[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Mark Miller mark.miller at owasp.org
Wed Jan 15 16:00:10 UTC 2014


SurveyMonkey has a setting for "Can Only Vote Once". I'm using that on the
survey I am currently running (shameless plug goes here:
<http://trustedsoftwarealliance.com/2013/12/12/survey-developers-and-application-security-who-is-responsible/>)
and even had a complaint this morning that someone couldn't vote twice, so
I know it's working :-)


On Wed, Jan 15, 2014 at 10:50 AM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Hi Mark,
>
> we have a full Surveymonkey account for OWASP as well.
> So we could use it.
> But with both Google Survey and Surveymonkey, the key challenge is
> how to avoid duplicates.
> In Surveymonkey that only works if you send everyone a personalised
> invite; in Google you could use the owasp email address as identifier. Both
> have their problems. :-(
> So if you have any ideas on how to solve the "avoid double votes" problem
> with minimal effort for the voter, please let me know.
>
> Cheers, Tobias
>
>
> Ps.: we should definitely look into whether there are any problems keeping
> every member from having her/his owasp email address.
>
>
>
> On 15/01/14 15:29, Mark Miller wrote:
>
> I am using Survey Monkey for various projects, so let me know if that will
> be a viable option for future polls or surveys. -- Mark
>
>
> On Wed, Jan 15, 2014 at 7:35 AM, psiinon <psiinon at gmail.com> wrote:
>
>>      I've just closed the poll "Should OWASP give developer training at
>> RSA?".
>>  It was somewhat overtaken by events, but I still think it was useful.
>>
>>  A couple of points to note:
>>
>>  The stats I've published on https://www.owasp.org/index.php/Polls are
>> different to those on the Google Poll summary.
>>  This is because I've removed duplicate votes - unfortunately Google
>> Polls don't prevent duplicate votes and the summary isn't updated if you
>> remove the duplicates. Please let me know if I've made a mistake anywhere.
>> FYI I just counted individuals' latest votes.
>>
>>  While I think the poll was useful it has shown up some significant
>> disadvantages of using Google Polls for this sort of thing.
>>  We have to make the polls either open to everyone or restricted to those
>> people with OWASP email accounts.
>> I didn't want to do the former as I thought it was important to find out
>> what OWASP members thought, not the internet as a whole.
>>  What I didn't realize at the time was that OWASP email addresses are
>> reserved for chapter/project leaders, which meant that most OWASP members
>> were not able to vote :(
>>  Sorry about that.
>>
>>  I'm going to let the other poll run its course, but I'm not planning on
>> starting any new polls using Google Polls as I think they don't give us what
>> we need.
>>  Hopefully we'll have a better solution before too long that will allow
>> us to easily canvass the opinions of all OWASP members - I think that's
>> something that will be very beneficial to the organization.
>>
>> Simon
>>
>>
>> On Thu, Jan 9, 2014 at 5:15 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>
>>> On 01/05/2014 12:47 PM, Rory McCune wrote:
>>> > Hi all,
>>> >
>>> > Long thread is long.  I'd make a couple of points on this.
>>> >
>>> > 1. I'm not sure I'd say that RSA completely denies what's been said;
>>> to me their statement was written very "carefully", not to deny that the
>>> NSA paid them $10 million to make Dual_EC_DRBG the default RNG in BSAFE.
>>>  All you need to have for RSA's statement to be true and the allegations to
>>> be true is that they didn't have the "intention" of weakening their product,
>>> i.e. they did take the money, they did set the default algorithm, but it
>>> wasn't their intention to weaken their security.
>>> >
>>> > If they had wanted to deny the allegations they could just have said
>>> "the NSA did not pay us $10 million to make that the default RNG", which would
>>> have been clear and unambiguous; the fact they didn't makes a reasonably
>>> strong implication that they did.
>>>
>>> Thanks for this point. One should definitely read those statements very
>>> carefully. Another example pops up in my head but that's too far off to
>>> mention here. Completely denying would also sound different to me. The term
>>> INTENTION is not appropriate, at least the way it's being used.
>>>
>>> But also the response from RSA in September 2013 is remarkable: "RSA
>>> determined it appropriate to issue an advisory to all our RSA BSAFE [..]
>>> customers recommending they choose one of the different cryptographic
>>> Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit".
>>> Acknowledged it's broken, but all RSA does is a recommendation -- what?
>>>
>>> To keep in mind: the crypto community has known for a long time that
>>> Dual_EC_DRBG is broken! Read this from almighty Bruce ;-) in 2007:
>>> https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
>>> "But today there's an even bigger stink brewing around Dual_EC_DRBG. In
>>> an informal presentation (.pdf) at the CRYPTO 2007 conference in August,
>>> Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness
>>> that can only be described as a backdoor." That was no reason for BSAFE
>>> after that to ship DUAL_EC_DRBG other than .... you do the math.
