[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Seba seba at owasp.org
Mon Jan 6 11:51:53 UTC 2014


Hi,

Having read this thread and external sources, I personally think we
(=OWASP) need to boycott the RSA conference.

It sends a strong message that we do not accept for any security company to
include a backdoor.

Any other action will make us look as if we are collaborating with RSA, which
has yet to clarify whether it did or did not support the NSA with this backdoor.
The current response, https://blogs.rsa.com/news-media-2/rsa-response/,
qualifies for "carefully worded press release of the year" (
https://twitter.com/damienmiller/status/414933026489909248 Damien Miller, a
security researcher at Google).

kind regards,

Seba



On Mon, Jan 6, 2014 at 11:53 AM, Eoin Keary <eoin.keary at owasp.org> wrote:

> No we are not financially supporting the RSAC but we shall cover some of
> the trainer expenses. -that is my understanding.
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 6 Jan 2014, at 08:48, psiinon <psiinon at gmail.com> wrote:
>
> I stand corrected :)
>
> And will be interested to hear if we are financially supporting RSAC.
>
> Cheers,
>
> Simon
>
>
> On Sun, Jan 5, 2014 at 12:08 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>
>>  Hi Simon,
>>
>> just to clarify on one of your assumptions in your email, as I learned
>> this info on the board mailing-list last night, correcting my initial
>> (wrong) assumption that everyone would be attending RSA just as "individual
>> volunteers":
>>
>> - RSA approached OWASP if we (owasp) would deliver free
>> training/awareness session.
>> - All contractual agreements were signed by OWASP and not by us as
>> individuals. -> OWASP training.
>> http://lists.owasp.org/pipermail/owasp-board/2014-January/012845.html
>> - "we are delivering the training as OWASP."
>> "OWASP was approached by RSA."
>> http://lists.owasp.org/pipermail/owasp-board/2014-January/012823.html
>> - "this is a RSA association slot. The whole point is to officially
>> represent OWASP at RSA...."
>> http://lists.owasp.org/pipermail/owasp-board/2014-January/012848.html
>> - this is as "formal reps of OWASP for this event."
>> http://lists.owasp.org/pipermail/owasp-board/2014-January/012859.html
>>
>> Not sure whether that would be relevant for any of your comments?
>>
>> All the best, Tobias
>>
>>
>> PS: regarding your remark about whether "OWASP is financially sponsoring
>> an event": as board member, I have initiated a request for info with Sarah
>> to clarify the extent of OWASP's financial arrangements for RSA.
>>
>>
>> On 05/01/14 11:05, psiinon wrote:
>>
>> Here's my take on this:
>>
>> OWASP _should_ get involved in politics - that's where the big decisions
>> are made. Organizations like OWASP can have a much greater impact than a
>> set of 'concerned individuals'.
>>
>> OWASP should _not_ 'ban' volunteers from presenting / training etc at any
>> event unless it is clearly at odds with the OWASP mission, eg a 'cracker'
>> event.
>>
>> Volunteers presenting / training at an event does not indicate that OWASP
>> as an organization supports the past (alleged) actions of the event
>> organizers. OWASP financially sponsoring an event would be a different
>> matter.
>>
>> The fact that the volunteers we are discussing are board members is
>> irrelevant - we all represent OWASP when we appear under the OWASP banner.
>>
>> I don't think this is a clear-cut case (as can be seen by the opposing
>> views on this thread), and so the decision should be made by those
>> individuals.
>>
>> I have no problem with people attempting to sway these individuals
>> either way on this thread, but I'm confident they will make the right
>> decision for them and I don't think that will reflect badly on OWASP the
>> organization whichever way they choose.
>>
>> Feel free to disagree with any of those opinions ;)
>>
>> Simon
>>
>>
>> On Sun, Jan 5, 2014 at 8:51 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Josh,
>>>
>>> This training is for RSA Badge types: “Full Conference, Explorer Expo,
>>> Explorer Expo Plus, Exhibitor, Press, Speaker”.
>>>
>>> The minimum someone would have to pay to attend this is $75 right now,
>>> except that press and speakers get in for free.
>>>
>>> - Jim
>>>
>>> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
>>> *Sent:* Saturday, January 04, 2014 5:04 PM
>>> *To:* Eoin Keary
>>> *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant
>>> Johar (EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP Leaders
>>> *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision that
>>> I don't agree with
>>>
>>> My apologies for the delay in responding to this.  I've been on the road
>>> all day today and will be slow to respond tomorrow as well.
>>>
>>> First off, let me admit that while my term hadn't officially begun yet,
>>> I am one of the Board members who encouraged Jim and Eoin to move forward
>>> with the training.  My rationale for this was simple; OWASP's mission is to
>>> make software security visible, so that individuals and organizations
>>> worldwide can make informed decisions about true software security risks.
>>> The core of this statement being VISIBILITY.  We need to find and take
>>> advantage of as many ways as possible to raise the visibility of security
>>> risks.  Our mission says nothing about making political statements.  It
>>> says nothing about ethical business practices.  Our mission can certainly
>>> be amended to reflect other imperatives, if so desired by our membership,
>>> but until that day we need to prevent mission scope creep.
>>>
>>> Now, since our mission is making software security visible, we simply
>>> have to ask ourselves if we better serve this mission by:
>>>
>>> 1) Performing a free training at a major conference, thereby increasing
>>> our exposure to people who haven't heard of OWASP before and enlightening
>>> them to software security risks that they likely were not aware of before.
>>>
>>> 2) Taking a stance against a company where some evidence may imply that
>>> they took a bribe to sacrifice security in one of their products.
>>>
>>> Let me be clear on #2.  I don't agree that what RSA did is right, if it
>>> is true.  In fact, I have made the explicit decision to not do business
>>> with RSA in my day job because there are many other options out there and
>>> it's just not worth the risk.  But my passive decision to not purchase from
>>> RSA is very different than OWASP reneging on our agreement and making a
>>> public statement about their ethics.
>>>
>>> So, given these two options, my gut is that OWASP's mission will be best
>>> served by #1.  It doesn't mean that we're supporting RSA.  It doesn't mean
>>> that we agree with unethical business practices.  It just means that we are
>>> doing the best we can to make application security visible.  If that means
>>> piggy-backing on the massive marketing effort they put into the conference
>>> or the infrastructure that supports it, I'm ok with that.  I understand
>>> that others may object to this on ethical grounds, and that's fine, but as
>>> a non-profit organization, we have a mandate to stay true to our mission,
>>> not to speak out against whatever the latest security headline is.
>>>
>>> I do have one question about this training for clarification.  The
>>> training is FREE for anyone who would like to attend and not just for RSA
>>> attendees, correct?  My assumption is the former, but if the latter, this
>>> changes things significantly in my opinion.
>>>
>>> ~josh
>>>
>>>
>>>
>>> On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>
>>> Good point.
>>> Bottom line is we want people to build secure code. Delivering this
>>> message under the same roof as RSA does not dilute the quality of the class
>>> delivered.
>>> There is no black and white, only shades of grey :)
>>>
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>   On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> > Another issue that is tangential.
>>> >
>>> > We are applying for several big money DHS grants. These help keep the
>>> foundation running.
>>> >
>>> > Should we reject all of these grants because of the Snowden affair? If
>>> we abort RSA but continue to take DHS money, then we send a mixed message.
>>> >
>>> > Aloha,
>>> > Jim
>>> >
>>> >> I strongly support Sastry on this one.
>>> >>
>>> >> You might be participating as individuals, but people see you guys as
>>> the OWASP Board, and that’s something that many of us don’t like to be the
>>> image of OWASP.
>>> >>
>>> >> Thanks
>>> >> -Abbas
>>> >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> >>
>>> >>> To be clear, there was no recorded vote on this but a debate.
>>> >>>
>>> >>> I started the debate after reading about Mikko. (Even though I was
>>> delivering the training with Jim and it is my material).
>>> >>>
>>> >>> The majority of board of OWASP feels getting involved in politics is
>>> wrong and wanted to push ahead with the training.
>>> >>>
>>> >>> So if feelings are strong, do we need to vote on this ASAP as leaders
>>> of OWASP? A formal board vote? Executive decision from Sarah, our executive
>>> director?
>>> >>>
>>> >>>
>>> >>>
>>> >>> Eoin Keary
>>> >>> Owasp Global Board
>>> >>> +353 87 977 2988
>>> >>>
>>> >>>
>>> >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org>
>>> wrote:
>>> >>>
>>> >>>> Friends,
>>> >>>>
>>> >>>> Please see the following full conversation on twitter:
>>> >>>> https://twitter.com/EoinKeary/status/419111748424454145
>>> >>>>
>>> >>>> Eoin Keary and Jim Manico (both OWASP board members) will be
>>> presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>>> to be present. Apparently, this was discussed at the OWASP board level; and
>>> the board has decided to go ahead, keeping in mind the benefit to the
>>> attending developers.
>>> >>>>
>>> >>>> As you are aware, RSA is strongly suspected (we'll never be 100%
>>> sure, I'm afraid) of being complicit with NSA in enabling fatal weakening
>>> of crypto products. RSA has issued a sort of a denial that only deepens the
>>> mistrust. As a protest, many leading speakers are cancelling their talks at
>>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko Hypponen,
>>> Jeffrey Carr and Josh Thomas.
>>> >>>>
>>> >>>> At such a time, I am saddened by the OWASP board decision to
>>> support RSAC by their presence. At a time when they had the opportunity to
>>> let the world know how much they care for the Information Security
>>> profession (esp., against weakening crypto); and how much they care about
>>> the privacy of people (against NSA's unabashed spying on Americans &
non-Americans alike), the board has copped out using a flimsy
rationalization ("benefit of (a few) developers", many of whom would rethink
their attendance had OWASP and more organizations not blinked!).
>>> >>>>
>>> >>>> I'm sure there was a heated debate. I'm sure all angles were
>>> considered. However, this goes too deep for me to take it as "better men
>>> than me have considered and decided". As a matter of my personal values, if
>>> the situation doesn't change, I would no longer wish to continue as the
>>> OWASP Chapter Lead. Please let me know if any of you would like to take
>>> over from me.
>>> >>>>
>>> >>>> I will also share my feelings with fellow chapter members at our
>>> next chapter meeting on Jan 21st. Needless to say, no matter how things go,
>>> I remain committed to the principles of our open and open-source infosec
>>> community.
>>> >>>>
>>> >>>> Best regards,
>>> >>>>
>>> >>>> ==Sas3==
>>> >>> _______________________________________________
>>> >>> OWASP-Leaders mailing list
>>> >>> OWASP-Leaders at lists.owasp.org
>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> >>
>>> >
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>