<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    > It would be helpful to have specific criteria for banning given
    our open policy.<br>
    <br>
    I hear you Noreen.<br>
    <br>
    The current anti-harassment policy is here.
    <a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Governance/Conference_Policies#Anti_Harassment_Policy">https://www.owasp.org/index.php/Governance/Conference_Policies#Anti_Harassment_Policy</a>
    Any suggestions on how we should expand on it?<br>
    <br>
    This is a REALLY tough one.<br>
    <br>
    Just a thought... chapters have different tolerance levels based on
    various cultural issues and perspectives. Too specific of guidelines
    might be very poorly received. <br>
    <br>
    I think "general criteria" is more appropriate than "specific
    criteria" for OWASP's global community. But having very specific
    steps in place to take if a chapter member thinks there is a problem
    (i.e., have a good complaint process) is important.<br>
    <br>
    And of course certain things are just way out of the box regardless
    of culture (threats of violence and similar). <br>
    <br>
    If anything is not covered by the current anti-harassment policy
    then let's change it!<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 9/4/15 9:48 AM, Noreen Whysel OWASP
      wrote:<br>
    </div>
    <blockquote
      cite="mid:385742B0-EBAF-4227-9070-3B42A1F4B0A3@owasp.org"
      type="cite">
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      <div>Not blocking. Moderation. Then ban the repeat offenders. It
        would be helpful to have specific criteria for banning given our
        open policy.<br>
        <br>
        Noreen Whysel
        <div>Community Manager</div>
        <div>OWASP Foundation</div>
      </div>
      <div><br>
        On Sep 4, 2015, at 3:23 PM, Jim Manico <<a
          moz-do-not-send="true" href="mailto:jim.manico@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <meta http-equiv="content-type" content="text/html;
            charset=utf-8">
          <div>You're both right of course. We need to allow non-OWASP
            email in our lists, but short term blocking of non-OWASP
            email as Michael describes is reasonable.<br>
            <div>--</div>
            <div>Jim Manico</div>
            <div>
              <div apple-content-edited="true" class="">
                <div class="" style="word-wrap: break-word;
                  -webkit-nbsp-mode: space; -webkit-line-break:
                  after-white-space;">
                  <div class=""><span style="background-color: rgba(255,
                      255, 255, 0);">Global Board Member</span></div>
                  <span style="background-color: rgba(255, 255, 255,
                    0);">OWASP Foundation</span>
                  <div class=""><a moz-do-not-send="true"
                      href="https://www.owasp.org/" class=""
                      style="background-color: rgba(255, 255, 255, 0);"><font
                        color="#000000">https://www.owasp.org</font></a></div>
                </div>
              </div>
              <div class=""><span style="background-color: rgba(255,
                  255, 255, 0);">Join me at <a moz-do-not-send="true"
                    href="http://appsecusa.org/" target="_blank"
                    class="">AppSecUSA</a> 2015!</span></div>
            </div>
          </div>
          <div><br>
            On Sep 4, 2015, at 8:46 AM, Noreen Whysel <<a
              moz-do-not-send="true"
              href="mailto:noreen.whysel@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:noreen.whysel@owasp.org">noreen.whysel@owasp.org</a></a>>
            wrote:<br>
            <br>
          </div>
          <blockquote type="cite">
            <div>
              <div dir="ltr">The problem with requiring <a
                  moz-do-not-send="true" href="http://owasp.org">owasp.org</a>
                emails is that the lists are supposed to be open, but
                not everyone affiliated with OWASP qualifies for an <a
                  moz-do-not-send="true" href="http://owasp.org">owasp.org</a>
                email (leaders and paid members only).</div>
              <div class="gmail_extra"><br clear="all">
                <div>
                  <div class="gmail_signature">
                    <div dir="ltr">
                      <div>Noreen Whysel</div>
                      <div>Community Manager</div>
                      <div>OWASP Foundation</div>
                    </div>
                  </div>
                </div>
                <br>
                <div class="gmail_quote">On Fri, Sep 4, 2015 at 2:18 PM,
                  Michael Coates <span dir="ltr"><<a
                      moz-do-not-send="true"
                      href="mailto:michael.coates@owasp.org"
                      target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:michael.coates@owasp.org">michael.coates@owasp.org</a></a>></span>
                  wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <div dir="ltr">
                      <div>From a spam/bot blocking perspective</div>
                      The easiest thing for us to do is to switch over
                      to using @<a moz-do-not-send="true"
                        href="http://owasp.org" target="_blank">owasp.org</a>
                      email addresses. We can easily configure the
                      mailing list to require admin confirmation and auto
                      reject non-owasp email addresses. 
                      <div><br>
                      </div>
                      <div>If we don't want to do that it is also easy
                        to require moderation for all subscriptions. A
                        quick regex can stop obvious spam iteration.</div>
                      <div><br>
                      </div>
                      <div>It would be interesting to see if a CAPTCHA
                        approach for mailman is possible. Yes, captcha
                        can be defeated if someone tries hard enough,
                        but if we cut out more of the junk then that is
                        still a win.</div>
                    </div>
                    <div class="gmail_extra"><br clear="all">
                      <div>
                        <div>
                          <div dir="ltr">
                            <div>
                              <div dir="ltr">
                                <div>
                                  <div dir="ltr">
                                    <div>
                                      <div dir="ltr"><br>
                                        --<br>
                                        Michael Coates | <a
                                          moz-do-not-send="true"
                                          href="https://twitter.com/intent/user?screen_name=_mwc"
                                          target="_blank">@_mwc</a><br>
                                      </div>
                                      <div>OWASP Global Board<br>
                                      </div>
                                      <div dir="ltr">
                                        <div>Join me at <a
                                            moz-do-not-send="true"
                                            href="http://AppSecUSA.org"
                                            target="_blank">AppSecUSA</a>
                                          2015 in San Francisco!</div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                          <br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <div>
                        <div class="h5">
                          <br>
                          <div class="gmail_quote">On Fri, Sep 4, 2015
                            at 10:52 AM, Noreen Whysel <span dir="ltr"><<a
                                moz-do-not-send="true"
                                href="mailto:noreen.whysel@owasp.org"
                                target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:noreen.whysel@owasp.org">noreen.whysel@owasp.org</a></a>></span>
                            wrote:<br>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <div dir="auto">
                                <div>A few thoughts/questions:</div>
                                <div><br>
                                </div>
                                <div>Is it possible to map a Mailman
                                  subscription to an IP? If so we could
                                  block or moderate an ip.</div>
                                <div><br>
                                </div>
                                <div>Mailman allows you to globally
                                  remove your email from all lists in
                                  one click. Can the admin for the
                                  listserv do the same in one click for
                                  a subscriber?</div>
                                <div><br>
                                </div>
                                <div>Are there any other spam catcher
                                  programs that can look for patterns in
                                  subscribe email accounts? Kate
                                  mentioned today that some lists are
                                  reporting excessive subscribe requests
                                  from random looking gmail accounts.
                                  Owasp-Manila has also been hit by
                                  random gmail sign ups.</div>
                                <div><br>
                                </div>
                                <div>Look at other services we use as
                                  well. Slack had someone playing with
                                  slackbot auto</div>
                                <div>It's recently. Someone set Slackbot
                                  to trigger Johanna's survey every time
                                  a post included the words "and" or
                                  "the". Johanna also mentioned some
                                  strange slackbot emoji behavior. I
                                  didn't see any auto post rules set for
                                  emoji though.</div>
                                <div><br>
                                </div>
                                <div>There are dozens of potential
                                  services that someone with a grudge
                                  could disturb. Does it make sense to
                                  put out an alert to leaders to keep an
                                  eye out and report suspicious
                                  behavior?</div>
                                <div><br>
                                </div>
                                <div>Personally from a chapter
                                  development standpoint, my policy is
                                  to do a nominal background check on
                                  people requesting to start chapters,
                                  get <a moz-do-not-send="true"
                                    href="http://Owasp.org"
                                    target="_blank">Owasp.org</a> emails
                                  or start a mailing list. This
                                  typically means reviewing their resume
                                  (required for starting a chapter),
                                  looking them up on LinkedIn or Google
                                  News search, checking on any previous
                                  Owasp involvement in the wiki or our
                                  member database, etc. as well as
                                  checking with leaders and past leaders
                                  of a chapter, do you know them, is
                                  this a good person. Similar for
                                  volunteers for event booths,
                                  university outreach, etc. This is
                                  especially important as chapter
                                  leaders ultimately get to handle
                                  money. I've had someone in Nigeria ask
                                  to restart chapters in Oregon and
                                  Canada, one of many examples.</div>
                                <div><br>
                                </div>
                                <div>I also encourage people to use
                                  their <a moz-do-not-send="true"
                                    href="http://Owasp.org"
                                    target="_blank">Owasp.org</a> email
                                  to sign up for the wiki account, since
                                  that implies they have already been
                                  vetted or at least paid a member fee
                                  to get gmail access. </div>
                                <div><br>
                                </div>
                                <div>Is this sufficient? Are there other
                                  ways to monitor activity without
                                  turning into cops or making people
                                  feel unfairly scrutinized?</div>
                                <span><font color="#888888">
                                    <div><br>
                                      <span
                                        style="background-color:rgba(255,255,255,0)">Noreen
                                        Whysel<br>
                                      </span><span
                                        style="background-color:rgba(255,255,255,0);font-size:13pt">Community
                                        Manager</span>
                                      <div><span
                                          style="background-color:rgba(255,255,255,0)">OWASP
                                          Foundation</span></div>
                                    </div>
                                  </font></span>
                                <div>
                                  <div>
                                    <div><br>
                                      On Sep 4, 2015, at 11:45 AM,
                                      johanna curiel curiel <<a
                                        moz-do-not-send="true"
                                        href="mailto:johanna.curiel@owasp.org"
                                        target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:johanna.curiel@owasp.org">johanna.curiel@owasp.org</a></a>>
                                      wrote:<br>
                                      <br>
                                    </div>
                                    <blockquote type="cite">
                                      <div>
                                        <div dir="ltr">I'm just curious
                                          <div><br>
                                          </div>
                                          <div>How can OWASP avoid if he
                                            uses other email
                                            accounts/fake names
                                            addresses to gain access?</div>
                                          <div><br>
                                          </div>
                                          <div>I think access to the
                                            wiki has to be very strongly
                                            supervised including a
                                            background check of the
                                            person requesting access </div>
                                          <div><br>
                                          </div>
                                          <div>Any ideas or procedures
                                            that are already in place?</div>
                                          <div><br>
                                          </div>
                                          <div>regards</div>
                                          <div><br>
                                          </div>
                                          <div>Johanna</div>
                                        </div>
                                        <div class="gmail_extra"><br>
                                          <div class="gmail_quote">On
                                            Fri, Sep 4, 2015 at 11:25
                                            AM, Matt Tesauro <span
                                              dir="ltr"><<a
                                                moz-do-not-send="true"
                                                href="mailto:matt.tesauro@owasp.org"
                                                target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:matt.tesauro@owasp.org">matt.tesauro@owasp.org</a></a>></span>
                                            wrote:<br>
                                            <blockquote
                                              class="gmail_quote"
                                              style="margin:0 0 0
                                              .8ex;border-left:1px #ccc
                                              solid;padding-left:1ex">
                                              <div dir="ltr">And the
                                                screenshot...
                                                <div><br>
                                                </div>
                                                <div>Rushing to get back
                                                  to work doesn't
                                                  actually buy you more
                                                  time ; )</div>
                                              </div>
                                              <div class="gmail_extra"><span><br
                                                    clear="all">
                                                  <div>
                                                    <div>--<br>
                                                      -- Matt Tesauro<br>
                                                      OWASP WTE Project
                                                      Lead<br>
                                                      <a
                                                        moz-do-not-send="true"
href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project"
                                                        target="_blank"><a class="moz-txt-link-freetext" href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a></a><br>
                                                      <a
                                                        moz-do-not-send="true"
href="http://AppSecLive.org" target="_blank"><a class="moz-txt-link-freetext" href="http://AppSecLive.org">http://AppSecLive.org</a></a> -
                                                      Community and
                                                      Download site
                                                      <div>OWASP
                                                        OpenStack
                                                        Security Project
                                                        Lead
                                                        <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project"
target="_blank"><a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></a></div>
                                                      </div>
                                                    </div>
                                                  </div>
                                                  <br>
                                                </span>
                                                <div>
                                                  <div>
                                                    <div
                                                      class="gmail_quote">On
                                                      Fri, Sep 4, 2015
                                                      at 10:24 AM, Matt
                                                      Tesauro <span
                                                        dir="ltr"><<a
moz-do-not-send="true" href="mailto:matt.tesauro@owasp.org"
                                                          target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:matt.tesauro@owasp.org">matt.tesauro@owasp.org</a></a>></span>
                                                      wrote:<br>
                                                      <blockquote
                                                        class="gmail_quote"
                                                        style="margin:0
                                                        0 0
                                                        .8ex;border-left:1px
                                                        #ccc
                                                        solid;padding-left:1ex">
                                                        <div dir="ltr"><span>> <span
style="font-size:12.8000001907349px">I'm assuming wiki editing has been
                                                          revoked?</span><br>
                                                          <div><br>
                                                          </div>
                                                          </span>
                                                          <div>Good
                                                          point about
                                                          the wiki - it's
                                                          actually
                                                          designed to
                                                          clean up
                                                          bad/malicious
                                                          edits so the
                                                          damage
                                                          potential is
                                                          far less but I
                                                          went ahead and
                                                          blocked his
                                                          user account. 
