[Owasp-leaders] OWASP Board decision that I don't agree with

dan cornell dan.cornell at owasp.org
Sat Jan 4 22:40:47 UTC 2014


<humor>
Eoin, Jim and Michael:

At the very least please pull out the training slides that recommend
DUAL_EC_DRBG for random number generation. Unless, of course, that was a
requirement to do the training session...

:)
</humor>


On Sat, Jan 4, 2014 at 4:28 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> At this point, there are three options available:
>
> *1. Cancel the training*
> This sends a strong message, but not as strong as the second option,
> because many people will just think we bailed out for a bunch of other
> reasons (like not ready to do it).
> It will also cause some pain, as it's scheduled and everything.
>
> *2. Move the training to another area/facility*
> This will still send a strong message, and people will start asking for
> the reason behind it, which I think is beneficial for everybody.
> It will also cause minimal pain, because not much needs to change (except
> for the room to partake)
>
> *3. Keep it going as is*
> Damage the OWASP brand and face, as well as make a lot of leaders here
> unhappy.
> Least pain for management, no change.
>
>
> I think a leaders vote in this matter is necessary, not just a board vote,
> because we’re all at stake reputation-wise.
>
> Thanks
> -Abbas
> ______________________________________________________________
> *Notice:* This message is *digitally signed*, its *source* and *integrity* are
> verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
>
> On Jan 4, 2014, at 3:20 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
> I'm happy to look at the opportunity to train 300-400 developers as a great
> positive; the venue is provided by RSA.
>
> If we had the training in a different building beside the venue, rented by
> OWASP, would that change perception?
>
>
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 4 Jan 2014, at 19:10, Martin Knobloch <martin.knobloch at owasp.org>
> wrote:
>
> Abbas,
>
> I see your point, but Eoin, Jim and guest starring Michael are all board
> members. Whether they accept this as a bunch of OWASP guys or as OWASP leaders
> makes no difference, and even if none of them were on the board, it
> still is OWASP doing a free training.
>
> So, what are the options?
> Positive thinking: OWASP is giving a free training for developers, using
> RSA only for the venue. As the training is free and the conference is not,
> we do not promote RSA as such, and therefore it does not matter what is true
> about the RSA / NSA story.
> Negative thinking: OWASP is involved in this RSA thing (and might even
> push some people to attend the RSA conference, which by itself is doubtful),
> even though they knew the RSA/NSA story might be true.
>
> Eoin, there is no life without politics ;-) Whichever way this is
> decided, it is political.
> Does the advantage weigh against the possible disadvantages? Either
> way, we should not do this without a statement. Something like "OWASP does
> disapprove of what RSA has been accused of...
> ..but we do this as we believe in our mission and give free training to
> developers"
> ..therefore, we choose not to conduct this free training"
>
> My 2 cents,
> Cheers,
> -martin
> On 4 Jan 2014 at 19:48, "Abbas Naderi" <abbas.naderi at owasp.org> wrote:
>
>> I don’t see any names here either, but still would appreciate you guys to
>> prevent any doubts.
>> I mean keeping it like “a bunch of OWASP people presenting a talk” and
>> not “the OWASP directive presenting something on RSAC”.
>> Thanks
>> -A
>> On Jan 4, 2014, at 1:42 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>> We are participating as OWASP.
>> OWASP was asked to do this initially by RSA.
>> Our material has no personal or company branding but OWASP branding.
>> Thanks for feedback.
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 4 Jan 2014, at 18:24, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>>
>> I strongly support Sastry on this one.
>>
>> You might be participating as individuals, but people see you guys as the
>> OWASP Board, and that’s something that many of us don’t like to be the
>> image of OWASP.
>>
>> Thanks
>> -Abbas
>> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>> To be clear, there was no recorded vote on this but a debate.
>>
>> I started the debate after reading about Mikko. (Even though I was
>> delivering the training with Jim and it is my material).
>>
>> The majority of the board of OWASP feels getting involved in politics is
>> wrong and wanted to push ahead with the training.
>>
>> So if feelings are strong we need to vote on this ASAP? as leaders of
>> OWASP. A formal board vote? Executive decision from Sarah, our executive
>> director.
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
>> wrote:
>>
>> Friends,
>>
>> Please see the following full conversation on twitter:
>> https://twitter.com/EoinKeary/status/419111748424454145
>>
>> Eoin Keary and Jim Manico (both OWASP board members) will be
>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>> to be present. Apparently, this was discussed at the OWASP board level; and
>> the board has decided to go ahead, keeping in mind the benefit to the
>> attending developers.
>>
>> As you are aware, RSA is strongly suspected (we'll never be 100% sure,
>> I'm afraid) of being complicit with NSA in enabling fatal weakening of
>> crypto products. RSA has issued a sort of a denial that only deepens the
>> mistrust. As a protest, many leading speakers are cancelling their talks at
>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>> Jeffrey Carr and Josh Thomas.
>>
>> At such a time, I am saddened by the OWASP board decision to support RSAC
>> by their presence. At a time when they had the opportunity to let the world
>> know how much they care for the Information Security profession (esp.,
>> against weakening crypto); and how much they care about the privacy of
>> people (against NSA's unabashed spying on Americans & non-Americans alike),
>> the board has copped out using a flimsy rationalization ("benefit of (a
>> few) developers", many of whom would rethink their attendance had OWASP and
>> more organizations not blinked!).
>>
>> I'm sure there was a heated debate. I'm sure all angles were considered.
>> However, this goes too deep for me to take it as "better men than me have
>> considered and decided". As a matter of my personal values, if the
>> situation doesn't change, I would no longer wish to continue as the OWASP
>> Chapter Lead. Please let me know if any of you would like to take over from
>> me.
>>
>> I will also share my feelings with fellow chapter members at our next
>> chapter meeting on Jan 21st. Needless to say, no matter how things go, I
>> remain committed to the principles of our open and open-source infosec
>> community.
>>
>> Best regards,
>>
>> ==Sas3==
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders