[Owasp-leaders] [Governance] [OWASP ASVS] Obfuscation?

Josh Sokol josh.sokol at owasp.org
Fri Nov 7 22:32:39 UTC 2014

As long as we're correcting the record, I never offered to have Christian
rejoin OWASP.  I created a plan that I thought was a compromise between the
various thoughts and feelings on the situation regarding Christian's
request to re-evaluate his membership ban and offered to take it to the
Board if he agreed to it.  As he says, he did decline and any activity
towards his reinstatement ceased at that time.

To answer Christian's question, the Board received multiple complaints from
members of the OWASP Foundation accusing him of posting e-mails to the
OWASP Leaders list containing rude and abusive language and false
accusations.  We asked our Compliance Officer to review the complaints,
determine whether they are accurate, and determine whether the posts were
in conflict with the OWASP Code of Ethics.  The conclusion was that the
complaints were accurate and the posts were in conflict with the OWASP Code
of Conduct and the recommendation was for the Board to define appropriate
measures as a result of his actions and to make an official public
statement.  Without the notes, I'm not sure who took that as an action
item, but it certainly merits follow-up to make sure that it happens.  This
absolutely should not have been a surprise to you Christian, and for that,
I am sorry.  I was under the impression that it had been communicated to
you.  I will take it as a personal action item to follow up with the Board
and our ED to determine who took that action item on and make sure that
they follow through with it.


On Thu, Nov 6, 2014 at 6:55 PM, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:

> Martin,
> For the record, I declined Josh Sokol's offer to rejoin OWASP because he
> refused to issue a clarification to the various OWASP Mailing Lists of the
> ulterior motives of Dinis Cruz and Chris Gatford with
> https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project
> This, as I expected, has resulted in another positive contribution of mine
> being treated with suspicion and contempt.  I have made several recent
> positive contributions to ASVS that have been acknowledged by both Jim
> Manico and Andrew van der Stock, of which a sample is provided below:
> 1.
> http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-September/000650.html
> 2.
> http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-October/000691.html
> 3.
> http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-October/000692.html
> As you would be aware I declined Josh's offer to rejoin in February 2014
> and I have not corresponded on this matter since and I was explicit in
> instructing the OWASP Board not to presume that I want them to take any
> actions on my behalf.
> I am surprised to learn about an event involving me without any
> notification or the ability to defend myself in hearsay that Josh alludes
> to in the e-mail dated 6 November 2014 at 1:57 PM.
> Can you please give me a call to provide your version of the events since
> we hadn't spoken prior to 16 September 2014?
> I would appreciate if you could inform the various Mailing Lists to
> discontinue this discussion since:
> 1. I cannot defend myself on the OWASP Leaders Mailing List.
> 2. It may have an adverse effect on the legal proceeding against Chris
> Gatford.
> 3. I have no idea what Josh Sokol is alluding to that occurred on 16
> September.
> On Fri, Nov 7, 2014 at 10:44 AM, Steven van der Baan <
> steven.van.der.baan at owasp.org> wrote:
>> I agree with Yvan that at least the leaders list had to be informed of
>> this decision, and with that I mean that an additional message had to be sent
>> besides the mention in the meeting minutes. Although the Operations Team is
>> capable of handling sensitive issues, they do not have to be alone in
>> upholding these rulings.
>> Regards,
>> Steven.
>> On 06/11/14 22:25, Yvan Boily wrote:
>> On Thu, Nov 6, 2014 at 1:57 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>   Yvan,
>>>  Your post is actually about two separate things:
>>>  1) Action: The Board acknowledged the complaints from various members
>>> of the Foundation and had our Compliance Officer, Martin Knobloch, conduct
>>> an investigation into the matter.  Martin concluded his independent
>>> investigation into his actions and provided his report to the Board in
>>> September.  My mind is failing me as to whether it was the September or
>>> October Board Meeting (pretty sure it was at AppSecUSA on 9/16/2014), and
>>> the agenda and voting doesn't reflect it (a problem I've asked to get
>>> rectified), but the Board did vote to extend his membership ban and not
>>> give reconsideration for membership for a significant period of time.  I
>>> don't remember offhand the exact details in terms of timeframe as many
>>> different options were discussed.  Regardless, your suggestion that the
>>> Board has failed to take action on this issue is misinformed.
>>  Glad to hear it!  Can we get an amendment to the process that when
>> action is taken a complainant is notified?
>>>  2) Enforcement: This is where things get tricky and is largely outside
>>> of the Board's hands.  It becomes an Operations Team issue to try and
>>> figure out how to enforce the fact that someone is not allowed to
>>> participate in OWASP.  I think that there was supposed to be some
>>> discussion with Matt in terms of figuring out how to handle it technically,
>>> but, from the recent message, it doesn't appear that it was done.  Not sure
>>> where the ball was dropped there, but I'm sure Paul can look into it as ED.
>> The technical enforcement aspect is only one part of it.  Technical
>> measures to curtail participation are a rathole, especially for security
>> folks since many of us have "figure out how to bypass controls" as part of
>> our professional repertoire.
>> The second part is to notify the community that a person has been
>> blocked from participation; without the knowledge that the ban is in place,
>> we don't have the means to advise folks that their participation is
>> unwelcome due to past behavior.  This is important both to increase
>> awareness that OWASP will uphold its expectations for all community
>> members, and to take the strain of enforcing the ban off of individual
>> contributors or staff.
>>  Thanks for everyone's work on this, and sorry to have to stir the pot
>> on this issue again.
>>  Cheers,
>> Yvan
>>>  ~josh
>>> On Thu, Nov 6, 2014 at 3:12 PM, Steven van der Baan <
>>> steven.van.der.baan at owasp.org> wrote:
>>>>  True
>>>> I personally would have preferred it that, for now, the leaders list
>>>> was not included as there is already too much bickering going on there. And
>>>> as you say, if the board fails to make a decision or is unable to enforce
>>>> the code of ethics, then it would have been just to include the leaders
>>>> list in a 'call to action'. I agree that the community deserves more. I can
>>>> only hope there will be an announcement soon to resolve it all.
>>>> Kind regards,
>>>> Steven.
>>>> On 06/11/14 20:57, Yvan Boily wrote:
>>>>   It would have been out of line if I had posted this line of inquiry
>>>> back to the individual project threads.  I changed the venue for these
>>>> comments to the leaders list and the governance team.  I also added the
>>>> board to this message.
>>>> Bottom line, the board has not acted to protect the community from
>>>> someone who has regularly posted abusive messages, and has persisted in
>>>> doing so since the complaint was filed.  I don't really care whether his
>>>> content is technically valid, I care about the harm of allowing known bad
>>>> actors to continue to participate at the expense of others.
>>>> I don't know him either, and I am not personally invested in the
>>>> outcome of the decision that the board makes regarding Christian; I am
>>>> personally invested in knowing whether or not OWASP is willing to follow
>>>> its own rules.  If the board is failing to enforce the code of ethics,
>>>> then this is an issue for the leaders and the governance team.  OWASP
>>>> contributors deserve better than this.
>>>>  Regards,
>>>> Yvan Boily
>>>> On Thu, Nov 6, 2014 at 12:25 PM, Steven van der Baan <
>>>> steven.van.der.baan at owasp.org> wrote:
>>>>>  Yvan,
>>>>> as far as I'm aware there has been no announcement that he should be
>>>>> blocked and to be honest I find this question out of place here.
>>>>> No, I'm no friend of Mr Heinrich. No, I do not know him. Yes, I
>>>>> realise that he can be quite a handful, but I firmly believe that this type
>>>>> of question should not be expressed as openly and on multiple lists like you
>>>>> have done.
>>>>> Kind regards,
>>>>> Steven van der Baan.
>>>>> On 06/11/14 18:11, Yvan Boily wrote:
>>>>>  Regardless of the content, Christian is supposed to have been
>>>>> blocked from participation in OWASP.  Has there been a change here?
>>>>>  Regards,
>>>>> Yvan
>>>>> On Thu, Nov 6, 2014 at 7:20 AM, Bev Corwin <bev.corwin at owasp.org>
>>>>> wrote:
>>>>>> Sharing FYI:
>>>>>> <clip>
>>>>>> Reliance on Hardening, Not Obfuscation
>>>>>> Hiding code does not prevent attacks, and it is foolish to assume that
>>>>>> it does. Open Source development practices rely on actually hardening (or
>>>>>> improving the security of) code by making it available for peers to test
>>>>>> and try to break, and then fixing the problems found.
>>>>>> </clip>
>>>>>> From:
>>>>>> http://mil-oss.org/learn-more/security-model-misconceptions
>>>>>>  Bev
>>>>>> On Tue, Nov 4, 2014 at 8:29 PM, Christian Heinrich <
>>>>>> christian.heinrich at cmlh.id.au> wrote:
>>>>>>> Andrew,
>>>>>>> On Wed, Nov 5, 2014 at 10:22 AM, Andrew van der Stock
>>>>>>> <vanderaj at owasp.org> wrote:
>>>>>>> > I am ashamed to say when reviewing the ASVS 2.0, I totally missed the
>>>>>>> > inclusion of V17.11, which is a Level 3 control for requiring
>>>>>>> > obfuscation. Was this included because it was in the Mobile Top 10
>>>>>>> > 2014?
>>>>>>> The benefit of obfuscation is that the auditor has to be much more highly
>>>>>>> skilled than the "middle of the bell curve", who just copy and paste a
>>>>>>> report from their SAST product.
>>>>>>> This cost should be absorbed by the client since the auditor is
>>>>>>> required to undertake additional work.
>>>>>>> In addition, obfuscation also minimises the loss of Intellectual
>>>>>>> Property if the auditor misplaces the source code, because the "[wo]man
>>>>>>> on the street" isn't going to be able to understand it or know what it
>>>>>>> is without some investment.
>>>>>>> I vote not to have obfuscation removed from ASVS, but reworded (in the
>>>>>>> next ASVS release) to include the additional clarification from the
>>>>>>> next release of the Mobile Top 10.
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Christian Heinrich
>>>>>>> http://cmlh.id.au/contact
>>>>>>>  _______________________________________________
>>>>>>> Owasp-application-security-verification-standard mailing list
>>>>>>> Owasp-application-security-verification-standard at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> Governance mailing list
>> Governance at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/governance
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact