[Owasp-board] Josh & Christian - Conference Call

Josh Sokol josh.sokol at owasp.org
Thu Jan 16 06:06:02 UTC 2014


Yes, the Board has not voted yet on your reinstatement.  Voting is reserved
for the Board meetings so that we have ample time to research and make
informed decisions.  Exceptions have been made where an urgent decision is
needed, but I don't see that as the case here.  We are trying to coordinate
schedules for next month.  It is nontrivial to get seven people from six
timezones together for a three hour meeting.  This isn't a reflection on
you or an attempt to stall.  It is due process.  We will request that Sarah
put a vote for your reinstatement on the agenda for our next meeting.

In terms of the suspension not being defined in the Bylaws, I believe
you're probably right, but also that it's largely irrelevant.  The Bylaws
are the defined process in handling known situations.  Things like how to
handle the situation where a Board member resigns.  I'm guessing that when
they were drafted, nobody ever expected to need a section on suspension of
a member.  The act of your suspension should have been based on a vote of
the Board.  The act of changing the Bylaws should have been a separate
vote.  My understanding is that the rule was written because of your
situation in order to define policy going forward.  It was not applied to
you.  If you believe that this is not the case then I can check the Board
records for that vote and see.

I'm not sure why you're fixated on overturning the result of the Google
Hacking Inquiry.  When I look at it, it came out largely in your favor.
The only thing I saw in there was that they said that they could not find
that the source code had been made public.  Are you contending that it
was?  The conclusion was something like a 3 month suspension for that.  I'm
admittedly very foggy on what transpired after that to cause your
membership to be revoked completely.  I'd welcome your thoughts on that.
In any case, those results seemed really minor to me.

You are absolutely right that I made an assumption about what you wanted.
For that, I am sorry.  I felt that I was in a better position than most of
the others to hear you out on this since I am completely unfamiliar with
any of this.  You have already stated your thoughts about Michael, Tom,
Eoin, and Jim.  I'm not sure how you could expect them to remain unbiased
after you said those things.

I am actually a bit insulted that you thought I would just parrot your
words for you.  My offer to help you was based on a desire to hear your
concerns and bring to light some of the things you are blowing the whistle
on.  I came into this with no biases, but each time you direct your anger
at me, belittle me, or contradict a previous statement, I begin to
formulate my own opinions.  Please keep that in mind as you speak to me
going forward.  While we may have had a misunderstanding, I have shown you
nothing but respect and compassion and I expect the same in return if you
would like my assistance.

You are absolutely right that the OWASP Board is not an independent
arbitrator.  My obligation, first and foremost, as a Board member, is to
serve the Foundation.  I never claimed anything different.  But I do
believe that it is in the Foundation's best interest to hear you out on
this.  To be an unbiased opinion and study the facts as presented to me.  I
can be fair and unbiased without being independent.  To be completely
honest, and I think they'd admit it outright, I'm not sure the old Board
members can say the same thing.  That said, I can't blame them as it seems
you've made a number of personal attacks against them.  This is why I asked
for them to hold on your request for a vote so I could create a special
committee to look into your situation.   I'm fairly confident that if you
push for a "decide now" that the answer will be "No".  Though, you seem
like a very smart guy and I'm guessing that you're expecting that.  I'm not
going to force help upon someone if they don't want it, but if your goal is
really to be heard by people willing to listen and with the power to affect
change, then me, Tobias, and Fabio are your best bet right now.

My statement about a public call was not a joke.  It was based on your
request that this discussion be held in the light.  I can't speak for how
the Board has done things in the past, but unless you specifically desire
to have the discussions private, then I believe they shouldn't be.  My
actions as a Board member should be performed in full view of the members
who elected me.  Because of this, I have waived my right to privacy on this
matter as well.  There is no ulterior motive, only a desire for

I will investigate with Michael and Sarah why your records were not made
public.   If you requested it, then it should have been so.

This isn't about what I want.  I want to help you.  I want to listen to
what you have to say, internalize, and then take appropriate action.  Not
knowing what you have to say, I can't really say what action is appropriate.

You said that you have already highlighted how I have damaged you several
times now and how this was totally avoidable.  If anything I'd say we
had a misunderstanding.  I've apologized and told you that it was
unintended and I meant no harm.  Hopefully you can accept my apology and we
can move forward with this.

So where does this leave us?  I'm honestly not sure.  If a simple
misunderstanding of your desires can leave you damaged by me, I'm concerned
about our relationship going forward.  I realize that it may be asking a
lot for you to trust someone that you don't know, but that's exactly what
I'm doing with you.  I trust that you and I can have a civilized
conversation about all this and I trust that you will see my desire to help
and will have some amount of patience working with me.  So, what is your
proposal to proceed?  Do we work together on this?  Do we start with your
five questions or something else?  Are you ok with staying a Board decision
to allow us time to truly investigate your concerns or do you want to push
a vote and get it done with based on the information currently
available?    Do you want this to be an open process so that others are
free to witness it and draw their own conclusions?   And, probably the most
important question, what is the end result here that would make you happy?

