[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Christian Papathanasiou christian.papathanasiou at owasp.org
Mon Jan 6 10:48:42 UTC 2014

Let's act professionally until all details are forthcoming.

Innocent until proven guilty beyond all reasonable doubt - let's wait and see how this unfolds. Most of the rumours are speculative, conspiratory etc. Let's not jump to conclusions without all facts in our hands.

RSAC attracts most of the end user community and such OWASP training comes at the right time to help them deal / learn how to deal / secure against all this fallout. 

Adding to the 2cents pile,

> On 6 Jan 2014, at 10:24, Antonio Fontes <antonio.fontes at owasp.org> wrote:
> Hello,
> My 2 cents (added with all others, someone is getting rich by the minute)...
> <meme>"What really grinds my gears is the amount of energy being
> involved in this discussion instead of OWASP projects."</meme>
> ;)
> Anyway...
> On one side, I see some members/leaders willing to speak at RSAC under
> the brand of OWASP. I will probably piss off some readers by saying this but
> I don't believe in the ethics/neutrality/mission-driven argument that is
> being used. The training at RSAC is, from my personal point of view, a
> commercial action driven and supported by commercially interested
> parties, that happens to offer a very good visibility to OWASP
> alongside. Point. Until this point is openly and honestly expressed,
> I am quite certain that the entire debate on this training at RSAC
> cannot happen as it is evolving around the wrong questions.
> On the other side, I see other members/leaders questioning the potential
> risk of a perception, by external people, that OWASP is endorsing RSA.
> Or, said differently, that OWASP will miss an opportunity to show the
> world it will not endorse unacceptable behavior. While this may seem
> ethically correct or "neutral" to the most "principles-driven" leaders,
> it is not at all. I believe it is actually even worse than delivering
> the training for a simple but MAJOR reason: nothing has been proven and
> I strongly believe it is not OWASP's call to apply any preemptive
> judgment on this case.
> We are basically receiving information from both Reuters and RSA (looks
> to me that other media just quoted Reuters). Both parties are widely
> known to be all but independent or transparent. We can have our own
> personal opinions but those should stay aside from the debate about
> whether or not OWASP should deliver a training at RSAC. I would just
> highly recommend avoiding any form of financial support in whatsoever
> direction...
> Those who know me personally clearly know my position on RSA: I fully
> boycott any of RSA's products and/or services and they know the exact
> reasons behind my position. However, I believe neutrality is not about
> having "no opinions": it is about having lots of opinions but not
> letting personal views interfere with the course of democracy and justice.
> If RSA acted illegally, I hope they will be heavily sanctioned for that.
> If they willingly collaborated with the NSA as it is reported, and it is
> not judged as an infringement of any nature, then it becomes the
> responsibility of more than 300 million citizens who prefer spending
> time on TV shows and new smartphones at the cost of living under such
> unacceptable Laws, not RSA's. Being neutral means we don't judge but if
> a judge says it's illegal, then it is.
> In summary:
> 1) I fully disagree with how OWASP is functioning at the moment.
> 2) The number of leaders and the amount of energy that is being invested
> in responding under this thread is a clear sign that OWASP has a bigger
> problem pending than a simple RSAC training question. OWASP core ethics
> and principles are being questioned, Leaders are considering/threatening
> leaving the foundation and I believe this should have been a CORE FOCUS
> at the Board level for more than a year.
> 3) I think OWASP should give the training at RSAC. See below for a
> potential condition to this training...
> From my understanding, Sastry Tumuluri is the one who initiated this
> discussion so I will consciously stick to the content of his request.
> Sastry asked for a "change" and for a debate, he did not formally ask
> for the training to be cancelled (or maybe I missed another message).
> The reaction that followed in whether or not the training should be
> cancelled is clearly a sign of absence of moderation on the discussion:
> there are many other options in-between.
> Sastry: the training will probably allocate time to discuss cryptography
> issues/risks and emit recommendations.
> Would you feel your voice heard and respected if the trainers assured
> you personally that they will:
> 1) allocate time to discuss the NSA/RSA case as an example of risks
> surrounding the use of blackboxed cryptographic tools/frameworks
> 2) allocate time to raise the awareness of the audience on what
> limitations they are being exposed to when they deal with cryptography,
> in particular the notion of "understanding what is being trusted, and who" ?
> Kind regards,
> Antonio
> --
> antonio.fontes at owasp.org
> Board Leader - OWASP Geneva
> Board Member - OWASP Switzerland
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
