[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Tobias tobias.gondrom at owasp.org
Wed Jan 15 15:50:15 UTC 2014


Hi Mark,

we have a full Surveymonkey account for OWASP as well,
so we could use it.
But with both Google Survey and Surveymonkey, the key challenge is
how to avoid duplicates.
In Surveymonkey that only works if you send everyone a personalised
invite; in Google you could use the OWASP email address as identifier.
Both have their problems. :-(
So if you have any ideas on how to solve the "avoid double
votes" problem with minimal effort for the voter, please let me know.

Cheers, Tobias


PS: we should definitely look into whether there are any problems keeping
every member from having her/his OWASP email address.



On 15/01/14 15:29, Mark Miller wrote:
> I am using Survey Monkey for various projects, so let me know if that
> will be a viable option for future polls or surveys. -- Mark
>
>
> On Wed, Jan 15, 2014 at 7:35 AM, psiinon <psiinon at gmail.com
> <mailto:psiinon at gmail.com>> wrote:
>
>     I've just closed the poll "Should OWASP give developer training at
>     RSA?".
>     It was somewhat overtaken by events, but I still think it was useful.
>
>     A couple of points to note:
>
>     The stats I've published on https://www.owasp.org/index.php/Polls
>     are different to those on the Google Poll summary.
>     This is because I've removed duplicate votes - unfortunately
>     Google Polls don't prevent duplicate votes and the summary isn't
>     updated if you remove the duplicates. Please let me know if I've
>     made a mistake anywhere. FYI I just counted individuals' latest votes.
>
>     While I think the poll was useful, it has shown up some significant
>     disadvantages of using Google Polls for this sort of thing.
>     We have to make the polls either open to everyone or restricted to
>     those people with OWASP email accounts.
>     I didn't want to do the former as I thought it was important to
>     find out what OWASP members thought, not the internet as a whole.
>     What I didn't realize at the time was that OWASP email addresses
>     are reserved for chapter/project leaders, which meant that most
>     OWASP members were not able to vote :(
>     Sorry about that.
>
>     I'm going to let the other poll run its course, but I'm not
>     planning on starting any new polls using Google Polls as I think
>     they don't give us what we need.
>     Hopefully we'll have a better solution before too long that will
>     allow us to easily canvass the opinions of all OWASP members - I
>     think that's something that will be very beneficial to the
>     organization.
>
>     Simon
>
>
>     On Thu, Jan 9, 2014 at 5:15 PM, Dirk Wetter <dirk at owasp.org
>     <mailto:dirk at owasp.org>> wrote:
>
>         On 01/05/2014 12:47 PM, Rory McCune wrote:
>         > Hi all,
>         >
>         > Long thread is long.  I'd make a couple of points on this.
>         >
>         > 1. I'm not sure I'd say that RSA completely denies what's
>         > been said; to me their statement was written very "carefully",
>         > not to deny that the NSA paid them $10 million to make
>         > Dual_EC_DRBG the default RNG in BSAFE.  All you need for
>         > RSA's statement to be true and the allegations to be true
>         > is that they didn't have the "intention" of weakening their
>         > product, i.e. they did take the money, they did set the default
>         > algorithm, but it wasn't their intention to weaken their security.
>         >
>         > If they had wanted to deny the allegations they could just
>         > have said "the NSA did not pay us $10 million to make that the
>         > default RNG", which would have been clear and unambiguous; the fact
>         > they didn't makes a reasonably strong implication that they did.
>
>         Thanks for this point. One should definitely read those
>         statements very carefully. Another example pops up in my head,
>         but that's too far off to mention here. Completely
>         denying would also sound different to me. The term INTENTION
>         is not appropriate, the way it's being used at least.
>
>         But the response from RSA in September 2013 is also
>         remarkable: "RSA determined it appropriate
>         to issue an advisory to all our RSA BSAFE [..]  customers
>         recommending they choose one of
>         the different cryptographic Pseudo-Random Number Generators
>         (PRNG) built into the RSA BSAFE
>         toolkit". Acknowledged it's broken, but all RSA does is make a
>         recommendation -- what?
>
>         To keep in mind: the crypto community has known for a long time
>         that Dual_EC_DRBG is broken! Read this
>         from almighty Bruce ;-) in 2007:
>         https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
>         "But today there's an even bigger stink brewing around
>         Dual_EC_DRBG. In an informal presentation (.pdf)
>         at the CRYPTO 2007 conference in August, Dan Shumow and Niels
>         Ferguson showed that the algorithm
>         contains a weakness that can only be described as a
>         backdoor." After that, there was no reason for BSAFE
>         to ship DUAL_EC_DRBG other than .... you do the math.
>
>
>         Cheers,
>
>         Dirk
>
>         >
>         > 2. A point from earlier in the thread that not attending
>         > would only be noticed in the Infosec community.  Not sure
>         > that's the case. Definitely on developer heavy sites like
>         > news.ycombinator.com <http://news.ycombinator.com>
>         > the NSA/RSA/Snowden piece has
>         > been heavily played and indeed last night when this thread
>         > kicked off Errata Security's piece on boycotting RSA was the
>         > top post on the site.
>         >
>         > 3. An alternative to training at RSA that's been mentioned a
>         > couple of times, i.e. doing it at a different venue, seems
>         > plausible.  Would it maybe be possible to do it at B-Sides SF,
>         > which happens at the same time?
>         >
>         > 4. A good point earlier about the DHS grants.  If we're
>         > happy with that, then it seems tricky to say that we're not
>         > happy with this.
>         >
>         > Cheers
>         >
>         > Rory
>         >
>         >
>         > On Sun, Jan 5, 2014 at 8:45 AM, Jim Manico
>         > <jim.manico at owasp.org <mailto:jim.manico at owasp.org>>
>         > wrote:
>         >
>         >     By the way everyone, RSA completely denies these
>         >     allegations.
>         >
>         >     ..."we also categorically state that we have never
>         >     entered into any contract or engaged in any project with the
>         >     intention of weakening RSA's products, or introducing
>         >     potential 'backdoors' into our products for anyone's use." -
>         >     https://blogs.rsa.com/news-media-2/rsa-response/
>         >
>         >     It's tough to know who to trust these days, but I do
>         >     want to put RSA's official comment on the table for consideration.
>         >
>         >     Cheers,
>         >
>         >     - Jim
>         >
>         >
>         >
>         >     *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
>         >     *Sent:* Saturday, January 04, 2014 5:04 PM
>         >     *To:* Eoin Keary
>         >     *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh
>         >     (WebMentors); Nishant Johar (EMOBX); OWASP Foundation Board
>         >     List; Ravdeep Sodhi; OWASP Leaders
>         >     *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board
>         >     decision that I don't agree with
>         >
>         >
>         >
>         >     My apologies for the delay in responding to this.  I've
>         >     been on the road all day today and will be slow to respond
>         >     tomorrow as well.
>         >
>         >     First off, let me admit that while my term hadn't
>         >     officially begun yet, I am one of the Board members who
>         >     encouraged Jim and Eoin to move forward with the training.  My
>         >     rationale for this was simple; OWASP's mission is to make
>         >     software security visible, so that individuals and
>         >     organizations worldwide can make informed decisions about true
>         >     software security risks.  The core of this statement is
>         >     VISIBILITY.  We need to find and take advantage of as many ways
>         >     as possible to raise the visibility of security risks.  Our
>         >     mission says nothing about making political statements.  It
>         >     says nothing about ethical business practices.  Our mission
>         >     can certainly be amended to reflect other imperatives, if so
>         >     desired by our membership, but until that day we need to
>         >     prevent mission scope creep.
>         >
>         >     Now, since our mission is making software security
>         >     visible, we simply have to ask ourselves if we better serve
>         >     this mission by:
>         >
>         >     1) Performing a free training at a major conference,
>         >     thereby increasing our exposure to people who haven't heard of
>         >     OWASP before and enlightening them to software security risks
>         >     that they likely were not aware of before.
>         >
>         >     2) Taking a stance against a company where some evidence
>         >     may imply that they took a bribe to sacrifice security in one
>         >     of their products.
>         >
>         >     Let me be clear on #2.  I don't agree that what RSA did
>         >     is right, if it is true.  In fact, I have made the explicit
>         >     decision to not do business with RSA in my day job because
>         >     there are many other options out there and it's just not worth
>         >     the risk.  But my passive decision to not purchase from RSA is
>         >     very different than OWASP reneging on our agreement and making
>         >     a public statement about their ethics.
>         >
>         >     So, given these two options, my gut is that OWASP's
>         >     mission will be best served by #1.  It doesn't mean that we're
>         >     supporting RSA.  It doesn't mean that we agree with unethical
>         >     business practices.  It just means that we are doing the best
>         >     we can to make application security visible.  If that means
>         >     piggy-backing on the massive marketing effort they put into
>         >     the conference or the infrastructure that supports it, I'm ok
>         >     with that.  I understand that others may object to this on
>         >     ethical grounds, and that's fine, but as a non-profit
>         >     organization, we have a mandate to stay true to our mission,
>         >     not to speak out against whatever the latest security headline is.
>         >
>         >     I do have one question about this training for
>         >     clarification.  The training is FREE for anyone who would like
>         >     to attend and not just for RSA attendees, correct?  My
>         >     assumption is the former, but if the latter, this changes
>         >     things significantly in my opinion.
>         >
>         >     ~josh
>         >
>         >
>         >
>         >     On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary
>         >     <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>>
>         >     wrote:
>         >
>         >         Good point.
>         >         Bottom line is we want people to build secure code.
>         >         Delivering this message under the same roof as RSA does not
>         >         dilute the quality of the class delivered.
>         >         There is no black and white, only shades of grey :)
>         >
>         >         Eoin Keary
>         >         Owasp Global Board
>         >         +353 87 977 2988 <tel:%2B353%2087%20977%202988>
>         >
>         >         On 4 Jan 2014, at 23:36, Jim Manico
>         >         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>>
>         >         wrote:
>         >
>         >         > Another issue that is tangential.
>         >         >
>         >         > We are applying for several big money DHS grants.
>         >         > These help keep the foundation running.
>         >         >
>         >         > Should we reject all of these grants because of
>         >         > the Snowden affair? If we abort RSA but continue to take DHS
>         >         > money, then we send a mixed message.
>         >         >
>         >         > Aloha,
>         >         > Jim
>         >         >
>         >         >> I strongly support Sastry on this one.
>         >         >>
>         >         >> You might be participating as individuals, but
>         >         >> people see you guys as the OWASP Board, and that's something
>         >         >> that many of us don't like to be the image of OWASP.
>         >         >>
>         >         >> Thanks
>         >         >> -Abbas
>         >         >> On Jan 4, 2014, at 1:18 PM, Eoin Keary
>         >         >> <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>>
>         >         >> wrote:
>         >         >>
>         >         >>> To be clear, there was no recorded vote on this
>         >         >>> but a debate.
>         >         >>>
>         >         >>> I started the debate after reading about Mikko.
>         >         >>> (Even though I was delivering the training with Jim and it is
>         >         >>> my material).
>         >         >>>
>         >         >>> The majority of the OWASP board feels getting
>         >         >>> involved in politics is wrong and wanted to push ahead with
>         >         >>> the training.
>         >         >>>
>         >         >>> So if feelings are strong, do we need to vote on
>         >         >>> this ASAP as leaders of OWASP? A formal board vote? Executive
>         >         >>> decision from Sarah, our executive director?
