<html>
<head>
</head>
<body dir="ltr">
<div data-externalstyle="false" dir="ltr" style="font-family: 'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'sans-serif';font-size:12pt;">

<div>Can we stop with the sensationalism?  JFK, MLK used Dante’s quote for serious social dividing issues, not on depicting whether a training talk on secure dev should take place with RSAC - a marketing department driven feat by a very large company known as EMC - owners of RSA Security LLC.</div><div><br></div><div>If you want to go down this ‘moral’ road, let your conscience know you’re passing judgment against an entity that is alleged.  Spending your time and efforts on alleged involvements that none of us are 100% certain, detracts us from our stewardship on teaching others on how to secure their applications, but no matter how much YOU think your understood vision of the world thinks of OWASP’s association with RSA, it dwarfs in comparison that have no idea on how to properly handle sessions, do output encoding, perform CRUD exercises on application users, etc.  </div><div><br></div><div>So what do we know? We know people want to get trained at this conference.  We know that logistics have been made for training.  We know last year we reached others. We also know what we can say in regards to the matter.  Knowing the trainers, I have no doubt they will have the balls to say what they need to say when they have the floor.  The rest is speculation.</div><div><br></div><div>Even my own comments on that the WIDER InfoSec community, not the hundreds of blog disciples but the THOUSANDS worldwide that just want to do work and improve their craft, professionals, even my own comment is speculation …..to say that they wouldn’t care. Maybe I’m wrong - I hope I'm wrong - and a unison of InfoSec and privacy professionals do actually take note and we find ourselves in a fury of controversy, but I’m pretty sure I'm not but I lessen my own comments to equate to a lot of the comments made against to say this.  
It's just an opinionated statement.<br></div><div data-signatureblock="true"><div><br></div><div>And one last point….ironically, the post from Errata Security (man, Graham must be loving this free press coverage, how timely) has really good rebuttals to the ~250 that weighed in on the topic.  </div><div><br></div><div>Look mom, I’m a security ‘researcher’ now! (see below) (SOURCE: <a href="https://news.ycombinator.com/item?id=7013032" target="_parent">https://news.ycombinator.com/item?id=7013032</a> - THX Rory!)</div><div><br></div><div><table tabindex="-1" border="0"><tbody><tr><td><table tabindex="-1" border="0"><tbody><tr><td class="default"><div style="margin-top: 2px; margin-bottom: -10px;"><span class="comhead"><a href="https://news.ycombinator.com/user?id=aortega" target="_parent"><u><font color="#0066cc">aortega</font></u></a> 7 hours ago  | <a href="https://news.ycombinator.com/item?id=7015249" target="_parent"><u><font color="#0066cc">link</font></u></a></span></div><br><span class="comment"><font color="#000000">What about Microsoft Bluehat, Google I/O, Yahoo, Apple, etc. all security vendors that collaborated with NSA. 
And that's only with the 5% leaked documents revealed.<p>What about vendors that implemented Dual_EC_DRBG years after the vulnerability was known?<p><a href="http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html" target="_parent" rel="nofollow"><u><font color="#0066cc">http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval....</font></u></a><p>See that link, Symantec and Cisco implemented it last month.</p></font><p><font color="#000000">I believe you will end up having to boycott 90% of US corporations.</font></p></span></td></tr></tbody></table></td></tr></tbody></table></div><div>Tony UV<br></div></div><div style="padding-top: 5px; border-top-color: rgb(229, 229, 229); border-top-width: 1px; border-top-style: solid;"><div><font face=" 'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'sans-serif'" style='line-height: 15pt; letter-spacing: 0.02em; font-family: "Calibri", "Segoe UI", "Meiryo", "Microsoft YaHei UI", "Microsoft JhengHei UI", "Malgun Gothic", "sans-serif"; font-size: 12pt;'><b>From:</b> <a href="mailto:roberto.merida@owasp.org" target="_parent">epsylon-owasp</a><br><b>Sent:</b> ‎Sunday‎, ‎January‎ ‎5‎, ‎2014 ‎12‎:‎55‎ ‎PM<br><b>To:</b> <a href="mailto:bev.corwin@owasp.org" target="_parent">Bev Corwin</a><br><b>Cc:</b> <a href="mailto:kanwalsb@gmail.com" target="_parent">Kanwal Singh (WebMentors)</a>, <a href="mailto:ravdeep.sodhi@ecoretechnos.com" target="_parent">Ravdeep Sodhi</a>, <a href="mailto:owasp-leaders@lists.owasp.org" target="_parent">OWASP Leaders</a>, <a href="mailto:nj@emobx.com" target="_parent">Nishant Johar (EMOBX)</a></font></div></div><div><br></div><div dir="">
    <div class="moz-cite-prefix">“The hottest places in hell are
      reserved for those who, in times of great moral crisis, maintain
      their neutrality.”<br>
      <br>
      ― John F. Kennedy <br>
      <br>
      On 05/01/14 18:38, Bev Corwin wrote:<br>
    </div>
    <blockquote style="margin-top: 0px; margin-bottom: 0px;" cite="mid:CAKHF8GGSVXSSjqShSoV+w8r-3Zdew1fonCNCy3icu6Df0OMD9A@mail.gmail.com">
      <div dir="ltr">For the record, my 2 cents: I support this "OWASP
        without borders", non political approach:
        <div><br>
        </div>
        <div><span style="font-family: arial,sans-serif; font-size: 13px;">"OWASP
            is a vendor-neutral, community-driven organization and its
            participation in any conference or program does not mean
            endorsement or approval of any kind for products or business
            practices. OWASP participation is meant to 'make security
            visible' as stated in the OWASP chart. OWASP repudiates all
            activities that can decrease the security of IT systems."</span></div>
        <div><span style="font-family: arial,sans-serif; font-size: 13px;"><br>
          </span></div>
        <div><span style="font-family: arial,sans-serif; font-size: 13px;">Bev</span></div>
        <div><span style="font-family: arial,sans-serif; font-size: 13px;"><br>
          </span></div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sun, Jan 5, 2014 at 12:29 PM, Lucas
          Ferreira <span dir="ltr"><<a href="mailto:lucas.ferreira@owasp.org" target="_parent">lucas.ferreira@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
            <div dir="ltr">Hello everyone,
              <div><br>
              </div>
              <div>while I personally would rather not see OWASP in RSA,
                I have to admit that I was there last year and saw the
                room full of people when Eoin and Manico did their
                training. I agree this is a great opportunity.</div>
              <div><br>
              </div>
              <div>I also feel that the more hardcore security and
                crypto people will be less present at RSAC this year and
                this increases the possibility of reaching out of the
                community. This means that if we have a full room this
                year, we will probably have more non-security people
                than last year.</div>
              <div><br>
              </div>
              <div>So I was at the same time more willing to say the
                talk should be cancelled but worrying about losing such
                an opportunity. To me we could get a more balanced
                approach if the training clearly included a disclaimer
                that we do not endorse any activity that can jeopardize
                the security of IT systems. This would make it clear
                that we are not in the conference because we endorse or
                believe RSA, but because the presentation would help
                OWASP in fulfilling its mission.</div>
              <div><br>
              </div>
              <div>Anyway, when we had presentations at RSAC in the
                past, it was not to be seen as if OWASP endorsed RSA
                products. AFAIK, we have OWASP presentations in
                vendor-organized conferences and are still
                vendor-neutral. To me, this is a sign that, in the past,
                doing a presentation was not seen as an endorsement from
                OWASP.</div>
              <div><br>
              </div>
              <div>In the case of RSAC, I would still like to see a
                clear disclaimer. It could be something like:</div>
              <div><br>
              </div>
              <div>"OWASP is a vendor-neutral, community-driven
                organization and its participation in any conference or
                program does not mean endorsement or approval of any
                kind for products or business practices. OWASP
                participation is meant to 'make security visible' as
                stated in the OWASP chart. OWASP repudiates all
                activities that can decrease the security of IT
                systems."</div>
              <div><br>
              </div>
              <div>Regards,</div>
              <div><br>
              </div>
              <div>Lucas</div>
            </div>
            <div class="gmail_extra">
              <div>
                <div class="h5"><br>
                  <br>
                  <div class="gmail_quote">On Sun, Jan 5, 2014 at 8:54
                    AM, L. Gustavo C. Barbato <span dir="ltr"><<a href="mailto:lgbarbato@owasp.org" target="_parent">lgbarbato@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
                      <div dir="auto">
                        <div>If we keep discussing philosophy and high
                          ideals, we will never reach a consensus in the
                          time frame we need, so let's let democracy
                          win the debate.</div>
                        <div>
                          <div>
                            <div><br>
                              On 05/01/2014, at 11:38, Josh Sokol <<a href="mailto:josh.sokol@owasp.org" target="_parent">josh.sokol@owasp.org</a>>
                              wrote:<br>
                              <br>
                            </div>
                            <blockquote style="margin-top: 0px; margin-bottom: 0px;">
                              <div>
                                <p dir="ltr">A key differentiator when
                                  we did this free training at AppSecUSA
                                  in Austin and LASCON 2013 is that it
                                  was 100% free and open to all.  No
                                  conference pass was required to
                                  participate.  Since that is not the
                                  case here, and since the training is
                                  only open to RSA attendees, then I
                                  think this demonstrates a much closer
                                  tie between OWASP and RSA than I would
                                  like to see.  I like the idea of
                                  approaching BSides SF and seeing if
                                  maybe they would be interested in
                                  hosting this training for free for the
                                  community at large.  If we can do
                                  that, then I think it's the true win
                                  here as we get the visibility to
                                  satisfy our mission and we remove the
                                  negative stigma of being associated
                                  with RSA.</p>
                                <p dir="ltr">I would disagree, however,
                                  that visibility is only a means to an
                                  end.  Since it's in our mission
                                  statement, all of our activities and
                                  prioritizations are required, by law,
                                  to follow that.  And if we ever reach
                                  the point where everyone, everywhere,
                                  knows about application security, then
                                  we can close up shop and move on. 
                                  There is no compromising the end goal
                                  here because, per the mission
                                  statement, visibility is the end
                                  goal.  I'm sorry if that compromises
                                  your principles Sastry but it's the
                                  truth about OWASP as a non-profit.</p>
                                <p dir="ltr">~josh</p>
                                <div class="gmail_quote">On Jan 5, 2014
                                  12:32 AM, "Sastry Tumuluri" <<a href="mailto:sastry.tumuluri@owasp.org" target="_parent">sastry.tumuluri@owasp.org</a>>
                                  wrote:<br>
                                  <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
                                    1. The immediate focus on RSAC:<br>
                                    No matter how we rationalize, the
                                    fact is that we (OWASP) have<br>
                                    options. This, at worst, is one
                                    missed opportunity. So let us not,
                                    in<br>
                                    our relentless pursuit of
                                    VISIBILITY, compromise on
                                    principles.<br>
                                    <br>
                                    VISIBILITY is a means to an end
                                    (better security, more secure
                                    software<br>
                                    -- which in itself is likely a
                                    never-ending activity). Let us not<br>
                                    compromise on the end-goal while
                                    chasing the means.<br>
                                    <br>
                                    Short term gains (of reaching some
                                    developers) will easily be lost if<br>
                                    we take the low road. Even 300 more
                                    "aware" developers are for naught<br>
                                    if, based on RSAC acceptance, just
                                    one more company feels that the<br>
                                    risks of trucking with NSA/GCHQ and
                                    compromising underlying<br>
                                    foundations are acceptable.<br>
                                    <br>
                                    Is it our job/charter to "convey
                                    such a message"? I believe so.<br>
                                    Conversely, can we say "we merely
                                    advocate tech principles and<br>
                                    educate... this is not for us"? If
                                    we want to be treated as a<br>
                                    responsible member of the ecosystem,
                                    we can't duck like that.<br>
                                    <br>
                                    Related, but a slightly different
                                    perspective: Robert Graham's blog<br>
                                    post on this: <a href="http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html" target="_parent">http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html</a><br>
                                    <br>
                                    2. The tough world of principles,
                                    ethics, etc:<br>
                                    Jim Manico raised a very pertinent
                                    point regarding sending mixed<br>
                                    messages (=> recognition-of and
                                    consistency-in-applying our<br>
                                    principles). It isn't easy.<br>
                                    <br>
                                    Funding goes to the very heart of
                                    neutrality and ethics. So it is not<br>
                                    so tangential, after all. I know we
                                    shouldn't accept funds or even<br>
                                    projects from NSA, GCHQ, etc.
                                    Whether DHS is to be painted by the
                                    same<br>
                                    brush, I don't know (depends on
                                    internal structure, etc.). Let the<br>
                                    more knowledgeable people decide on
                                    this.<br>
                                    <br>
                                    Chasing "quick results at any cost"
                                    and then splitting hairs on<br>
                                    legality and rationalizations will
                                    not paint us black; but will surely<br>
                                    park us firmly in the gray areas of
                                    ethics. Is that what we want?<br>
                                    <br>
                                    Cheers,<br>
                                    <br>
                                    ==Sas3==<br>
                                    <br>
                                    On Sun, Jan 5, 2014 at 8:33 AM, Josh
                                    Sokol <<a href="mailto:josh.sokol@owasp.org" target="_parent">josh.sokol@owasp.org</a>>
                                    wrote:<br>
                                    > My apologies for the delay in
                                    responding to this.  I've been on
                                    the road all<br>
                                    > day today and will be slow to
                                    respond tomorrow as well.<br>
                                    ><br>
                                    > First off, let me admit that
                                    while my term hadn't officially
                                    begun yet, I am<br>
                                    > one of the Board members who
                                    encouraged Jim and Eoin to move
                                    forward with<br>
                                    > the training.  My rationale for
                                    this was simple; OWASP's mission is
                                    to make<br>
                                    > software security visible, so
                                    that individuals and organizations
                                    worldwide<br>
                                    > can make informed decisions
                                    about true software security risks.
                                     The core of<br>
                                    > this statement being VISIBILITY.
                                     We need to find and take advantage
                                    of as<br>
                                    > many ways as possible to raise
                                    the visibility of security risks.
                                     Our<br>
                                    > mission says nothing about
                                    making political statements.  It
                                    says nothing<br>
                                    > about ethical business
                                    practices.  Our mission can
                                    certainly be amended to<br>
                                    > reflect other imperatives, if
                                    so desired by our membership, but
                                    until that<br>
                                    > day we need to prevent mission
                                    scope creep.<br>
                                    ><br>
                                    > Now, since our mission is
                                    making software security visible, we
                                    simply have<br>
                                    > to ask ourselves if we better
                                    serve this mission by:<br>
                                    ><br>
                                    > 1) Performing a free training
                                    at a major conference, thereby
                                    increasing our<br>
                                    > exposure to people who haven't
                                    heard of OWASP before and
                                    enlightening them<br>
                                    > to software security risks that
                                    they likely were not aware of
                                    before.<br>
                                    ><br>
                                    > 2) Taking a stance against a
                                    company where some evidence may
                                    imply that they<br>
                                    > took a bribe to sacrifice
                                    security in one of their products.<br>
                                    ><br>
                                    > Let me be clear on #2.  I don't
                                    agree that what RSA did is right, if
                                    it is<br>
                                    > true.  In fact, I have made the
                                    explicit decision to not do business
                                    with<br>
                                    > RSA in my day job because there
                                    are many other options out there and
                                    it's<br>
                                    > just not worth the risk.  But
                                    my passive decision to not purchase
                                    from RSA<br>
                                    > is very different than OWASP
                                    reneging on our agreement and making
                                    a public<br>
                                    > statement about their ethics.<br>
                                    ><br>
                                    > So, given these two options, my
                                    gut is that OWASP's mission will be
                                    best<br>
                                    > served by #1.  It doesn't mean
                                    that we're supporting RSA.  It
                                    doesn't mean<br>
                                    > that we agree with unethical
                                    business practices.  It just means
                                    that we are<br>
                                    > doing the best we can to make
                                    application security visible.  If
                                    that means<br>
                                    > piggy-backing on the massive
                                    marketing effort they put into the
                                    conference<br>
                                    > or the infrastructure that
                                    supports it, I'm ok with that.  I
                                    understand that<br>
                                    > others may object to this on
                                    ethical grounds, and that's fine,
                                    but as a<br>
                                    > non-profit organization, we
                                    have a mandate to stay true to our
                                    mission, not<br>
                                    > to speak out against whatever
                                    the latest security headline is.<br>
                                    ><br>
                                    > I do have one question about
                                    this training for clarification.
                                     The training<br>
                                    > is FREE for anyone who would
                                    like to attend and not just for RSA
                                    attendees,<br>
                                    > correct?  My assumption is the
                                    former, but if the latter, this
                                    changes<br>
                                    > things significantly in my
                                    opinion.<br>
                                    ><br>
                                    > ~josh<br>
                                    ><br>
                                    ><br>
                                    > On Sat, Jan 4, 2014 at 5:40 PM,
                                    Eoin Keary <<a href="mailto:eoin.keary@owasp.org" target="_parent">eoin.keary@owasp.org</a>>
                                    wrote:<br>
                                    >><br>
                                    >> Good point.<br>
                                    >> Bottom line is we want
                                    people to build secure code.
