[Owasp-board] Fwd: OWASP Board decision that I don't agree with

Tobias tobias.gondrom at owasp.org
Sun Jan 5 00:13:17 UTC 2014


I see. And yes, you are oversimplifying here.

We live in a world of shades of grey.
And some decisions are not trivial. However, that does not allow us to
avoid them.
As even not making a decision will implicitly be seen as a decision, too.

Maybe we should develop a framework of how OWASP should react to certain
levels.
- E.g. OWASP could decide to not spend OWASP funds on supporting
individual orgs that actively work against the OWASP mission.
- e.g. OWASP could make a public statement when we perceive that our
core principles are clearly and severely harmed.
- not actively support orgs that actively work against our OWASP core
principles.

All the best, Tobias



On 04/01/14 23:44, Jim Manico wrote:
> Tobias,
>
> The point I am trying to make is that there are very few governments,
> companies and institutions that are innocent when it comes to the
> Snowden affair and similar issues.
>
> To punish one while taking money or supporting others seems to be a very
> mixed message at best.
>
> My arguments may be a bit off base, but the point I'm trying (badly) to
> make is very relevant.
>
> - Jim
>
>
>> Jim,
>>
>> please relax and calm down a bit and take a step back. Polemic is not
>> exactly helping the discussion.
>> And your comparisons are extremely weak.
>>
>> First, there is no OWASP England conference, I assume you are referring
>> to AppSecEU 2014 in Cambridge.
>> Second, when OWASP does host a conference in a country, that does
>> obviously not automatically imply support for each local country's
>> politics, just as when we are speaking at another organisation's "marketing"
>> event / conference.
>>
>> And just because many parties may do bad things, does not in turn mean
>> that we should drop all criticism and support every one of them without
>> questioning.
>>
>> Not everything is black or white.
>> Let's calm down a bit and have a nice cocktail first before we give up
>> all hope of making the world a little better/safer. ;-)
>>
>> Aloha, Tobias
>>
>>
>>
>> On 04/01/14 23:13, Jim Manico wrote:
>>> Should we also abort the OWASP England conference because of the GCHQ's
>>> capability and constant attack on google services? Should we also abort
>>> all five of the "five eyes" countries for being a part of this? Abort
>>> all telecoms? Abort France for trying to create fraudulent certificates
>>> and getting caught? Holy cow, the list would be huge.
>>>
>>> If you really want to get politically accurate here Dennis, the list of
>>> countries, companies and associations we need to keep away from will be
>>> a VERY long list.
>>>
>>> - Jim
>>>
>>>
>>>> Even if you removed all OWASP branding, I am not sure that I agree with the
>>>> participation. They literally took money to keep us unsafe. This is
>>>> directly in contrast to the OWASP mission.
>>>>
>>>> Sent from my mobile device, apologies for the brevity and spelling errors.
>>>> On Jan 4, 2014 1:11 PM, "Eoin Keary" <eoin.keary at owasp.org> wrote:
>>>>
>>>>> Tobias, this is not correct. The original request was to OWASP,
>>>>> Sarah/Kelly can clarify.
>>>>>
>>>>> Our material is OWASP branded with no commercial reference and is not part
>>>>> of any OWASP project such as the top 10.
>>>>>
>>>>> There was no vote but the consensus was to stay away from politics after I
>>>>> mentioned Mikko's cancellation and proceed with the training.
>>>>>
>>>>> The training material is not the result of a project but our own work. The
>>>>> training material is freely available on the web donated by him and myself.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>>
>>>>> On 4 Jan 2014, at 19:01, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>
>>>>> Eoin,
>>>>>
>>>>> to be clear on a few details:
>>>>> - to my attention there was a short exchange of about 12 emails (some off
>>>>> and some on the board mailing-list).
>>>>> - there was no vote and no agreement recorded in favour of OWASP as an org
>>>>> doing this.
>>>>> - in fact, in the email exchange (unfortunately offlist, following someone
>>>>> else move the thread offlist), I clearly stated my understanding was that
>>>>> Jim and Eoin are making the decision to go to RSA as individuals. (my email
>>>>> was on Dec-29). And that therefore it was their decision whether they want
>>>>> to go there or not. And I can not recall that this was contradicted at any
>>>>> time.
>>>>>
>>>>> Best regards, Tobias
>>>>>
>>>>>
>>>>> Ps.: The branding of the material is not relevant for this. In principle
>>>>> all OWASP material can be used freely by anybody. That does not imply that
