[Owasp-board] Vote Request - OWASP Participation at RSA (Update)

Tom Brennan tomb at owasp.org
Wed Jan 8 14:06:15 UTC 2014


I love the community poll -- disappointed that the "vote" has already
happened.

On Wed, Jan 8, 2014 at 9:03 AM, psiinon <psiinon at gmail.com> wrote:
> Current proposed close date is Jan 14, which I put on
> https://www.owasp.org/index.php/Polls ;)
> I also put that you have to have an OWASP email account to vote, but I'm
> still getting a load of requests to share the poll.
> *sigh* ;)
>
> Simon
>
>
> On Wed, Jan 8, 2014 at 1:57 PM, Tom Brennan <tomb at owasp.org> wrote:
>>
>> Simon,
>>
>> When does this public community vote close?
>>
>>
>> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AmN7t2D5ENBddFhrNGw2d29wdDhJeUo2VWR5OEtINkE#gid=0
>>
>>
>>
>>
>>
>> On Tue, Jan 7, 2014 at 5:16 PM, Michael Coates <michael.coates at owasp.org>
>> wrote:
>> > Tobias & Board,
>> >
>> > Here are the updated votes.
>> > We have 3 YES votes, 1 NO vote, 2 abstain and Fabio's vote is unclear.
>> >
>> > This vote has quorum 6 of 7 board members vote recorded (Fabio's vote
>> > pending) and a majority of the votes (3 of 5) voted in favor of the
>> > measure.
>> > Unless there are any other comments we should move forward with this
>> > finalized vote. Tobias, as Secretary any further comments on this vote?
>> > Can
>> > you record the results?
>> >
>> >
>> > Vote Proposal:
>> >
>> > OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
>> > This may place our training at risk, but if permitted we will still
>> > provide
>> > the free training at RSA and the OWASP speaking slot.
>> >
>> > Vote Results:
>> >
>> > Michael - Yes
>> > Tom - No
>> > Tobias - Yes
>> > Fabio - clarification needed*
>> >
>> > Josh - Yes
>> > Jim - abstain
>> > Eoin - abstain
>> >
>> >
>> > From Fabio's email:
>> > "But for the time being, my decision stands to go ahead as planned." I'd
>> > interpret this as a NO to the proposal, but no vote has been recorded
>> > until
>> > Fabio clarifies.
>> >
>> >
>> > --
>> > Michael Coates
>> > @_mwc
>> >
>> >
>> >
>> > On Tue, Jan 7, 2014 at 10:33 AM, Michael Coates
>> > <michael.coates at owasp.org>
>> > wrote:
>> >>
>> >> Board,
>> >>
>> >> Here is the current status of the vote:
>> >>
>> >> Michael - Yes
>> >> Tom - No vote cast or opinion stated
>> >> Tobias - Yes
>> >> Fabio - clarification needed
>> >> Josh - Yes
>> >> Jim - abstain
>> >> Eoin - abstain
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Michael Coates
>> >> @_mwc
>> >>
>> >>
>> >>
>> >> On Tue, Jan 7, 2014 at 8:32 AM, Michael Coates
>> >> <michael.coates at owasp.org>
>> >> wrote:
>> >>>
>> >>> Fabio,
>> >>>
>> >>> Thanks for your thoughts and reading through the thread of discussion.
>> >>>
>> >>> Can you clarify your position in regards to the proposed vote? In
>> >>> addition to whether or not OWASP provides the free training there is
>> >>> also
>> >>> the element of co-marketing with RSA. Sarah provided all the details
>> >>> here
>> >>>
>> >>> (http://lists.owasp.org/pipermail/owasp-board/2014-January/012876.html)
>> >>>
>> >>> The proposed vote is to cancel the co-marketing contract and, if
>> >>> possible, still provide the free training. This specifically means
>> >>> OWASP
>> >>> would be at RSA; however, we would not be engaging in any promotion of
>> >>> the
>> >>> event per the contract outlined in Sarah's email.
>> >>>
>> >>> Here is the exact wording proposed:
>> >>>
>> >>>
>> >>> OWASP will terminate the co-marketing agreement with RSA for RSA 2014.
>> >>> This may place our training at risk, but if permitted we will still
>> >>> provide the free training at RSA and the OWASP speaking slot.
>> >>>
>> >>>
>> >>>
>> >>> Thanks,
>> >>> Michael
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On Tue, Jan 7, 2014 at 6:23 AM, Fabio Cerullo <fcerullo at owasp.org>
>> >>> wrote:
>> >>>>
>> >>>> Hey guys
>> >>>>
>> >>>> Apologies for the silence in the last couple of days. It took me a
>> >>>> while to read the whole thread and review external sources as well
>> >>>> while on the road.
>> >>>>
>> >>>> As Eoin's just stated below, we need to take an 'in or out' decision.
>> >>>>
>> >>>> Cancelling the contract but maybe delivering training is not an
>> >>>> option.
>> >>>>
>> >>>> To his question "Are we to support RSAC this year given the
>> >>>> allegations?"
>> >>>>
>> >>>> I would personally vote YES. My reasoning is as follows:
>> >>>>
>> >>>> - There is no concrete evidence about the allegations of a payout.
>> >>>> - RSA is firmly refuting any accusations.
>> >>>> - I still believe in the premise: "Innocent until proven guilty"
>> >>>>
>> >>>> I'm also monitoring the poll created by Simon to get a feel of the
>> >>>> Community and there is no clear distinction between one opinion or
>> >>>> the
>> >>>> other. If the Community strongly believes we should pull out, and as
>> >>>> a
>> >>>> matter of principles, I might be inclined to change my decision and
>> >>>> vote NO
>> >>>> instead. But for the time being, my decision stands to go ahead as
>> >>>> planned.
>> >>>>
>> >>>> In any case, if we (OWASP) are dropping our support and making an
>> >>>> official statement about 'weakening crypto in products is bad' I would
>> >>>> highly recommend for this document to be reviewed by a solicitor or
>> >>>> qualified professional before making it public. I don't feel it is
>> >>>> OWASP's position to accuse companies of any wrongdoings based on news
>> >>>> articles or blog posts.
>> >>>>
>> >>>> Regards
>> >>>> Fabio
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Tuesday, January 7, 2014, Eoin wrote:
>> >>>>>
>> >>>>> I am not voting but the topic that is up for vote is wrong in my
>> >>>>> opinion.
>> >>>>>
>> >>>>> Some media, people in general will see OWASP participation in RSA as
>> >>>>> negative, hence the debate.
>> >>>>> Cancelling a contract does not really cut it. It's "window dressing."
>> >>>>>
>> >>>>> Either we (OWASP) are engaging with RSAC or not, it's that simple.
>> >>>>>
>> >>>>> Delivering anything at RSAC shall be interpreted as a sign of
>> >>>>> support,
>> >>>>> this is the root cause of the debate: Are we to support RSAC this
>> >>>>> year given
>> >>>>> the allegations? (contract is circumstantial).
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On 7 January 2014 00:42, Tobias <tobias.gondrom at owasp.org> wrote:
>> >>>>>
>> >>>>> My vote is: Yes. OWASP shall terminate the co-marketing agreement
>> >>>>> with
>> >>>>> RSA for RSA 2014.
>> >>>>>
>> >>>>> My reasons are:
>> >>>>>
>> >>>>> 1. community feedback and discussion (there seems to be a
>> >>>>> significant
>> >>>>> part of the community concerned about this) Note: I would have loved
>> >>>>> to see
>> >>>>> an OWASP community poll on this before making this decision to get a
>> >>>>> better
>> >>>>> feel for the wishes of our community, but acknowledge Michael's
>> >>>>> request that
>> >>>>> we need to decide this urgently.
>> >>>>>
>> >>>>> 2. we have an alternative (as outlined in Sarah's email, BSides)
>> >>>>> that
>> >>>>> can fulfil the goal equally.
>> >>>>>
>> >>>>> 3. I understand that there is a lot of uncertainty about RSA's level
>> >>>>> of
>> >>>>> involvement. And I don't feel in a position to make a final
>> >>>>> judgement about
>> >>>>> this. And as often with secrecy, we possibly never will be.
>> >>>>> But in this case we don't have to have final judgement. The
>> >>>>> co-marketing agreement is quite extensive and could be seen as
>> >>>>> active
>> >>>>> endorsement. To follow such an agreement we would need to have a
>> >>>>> very high
>> >>>>> level of confidence and trust in the other party. So already a
>> >>>>> reasonable
>> >>>>> shadow of doubt is sufficient grounds, to distance OWASP in this
>> >>>>> case from a
>> >>>>> very active co-marketing agreement with the company RSA, to avoid
>> >>>>> being
>> >>>>> interpreted as an active endorsement of a commercial entity
>> >>>>> currently under
>> >>>>> review. And we should abstain from actively endorsing RSA for the
>> >>>>> time
>> >>>>> being, until all facts of the case have been properly examined
>> >>>>> (note: not by
>> >>>>> us, as we are not an investigative body).
>> >>>>>
>> >>>>> In addition to that:
>> >>>>> I propose that OWASP should prepare and release a press release or
>> >>>>> public statement that OWASP thinks weakening or undermining crypto
>> >>>>> is a
>> >>>>> really bad idea. (I will be happy to assist with the preparation of
>> >>>>> the
>> >>>>> text.) This press release shall advocate our general OWASP
>> >>>>> principles and
>> >>>>> shall _not_ mention RSA, the RSA conference or any other company by
>> >>>>> name.
>> >>>>> (personal note: btw. RSA should have no problem with such a press
>> >>>>> release,
>> >>>>> as they officially deny any such activities...)
>> >>>>>
>> >>>>> All the best, Tobias
>> >>>>>
>> >>>>>
>> >>>>> Tobias Gondrom
>> >>>>> Owasp Global Board
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On 06/01/14 23:51, Michael Coates wrote:
>> >>>>>
>> >>>>> "OWASP will terminate the co-marketing agreement with RSA for RSA
>> >>>>> 2014.
>> >>>>> This may place our training at risk, but if permitted we will still
>> >>>>> provide the free training at RSA and the OWASP speaking slot."
>> >>>>>
>> >>>>> Michael - Yes
>> >>>>> Tom -
>> >>>>> Tobias -
>> >>>>> Fabio -
>> >>>>> Josh - Yes
>> >>>>> Jim - abstain
>> >>>>> Eoin - abstain
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Michael Coates
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Mon, Jan 6, 2014 at 3:47 PM, Eoin Keary <eoin.keary at owasp.org>
>> >>>>> wrote:
>> >>>>>
>> >>>>> Same here, I can't vote, I believe as the class delivery and
>> >>>>> material
>> >>>>> is mine and it would be a conflict.
>> >>>>> I would be a "no" if I could.
>> >>>>>
>> >>>>> Not sure why participation in an event requires a vote given other
>> >>>>> events did not require such....
>> >>>>>
>> >>>>> My view is based on
>> >>>>>
>> >>>>> 1.
>> >>>>>
>> >>>>> --
>> >>>>> Eoin Keary
>> >>>>> OWASP Member
>> >>>>> https://twitter.com/EoinKeary
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>
>> >
>
>
>
>
> --
> OWASP ZAP Project leader