 On Jan 15, 2014 10:28 PM, "Christian Heinrich" <
christian.heinrich at cmlh.id.au> wrote:

> Josh,
> I see the questions related to the voting undertaken by the OWASP
> Board about my termination have still not been addressed, neither has my
> membership been reinstated.
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > While I know that rehashing negative old memories brings up new negative
> > emotions, I'm not sure that it is possible for us to come to a rational
> > conclusion on this without doing so.  I can promise you that Tobias and I
> > will look into each and every point you make here.  I can promise that we
> > will be fair and objective.  I can promise that we will take into
> > consideration your side of all of this in making any decisions.  And I
> can
> > push for the Board to hold on any vote due to potential biases until
> Tobias,
> > myself, and any unbiased others can come to a conclusion on this matter.
>  I
> > would like to do this in the open, as you suggest in this e-mail, so that
> > there is no questioning of the desires or motivations behind this.  If
> your
> > desire, as you stated, is to rewrite the Google Hacking Inquiry, I don't
> > think that I can promise this.
> I highly doubt the validity of your statement related to  the Google
> Hacking Inquiry i.e.
> Aspect Security suspended me so he could assume leadership of the ASVS
> project as correlated to these events on 27 September i.e.
> http://blog.alexisfitzg.com/2010/09/owasp-asvs-level-0-no-verification.html
> vs
> http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2010-September/000274.html
> The Google Hacking Inquiry was completed on 9 September i.e.
> http://lists.owasp.org/pipermail/owasp-board/2010-September/009036.html,
> odd that Aspect Security would allow almost twenty days to lapse.
> Furthermore, the act of suspension was never defined as an OWASP By-Law.
> I would like to highlight that Michael Coates allowed Jeff Williams to
> put his version of events in the OWASP Board Meeting Minutes related
> to OWASP Top Ten 2013.
> Please let me know why the actual "truth" is not applicable to the
> Google Hacking Inquiry in light of the above?
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Taking the above actions will no doubt involve substantial time and
> effort
> > on our part.  It will also require you to aide us along this path and
> speak
> > with us, candidly, about your thoughts, feelings, and motivations.  I've
> > already tried to kick start this once and was met with your sentiment
> that I
> > was destroying your quality of life by doing so.  I apologized and
> withdrew
> > my request for the Board to hold on the vote to allow us to speak with
> you
> > on the matter.  Now you are coming back saying that:
> No, you made an assumption about what you think I might want.
> I was intending to speak to only you who would then repeat me like a
> parrot (because I already knew what could go wrong if you ad-lib like
> Jim Manico who had already made the exact same mistake you have made
> when he spammed the leaders list without my authorisation or knowledge
> and where I could neither defend myself (since I am not a member of
> the Leaders List).
> Apparently the Google Hacking Project is a "few hours work" but Dinis
> Cruz wasted infinite OWASP resources on it and then the additional
> unneeded politics and clarifications I have to issue on it at least
> once a month now.
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > "I accept the offer of a conference call with both yourself and Josh,
> > together or separate, and extend my availability for multiple conference
> > calls.  Therefore, please schedule these conference call as soon as
> > possible."
> Yes, I restated this request twice.  The negotiation that could have
> taken place was overtaken with your recommendation to the OWASP Board
> (without my prior consultation)
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I want to help you Christian, but can't do so if you change your mind or
> > blame us for destroying your quality of life by engaging you.  Thus, I
> ask
> > you, are you sure, given all of the above, that you would like for
> myself,
> > Tobias, and other neutral parties, to involve ourselves in this affair in
> > order to address the questions which you specifically laid out in your
> last
> > communication?
> OWASP destroyed my life when Dinis Cruz published inaccurate,
> unsubstantiated and libellous comment without any regard for due process
> or natural justice to the OWASP Leaders List about the Google Hacking
> Project when he had met me in HITB Amsterdam and I was clearly
> distressed and fully compliant with the demands made by the OWASP Board
> (when members such as Tom Brennan were in relation to the OWASP PCI
> Project)  where I clearly stated "I do not want my innocence proven as
> it will come at too high a personal cost" and I offered to resign from
> The OWASP Board are not an independent arbitrator.
> Understand, there is nothing that the OWASP Board can do to harm my
> career and quality of life because these have been destroyed, neither
> can I leave Australia to restart my career like Andrew van der Stock
> because the international community is under the false impression that
> I am "difficult to work with" due to the OWASP Google Hacking Project.
> I was considered one of the top five security professionals here in
> Australia prior to joining OWASP.  As you see within
> https://twitter.com/cmlh_/status/29136860850  you can work out from
> this tweet who was behind the Google Hacking Inquiry and that
> https://twitter.com/cmlh_ described me as industry "legend"
> For the record, and since Dinis Cruz claimed I pissed people off in
> Australia which has been disputed by both Justin Derry and Andrew van
> der Stock, both https://twitter.com/AISA_MAN and
> https://twitter.com/AISA_MAN are the fake twitter accounts against
> @ChrisGatford.  There are several more but as
> http://cmlh.id.au/post/58775224768/microserfz-doxed demonstrates he
> tends to destroy evidence or fabricate evidence i.e.
> http://www.theaustralian.com.au/technology/queensland-police-file-still-open-on-smh-hack-story/story-e6frgakx-1226322314514
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>  > 1. The wiki page is dated from 14 February 2012 i.e.
> >
> https://www.owasp.org/index.php?title=Membership_Revocation&action=history
> > which more than a month after my membership was revoked and therefore
> > much like law how can this be applied retrospectively?
> >
> > 2. If the OWASP Board would like to continue with this action
> > then I would like to bring to your attention the "No Retaliation"
> section of
> > https://www.owasp.org/index.php/Governance/Whistleblower_Policy and
> > therefore declare my termination invalid and unjust since having my
> > "membership [be] taken into consideration by the BoD under Article
> > 4.0.3 of the OWASP Bylaws." as quoted from
> > http://lists.owasp.org/pipermail/owasp-leaders/2012-January/006624.html
> > is simply retaliation undertaken by Chris Schmidt?
> >
> > 3. Furthermore, the OWASP Board deliberately made no attempt to inform
> > me of this Agenda Item and neither was I informed until many days
> > later when I could no longer sign into Google Apps for @owasp.org?
> > The circumstances of this termination action have been requested
> > numerous times, most recently in October 2013 i.e.
> > http://lists.owasp.org/pipermail/owasp-board/2013-October/012398.html
> > and I have still not been provided with this artifact.
> >
> > 4. 4.0.3 was not a ratified bylaw and this agenda item at the OWASP
> > Board Meeting appears to be discussed at the eleventh hour and last
> > minute based on the timestamp of 10 January 2012 at 11:55 i.e.
> > https://www.owasp.org/index.php?title=January_9,_2012&oldid=122606
> > which is well past the Board Meeting date held 9 January 2012?  I
> > would welcome the OWASP Board provide the recording which disputes
> > this and if not why is the case?
> >
> > 5. From the 14 February 2012 and onwards the OWASP Board made no
> > attempt to inform me what
> > https://www.owasp.org/index.php?title=Membership_Revocation the
> > objective measure is for "pending approval by the board" the inception
> > of this wiki page (14 February).  Therefore can the OWASP Board
> > indicate how their vote is not subjective and biased?
> Requesting that I have to agree to a biased process first for the OWASP
> Board to address these questions indicates that the OWASP Board are
> unfair, biased and are not intending to follow due process.
> I learnt this lesson when I released my source code from the Google
> Hacking Project against my own judgement as the Project Leader which
> allowed Chris Gatford and Jody Melbourne to create further attacks.
> Do let me know when Trey Ford is releasing the deliverables for the
> OWASP PCI Project?
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > If your answer is yes, you would like us to proceed, then I will once
> again
> > work with you and Tobias to schedule a call in order to discuss, and will
> > gladly open the call up to the community for review.  Since there were
> > concerns previously about your privacy in this matter, to the extent of
> > using your membership number and not your name in the public
> documentation,
> > I'd also like for you to acknowledge your waiver of any right to privacy,
> > being that you've requested this discussion be held in a public forum.
>  If
> > we can agree that:
> Is this a joke?
> You want to release a subjective conference call so that the OWASP
> Board can claim it was supported in its decision to decline my
> membership based on subjective judgement from the community where I
> can't defend myself?  I would suggest you review what happened when
> Jim Manico attempted this (poorly) because it is something else being
> judged by people who you have never met.
> There was never a claim to privacy and I have stated several times
> before for Michael Coates and Sarah Baso to release the full
> documentation related to my termination.  This is simply their cover
> and diversion as I won the appeal of my termination.
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > 1) You would like for me to proceed with holding a vote in order to
> discuss
> > with you AND
> > 2) You waive any right to privacy on this matter so that it can be held
> in a
> > public forum
> You can do whatever you want Josh.
> On Thu, Jan 16, 2014 at 2:07 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > I will gladly work to proceed on your behalf.  The caveat is that if you
> > again state that I am somehow harming you by trying to help you, my offer
> > will be rescinded, and the Board will vote based on the information
> > currently available.  Are we agreed?
> I have already highlighted how you have damaged me several times now and
> how this was totally avoidable.
> I would be interested to know how the Google Hacking Inquiry helped me
> or OWASP for that matter?  There is your answer.
> Please reinstate my membership today and @owasp.org e-mail address?
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact