[Owasp-board] [Owasp-leaders] OWASP Board decision that I don't agree with

Michael Coates michael.coates at owasp.org
Wed Jan 15 12:47:49 UTC 2014


"What I didn't realize at the time was that OWASP email addresses are
reserved for chapter/project leaders, which meant that most OWASP members
were not able to vote :("

OWASP email addresses are not reserved for chapter/project leaders, they
are available to all OWASP members.
https://www.owasp.org/index.php/Individual_Member
https://www.owasp.org/index.php/Owasp.org_email_address

However, if people are having trouble getting the email address then that's
something we can look into.

--
Michael Coates
@_mwc

On Wed, Jan 15, 2014 at 4:35 AM, psiinon <psiinon at gmail.com> wrote:

> I've just closed the poll "Should OWASP give developer training at RSA?".
> It was somewhat overtaken by events, but I still think it was useful.
>
> A couple of points to note:
>
> The stats I've published on https://www.owasp.org/index.php/Polls are
> different to those on the Google Poll summary.
> This is because I've removed duplicate votes - unfortunately Google Polls
> don't prevent duplicate votes and the summary isn't updated if you remove the
> duplicates. Please let me know if I've made a mistake anywhere. FYI I just
> counted individuals' latest votes.
>
> While I think the poll was useful it has shown up some significant
> disadvantages of using Google Polls for this sort of thing.
> We have to make the polls either open to everyone or restricted to those
> people with OWASP email accounts.
> I didn't want to do the former as I thought it was important to find out
> what OWASP members thought, not the internet as a whole.
> What I didn't realize at the time was that OWASP email addresses are
> reserved for chapter/project leaders, which meant that most OWASP members
> were not able to vote :(
> Sorry about that.
>
> I'm going to let the other poll run its course, but I'm not planning on
> starting any new polls using Google Polls as I think they don't give us what
> we need.
> Hopefully we'll have a better solution before too long that will allow us
> to easily canvas the opinions of all OWASP members - I think that's
> something that will be very beneficial to the organization.
>
> Simon
>
>
> On Thu, Jan 9, 2014 at 5:15 PM, Dirk Wetter <dirk at owasp.org> wrote:
>
>> On 01/05/2014 12:47 PM, Rory McCune wrote:
>> > Hi all,
>> >
>> > Long thread is long.  I'd make a couple of points on this.
>> >
>> > 1. I'm not sure I'd say that RSA completely denies what's been said; to
>> > me their statement was written very "carefully", not to deny that the NSA
>> > paid them $10 million to make Dual_EC_DRBG the default RNG in BSAFE.  All
>> > you need for RSA's statement to be true and the allegations to be true is
>> > that they didn't have the "intention" of weakening their product, i.e.
>> > they did take the money, they did set the default algorithm, but it
>> > wasn't their intention to weaken their security.
>> >
>> > If they had wanted to deny the allegations they could just have said
>> > "the NSA did not pay us $10 million to make that the default RNG", which
>> > would have been clear and unambiguous; the fact they didn't makes a
>> > reasonably strong implication that they did.
>>
>> Thanks for this point. One should definitely read those statements very
>> carefully. Another example pops up in my head, but that's too far off to
>> mention here. Completely denying would also sound different to me. The term
>> INTENTION is not appropriate, at least the way it's being used.
>>
>> But the response from RSA in September 2013 is also remarkable: "RSA
>> determined it appropriate to issue an advisory to all our RSA BSAFE [..]
>> customers recommending they choose one of the different cryptographic
>> Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit".
>> Acknowledged it's broken, but all RSA does is a recommendation -- what?
>>
>> To keep in mind: the crypto community has known for a long time that
>> Dual_EC_DRBG is broken! Read this from almighty Bruce ;-) in 2007:
>> https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
>> "But today there's an even bigger stink brewing around Dual_EC_DRBG. In
>> an informal presentation (.pdf) at the CRYPTO 2007 conference in August,
>> Dan Shumow and Niels Ferguson showed that the algorithm contains a
>> weakness that can only be described as a backdoor." That was no reason
>> for BSAFE after that to ship Dual_EC_DRBG other than .... you do the math.
>>
>>
>> Cheers,
>>
>> Dirk
>>
>> >
>> > 2. A point from earlier in the thread that not attending would only be
>> > noticed in the Infosec community.  Not sure that's the case. Definitely on
>> > developer heavy sites like news.ycombinator.com the NSA/RSA/Snowden piece
>> > has been heavily played, and indeed last night when this thread kicked off
>> > Errata Security's piece on boycotting RSA was the top post on the site.
>> >
>> > 3. An alternative to training at RSA that's been mentioned a couple of
>> > times, i.e. doing it at a different venue, seems plausible.  Would it maybe
>> > be possible to do it at B-Sides SF, which happens at the same time?
>> >
>> > 4. A good point earlier about the DHS grants.  If we're happy with
>> that, then it seems tricky to say that we're not happy with this.
>> >
>> > Cheers
>> >
>> > Rory
>> >
>> >
>> > On Sun, Jan 5, 2014 at 8:45 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> >
>> >     By the way everyone, RSA completely denies these allegations.
>> >
>> >     …“we also categorically state that we have never entered into any
>> > contract or engaged in any project with the intention of weakening RSA’s
>> > products, or introducing potential ‘backdoors’ into our products for
>> > anyone’s use.” - https://blogs.rsa.com/news-media-2/rsa-response/
>> >
>> >     It’s tough to know who to trust these days, but I do want to put
>> > RSA’s official comment on the table for consideration.
>> >
>> >     Cheers,
>> >
>> >     -          Jim
>> >
>> >     *From:*Josh Sokol [mailto:josh.sokol at owasp.org]
>> >     *Sent:* Saturday, January 04, 2014 5:04 PM
>> >     *To:* Eoin Keary
>> >     *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant
>> Johar (EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP Leaders
>> >     *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision
>> that I don't agree with
>> >
>> >
>> >
>> >     My apologies for the delay in responding to this.  I've been on the
>> road all day today and will be slow to respond tomorrow as well.
>> >
>> >     First off, let me admit that while my term hadn't officially begun
>> yet, I am one of the Board members who encouraged Jim and Eoin to move
>> forward with the training.  My rationale for this was simple: OWASP's
>> mission is to make software security visible, so that individuals and
>> organizations worldwide can make informed decisions about true software
>> security risks.  The core of this statement being VISIBILITY.  We need to
>> find and take advantage of as many ways as possible to raise the visibility
>> of security risks.  Our mission says nothing about making political
>> statements.  It says nothing about ethical business practices.  Our mission
>> can certainly be amended to reflect other imperatives, if so desired by our
>> membership, but until that day we need to prevent mission scope creep.
>> >
>> >     Now, since our mission is making software security visible, we
>> simply have to ask ourselves if we better serve this mission by:
>> >
>> >     1) Performing a free training at a major conference, thereby
>> increasing our exposure to people who haven't heard of OWASP before and
>> enlightening them to software security risks that they likely were not
>> aware of before.
>> >
>> >     2) Taking a stance against a company where some evidence may imply
>> that they took a bribe to sacrifice security in one of their products.
>> >
>> >     Let me be clear on #2.  I don't agree that what RSA did is right,
>> if it is true.  In fact, I have made the explicit decision to not do
>> business with RSA in my day job because there are many other options out
>> there and it's just not worth the risk.  But my passive decision to not
>> purchase from RSA is very different from OWASP reneging on our agreement
>> and making a public statement about their ethics.
>> >
>> >     So, given these two options, my gut is that OWASP's mission will be
>> best served by #1.  It doesn't mean that we're supporting RSA.  It doesn't
>> mean that we agree with unethical business practices.  It just means that
>> we are doing the best we can to make application security visible.  If that
>> means piggy-backing on the massive marketing effort they put into the
>> conference or the infrastructure that supports it, I'm ok with that.  I
>> understand that others may object to this on ethical grounds, and that's
>> fine, but as a non-profit organization, we have a mandate to stay true to
>> our mission, not to speak out against whatever the latest security headline
>> is.
>> >
>> >     I do have one question about this training for clarification.  The
>> training is FREE for anyone who would like to attend and not just for RSA
>> attendees, correct?  My assumption is the former, but if the latter, this
>> changes things significantly in my opinion.
