[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with

Tobias tobias.gondrom at owasp.org
Wed Jan 15 16:04:41 UTC 2014


I know. That was what I was referring to.

However, that feature in SM is either bound through personalised
invitation emails or ties the identity just to an IP address, which is
neither a safe nor a good criterion for establishing identity.

Cheers, Tobias
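A minimal way to get the "one vote per member" property discussed here without relying on an IP address: each member gets a personalised link carrying an HMAC-signed token, and the vote is counted once per member id. This is an added example, not code from the thread or from any survey tool; the poll id, member ids, secret and the IP-based contrast data are constructed.

```python
"""Signed single-use ballot tokens as the dedup key for a members' poll."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple


class Poll:
    """One vote per member, bound to a personalised token rather than an IP."""

    def __init__(self, poll_id: str, secret: bytes) -> None:
        self.poll_id = poll_id
        self._secret = secret            # server-side only; a constructed value here
        self._voted: Set[str] = set()    # member ids whose vote has been counted
        self.tally: Dict[str, int] = {}

    def _mac(self, member: str, nonce: str) -> str:
        # Binding the poll id into the MAC stops a token being replayed on another poll.
        msg = f"{self.poll_id}|{member}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, member: str) -> str:
        """Token to embed in the personalised invitation link sent to one member."""
        nonce = secrets.token_hex(8)
        return f"{member}|{nonce}|{self._mac(member, nonce)}"

    def cast(self, token: str, choice: str) -> str:
        """Count a ballot; returns 'counted', 'invalid' or 'duplicate'."""
        parts = token.split("|")
        if len(parts) != 3:
            return "invalid"
        member, nonce, mac = parts
        # Only the issuer holds the secret, so a token that verifies was really issued.
        if not hmac.compare_digest(mac.encode(), self._mac(member, nonce).encode()):
            return "invalid"
        # Dedup on the member id, not the token: a re-issued link is still one vote.
        if member in self._voted:
            return "duplicate"
        self._voted.add(member)
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return "counted"


def ip_dedup(votes: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """'One vote per IP' for contrast: it drops a second member behind the same
    NAT or proxy, and lets one member vote again from a different address."""
    seen: Set[str] = set()
    counted: List[Tuple[str, str]] = []
    for ip, member, choice in votes:
        if ip in seen:
            continue
        seen.add(ip)
        counted.append((member, choice))
    return counted
```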


On 15/01/14 16:00, Mark Miller wrote:
> SurveyMonkey has a setting for "Can Only Vote Once". I'm using that on
> the survey I am currently running (shameless plug goes here
> <http://trustedsoftwarealliance.com/2013/12/12/survey-developers-and-application-security-who-is-responsible/>)
> and even had a complaint this morning that someone couldn't vote
> twice, so I know it's working :-)
>
>
> On Wed, Jan 15, 2014 at 10:50 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>
>     Hi Mark,
>
>     we have a full Surveymonkey account for OWASP as well.
>     So we could use it.
>     But with both Google Survey and Surveymonkey, the key
>     challenge is how to avoid duplicates.
>     In Surveymonkey that only works if you send everyone a
>     personalised invite, in Google you could use the owasp email
>     address as identifier. Both have their problems. :-(
>     So if you have any ideas on how to solve the "avoid double
>     votes"-problem with minimal effort for the voter, please let me know.
>
>     Cheers, Tobias
>
>
>     PS: we should definitely look into whether there are any problems
>     keeping every member from having her/his owasp email address.
>
>
>
>     On 15/01/14 15:29, Mark Miller wrote:
>>     I am using Survey Monkey for various projects, so let me know if
>>     that will be a viable option for future polls or surveys. -- Mark
>>
>>
>>     On Wed, Jan 15, 2014 at 7:35 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>         I've just closed the poll "Should OWASP give developer
>>         training at RSA?".
>>         It was somewhat overtaken by events, but I still think it was
>>         useful.
>>
>>         A couple of points to note:
>>
>>         The stats I've published on
>>         https://www.owasp.org/index.php/Polls are different to those
>>         on the Google Poll summary.
>>         This is because I've removed duplicate votes - unfortunately
>>         Google Polls don't prevent duplicate votes and the summary
>>         isn't updated if you remove the duplicates. Please let me know
>>         if I've made a mistake anywhere. FYI I just counted
>>         individuals' latest votes.
>>
>>         While I think the poll was useful it has shown up some
>>         significant disadvantages of using Google Polls for this sort
>>         of thing.
>>         We have to make the polls either open to everyone or
>>         restricted to those people with OWASP email accounts.
>>         I didn't want to do the former as I thought it was important
>>         to find out what OWASP members thought, not the internet as a
>>         whole.
>>         What I didn't realize at the time was that OWASP email
>>         addresses are reserved for chapter/project leaders, which
>>         meant that most OWASP members were not able to vote :(
>>         Sorry about that.
>>
>>         I'm going to let the other poll run its course, but I'm not
>>         planning on starting any new polls using Google Polls as I
>>         think they don't give us what we need.
>>         Hopefully we'll have a better solution before too long that
>>         will allow us to easily canvass the opinions of all OWASP
>>         members - I think that's something that will be very
>>         beneficial to the organization.
>>
>>         Simon
>>
>>
>>         On Thu, Jan 9, 2014 at 5:15 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>
>>             On 01/05/2014 12:47 PM, Rory McCune wrote:
>>             > Hi all,
>>             >
>>             > Long thread is long.  I'd make a couple of points on this.
>>             >
>>             > 1. I'm not sure I'd say that RSA completely denies
>>             what's been said, to me their statement was written very
>>             "carefully", not to deny that the NSA paid them $10
>>             million to make Dual_EC_DRBG the default RNG in BSAFE.
>>              All you need to have for RSA's statement to be true and
>>             the allegations to be true is that they didn't have the
>>             "intention" of weakening their product, i.e. they did take
>>             the money, they did set the default algorithm, but it
>>             wasn't their intention to weaken their security.
>>             >
>>             > If they had wanted to deny the allegations they could
>>             just have said "the NSA did not pay us $10 million to
>>             make that the default RNG", which would have been clear and
>>             unambiguous; the fact they didn't makes a reasonably
>>             strong implication that they did.
>>
>>             Thanks for this point. One should definitely read those
>>             statements very carefully. Another example pops up in my
>>             head but that's too far off to mention here. Completely
>>             denying would also sound different to me. The term
>>             INTENTION is not appropriate the way it's being used, at
>>             least.
>>
>>             But also the response from RSA in September 2013 is
>>             remarkable: "RSA determined it appropriate
>>             to issue an advisory to all our RSA BSAFE [..]  customers
>>             recommending they choose one of
>>             the different cryptographic Pseudo-Random Number
>>             Generators (PRNG) built into the RSA BSAFE
>>             toolkit". Acknowledged it's broken, but all RSA does is a
>>             recommendation -- what?
>>
>>             To keep in mind: the crypto community has known for a long
>>             time that Dual_EC_DRBG is broken! Read this
>>             from almighty Bruce ;-) in 2007:
>>             https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
>>             "But today there's an even bigger stink brewing around
>>             Dual_EC_DRBG. In an informal presentation (.pdf)
>>             at the CRYPTO 2007 conference in August, Dan Shumow and
>>             Niels Ferguson showed that the algorithm
>>             contains a weakness that can only be described as a
>>             backdoor.". After that, there was no reason for BSAFE to
>>             ship Dual_EC_DRBG other than .... you do the math.
>>
>>
>>             Cheers,
>>
>>             Dirk
>>
>>             >
>>             > 2. A point from earlier in the thread that not
>>             attending would only be noticed in the Infosec community.
>>              Not sure that's the case. Definitely on developer heavy
>>             sites like news.ycombinator.com the NSA/RSA/Snowden piece
>>             has been heavily played and indeed last night when this
>>             thread kicked off Errata security's piece on boycotting
>>             RSA was the top post on the site.
>>             >
>>             > 3. An alternative to training at RSA that's been
>>             mentioned a couple of times, i.e. doing it at a different
>>             venue, seems plausible.  Would it maybe be possible to do
>>             it at B-Sides SF, which happens at the same time?
>>             >
>>             > 4. A good point earlier about the DHS grants.  If we're
>>             happy with that, then it seems tricky to say that we're
>>             not happy with this.
>>             >
>>             > Cheers
>>             >
>>             > Rory
>>             >
>>             >
>>             > On Sun, Jan 5, 2014 at 8:45 AM, Jim Manico
>>             <jim.manico at owasp.org> wrote:
>>             >
>>             >     By the way everyone, RSA completely denies these
>>             allegations.
>>             >
>>             >
>>             >
>>             >     …“we also categorically state that we have never
>>             entered into any contract or engaged in any project with
>>             the intention of weakening RSA’s products, or introducing
>>             potential ‘backdoors’ into our products for anyone’s
>>             use.” - https://blogs.rsa.com/news-media-2/rsa-response/
>>             >
>>
>>             >
>>             >
>>             >
>>             >     It’s tough to know who to trust these days, but I
>>             do want to put RSA’s official comment on the table for
>>             consideration.
>>             >
>>             >
>>             >
>>             >     Cheers,
>>             >
>>             >     -          Jim
>>             >
>>             >
>>             >
>>             >     *From:*Josh Sokol [mailto:josh.sokol at owasp.org]
>>             >     *Sent:* Saturday, January 04, 2014 5:04 PM
>>             >     *To:* Eoin Keary
>>             >     *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh
>>             (WebMentors); Nishant Johar (EMOBX); OWASP Foundation
>>             Board List; Ravdeep Sodhi; OWASP Leaders
>>             >     *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP
>>             Board decision that I don't agree with
>>             >
>>             >
>>             >
>>             >     My apologies for the delay in responding to this.
>>              I've been on the road all day today and will be slow to
>>             respond tomorrow as well.
>>             >
>>             >     First off, let me admit that while my term hadn't
>>             officially begun yet, I am one of the Board members who
>>             encouraged Jim and Eoin to move forward with the
>>             training.  My rationale for this was simple: OWASP's
>>             mission is to make software security visible, so that
>>             individuals and organizations worldwide can make informed
>>             decisions about true software security risks.  The core
>>             of this statement being VISIBILITY.  We need to find and
>>             take advantage of as many ways as possible to raise the
>>             visibility of security risks.  Our mission says nothing
>>             about making political statements.  It says nothing about
>>             ethical business practices.  Our mission can certainly be
>>             amended to reflect other imperatives, if so desired by
>>             our membership, but until that day we need to prevent
>>             mission scope creep.
>>             >
>>             >     Now, since our mission is making software security
>>             visible, we simply have to ask ourselves if we better
>>             serve this mission by:
>>             >
>>             >     1) Performing a free training at a major
>>             conference, thereby increasing our exposure to people who
>>             haven't heard of OWASP before and enlightening them to
>>             software security risks that they likely were not aware
>>             of before.
>>             >
>>             >     2) Taking a stance against a company where some
>>             evidence may imply that they took a bribe to sacrifice
>>             security in one of their products.
>>             >
>>             >     Let me be clear on #2.  I don't agree that what RSA
>>             did is right, if it is true.  In fact, I have made the
>>             explicit decision to not do business with RSA in my day
>>             job because there are many other options out there and
>>             it's just not worth the risk.  But my passive decision to
>>             not purchase from RSA is very different than OWASP
>>             reneging on our agreement and making a public statement
>>             about their ethics.
>>             >
>>             >     So, given these two options, my gut is that OWASP's
>>             mission will be best served by #1.  It doesn't mean that
>>             we're supporting RSA.  It doesn't mean that we agree with
>>             unethical business practices.  It just means that we are
>>             doing the best we can to make application security
>>             visible.  If that means piggy-backing on the massive
>>             marketing effort they put into the conference or the
>>             infrastructure that supports it, I'm ok with that.  I
>>             understand that others may object to this on ethical
>>             grounds, and that's fine, but as a non-profit
>>             organization, we have a mandate to stay true to our
>>             mission, not to speak out against whatever the latest
>>             security headline is.
>>             >
>>             >     I do have one question about this training for
>>             clarification.  The training is FREE for anyone who would
>>             like to attend and not just for RSA attendees, correct?
>>              My assumption is the former, but if the latter, this
>>             changes things significantly in my opinion.
>>             >
>>             >     ~josh
>>             >
>>             >
>>             >
>>             >     On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary
>>             <eoin.keary at owasp.org> wrote:
>>             >
>>             >         Good point.
>>             >         Bottom line is we want people to build secure
>>             code. Delivering this message under the same roof as RSA
>>             does not dilute the quality of the class delivered.
>>             >         There is no black and white, only shades of grey :)
>>             >
>>             >
>>             >
>>             >         Eoin Keary
>>             >         Owasp Global Board
>>             >         +353 87 977 2988
>>             >
>>             >         On 4 Jan 2014, at 23:36, Jim Manico
>>             <jim.manico at owasp.org> wrote:
>>             >
>>             >         > Another issue that is tangential.
>>             >         >
>>             >         > We are applying for several big money DHS
>>             grants. These help keep the foundation running.
>>             >         >
>>             >         > Should we reject all of these grants because
>>             of the Snowden affair? If we abort RSA but continue to
>>             take DHS money, then we send a mixed message.
>>             >         >
>>             >         > Aloha,
>>             >         > Jim
>>             >         >
>>             >         >> I strongly support Sastry on this one.
>>             >         >>
>>             >         >> You might be participating as individuals,
>>             but people see you guys as the OWASP Board, and that’s
>>             something that many of us don’t like to be the image of
>>             OWASP.
>>             >         >>
>>             >         >> Thanks
>>             >         >> -Abbas
>>             >         >> On Jan 4, 2014, at 1:18 PM, Eoin Keary
>>             <eoin.keary at owasp.org> wrote:
>>             >         >>
>>             >         >>> To be clear, there was no recorded vote on
>>             this but a debate.
>>             >         >>>
>>             >         >>> I started the debate after reading about
>>             Mikko. (Even though I was delivering the training with
>>             Jim and it is my material).
>>             >         >>>
>>             >         >>> The majority of the OWASP board feels
>>             getting involved in politics is wrong and wanted to push
>>             ahead with the training.
>>             >         >>>
>>             >         >>> So if feelings are strong, do we need to vote
>>             on this ASAP as leaders of OWASP? A formal board vote? An
>>             executive decision from Sarah, our executive director?
>>             >         >>>
>>             >         >>>
>>             >         >>>
>>             >         >>> Eoin Keary
>>             >         >>> Owasp Global Board
>>             >         >>> +353 87 977 2988
>>             >         >>>
>>             >         >>>
>>             >         >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri
>>             <sastry.tumuluri at owasp.org> wrote:
>>             >         >>>
>>             >         >>>> Friends,
>>             >         >>>>
>>             >         >>>> Please see the following full conversation
>>             on twitter:
>>             >         >>>>
>>             https://twitter.com/EoinKeary/status/419111748424454145
>>             >         >>>>
>>             >         >>>> Eoin Keary and Jim Manico (both OWASP
>>             board members) will be presenting/conducting 4 hrs of
>>             free-of-cost AppSec training at the RSA Conference, 2014.
>>             Michael Coates, Chairman of the OWASP Board is also said
>>             to be present. Apparently, this was discussed at the
>>             OWASP board level; and the board has decided to go ahead,
>>             keeping in mind the benefit to the attending developers.
>>             >         >>>>
>>             >         >>>> As you are aware, RSA is strongly
>>             suspected (we'll never be 100% sure, I'm afraid) of being
>>             complicit with NSA in enabling fatal weakening of crypto
>>             products. RSA has issued a sort of a denial that only
>>             deepens the mistrust. As a protest, many leading speakers
>>             are cancelling their talks at the upcoming RSAC 2014.
>>             Among them are (to my knowledge) Mikko Hypponen, Jeffrey
>>             Carr and Josh Thomas.
>>             >         >>>>
>>             >         >>>> At such a time, I am saddened by the OWASP
>>             board decision to support RSAC by their presence. At a
>>             time when they had the opportunity to let the world know
>>             how much they care for the Information Security
>>             profession (esp., against weakening crypto); and how much
>>             they care about the privacy of people (against NSA's
>>             unabashed spying on Americans & non-Americans alike), the
>>             board has copped out using a flimsy rationalization
>>             ("benefit of (a few) developers", many of whom would
>>             rethink their attendance had OWASP and more organizations
>>             not blinked!").
>>             >         >>>>
>>             >         >>>> I'm sure there was a heated debate. I'm
>>             sure all angles were considered. However, this goes too
>>             deep for me to take it as "better men than me have
>>             considered and decided". As a matter of my personal
>>             values, if the situation doesn't change, I would no
>>             longer wish to continue as the OWASP Chapter Lead. Please
>>             let me know if any of you would like to take over from me.
>>             >         >>>>
>>             >         >>>> I will also share my feelings with fellow
>>             chapter members at our next chapter meeting on Jan 21st.
>>             Needless to say, no matter how things go, I remain
>>             committed to the principles of our open and open-source
>>             infosec community.
>>             >         >>>>
>>             >         >>>> Best regards,
>>             >         >>>>
>>             >         >>>> ==Sas3==
>>             >         >>> _______________________________________________
>>
>>             _______________________________________________
>>             OWASP-Leaders mailing list
>>             OWASP-Leaders at lists.owasp.org
>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>>         -- 
>>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>>
>>
>>     -- 
>>     *Mark Miller, Senior Storyteller*
>>     /Curator and Founder, Trusted Software Alliance/
>>     /Host and Executive Producer, OWASP 24/7 Podcast Channel
>>     Community Advocate, Sonatype/
>>
>>     /*Developers and Application Security: Who is Responsible?*/
>>     <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>
>>
>>
>
>
>
>
>
