[Owasp-leaders] [Owasp-board] RSA and the application of Justice

Sastry Tumuluri sastry.tumuluri at owasp.org
Wed Jan 8 17:13:29 UTC 2014

I agree.

We (OWASP) should not "try" / "judge" RSA or anyone else for that matter.
Pulling out is not the same as "dispensing justice".

Conversely if pullout = _punishment_, then going there = _endorsement_.
That means OWASP endorsement would play its small part (however small) in
emboldening future collaborators (irrespective of whether RSA is one or
not) to merrily backdoor their products without any fear of repercussions.

Pulling out could simply be an expression of what we stand for and what we
It could also be, as Josh (and earlier John Wilander) put it, "distancing
ourselves until the matter is cleared up". Somewhat milder than the
above, but still a valid one.

In some ways, some of the differences (not all) in our reactions are
probably because we are inferring _judgement_ or _punishment_ into the
cause and/or effect of the pullout. I believe it need not be.

One other line of thought I noticed: "Let's stick to our mission of
training and raising awareness; doesn't matter where and beside whom"...
Unfortunately, that is far too close to the third part of this sequence
(the sequence itself is necessary to establish the context):
1. "I only made the gun... I didn't pull the trigger"
2. "I only sold it to the guy... he did look shady but who am I to judge
him... and of course I didn't pull the trigger"
3. "I don't know if he did it, but I'll continue to go to bed with him
until he's put in jail"

There is of course a worse end to the sequence:
4. "I know he's out because of lack of conclusive evidence; But hey, he's
rich/influential; so there is no harm in continuing to court him because
his guilt may never be proven".

The difference between #3 and #4 is that #3 is a genuine Ostrich; #4 is
merely pretending to be one.
The irony (and recursion) here is that "this line of thought too can never
be proven" -- especially when hidden behind righteous arguments (e.g.,
"innocent until proven guilty", "who are we to judge?" and so forth). I
realize that this is a damning insinuation; but my intent is not to hurt.
After seeing all the openness and transparency in this thread (I am
floored), the _worst_ that we can be accused of is being an Ostrich (#3
above); not pretending to be one.

I genuinely hope that we can recognize this danger for what it is... not
merely react in indignation.


On Wed, Jan 8, 2014 at 6:54 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Jim,
> This is not about justice, in my opinion, nor should it ever be.  We are
> not making statements about what RSA did or did not do, nor are we passing
> any judgement on the purported actions.  This is about OWASP distancing
> itself from any contracts or actions that may imply that we are tied to RSA
> as the actual jury (not OWASP) is still out on that and we do not want the
> results to impact the Foundation in any way.
> As for your statements about the DHS grants, I'm not necessarily sure that
> these two things are even related.  Giving back money that was granted with
> the intent to bolster specific projects with the intent to strengthen our
> communal security out of some ideal of balanced justice just doesn't make
> sense to me.  Especially given that a DHS grant has nothing to do with NSA
> weakening crypto or paying off corporations to do so.  But....I would
> strongly encourage these project leaders to look at the crypto in their
> applications (if any) and ensure that they are using best practices and do
> not use any of the challenged crypto.  We are doing good things and serving
> the community with this money and I believe we should continue to do so.
> ~josh
> On Wed, Jan 8, 2014 at 2:34 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> The mythopoetical depiction of justice throughout history is an
>> interesting study. The Roman depiction of Lady Justice is blindfolded. The
>> Goddess Maat and Isis were depicted with balanced scales during Egyptian
>> times. Lady Justice is also depicted with scales and sword as well as being
>> blindfolded.
>> The point is that justice should be applied evenly, without regard to who
>> the punished is, to be dispensed evenly to all, with the same kind of
>> punishment.
>> Make no mistake, the public pull-out of our marketing co-agreement with
>> RSA is a punishment that is harmful to the RSA brand.
>> What I feel we have done is enact “justice” through “the anger of the
>> masses” on an issue where the information is still being sorted out and,
>> ahem, **many** more are guilty of similar “sins” if not worse.
>> If we are to walk away from RSA, then we also need to give back or walk
>> away from our Department of Homeland Security grants. To “slap” one while
>> taking money from another I think is inconsistent wide-open targeted
>> justice that will hurt more than help us in the end. This is not blind
>> justice. I am NOT SAYING that RSA is innocent, in fact I am quite angry at
>> what RSA is alleged to have done. I am saying that many more are guilty and
>> we are not applying fair and consistent rules. We might also be acting “too
>> soon” before all the facts are on the table.
>> I am deeply in conflict of interest here because I am supposed to deliver
>> this training and I’m also a professional trainer. But I wanted to state my
>> nuanced position here that we should continue down the current path and
>> decide in the future to cancel this agreement and other agreements once the
>> facts are sorted out.
>> And last, we are supposed to be vendor-neutral. I am starting to question
>> the entire commercial conference partnership program.
>> https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference We
>> might want to cancel conference partnerships with any commercial conference
>> due to the vendor neutrality rules in our bylaws.
>> Thanks for your consideration over this matter. It’s not an easy one.
>> Aloha,
>> Jim Manico
>> OWASP Board Member
>> @Manicode
>> (808) 652-3806
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders