EoinKeary/status/419111748424454145
>>>>>>>>
>>>>>>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>>>>>>>> presenting/conducting 4 hrs of free-of-cost AppSec training at the
>>>>>>>> RSA Conference, 2014. Michael Coates, Chairman of the OWASP Board
>>>>>>>> is also said to be present. Apparently, this was discussed at the
>>>>>>>> OWASP board level; and the board has decided to go ahead, keeping
>>>>>>>> in mind the benefit to the attending developers.
>>>>>>>>
>>>>>>>> As you are aware, RSA is strongly suspected (we'll never be 100%
>>>>>>>> sure, I'm afraid) of being complicit with NSA in enabling fatal
>>>>>>>> weakening of crypto products. RSA has issued a sort of a denial
>>>>>>>> that only deepens the mistrust. As a protest, many leading
>>>>>>>> speakers are cancelling their talks at the upcoming RSAC 2014.
>>>>>>>> Among them are (to my knowledge) Mikko Hypponen, Jeffrey Carr and
>>>>>>>> Josh Thomas.
>>>>>>>>
>>>>>>>> At such a time, I am saddened by the OWASP board decision to
>>>>>>>> support RSAC by their presence. At a time when they had the
>>>>>>>> opportunity to let the world know how much they care for the
>>>>>>>> Information Security profession (esp., against weakening crypto);
>>>>>>>> and how much they care about the privacy of people (against NSA's
>>>>>>>> unabashed spying on Americans & non-Americans alike), the board
>>>>>>>> has copped out using a flimsy rationalization ("benefit of (a few)
>>>>>>>> developers", many of whom would rethink their attendance had OWASP
>>>>>>>> and more organizations not blinked!).
>>>>>>>>
>>>>>>>> I'm sure there was a heated debate. I'm sure all angles were
>>>>>>>> considered. However, this goes too deep for me to take it as
>>>>>>>> "better men than me have considered and decided". As a matter of
>>>>>>>> my personal values, if the situation doesn't change, I would no
>>>>>>>> longer wish to continue as the OWASP Chapter Lead. Please let me
>>>>>>>> know if any of you would like to take over from me. 
>>>>>>>>
>>>>>>>> I will also share my feelings with fellow chapter members at our
>>>>>>>> next chapter meeting on Jan 21st. Needless to say, no matter how
>>>>>>>> things go, I remain committed to the principles of our open and
>>>>>>>> open-source infosec community.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>
>>>>>>>> ==Sas3==
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board


