[Owasp-board] [Governance] [Owasp-leaders] NIST, the NSA and fun with crypto reviews

Martin Knobloch martin.knobloch at owasp.org
Mon Jun 1 08:05:49 UTC 2015


Christian,

There was more to the decision not to continue the free training at the RSA Conference.
Yes, there were many calls from the community not to speak at the RSA Conference due to the accusations, but there were also restrictions by the RSA Conference.

Cheers, 
-martin

  Original Message  
From: Christian Heinrich
Sent: Monday 1 June 2015 04:49
To: johanna curiel curiel
Cc: governance at lists.owasp.org; OWASP Foundation Board List
Subject: Re: [Governance] [Owasp-leaders] NIST, the NSA and fun with crypto reviews

Johanna,

"@johnwilander @sastrytumuluri @EoinKeary @_mwc The ethics of this is
complex. Punish RSA but accept DHS funding? That's a mixed message."
to quote https://twitter.com/manicode/status/419621371312734209

I also note that http://www.rsaconference.com/speakers/james-manico
was the "VP of Security Architecture, WhiteHat Security" yet presented
http://www.rsaconference.com/events/eu13/agenda/sessions/551/top-ten-proactive-software-controls
as an OWASP Project Leader which is a conflict of interest.

If OWASP votes in the negative then I would expect that
https://www.rsaconference.com/events/us15/agenda/sessions/1847/securing-the-internet-of-things-mapping-iot-attack
would be withdrawn and OWASP also cease its relationship with
http://createyournextcustomer.com/brands/black-hat/ too.


On Sun, May 31, 2015 at 7:12 PM, Christian Heinrich
<christian.heinrich at cmlh.id.au> wrote:
> Joanna,
>
> If you consider
> http://www.wsj.com/articles/chinese-university-denies-any-involvement-in-economic-espionage-1432214829
> against the University of Wisconsin then one's freedom fighter is
> another one's terrorist.
>
> I have no issue with SWAMP or
> https://www.owasp.org/index.php/Category:OWASP_Source_Code_Review_OWASP_Projects_Project
> i.e. the vendor Fortify/HP, for that matter.
>
> The core issue is that after the RSA Conference was exonerated both
> Jim and Josh (and possibly others) have continued their selective
> judgement against this conference.
>
> On Sun, May 31, 2015 at 1:53 PM, johanna curiel curiel
> <johanna.curiel at owasp.org> wrote:
>> Hi Christian
>>
>> The SWAMP is not a project from the Department of Homeland Security; this
>> initiative is funded by that organization. It is a project from the
>> University of Wisconsin.
>>
>> I'm using this to run assessments and builds to check the quality of our
>> projects; it is free and it works very well for this purpose.
>> I'm a volunteer and my major goal is to help maintain a healthy level of
>> quality and support for OWASP projects. These kinds of tools help us to
>> automate this, which is the reason for using them.
>>
>> I just hope this clarifies your point of view regarding how I use SWAMP
>> for quality assurance and testing.
>>
>> Regards
>>
>> Johanna
>>
>>
>> On Saturday, May 30, 2015, Christian Heinrich
>> <christian.heinrich at cmlh.id.au> wrote:
>>>
>>> Jim,
>>>
>>> I would like to call you out on this too
>>> https://www.owasp.org/index.php/SWAMP_OWASP since this is OWASP
>>> supporting the Department of Homeland Security :)
>>>
>>> I would like OWASP to reconsider the recent offer from the RSA Conference
>>> in view of my recent correspondence, i.e.
>>> http://lists.owasp.org/pipermail/governance/2015-May/000580.html
>>>
>>> Otherwise, it is unfair and completely biased for OWASP to support one
>>> but not the other, who has been proven beyond a reasonable doubt to be
>>> innocent.
>>>
>>> On Sun, Sep 15, 2013 at 10:28 AM, Wong Onn Chee <ocwong at usa.net> wrote:
>>> > FYI, folks.
>>> >
>>> > Best Regards
>>> > Onn Chee
>>> >
>>> > "I say all security vulnerabilities are software-based. Prove me wrong
>>> > if you dare"
>>> >
>>> >
>>> >
>>> > -------- Original Message --------
>>> > Subject: [Owasp-leaders] NIST, the NSA and fun with crypto
>>> > reviews
>>> > Date: Sat, 14 Sep 2013 19:28:01 -0400
>>> > From: Jim Manico
>>> >
>>> >
>>> >
>>> > I am personally aborting NIST standards when I can.
>>> >
>>> > From AES -> Serpent and Twofish
>>> > http://en.wikipedia.org/wiki/Serpent_(cipher) and
>>> > http://en.wikipedia.org/wiki/Twofish
>>> > From SHA -> Whirlpool
>>> > http://en.wikipedia.org/wiki/Whirlpool_(cryptography)
>>> >
>>> > And as for the NSA subverting crypto standards, take a look at our own
>>> > experience at the ESAPI for Java project.
>>> >
>>> > Back in June 2010 the NSA graciously agreed to review the crypto of the
>>> > ESAPI for Java project:
>>> >
>>> >> [Esapi-dev] NSA to perform ESAPI review
>>> >> http://lists.owasp.org/pipermail/esapi-dev/2010-June/000816.html
>>> >
>>> > They made a few suggestions to make it "stronger" but otherwise validated
>>> > our implementation.
>>> >
>>> > Now flash forward to this month.
>>> >
>>> >> [Esapi-dev] ESAPI Java and Authenticated encryption implementation
>>> >> http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html
>>> >
>>> > They did not add anything that was malicious, but Ooops! they missed
>>> > something important.
>>> >
>>> > This has been fixed, however.
>>> >
>>> >> [Esapi-dev] Crypto and the "ESAPI for Java" release 2.1.0
>>> >> http://lists.owasp.org/pipermail/esapi-dev/2013-September/002291.html
>>> >
>>> > We live in interesting times.
>>> >
>>> > Aloha,
>>> > Jim
>>> >
>>> >> FYI: From NY Times <http://j.mp/1degxpA>:
>>> >>
>>> >>> Cryptographers have long suspected that the [NSA] planted
>>> >>> vulnerabilities in a standard adopted in 2006 by the National
>>> >>> Institute of Standards and Technology and later by the International
>>> >>> Organization for Standardization, which has 163 countries as members.
>>> >>
>>> >>
>>> >> Note that I am explicitly not stating an opinion, just forwarding
>>> >> potentially related information.
>>> >>
>>> >>
>>> >> On Fri, Sep 13, 2013 at 3:02 PM, Bev Corwin wrote:
>>> >>
>>> >>> NIST seeks early adopters of draft cybersecurity framework
>>> >>>
>>> >>> http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-seeks-early-adopters-of-draft-cybersecurity-framework/menu-id-1075.html#!
>>> >>>
>>> >>> Bev
>>> >>>
>>> >
>>> > _______________________________________________
>>> > Owasp-singapore mailing list
>>> > Owasp-singapore at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-singapore
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>>
>>> http://cmlh.id.au/contact
>>> _______________________________________________
>>> Governance mailing list
>>> Governance at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/governance
>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
_______________________________________________
Governance mailing list
Governance at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/governance