[Owasp-leaders] [Owasp-board] OWASP Board decision that I don't agree with
Tobias
tobias.gondrom at owasp.org
Wed Jan 15 16:04:41 UTC 2014
I know. That was what I was referring to.
However, that feature in SM is either bound to personalised
invitation emails or ties the identity just to an IP address, which is
neither a safe nor a good criterion for establishing identity.
Cheers, Tobias
On 15/01/14 16:00, Mark Miller wrote:
> SurveyMonkey has a setting for "Can Only Vote Once". I'm using that on
> the survey I am currently running (shameless plug goes here
> <http://trustedsoftwarealliance.com/2013/12/12/survey-developers-and-application-security-who-is-responsible/>)
> and even had a complaint this morning that someone couldn't vote
> twice, so I know it's working :-)
>
>
> On Wed, Jan 15, 2014 at 10:50 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>
> Hi Mark,
>
> we have a full Surveymonkey account for OWASP as well.
> So we could use it.
> But with both Google Survey and Surveymonkey, the key
> challenge is how to avoid duplicates.
> In Surveymonkey that only works if you send everyone a
> personalised invite, in Google you could use the owasp email
> address as identifier. Both have their problems. :-(
> So if you have any ideas on how to solve the "avoid double
> votes"-problem with minimal effort for the voter, please let me know.
>
> Cheers, Tobias
>
>
> Ps.: we should definitely look into whether there are any problems
> keeping every member from having her/his owasp email address.
>
>
>
> On 15/01/14 15:29, Mark Miller wrote:
>> I am using Survey Monkey for various projects, so let me know if
>> that will be a viable option for future polls or surveys. -- Mark
>>
>>
>> On Wed, Jan 15, 2014 at 7:35 AM, psiinon <psiinon at gmail.com> wrote:
>>
>> I've just closed the poll "Should OWASP give developer
>> training at RSA?".
>> It was somewhat overtaken by events, but I still think it was
>> useful.
>>
>> A couple of points to note:
>>
>> The stats I've published on
>> https://www.owasp.org/index.php/Polls are different to those
>> on the Google Poll summary.
>> This is because I've removed duplicate votes - unfortunately
>> Google Polls don't prevent duplicate votes and the summary
>> isn't updated if you remove the duplicates. Please let me know
>> if I've made a mistake anywhere. FYI I just counted
>> individuals' latest votes.
>>
>> While I think the poll was useful it has shown up some
>> significant disadvantages of using Google Polls for this sort
>> of thing.
>> We have to make the polls either open to everyone or
>> restricted to those people with OWASP email accounts.
>> I didn't want to do the former as I thought it was important
>> to find out what OWASP members thought, not the internet as a
>> whole.
>> What I didn't realize at the time was that OWASP email
>> addresses are reserved for chapter/project leaders, which
>> meant that most OWASP members were not able to vote :(
>> Sorry about that.
>>
>> I'm going to let the other poll run its course, but I'm not
>> planning on starting any new polls using Google Polls as I
>> think they don't give us what we need.
>> Hopefully we'll have a better solution before too long that
>> will allow us to easily canvass the opinions of all OWASP
>> members - I think that's something that will be very
>> beneficial to the organization.
>>
>> Simon
>>
>>
>> On Thu, Jan 9, 2014 at 5:15 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>
>> On 01/05/2014 12:47 PM, Rory McCune wrote:
>> > Hi all,
>> >
>> > Long thread is long. I'd make a couple of point on this.
>> >
>> > 1. I'm not sure I'd say that RSA completely denies
>> what's been said; to me their statement was written very
>> "carefully", not to deny that the NSA paid them $10
>> million to make Dual_EC_DRBG the default RNG in BSAFE.
>> All you need for RSA's statement to be true and
>> the allegations to be true is that they didn't have the
>> "intention" of weakening their product, i.e. they did take
>> the money, they did set the default algorithm, but it
>> wasn't their intention to weaken their security.
>> >
>> > If they had wanted to deny the allegations they could
>> just have said "the NSA did not pay us $10 million to
>> make that the default RNG"; that would have been clear and
>> unambiguous. The fact they didn't makes a reasonably
>> strong implication that they did.
>>
>> Thanks for this point. One should definitely read those
>> statements very carefully. Another example pops up in my
>> head, but that's too far off to mention here. Completely
>> denying would also sound different to me. The term
>> INTENTION is not appropriate the way it's being used, at
>> least.
>>
>> But also the response from RSA in September 2013 is
>> remarkable: "RSA determined it appropriate
>> to issue an advisory to all our RSA BSAFE [..] customers
>> recommending they choose one of
>> the different cryptographic Pseudo-Random Number
>> Generators (PRNG) built into the RSA BSAFE
>> toolkit". Acknowledged it's broken, but all RSA does is a
>> recommendation -- what?
>>
>> To keep in mind: the crypto community has known for a long
>> time that Dual_EC_DRBG is broken! Read this
>> from almighty Bruce ;-) in 2007:
>> https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
>> "But today there's an even bigger stink brewing around
>> Dual_EC_DRBG. In an informal presentation (.pdf)
>> at the CRYPTO 2007 conference in August, Dan Shumow and
>> Niels Ferguson showed that the algorithm
>> contains a weakness that can only be described as a
>> backdoor." There was no reason for BSAFE to keep shipping
>> DUAL_EC_DRBG after that, other than .... you do the math.
>>
>>
>> Cheers,
>>
>> Dirk
>>
>> >
>> > 2. A point from earlier in the thread that not
>> attending would only be noticed in the Infosec community.
>> Not sure that's the case. Definitely on developer heavy
>> sites like news.ycombinator.com
>> <http://news.ycombinator.com> the NSA/RSA/Snowden piece
>> has been heavily played, and indeed last night when this
>> thread kicked off Errata Security's piece on boycotting
>> RSA was the top post on the site.
>> >
>> > 3. An alternative to training at RSA that's been
>> mentioned a couple of times, i.e. doing it at a different
>> venue, seems plausible. Would it maybe be possible to do
>> it as B-Sides SF which happens at the same time ?
>> >
>> > 4. A good point earlier about the DHS grants. If we're
>> happy with that, then it seems tricky to say that we're
>> not happy with this.
>> >
>> > Cheers
>> >
>> > Rory
>> >
>> >
>> > On Sun, Jan 5, 2014 at 8:45 AM, Jim Manico
>> <jim.manico at owasp.org> wrote:
>> >
>> > By the way everyone, RSA completely denies these
>> allegations.
>> >
>> >
>> >
>> > …“we also categorically state that we have never
>> entered into any contract or engaged in any project with
>> the intention of weakening RSA’s products, or introducing
>> potential ‘backdoors’ into our products for anyone’s
>> use.” - https://blogs.rsa.com/news-media-2/rsa-response/
>> >
>>
>> >
>> >
>> >
>> > It’s tough to know who to trust these days, but I
>> do want to put RSA’s official comment on the table for
>> consideration.
>> >
>> >
>> >
>> > Cheers,
>> >
>> > - Jim
>> >
>> >
>> >
>> > *From:*Josh Sokol [mailto:josh.sokol at owasp.org]
>> > *Sent:* Saturday, January 04, 2014 5:04 PM
>> > *To:* Eoin Keary
>> > *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh
>> (WebMentors); Nishant Johar (EMOBX); OWASP Foundation
>> Board List; Ravdeep Sodhi; OWASP Leaders
>> > *Subject:* Re: [Owasp-board] [Owasp-leaders] OWASP
>> Board decision that I don't agree with
>> >
>> >
>> >
>> > My apologies in the delay in responding to this.
>> I've been on the road all day today and will be slow to
>> respond tomorrow as well.
>> >
>> > First off, let me admit that while my term hadn't
>> officially begun yet, I am one of the Board members who
>> encouraged Jim and Eoin to move forward with the
>> training. My rationale for this was simple; OWASP's
>> mission is to make software security visible, so that
>> individuals and organizations worldwide can make informed
>> decisions about true software security risks. The core
>> of this statement being VISIBILITY. We need to find and
>> take advantage of as many ways as possible to raise the
>> visibility of security risks. Our mission says nothing
>> about making political statements. It says nothing about
>> ethical business practices. Our mission can certainly be
>> amended to reflect other imperatives, if so desired by
>> our membership, but until that day we need to prevent
>> mission scope creep.
>> >
>> > Now, since our mission is making software security
>> visible, we simply have to ask ourselves if we better
>> serve this mission by:
>> >
>> > 1) Performing a free training at a major
>> conference, thereby increasing our exposure to people who
>> haven't heard of OWASP before and enlightening them to
>> software security risks that they likely were not aware
>> of before.
>> >
>> > 2) Taking a stance against a company where some
>> evidence may imply that they took a bribe to sacrifice
>> security in one of their products.
>> >
>> > Let me be clear on #2. I don't agree that what RSA
>> did is right, if it is true. In fact, I have made the
>> explicit decision to not do business with RSA in my day
>> job because there are many other options out there and
>> it's just not worth the risk. But my passive decision to
>> not purchase from RSA is very different than OWASP
>> reneging on our agreement and making a public statement
>> about their ethics.
>> >
>> > So, given these two options, my gut is that OWASP's
>> mission will be best served by #1. It doesn't mean that
>> we're supporting RSA. It doesn't mean that we agree with
>> unethical business practices. It just means that we are
>> doing the best we can to make application security
>> visible. If that means piggy-backing on the massive
>> marketing effort they put into the conference or the
>> infrastructure that supports it, I'm ok with that. I
>> understand that others may object to this on ethical
>> grounds, and that's fine, but as a non-profit
>> organization, we have a mandate to stay true to our
>> mission, not to speak out against whatever the latest
>> security headline is.
>> >
>> > I do have one question about this training for
>> clarification. The training is FREE for anyone who would
>> like to attend and not just for RSA attendees, correct?
>> My assumption is the former, but if the latter, this
>> changes things significantly in my opinion.
>> >
>> > ~josh
>> >
>> >
>> >
>> > On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary
>> <eoin.keary at owasp.org> wrote:
>> >
>> > Good point.
>> > Bottom line is we want people to build secure
>> code. Delivering this message under the same roof as RSA
>> does not dilute the quality of the class delivered.
>> > There is no black and white, only shades of grey :)
>> >
>> >
>> >
>> > Eoin Keary
>> > Owasp Global Board
>> > +353 87 977 2988
>> >
>> > On 4 Jan 2014, at 23:36, Jim Manico
>> <jim.manico at owasp.org> wrote:
>> >
>> > > Another issue that is tangential.
>> > >
>> > > We are applying for several big money DHS
>> grants. These help keep the foundation running.
>> > >
>> > > Should we reject all of these grants because
>> of the Snowden affair? If we abort RSA but continue to
>> take DHS money, then we send a mixed message.
>> > >
>> > > Aloha,
>> > > Jim
>> > >
>> > >> I strongly support Sastry on this one.
>> > >>
>> > >> You might be participating as individuals,
>> but people see you guys as the OWASP Board, and that’s
>> something that many of us don’t like to be the image of
>> OWASP.
>> > >>
>> > >> Thanks
>> > >> -Abbas
>> > >> On Jan 4, 2014, at 1:18 PM, Eoin Keary
>> <eoin.keary at owasp.org> wrote:
>> > >>
>> > >>> To be clear, there was no recorded vote on
>> this but a debate.
>> > >>>
>> > >>> I started the debate after reading about
>> Mikko. (Even though I was delivering the training with
>> Jim and it is my material).
>> > >>>
>> > >>> The majority of board of OWASP feels
>> getting involved in politics is wrong and wanted to push
>> ahead with the training.
>> > >>>
>> > >>> So if feelings are strong we need to vote
>> on this ASAP? as leaders of OWASP. A formal board vote?
>> Executive decision from Sarah, our executive director.
>> > >>>
>> > >>>
>> > >>>
>> > >>> Eoin Keary
>> > >>> Owasp Global Board
>> > >>> +353 87 977 2988
>> > >>>
>> > >>>
>> > >>> On 4 Jan 2014, at 16:48, Sastry Tumuluri
>> <sastry.tumuluri at owasp.org> wrote:
>> > >>>
>> > >>>> Friends,
>> > >>>>
>> > >>>> Please see the following full conversation
>> on twitter:
>> > >>>>
>> https://twitter.com/EoinKeary/status/419111748424454145
>> > >>>>
>> > >>>> Eoin Keary and Jim Manico (both OWASP
>> board members) will be presenting/conducting 4 hrs of
>> free-of-cost AppSec training at the RSA Conference, 2014.
>> Michael Coates, Chairman of the OWASP Board is also said
>> to be present. Apparently, this was discussed at the
>> OWASP board level; and the board has decided to go ahead,
>> keeping in mind the benefit to the attending developers.
>> > >>>>
>> > >>>> As you are aware, RSA is strongly
>> suspected (we'll never be 100% sure, I'm afraid) of being
>> complicit with NSA in enabling fatal weakening of crypto
>> products. RSA has issued a sort of a denial that only
>> deepens the mistrust. As a protest, many leading speakers
>> are cancelling their talks at the upcoming RSAC 2014.
>> Among them are (to my knowledge) Mikko Hypponen, Jeffrey
>> Carr and Josh Thomas.
>> > >>>>
>> > >>>> At such a time, I am saddened by the OWASP
>> board decision to support RSAC by their presence. At a
>> time when they had the opportunity to let the world know
>> how much they care for the Information Security
>> profession (esp., against weakening crypto); and how much
>> they care about the privacy of people (against NSA's
>> unabashed spying on Americans & non-Americans alike), the
>> board has copped out using a flimsy rationalization
>> ("benefit of (a few) developers", many of whom would
>> rethink their attendance had OWASP and more organizations
>> not blinked!).
>> > >>>>
>> > >>>> I'm sure there was a heated debate. I'm
>> sure all angles were considered. However, this goes too
>> deep for me to take it as "better men than me have
>> considered and decided". As a matter of my personal
>> values, if the situation doesn't change, I would no
>> longer wish to continue as the OWASP Chapter Lead. Please
>> let me know if any of you would like to take over from me.
>> > >>>>
>> > >>>> I will also share my feelings with fellow
>> chapter members at our next chapter meeting on Jan 21st.
>> Needless to say, no matter how things go, I remain
>> committed to the principles of our open and open-source
>> infosec community.
>> > >>>>
>> > >>>> Best regards,
>> > >>>>
>> > >>>> ==Sas3==
>> > >>> _______________________________________________
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>>
>>
>> --
>> *Mark Miller, Senior Storyteller*
>> /Curator and Founder, Trusted Software Alliance/
>> /Host and Executive Producer, OWASP 24/7 Podcast Channel
>> Community Advocate, Sonatype/
>>
>> /*Developers and Application Security: Who is Responsible?*/
>> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>
>>
>>
>
>
>
>
> --
> *Mark Miller, Senior Storyteller*
> /Curator and Founder, Trusted Software Alliance/
> /Host and Executive Producer, OWASP 24/7 Podcast Channel
> Community Advocate, Sonatype/
>
> /*Developers and Application Security: Who is Responsible?*/
> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>
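The "avoid double votes" problem that Tobias, Mark and Simon discuss above comes down to what identity a ballot is bound to. The following is an added example, not code from the thread and not how SurveyMonkey or Google Forms implement anything: it models a personalised invite as an HMAC-bound per-member token, tallies ballots so that only each verified member's latest vote counts (the rule Simon applied by hand), and contrasts that with the IP-address approximation of "can only vote once". The member names, addresses, poll secret and ballots are all constructed for the example.

```python
"""Added example for the "avoid double votes" problem discussed above; this is
not code from the thread, from SurveyMonkey or from Google Forms. It contrasts
the two identity choices the thread mentions: an IP address (what a generic
"vote once" setting can fall back on) versus a personalised invite, modelled
here as an HMAC-bound single-voter token. Member names, addresses, the poll
secret and the ballots are all constructed for the example.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed: a per-poll secret held only by the poll owner.
POLL_SECRET = secrets.token_bytes(32)


def make_invite(member_id: str, secret: bytes = POLL_SECRET) -> str:
    """Personalised invite token '<member_id>.<tag>' for one member.

    The tag is HMAC-SHA256 over the member id, so a token cannot be forged
    for another member, or altered, without the poll secret."""
    tag = hmac.new(secret, member_id.encode(), hashlib.sha256).hexdigest()
    return f"{member_id}.{tag}"


def verify_invite(token: str, secret: bytes = POLL_SECRET) -> Optional[str]:
    """Return the member id the token was issued to, or None if not genuine."""
    member_id, sep, tag = token.rpartition(".")  # the hex tag never contains '.'
    if not sep or not member_id:
        return None
    expected = hmac.new(secret, member_id.encode(), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so a forger learns nothing from timing
    return member_id if hmac.compare_digest(tag, expected) else None


def tally_by_identity(ballots: Iterable[Tuple[str, str]],
                      secret: bytes = POLL_SECRET) -> Tuple[Counter, int]:
    """Count (token, choice) ballots in arrival order.

    Forged tokens are rejected. A member who votes several times has only the
    latest ballot counted. Returns (counts per choice, number rejected)."""
    latest = {}
    rejected = 0
    for token, choice in ballots:
        member = verify_invite(token, secret)
        if member is None:
            rejected += 1
            continue
        latest[member] = choice  # a later ballot overwrites the earlier one
    return Counter(latest.values()), rejected


def tally_by_ip(ballots: Iterable[Tuple[str, str]]) -> Counter:
    """The IP-address approximation of "can only vote once": keep the first
    ballot seen from each address and drop the rest."""
    first_seen = {}
    for ip, choice in ballots:
        first_seen.setdefault(ip, choice)
    return Counter(first_seen.values())


# Constructed sample data.
MEMBERS = ["alice", "bob", "carol"]
INVITES = {m: make_invite(m) for m in MEMBERS}


def demo_identity() -> Tuple[Counter, int]:
    """Three members, one re-vote, one forged token."""
    ballots = [
        (INVITES["alice"], "yes"),
        (INVITES["bob"], "no"),
        (INVITES["alice"], "no"),        # alice changes her mind: only this counts
        ("mallory." + "0" * 64, "yes"),  # forged tag: rejected
        (INVITES["carol"], "yes"),
    ]
    return tally_by_identity(ballots)   # -> (Counter({'no': 2, 'yes': 1}), 1)


def demo_ip() -> Counter:
    """Why an IP address is not an identity: alice and bob sit behind one NAT
    address, while mallory votes from two different addresses."""
    ballots = [
        ("203.0.113.10", "yes"),  # alice
        ("203.0.113.10", "no"),   # bob: silently dropped as alice's "duplicate"
        ("198.51.100.7", "yes"),  # mallory
        ("198.51.100.8", "yes"),  # mallory again, new address: counted again
    ]
    return tally_by_ip(ballots)  # -> Counter({'yes': 3}); the true result is 2 yes, 1 no


if __name__ == "__main__":
    print(demo_identity())
    print(demo_ip())
```

The token scheme is the minimal-effort option for the voter that Tobias asks about: the member clicks a personalised link and never types anything, yet the ballot is still bound to an identity the poll owner issued, and a second ballot from the same member replaces the first instead of being counted twice. The IP-based tally shows both failure modes at once, a legitimate second voter behind a shared address being dropped and one person behind two addresses being counted twice.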