>> >
>> >     ~josh
>> >
>> >
>> >
>> >     On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> >
>> >         Good point.
>> >         Bottom line is we want people to build secure code. Delivering
>> this message under the same roof as RSA does not dilute the quality of the
>> class delivered.
>> >         There is no black and white, only shades of grey :)
>> >
>> >
>> >
>> >         Eoin Keary
>> >         Owasp Global Board
>> >         +353 87 977 2988
>> >
>> >         On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>> >
>> >         > Another issue that is tangential.
>> >         >
>> >         > We are applying for several big money DHS grants. These help
>> keep the foundation running.
>> >         >
>> >         > Should we reject all of these grants because of the Snowden
>> affair? If we abort RSA but continue to take DHS money, then we send a
>> mixed message.
>> >         >
>> >         > Aloha,
>> >         > Jim
>> >         >
>> >         >> I strongly support Sastry on this one.
>> >         >>
>> >         >> You might be participating as individuals, but people see
>> you guys as the OWASP Board, and that’s something that many of us don’t
>> like to be the image of OWASP.
>> >         >>
>> >         >> Thanks
>> >         >> -Abbas
>> >         >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>> >         >>
>> >         >>> To be clear, there was no recorded vote on this but a
>> debate.
>> >         >>>
>> >         >>> I started the debate after reading about Mikko. (Even
>> though I was delivering the training with Jim and it is my material).
>> >         >>>
>> >         >>> The majority of board of OWASP feels getting involved in
>> politics is wrong and wanted to push ahead with the training.
>> >         >>>
>> >         >>> So if feelings are strong we need to vote on this ASAP? as
>> leaders of OWASP. A formal board vote? Executive decision from Sarah, our
>> executive director.
>> >         >>>
>> >         >>>
>> >         >>>
>> >         >>> Eoin Keary
>> >         >>> Owasp Global Board
>> >         >>> +353 87 977 2988
>> >         >>>
>> >         >>>
>> >         >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org> wrote:
>> >         >>>
>> >         >>>> Friends,
>> >         >>>>
>> >         >>>> Please see the following full conversation on twitter:
>> >         >>>> https://twitter.com/EoinKeary/status/419111748424454145
>> >         >>>>
>> >         >>>> Eoin Keary and Jim Manico (both OWASP board members) will
>> be presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>> to be present. Apparently, this was discussed at the OWASP board level; and
>> the board has decided to go ahead, keeping in mind the benefit to the
>> attending developers.
>> >         >>>>
>> >         >>>> As you are aware, RSA is strongly suspected (we'll never
>> be 100% sure, I'm afraid) of being complicit with NSA in enabling fatal
>> weakening of crypto products. RSA has issued a sort of a denial that only
>> deepens the mistrust. As a protest, many leading speakers are cancelling
>> their talks at the upcoming RSAC 2014. Among them are (to my knowledge)
>> Mikko Hypponen, Jeffrey Carr and Josh Thomas.
>> >         >>>>
>> >         >>>> At such a time, I am saddened by the OWASP board decision
>> to support RSAC by their presence. At a time when they had the opportunity
>> to let the world know how much they care for the Information Security
>> profession (esp., against weakening crypto); and how much they care about
>> the privacy of people (against NSA's unabashed spying on Americans &
>> non-Americans alike), the board has copped out using a flimsy
>> rationalization ("benefit of (a few) developers", many of whom would rethink
>> their attendance had OWASP and more organizations not blinked!).
>> >         >>>>
>> >         >>>> I'm sure there was a heated debate. I'm sure all angles
>> were considered. However, this goes too deep for me to take it as "better
>> men than me have considered and decided". As a matter of my personal
>> values, if the situation doesn't change, I would no longer wish to continue
>> as the OWASP Chapter Lead. Please let me know if any of you would like to
>> take over from me.
>> >         >>>>
>> >         >>>> I will also share my feelings with fellow chapter members
>> at our next chapter meeting on Jan 21st. Needless to say, no matter how
>> things go, I remain committed to the principles of our open and open-source
>> infosec community.
>> >         >>>>
>> >         >>>> Best regards,
>> >         >>>>
>> >         >>>> ==Sas3==
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>