                                                          See
                                                          screenshot.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>For the
                                                          curious, his
                                                          wiki
                                                          contributions
                                                          are at: <a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/Special:Contributions/Cmlh"
                                                          target="_blank"><a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Special:Contributions/Cmlh">https://www.owasp.org/index.php/Special:Contributions/Cmlh</a></a></div>
                                                          <div><br>
                                                          </div>
                                                          <div>-- Cheers</div>
                                                        </div>
                                                        <div
                                                          class="gmail_extra"><br
                                                          clear="all">
                                                          <div>
                                                          <div>--<br>
                                                          -- Matt
                                                          Tesauro<br>
                                                          OWASP WTE
                                                          Project Lead<br>
                                                          <a
                                                          moz-do-not-send="true"
href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project"
                                                          target="_blank"><a class="moz-txt-link-freetext" href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a></a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="http://AppSecLive.org" target="_blank"><a class="moz-txt-link-freetext" href="http://AppSecLive.org">http://AppSecLive.org</a></a> -
                                                          Community and
                                                          Download site
                                                          <div>OWASP
                                                          OpenStack
                                                          Security
                                                          Project Lead
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project"
target="_blank"><a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></a></div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          <div
                                                          class="gmail_quote"><span>On
                                                          Fri, Sep 4,
                                                          2015 at 10:07
                                                          AM, Matt Konda
                                                          <span
                                                          dir="ltr"><<a
moz-do-not-send="true" href="mailto:matt.konda@owasp.org"
                                                          target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:matt.konda@owasp.org">matt.konda@owasp.org</a></a>></span>
                                                          wrote:<br>
                                                          </span>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">Hi.
                                                          <div><br>
                                                          </div>
                                                          <div>Wow.  I
                                                          was slow to
                                                          respond to
                                                          this whole
                                                          series of
                                                          events because
                                                          I didn't have
                                                          prior direct
                                                          exposure to
                                                          this
                                                          individual. 
                                                          Lucky me.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>First, I'm glad we (esp. Matt T.) have taken care of part of the problem through mechanics. Thanks all for dealing with that, especially Josh for invoking the bylaws to trigger the action.
                                                          <div><br>
                                                          <div>Second, is there further action required with regard to CH? I'm assuming we keep our eyes out for disruptive behavior for a bit and just catch it and take action quickly. I'm assuming wiki editing has been revoked?</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Third, are there other open issues (people) like this that we should deal with proactively?<br>
                                                          </div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Fourth, what can we do to handle this prior to the face to face meeting? As painful as it is over email, I would really rather focus on positive and constructive things we can be doing (like proposals for wiki overhaul and investments in projects) than re-hashing blow by blow the words of people we don't want to be part of the community. Is there a legitimate legal risk here?</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Thanks,</div>
                                                          <div>Matt</div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
_______________________________________________<br>
                                                          Owasp-board
                                                          mailing list<br>
                                                          <a moz-do-not-send="true" href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a><br>
                                                          <a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-board" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                        </div>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                  </div>
                                                </div>
                                              </div>
                                              <br>
                                            </blockquote>
                                          </div>
                                          <br>
                                        </div>
                                      </div>
                                    </blockquote>
                                  </div>
                                </div>
                              </div>
                              <br>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
                <br>
              </div>
            </div>
          </blockquote>
        </div>
      </blockquote>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Jim Manico
Global Board Member
OWASP Foundation
<a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a>
Join me at AppSecUSA 2015!</pre>
  </body>
</html>