>>>
>>>
>>> Cheers,
>>>
>>> Dirk
>>>
>>> >
>>> > 2. A point from earlier in the thread that not attending would only be
>>> noticed in the Infosec community.  Not sure that's the case. Definitely on
>>> developer heavy sites like news.ycombinator.com the NSA/RSA/Snowden piece
>>> has been heavily played, and indeed last night when this thread kicked off
>>> Errata Security's piece on boycotting RSA was the top post on the site.
>>> >
>>> > 3. An alternative to training at RSA that's been mentioned a couple of
>>> times, i.e. doing it at a different venue, seems plausible.  Would it maybe
>>> be possible to do it as B-Sides SF which happens at the same time ?
>>> >
>>> > 4. A good point earlier about the DHS grants.  If we're happy with
>>> that, then it seems tricky to say that we're not happy with this.
>>> >
>>> > Cheers
>>> >
>>> > Rory
>>> >
>>> >
>>> > On Sun, Jan 5, 2014 at 8:45 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> >
>>> >     By the way everyone, RSA completely denies these allegations.
>>> >
>>> >
>>> >
>>> >     …“we also categorically state that we have never entered into any
>>> contract or engaged in any project with the intention of weakening RSA’s
>>> products, or introducing potential ‘backdoors’ into our products for
>>> anyone’s use.” - https://blogs.rsa.com/news-media-2/rsa-response/
>>> >
>>>
>>> >
>>> >
>>> >
>>> >     It’s tough to know who to trust these days, but I do want to put
>>> RSA’s official comment on the table for consideration.
>>> >
>>> >
>>> >
>>> >     Cheers,
>>> >
>>> >     -          Jim
>>> >
>>> >
>>> >
>>> >     *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
>>> >     *Sent:* Saturday, January 04, 2014 5:04 PM
>>> >     *To:* Eoin Keary
>>> >     *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh (WebMentors); Nishant
>>> Johar (EMOBX); OWASP Foundation Board List; Ravdeep Sodhi; OWASP Leaders
>>> >     *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP Board decision
>>> that I don't agree with
>>> >
>>> >
>>> >
>>> >     My apologies for the delay in responding to this.  I've been on the
>>> road all day today and will be slow to respond tomorrow as well.
>>> >
>>> >     First off, let me admit that while my term hadn't officially begun
>>> yet, I am one of the Board members who encouraged Jim and Eoin to move
>>> forward with the training.  My rationale for this was simple; OWASP's
>>> mission is to make software security visible, so that individuals and
>>> organizations worldwide can make informed decisions about true software
>>> security risks.  The core of this statement being VISIBILITY.  We need to
>>> find and take advantage of as many ways as possible to raise the visibility
>>> of security risks.  Our mission says nothing about making political
>>> statements.  It says nothing about ethical business practices.  Our mission
>>> can certainly be amended to reflect other imperatives, if so desired by our
>>> membership, but until that day we need to prevent mission scope creep.
>>> >
>>> >     Now, since our mission is making software security visible, we
>>> simply have to ask ourselves if we better serve this mission by:
>>> >
>>> >     1) Performing a free training at a major conference, thereby
>>> increasing our exposure to people who haven't heard of OWASP before and
>>> enlightening them to software security risks that they likely were not
>>> aware of before.
>>> >
>>> >     2) Taking a stance against a company where some evidence may imply
>>> that they took a bribe to sacrifice security in one of their products.
>>> >
>>> >     Let me be clear on #2.  I don't agree that what RSA did is right,
>>> if it is true.  In fact, I have made the explicit decision to not do
>>> business with RSA in my day job because there are many other options out
>>> there and it's just not worth the risk.  But my passive decision to not
>>> purchase from RSA is very different than OWASP reneging on our agreement
>>> and making a public statement about their ethics.
>>> >
>>> >     So, given these two options, my gut is that OWASP's mission will
>>> be best served by #1.  It doesn't mean that we're supporting RSA.  It
>>> doesn't mean that we agree with unethical business practices.  It just
>>> means that we are doing the best we can to make application security
>>> visible.  If that means piggy-backing on the massive marketing effort they
>>> put into the conference or the infrastructure that supports it, I'm ok with
>>> that.  I understand that others may object to this on ethical grounds, and
>>> that's fine, but as a non-profit organization, we have a mandate to stay
>>> true to our mission, not to speak out against whatever the latest security
>>> headline is.
>>> >
>>> >     I do have one question about this training for clarification.  The
>>> training is FREE for anyone who would like to attend and not just for RSA
>>> attendees, correct?  My assumption is the former, but if the latter, this
>>> changes things significantly in my opinion.
>>> >
>>> >     ~josh
>>> >
>>> >
>>> >
>>> >     On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> >
>>> >         Good point.
>>> >         Bottom line is we want people to build secure code. Delivering
>>> this message under the same roof as RSA does not dilute the quality of the
>>> class delivered.
>>> >         There is no black and white, only shades of grey :)
>>> >
>>> >
>>> >
>>> >         Eoin Keary
>>> >         Owasp Global Board
>>> >         +353 87 977 2988
>>> >
>>> >         On 4 Jan 2014, at 23:36, Jim Manico <jim.manico at owasp.org> wrote:
>>> >
>>> >         > Another issue that is tangential.
>>> >         >
>>> >         > We are applying for several big money DHS grants. These help
>>> keep the foundation running.
>>> >         >
>>> >         > Should we reject all of these grants because of the Snowden
>>> affair? If we abort RSA but continue to take DHS money, then we send a
>>> mixed message.
>>> >         >
>>> >         > Aloha,
>>> >         > Jim
>>> >         >
>>> >         >> I strongly support Sastry on this one.
>>> >         >>
>>> >         >> You might be participating as individuals, but people see
>>> you guys as the OWASP Board, and that’s something that many of us don’t
>>> like to be the image of OWASP.
>>> >         >>
>>> >         >> Thanks
>>> >         >> -Abbas
>>> >         >> On Jan 4, 2014, at 1:18 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> >         >>
>>> >         >>> To be clear, there was no recorded vote on this but a
>>> debate.
>>> >         >>>
>>> >         >>> I started the debate after reading about Mikko. (Even
>>> though I was delivering the training with Jim and it is my material).
>>> >         >>>
>>> >         >>> The majority of the OWASP board feels getting involved in
>>> politics is wrong and wanted to push ahead with the training.
>>> >         >>>
>>> >         >>> So if feelings are strong we need to vote on this ASAP as
>>> leaders of OWASP? A formal board vote? Executive decision from Sarah, our
>>> executive director?
>>> >         >>>
>>> >         >>>
>>> >         >>>
>>> >         >>> Eoin Keary
>>> >         >>> Owasp Global Board
>>> >         >>> +353 87 977 2988
>>> >         >>>
>>> >         >>>
>>> >         >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri <sastry.tumuluri at owasp.org> wrote:
>>> >         >>>
>>> >         >>>> Friends,
>>> >         >>>>
>>> >         >>>> Please see the following full conversation on twitter:
>>> >         >>>> https://twitter.com/EoinKeary/status/419111748424454145
>>> >         >>>>
>>> >         >>>> Eoin Keary and Jim Manico (both OWASP board members) will
>>> be presenting/conducting 4 hrs of free-of-cost AppSec training at the RSA
>>> Conference, 2014. Michael Coates, Chairman of the OWASP Board is also said
>>> to be present. Apparently, this was discussed at the OWASP board level; and
>>> the board has decided to go ahead, keeping in mind the benefit to the
>>> attending developers.
>>> >         >>>>
>>> >         >>>> As you are aware, RSA is strongly suspected (we'll never
>>> be 100% sure, I'm afraid) of being complicit with NSA in enabling fatal
>>> weakening of crypto products. RSA has issued a sort of a denial that only
>>> deepens the mistrust. As a protest, many leading speakers are cancelling
>>> their talks at the upcoming RSAC 2014. Among them are (to my knowledge)
>>> Mikko Hypponen, Jeffrey Carr and Josh Thomas.
>>> >         >>>>
>>> >         >>>> At such a time, I am saddened by the OWASP board decision
>>> to support RSAC by their presence. At a time when they had the opportunity
>>> to let the world know how much they care for the Information Security
>>> profession (esp., against weakening crypto); and how much they care about
>>> the privacy of people (against NSA's unabashed spying on Americans &
>>> non-Americans alike), the board has copped out using a flimsy
>>> rationalization ("benefit of (a few) developers", many of whom would rethink
>>> their attendance if OWASP and more organizations didn't blink!).
>>> >         >>>>
>>> >         >>>> I'm sure there was a heated debate. I'm sure all angles
>>> were considered. However, this goes too deep for me to take it as "better
>>> men than me have considered and decided". As a matter of my personal
>>> values, if the situation doesn't change, I would no longer wish to continue
>>> as the OWASP Chapter Lead. Please let me know if any of you would like to
>>> take over from me.
>>> >         >>>>
>>> >         >>>> I will also share my feelings with fellow chapter members
>>> at our next chapter meeting on Jan 21st. Needless to say, no matter how
>>> things go, I remain committed to the principles of our open and open-source
>>> infosec community.
>>> >         >>>>
>>> >         >>>> Best regards,
>>> >         >>>>
>>> >         >>>> ==Sas3==
>>> >         >>> _______________________________________________
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>
>
>  --
>  *Mark Miller, Senior Storyteller*
> *Curator and Founder, Trusted Software Alliance*
>
> *Host and Executive Producer, OWASP 24/7 Podcast Channel Community
> Advocate, Sonatype*
>
>  *Developers and Application Security: Who is Responsible?*<https://www.surveymonkey.com/s/Developers_and_AppSec>
>
>
>
>
>
>


-- 
*Mark Miller, Senior Storyteller*
*Curator and Founder, Trusted Software Alliance*

*Host and Executive Producer, OWASP 24/7 Podcast Channel*
*Community Advocate, Sonatype*

*Developers and Application Security: Who is Responsible?*
<https://www.surveymonkey.com/s/Developers_and_AppSec>