                                    Delivering this<br>
                                    >> message under the same roof
                                    as RSA does not dilute the quality
                                    of the class<br>
                                    >> delivered.<br>
                                    >> There is no black and
                                    white, only shades of grey :)<br>
                                    >><br>
                                    >><br>
                                    >> Eoin Keary<br>
                                    >> Owasp Global Board<br>
                                    >> <a href="tel:%2B353%2087%20977%202988" target="_parent">+353 87 977 2988</a><br>
                                    >><br>
                                    >><br>
                                    >> On 4 Jan 2014, at 23:36,
                                    Jim Manico <<a href="mailto:jim.manico@owasp.org" target="_parent">jim.manico@owasp.org</a>>
                                    wrote:<br>
                                    >><br>
                                    >> > Another issue that is
                                    tangential.<br>
                                    >> ><br>
                                    >> > We are applying for
                                    several big money DHS grants. These
                                    help keep the<br>
                                    >> > foundation running.<br>
                                    >> ><br>
                                    >> > Should we reject all
                                    of these grants because of the
                                    Snowden affair? If<br>
                                    >> > we abort RSA but
                                    continue to take DHS money, then we
                                    send a mixed message.<br>
                                    >> ><br>
                                    >> > Aloha,<br>
                                    >> > Jim<br>
                                    >> ><br>
                                    >> >> I strongly support
                                    Sastry on this one.<br>
                                    >> >><br>
                                    >> >> You might be
                                    participating as individuals, but
                                    people see you guys as<br>
                                    >> >> the OWASP Board,
                                    and that’s something that many of us
                                    don’t like to be the<br>
                                    >> >> image of OWASP.<br>
                                    >> >><br>
                                    >> >> Thanks<br>
                                    >> >> -Abbas<br>
                                    >> >> On Jan 4, 2014, at
                                    1:18 PM, Eoin Keary <<a href="mailto:eoin.keary@owasp.org" target="_parent">eoin.keary@owasp.org</a>>
                                    wrote:<br>
                                    >> >><br>
                                    >> >>> To be clear,
                                    there was no recorded vote on this
                                    but a debate.<br>
                                    >> >>><br>
                                    >> >>> I started the
                                    debate after reading about Mikko.
                                    (Even though I was<br>
                                    >> >>> delivering the
                                    training with Jim and it is my
                                    material).<br>
                                    >> >>><br>
                                    >> >>> The majority
                                    of board of OWASP feels getting
                                    involved in politics is<br>
                                    >> >>> wrong and
                                    wanted to push ahead with the
                                    training.<br>
                                    >> >>><br>
                                    >> >>> So if feelings
                                    are strong we need to vote on this
                                    ASAP? as leaders of<br>
                                    >> >>> OWASP. A
                                    formal board vote? Executive
                                    decision from Sarah, our executive<br>
                                    >> >>> director.<br>
                                    >> >>><br>
                                    >> >>><br>
                                    >> >>><br>
                                    >> >>> Eoin Keary<br>
                                    >> >>> Owasp Global
                                    Board<br>
                                    >> >>> <a href="tel:%2B353%2087%20977%202988" target="_parent">+353 87 977 2988</a><br>
                                    >> >>><br>
                                    >> >>><br>
                                    >> >>> On 4 Jan 2014,
                                    at 16:48, Sastry Tumuluri <<a href="mailto:sastry.tumuluri@owasp.org" target="_parent">sastry.tumuluri@owasp.org</a>><br>
                                    >> >>> wrote:<br>
                                    >> >>><br>
                                    >> >>>> Friends,<br>
                                    >> >>>><br>
                                    >> >>>> Please see
                                    the following full conversation on
                                    twitter:<br>
                                    >> >>>> <a href="https://twitter.com/EoinKeary/status/419111748424454145" target="_parent">https://twitter.com/EoinKeary/status/419111748424454145</a><br>
                                    >> >>>><br>
                                    >> >>>> Eoin Keary
                                    and Jim Manico (both OWASP board
                                    members) will be<br>
                                    >> >>>>
                                    presenting/conducting 4 hrs of
                                    free-of-cost AppSec training at the
                                    RSA<br>
                                    >> >>>>
                                    Conference, 2014. Michael Coates,
                                    Chairman of the OWASP Board is also
                                    said<br>
                                    >> >>>> to be
                                    present. Apparently, this was
                                    discussed at the OWASP board level;
                                    and<br>
                                    >> >>>> the board
                                    has decided to go ahead, keeping in
                                    mind the benefit to the<br>
                                    >> >>>> attending
                                    developers.<br>
                                    >> >>>><br>
                                    >> >>>> As you are
                                    aware, RSA is strongly suspected
                                    (we'll never be 100%<br>
                                    >> >>>> sure, I'm
                                    afraid) of being complicit with NSA
                                    in enabling fatal weakening of<br>
                                    >> >>>> crypto
                                    products. RSA has issued a sort of a
                                    denial that only deepens the<br>
                                    >> >>>> mistrust.
                                    As a protest, many leading speakers
                                    are cancelling their talks at<br>
                                    >> >>>> the
                                    upcoming RSAC 2014. Among them are
                                    (to my knowledge) Mikko Hypponen,<br>
                                    >> >>>> Jeffrey
                                    Carr and Josh Thomas.<br>
                                    >> >>>><br>
                                    >> >>>> At such a
                                    time, I am saddened by the OWASP
                                    board decision to support<br>
                                    >> >>>> RSAC by
                                    their presence. At a time when they
                                    had the opportunity to let the<br>
                                    >> >>>> world know
                                    how much they care for the
                                    Information Security profession
                                    (esp.,<br>
                                    >> >>>> against
                                    weakening crypto); and how much they
                                    care about the privacy of<br>
                                    >> >>>> people
                                    (against NSA's unabashed spying on
                                    Americans & non-Americans
                                    alike),<br>
                                    >> >>>> the board
                                    has copped out using a flimsy
                                    rationalization ("benefit of (a few)<br>
                                    >> >>>>
                                    developers", many of whom would
                                    rethink their attendance had OWASP
                                    and more<br>
                                    >> >>>>
                                    organizations not blinked!").<br>
                                    >> >>>><br>
                                    >> >>>> I'm sure
                                    there was a heated debate. I'm sure
                                    all angles were<br>
                                    >> >>>>
                                    considered. However, this goes too
                                    deep for me to take it as "better
                                    men<br>
                                    >> >>>> than me
                                    have considered and decided". As a
                                    matter of my personal values, if<br>
                                    >> >>>> the
                                    situation doesn't change, I would no
                                    longer wish to continue as the<br>
                                    >> >>>> OWASP
                                    Chapter Lead. Please let me know if
                                    any of you would like to take over<br>
                                    >> >>>> from me.<br>
                                    >> >>>><br>
                                    >> >>>> I will
                                    also share my feelings with fellow
                                    chapter members at our next<br>
                                    >> >>>> chapter
                                    meeting on Jan 21st. Needless to
                                    say, no matter how things go, I<br>
                                    >> >>>> remain
                                    committed to the principles of our
                                    open and open-source infosec<br>
                                    >> >>>> community.<br>
                                    >> >>>><br>
                                    >> >>>> Best
                                    regards,<br>
                                    >> >>>><br>
                                    >> >>>> ==Sas3==<br>
                                    >> >>>
                                    _______________________________________________<br>
                                    >> >>> OWASP-Leaders
                                    mailing list<br>
                                    >> >>> <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_parent">OWASP-Leaders@lists.owasp.org</a><br>
                                    >> >>> <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_parent">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                    >> >><br>
                                    >> >><br>
                                    >> >><br>
                                    >> >><br>
                                    >> ><br>
                                    >>
                                    _______________________________________________<br>
                                    >> Owasp-board mailing list<br>
                                    >> <a href="mailto:Owasp-board@lists.owasp.org" target="_parent">Owasp-board@lists.owasp.org</a><br>
                                    >> <a href="https://lists.owasp.org/mailman/listinfo/owasp-board" target="_parent">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                    ><br>
                                    ><br>
                                    ><br>
                                    ><br>
                                  </blockquote>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                      <br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <div><br>
                  </div>
                </div>
              </div>
              <span class="HOEnZb"><font color="#888888">-- <br>
                  Homo sapiens non urinat in ventum.
                </font></span></div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  

</div>





</div>
</body>
</html>