[Owasp-board] My input on our response to CH

Jim Manico jim.manico at owasp.org
Fri Sep 4 21:52:37 UTC 2015


> It would be helpful to have specific criteria for banning given our
> open policy.

I hear you Noreen.

The current anti-harassment policy is here. 
https://www.owasp.org/index.php/Governance/Conference_Policies#Anti_Harassment_Policy 
Any suggestions on how we should expand on it?

This is a REALLY tough one.

Just a thought... chapters have different tolerance levels based on 
various cultural issues and perspectives. Guidelines that are too specific 
might be very poorly received.

I think "general criteria" is more appropriate than "specific criteria" 
for OWASP's global community. But having very specific steps in place to 
take if a chapter member thinks there is a problem (i.e., have a good 
complaint process) is important.

And of course certain things are just way out of the box regardless of 
culture (threats of violence and similar).

If anything is not covered by the current anti-harassment policy then 
let's change it!

Aloha,
Jim


On 9/4/15 9:48 AM, Noreen Whysel OWASP wrote:
> Not blocking. Moderation. Then ban the repeat offenders. It would be 
> helpful to have specific criteria for banning given our open policy.
>
> Noreen Whysel
> Community Manager
> OWASP Foundation
>
> On Sep 4, 2015, at 3:23 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> You're both right of course. We need to allow non OWASP email in our 
>> lists, but short term blocking of non-OWASP email as Michael 
>> describes is reasonable.
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me at AppSecUSA 2015!
>>
>> On Sep 4, 2015, at 8:46 AM, Noreen Whysel <noreen.whysel at owasp.org> wrote:
>>
>>> The problem with requiring owasp.org emails is that the lists are 
>>> supposed to be open, but not everyone affiliated with OWASP qualifies 
>>> for an owasp.org email (leaders and paid members only).
>>>
>>> Noreen Whysel
>>> Community Manager
>>> OWASP Foundation
>>>
>>> On Fri, Sep 4, 2015 at 2:18 PM, Michael Coates 
>>> <michael.coates at owasp.org> wrote:
>>>
>>>     From a spam/bot blocking perspective:
>>>     The easiest thing for us to do is to switch over to using
>>>     @owasp.org email addresses. We can easily configure the mailing
>>>     list to require admin confirmation and auto-reject non-OWASP
>>>     email addresses.
>>>
>>>     If we don't want to do that, it is also easy to require
>>>     moderation for all subscriptions. A quick regex can stop obvious
>>>     spam iteration.
>>>
>>>     It would be interesting to see if a CAPTCHA approach for Mailman
>>>     is possible. Yes, CAPTCHA can be defeated if someone tries hard
>>>     enough, but if we cut out more of the junk then that is still a win.
>>>
>>>
>>>     --
>>>     Michael Coates | @_mwc
>>>     OWASP Global Board
>>>     Join me at AppSecUSA 2015 in San Francisco!
>>>
>>>
>>>
>>>
>>>     On Fri, Sep 4, 2015 at 10:52 AM, Noreen Whysel
>>>     <noreen.whysel at owasp.org> wrote:
>>>
>>>         A few thoughts/questions:
>>>
>>>         Is it possible to map a Mailman subscription to an IP? If so
>>>         we could block or moderate an IP.
>>>
>>>         Mailman allows you to globally remove your email from all
>>>         lists in one click. Can the admin for the listserv do the
>>>         same in one click for a subscriber?
>>>
>>>         Are there any other spam catcher programs that can look for
>>>         patterns in subscribing email accounts? Kate mentioned today
>>>         that some lists are reporting excessive subscribe requests
>>>         from random-looking Gmail accounts. Owasp-Manila has also
>>>         been hit by random Gmail sign-ups.
>>>
>>>         Look at other services we use as well. Slack had someone
>>>         playing with slackbot auto
>>>         It's recently. Someone set Slackbot to trigger Johanna's
>>>         survey every time a post included the words "and" or "the".
>>>         Johanna also mentioned some strange slackbot emoji behavior.
>>>         I didn't see any auto post rules set for emoji though.
>>>
>>>         There are dozens of potential services that someone with a
>>>         grudge could disturb. Does it make sense to put out an alert
>>>         to leaders to keep an eye out and report suspicious behavior?
>>>
>>>         Personally, from a chapter development standpoint, my policy
>>>         is to do a nominal background check on people requesting to
>>>         start chapters, get Owasp.org emails or start a mailing list.
>>>         This typically means reviewing their resume (required for
>>>         starting a chapter), looking them up on LinkedIn or Google
>>>         News search, checking on any previous OWASP involvement in
>>>         the wiki or our member database, etc., as well as checking
>>>         with leaders and past leaders of a chapter (do you know them,
>>>         is this a good person?). Similar for volunteers for event
>>>         booths, university outreach, etc. This is especially important
>>>         as chapter leaders ultimately get to handle money. I've had
>>>         someone in Nigeria ask to restart chapters in Oregon and
>>>         Canada, one of many examples.
>>>
>>>         I also encourage people to use their Owasp.org email to sign
>>>         up for the wiki account, since that implies they have already
>>>         been vetted or at least paid a member fee to get Gmail access.
>>>
>>>         Is this sufficient? Are there other ways to monitor activity
>>>         without turning into cops or making people feel unfairly
>>>         scrutinized?
>>>
>>>         Noreen Whysel
>>>         Community Manager
>>>         OWASP Foundation
>>>
>>>         On Sep 4, 2015, at 11:45 AM, johanna curiel curiel
>>>         <johanna.curiel at owasp.org> wrote:
>>>
>>>>         I'm just curious
>>>>
>>>>         How can OWASP avoid this if he uses other email accounts/fake
>>>>         names or addresses to gain access?
>>>>
>>>>         I think access to the wiki has to be very strongly supervised,
>>>>         including a background check of the person requesting access.
>>>>
>>>>         Any ideas or procedures that are already in place?
>>>>
>>>>         regards
>>>>
>>>>         Johanna
>>>>
>>>>         On Fri, Sep 4, 2015 at 11:25 AM, Matt Tesauro
>>>>         <matt.tesauro at owasp.org> wrote:
>>>>
>>>>             And the screenshot...
>>>>
>>>>             Rushing to get back to work doesn't actually buy you
>>>>             more time ; )
>>>>
>>>>             --
>>>>             -- Matt Tesauro
>>>>             OWASP WTE Project Lead
>>>>             http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>>             http://AppSecLive.org - Community and Download site
>>>>             OWASP OpenStack Security Project Lead
>>>>             https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>
>>>>             On Fri, Sep 4, 2015 at 10:24 AM, Matt Tesauro
>>>>             <matt.tesauro at owasp.org> wrote:
>>>>
>>>>                 > I'm assuming wiki editing has been revoked?
>>>>
>>>>                 Good point about the wiki - it's actually designed
>>>>                 to clean up bad/malicious edits so the damage
>>>>                 potential is far less, but I went ahead and blocked
>>>>                 his user account. See screenshot.
>>>>
>>>>                 For the curious, his wiki contributions are at:
>>>>                 https://www.owasp.org/index.php/Special:Contributions/Cmlh
>>>>
>>>>                 -- Cheers
>>>>
>>>>                 --
>>>>                 -- Matt Tesauro
>>>>                 OWASP WTE Project Lead
>>>>                 http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>>                 http://AppSecLive.org - Community and Download site
>>>>                 OWASP OpenStack Security Project Lead
>>>>                 https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>>
>>>>                 On Fri, Sep 4, 2015 at 10:07 AM, Matt Konda
>>>>                 <matt.konda at owasp.org> wrote:
>>>>
>>>>                     Hi.
>>>>
>>>>                     Wow.  I was slow to respond to this whole
>>>>                     series of events because I didn't have prior
>>>>                     direct exposure to this individual. Lucky me.
>>>>
>>>>                     First, I'm glad we (esp. Matt T.) have taken
>>>>                     care of part of the problem through mechanics.
>>>>                     Thanks all for dealing with that, especially
>>>>                     Josh for invoking the bylaws to trigger the
>>>>                     action.
>>>>
>>>>                     Second, is there further action required with
>>>>                     regard to CH? I'm assuming we keep our eyes out
>>>>                     for disruptive behavior for a bit and just
>>>>                     catch it and take action quickly.  I'm assuming
>>>>                     wiki editing has been revoked?
>>>>
>>>>                     Third, are there other open issues (people)
>>>>                     like this that we should deal with proactively?
>>>>
>>>>                     Fourth, what can we do to handle this prior to
>>>>                     the face to face meeting?  As painful as it is
>>>>                     over email, I would really rather focus on
>>>>                     positive and constructive things we can be
>>>>                     doing (like proposals for wiki overhaul and
>>>>                     investments in projects) than re-hashing blow
>>>>                     by blow the words of people we don't want to be
>>>>                     part of the community.  Is there a legitimate
>>>>                     legal risk here?
>>>>
>>>>                     Thanks,
>>>>                     Matt
>>>>
>>>>
>>>>                     _______________________________________________
>>>>                     Owasp-board mailing list
>>>>                     Owasp-board at lists.owasp.org
>>>>                     https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
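The subscription triage that Michael Coates sketches above (auto-accept owasp.org addresses, hold everyone else for moderation, and a quick regex to drop the random-looking Gmail sign-ups Noreen reports), written out as an added Python illustration; this is not code from the thread or from Mailman, whose own subscribe_policy and ban_list settings are where such rules would actually be applied. The addresses are constructed and the entropy, vowel and length thresholds are assumptions.

```python
import re
from collections import Counter
from math import log2

OWASP_DOMAIN = "owasp.org"
ADDRESS_RE = re.compile(r"^([a-z0-9._%+-]+)@([a-z0-9.-]+\.[a-z]{2,})$")
DIGIT_RUN_RE = re.compile(r"\d{6,}")  # e.g. user8837261
# Ten or more letters/digits with no separators, e.g. xk7q2m9wz4
LETTER_DIGIT_MIX_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$")
VOWELS = set("aeiou")

def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * log2(c / n) for c in Counter(text).values())

def looks_random(local: str) -> bool:
    """Heuristic for machine-generated local parts (thresholds are assumptions):
    a long digit run, or a long letter/digit mix with high entropy and few vowels."""
    if DIGIT_RUN_RE.search(local):
        return True
    if not LETTER_DIGIT_MIX_RE.match(local):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in local) / len(local)
    return shannon_entropy(local) > 3.0 and vowel_ratio < 0.2

def triage(address: str) -> str:
    """Return 'accept', 'moderate' or 'reject' for one subscription request."""
    m = ADDRESS_RE.match(address.strip().lower())
    if not m:
        return "reject"    # malformed: not worth a moderator's time
    local, domain = m.groups()
    if domain == OWASP_DOMAIN:
        return "accept"    # already vetted when the owasp.org address was issued
    if looks_random(local):
        return "reject"    # the "quick regex" for obvious junk sign-ups
    return "moderate"      # open list: a human approves everyone else

def triage_batch(addresses) -> dict:
    """Summarise a batch of pending requests as {decision: count}."""
    return dict(Counter(triage(a) for a in addresses))

# Constructed sample requests (hypothetical addresses, not from the thread).
SAMPLE_REQUESTS = ["leader@owasp.org", "jane.doe@gmail.com", "samanthajones2015@gmail.com",
                   "xk7q2m9wz4@gmail.com", "user8837261@gmail.com", "not-an-address"]

if __name__ == "__main__":
    for addr in SAMPLE_REQUESTS:
        print(f"{addr:30} -> {triage(addr)}")
    print(triage_batch(SAMPLE_REQUESTS))
```

A real account with digits in it (samanthajones2015) lands in the moderation queue rather than being rejected, which is the point of holding a human approval step behind the regex.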