>>>>> our organisation as a whole does sanction or support any specific company.
>>>>> E.g. anyone can use the OWASP Top-10 presentation (with the OWASP
>>>>> branding) and present it at RSA or the next NSA conference for that matter.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 04/01/14 18:10, Eoin Keary wrote:
>>>>>
>>>>> Sorry Tobias,
>>>>>
>>>>> But we are delivering the training as OWASP.
>>>>> OWASP was approached by RSA.
>>>>> Our material is non commercial branded and branded with OWASP, donated by
>>>>> Jim and Myself.
>>>>>
>>>>>  There was no vote but a debate started by myself which landed firmly in
>>>>> favour of going ahead with it.
>>>>>
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>>
>>>>> On 4 Jan 2014, at 17:53, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>
>>>>>   No. There was no vote.
>>>>>
>>>>> And to be clear, my understanding was that everyone would be attending as
>>>>> individuals and not as representatives of the board or OWASP.
>>>>>
>>>>> I am not quite sure how this perception came about. But we may have to
>>>>> take clarifying action.
>>>>> If other board members would concur, I would propose to make a simple
>>>>> statement that OWASP leaders and members speaking at the RSA conference do
>>>>> so as individuals and not in their function as representatives of OWASP.
>>>>>
>>>>> Best regards, Tobias
>>>>>
>>>>>
>>>>> OWASP Global Board Member and Secretary of the Board
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 04/01/14 17:39, Tom Brennan - OWASP wrote:
>>>>>
>>>>> There was a vote ?
>>>>>
>>>>> On Jan 4, 2014, at 12:31 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>
>>>>> Many negative tweets re RSA and OWASP. (below).
>>>>> As I brought this up already, are we sure we are making the right decision
>>>>> by pushing forward with this?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>  *From:* Sastry Tumuluri <sastry.tumuluri at owasp.org>
>>>>> *Date:* 4 January 2014 16:48:50 GMT
>>>>> *To:* "Kanwal Singh (WebMentors)" <kanwalsb at gmail.com>, Ravdeep Sodhi <
>>>>> ravdeep.sodhi at ecoretechnos.com>, "Nishant Johar (EMOBX)" <nj at emobx.com>,
>>>>> Rochak Chauhan <rochak.chauhan at owasp.org>
>>>>> *Cc:* "Jim Manico (OWASP)" <jim.manico at owasp.org>, "Eoin Keary (OWASP)" <
>>>>> eoin.keary at owasp.org>
>>>>> *Subject:* *OWASP Board decision that I don't agree with*
>>>>>
>>>>>    Friends,
>>>>>
>>>>>  Please see the following full conversation on twitter:
>>>>> https://twitter.com/EoinKeary/status/419111748424454145
>>>>>
>>>>>  Eoin Keary and Jim Manico (both OWASP board members) will be
>>>>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>>>>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>>>>> to be present. Apparently, this was discussed at the OWASP board level; and
>>>>> the board has decided to go ahead, keeping in mind the benefit to the
>>>>> attending developers.
>>>>>
>>>>>  As you are aware, RSA is strongly suspected (we'll never be 100% sure,
>>>>> I'm afraid) of being complicit with NSA in enabling fatal weakening of
>>>>> crypto products. RSA has issued a sort of a denial that only deepens the
>>>>> mistrust. As a protest, many leading speakers are cancelling their talks at
>>>>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>>>>> Jeffrey Carr and Josh Thomas.
>>>>>
>>>>>  At such a time, I am saddened by the OWASP board decision to support
>>>>> RSAC by their presence. At a time when they had the opportunity to let the
>>>>> world know how much they care for the Information Security profession
>>>>> (esp., against weakening crypto); and how much they care about the privacy
>>>>> of people (against NSA's unabashed spying on Americans & non-Americans
>>>>> alike), the board has copped out using a flimsy rationalization ("benefit
>>>>> of (a few) developers", many of whom would rethink their attendance had
>>>>> OWASP and more organizations not blinked!).
>>>>>
>>>>>  I'm sure there was a heated debate. I'm sure all angles were considered.
>>>>> However, this goes too deep for me to take it as "better men than me have
>>>>> considered and decided". As a matter of my personal values, if the
>>>>> situation doesn't change, I would no longer wish to continue as the OWASP
>>>>> Chapter Lead. Please let me know if any of you would like to take over from
>>>>> me.
>>>>>
>>>>>  I will also share my feelings with fellow chapter members at our next
>>>>> chapter meeting on Jan 21st. Needless to say, no matter how things go, I
>>>>> remain committed to the principles of our open and open-source infosec
>>>>> community.
>>>>>
>>>>>  Best regards,
>>>>>
>>>>>  ==Sas3==
>>>>>
>>>>>   _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