>         >         >>>
>         >         >>> Eoin Keary
>         >         >>> Owasp Global Board
>         >         >>> +353 87 977 2988 <tel:%2B353%2087%20977%202988>
>         >         >>>
>         >         >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri
>         >         >>> <sastry.tumuluri at owasp.org <mailto:sastry.tumuluri at owasp.org>>
>         >         >>> wrote:
>         >         >>>
>         >         >>>> Friends,
>         >         >>>>
>         >         >>>> Please see the following full conversation on
>         >         >>>> twitter:
>         >         >>>>
>         >         >>>> https://twitter.com/EoinKeary/status/419111748424454145
>         >         >>>>
>         >         >>>> Eoin Keary and Jim Manico (both OWASP board
>         >         >>>> members) will be presenting/conducting 4 hrs of free-of-cost
>         >         >>>> AppSec training at the RSA Conference, 2014. Michael Coates,
>         >         >>>> Chairman of the OWASP Board, is also said to be present.
>         >         >>>> Apparently, this was discussed at the OWASP board level; and
>         >         >>>> the board has decided to go ahead, keeping in mind the benefit
>         >         >>>> to the attending developers.
>         >         >>>>
>         >         >>>> As you are aware, RSA is strongly suspected
>         >         >>>> (we'll never be 100% sure, I'm afraid) of being complicit with
>         >         >>>> the NSA in enabling fatal weakening of crypto products. RSA has
>         >         >>>> issued a sort of a denial that only deepens the mistrust. As a
>         >         >>>> protest, many leading speakers are cancelling their talks at
>         >         >>>> the upcoming RSAC 2014. Among them are (to my knowledge) Mikko
>         >         >>>> Hypponen, Jeffrey Carr and Josh Thomas.
>         >         >>>>
>         >         >>>> At such a time, I am saddened by the OWASP
>         >         >>>> board decision to support RSAC by their presence. At a time
>         >         >>>> when they had the opportunity to let the world know how much
>         >         >>>> they care for the Information Security profession (esp.
>         >         >>>> against weakening crypto), and how much they care about the
>         >         >>>> privacy of people (against the NSA's unabashed spying on Americans
>         >         >>>> & non-Americans alike), the board has copped out using a
>         >         >>>> flimsy rationalization ("benefit of (a few) developers", many
>         >         >>>> of whom would rethink their attendance had OWASP and more
>         >         >>>> organizations not blinked!).
>         >         >>>>
>         >         >>>> I'm sure there was a heated debate. I'm sure
>         >         >>>> all angles were considered. However, this goes too deep for me
>         >         >>>> to take it as "better men than me have considered and
>         >         >>>> decided". As a matter of my personal values, if the situation
>         >         >>>> doesn't change, I would no longer wish to continue as the
>         >         >>>> OWASP Chapter Lead. Please let me know if any of you would
>         >         >>>> like to take over from me.
>         >         >>>>
>         >         >>>> I will also share my feelings with fellow
>         >         >>>> chapter members at our next chapter meeting on Jan 21st.
>         >         >>>> Needless to say, no matter how things go, I remain committed
>         >         >>>> to the principles of our open and open-source infosec community.
>         >         >>>>
>         >         >>>> Best regards,
>         >         >>>>
>         >         >>>> ==Sas3==
>         >         >>> _______________________________________________
>
>         _______________________________________________
>         OWASP-Leaders mailing list
>         OWASP-Leaders at lists.owasp.org
>         <mailto:OWASP-Leaders at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>     -- 
>     OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>
>
>
> -- 
> Mark Miller, Senior Storyteller
> Curator and Founder, Trusted Software Alliance
> Host and Executive Producer, OWASP 24/7 Podcast Channel
> Community Advocate, Sonatype
>
> Developers and Application Security: Who is Responsible?
> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>
>
>
