[Owasp-leaders] [Owasp-board] RSA and the application of Justice

Dirk Wetter dirk at owasp.org
Thu Jan 9 12:19:05 UTC 2014


Hi all,

maybe this is a cultural thing but the words justice/punitive etc. appear to me -- as a European -- as a kind
of ancient eye-for-an-eye strategy. ;-)

As OWASP I would simply walk away from the conference as it is (hopefully) not what I think we stand for, and
to protest against this deal.
Kudos to Mikko: http://arstechnica.com/security/2013/12/prestigious-speaker-mikko-hypponen-cancels-rsa-talk-to-protest-nsa-deal/


Cheers,

Dirk


PS:
On 01/08/2014 10:42 PM, Jim Manico wrote:
> Josh,
> 
> Like I said, I feel what we are doing fits under "punitive actions". We are penalizing them with our actions from my perspective. We are backing away from a contract that we spent time working on, we are making a public statement about weakening crypto...
> 
> And I believe we are enacting this punishment unevenly, without having all facts on the table. I also feel that taking DHS money demonstrates inconsistency in our policies.
> 
> I'd rather follow through with these commitments, and continue to track the situation.  I'd also like to see OWASP take a less surgical approach to this (i.e. something that affects one vendor) and work on a more general stand on this issue.
> 
> Two more notes:
> 
> 1) I'm shocked at what RSA allegedly did and do not approve.
> 2) I am suspicious of the entire commercial conference partnership program since it clearly violates vendor neutrality in my opinion.
> 
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
> On Jan 8, 2014, at 3:24 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> 
>> Jim,
>>
>> This is not about justice, in my opinion, nor should it ever be.  We are not making statements about what RSA did or did not do, nor are we passing any judgement on the purported actions.  This is about OWASP distancing itself from any contracts or actions that may imply that we are tied to RSA as the actual jury (not OWASP) is still out on that and we do not want the results to impact the Foundation in any way.
>>
>> As for your statements about the DHS grants, I'm not necessarily sure that these two things are even related.  Giving back money that was granted with the intent to bolster specific projects and strengthen our communal security, out of some ideal of balanced justice, just doesn't make sense to me.  Especially given that a DHS grant has nothing to do with NSA weakening crypto or paying off corporations to do so.  But... I would strongly encourage these project leaders to look at the crypto in their applications (if any) and ensure that they are using best practices and do not use any of the challenged crypto.  We are doing good things and serving the community with this money and I believe we should continue to do so.
>>
>> ~josh
>>
>>
>> On Wed, Jan 8, 2014 at 2:34 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> The mythopoetical depiction of justice throughout history is an interesting study. The Roman depiction of Lady Justice is blindfolded. The Goddess Maat and Isis were depicted with balanced scales during Egyptian times. Lady Justice is also depicted with scales and sword as well as being blindfolded.
>>
>> The point is that justice should be applied evenly, without regard to who the punished is, to be dispensed evenly to all, with the same kind of punishment.
>>
>> Make no mistake, the public pull-out of our marketing co-agreement with RSA is a punishment that is harmful to the RSA brand.
>>
>> What I feel we have done is enact “justice” through “the anger of the masses” on an issue where the information is still being sorted out and, ahem, **many** more are guilty of similar “sins” if not worse.
>>
>> If we are to walk away from RSA, then we also need to give back or walk away from our Department of Homeland Security grants. To “slap” one while taking money from another I think is inconsistent wide-open targeted justice that will hurt more than help us in the end. This is not blind justice. I am NOT SAYING that RSA is innocent, in fact I am quite angry at what RSA is alleged to have done. I am saying that many more are guilty and we are not applying fair and consistent rules. We might also be acting “too soon” before all the facts are on the table.
>>
>> I am deeply in a conflict of interest here because I am supposed to deliver this training and I’m also a professional trainer. But I wanted to state my nuanced position here that we should continue down the current path and decide in the future to cancel this agreement and other agreements once the facts are sorted out.
>>
>> And last, we are supposed to be vendor-neutral. I am starting to question the entire commercial conference partnership program. https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference We might want to cancel conference partnerships with any commercial conference due to the vendor neutrality rules in our bylaws.
>>
>> Thanks for your consideration over this matter. It’s not an easy one.
>>
>> Aloha,
>>
>> Jim Manico
>>
>> OWASP Board Member
>>
>> @Manicode
>>
>> (808) 652-3806
>>