<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Great compilation, Tobias.</div><div><br></div><div>I see we are moving in the direction of a more objective process, rather than subjective discussions (which are very important but will not reach any final result due to value judgment stuff)</div><div><br>On 05/01/2014, at 21:38, Tobias <<a href="mailto:tobias.gondrom@owasp.org">tobias.gondrom@owasp.org</a>> wrote:<br><br></div><blockquote type="cite"><div>
  
  
  
    <div class="moz-cite-prefix">Hi Gustavo, <br>
      <br>
      following the conversation here, I have seen so far the following
      proposals from community members:  <br>
      <br>
      a) offer the training at the RSA conference unchanged under the
      brand of OWASP<br>
      b) offer the training at the RSA conference unchanged under the
      brand of OWASP and OWASP makes a public statement that OWASP
      thinks weakening crypto is a bad idea. (personal note: btw. RSA
      should have no problem with that as they officially deny any such
      activities...)<br>
      c) give the training as individuals and not as OWASP (not sure
      whether that would at all be possible at this point) <br>
      d) try to move to a different venue (not sure whether that would
      be possible or financially viable)<br>
      e) cancel the training. <br>
      <br>
      Any more proposals? Anything I missed? <br>
      <br>
      As it would be best to have as few options as possible, and only
      realistic ones, we should check with Sarah whether c and d are
      realistic at all, as we could then reduce the choice to between
      a/b and e. <br>
      Or in the form of two choices: <br>
      1. "Should OWASP give a developer training at the RSA
      conference?"  - Choice: Yes/No<br>
      2. "Should OWASP make a public statement to the effect that
      subverting/weakening crypto is a bad idea?" - Choice: Yes/No<br>
      <br>
      Thanks and all the best, Tobias<br>
      <br>
      <br>
      Tobias Gondrom<br>
      OWASP Global Board Member<br>
      <br>
      <br>
      <br>
      On 05/01/14 22:50, L. Gustavo C. Barbato wrote:<br>
    </div>
    <blockquote cite="mid:CB966E53-C945-424B-BAF5-FFE17AFCE30B@owasp.org" type="cite">
      <div>Dinis,</div>
      <div><br>
      </div>
      <div>  That's what I am talking about. Perhaps my English is not
        good enough to be understood.</div>
      <div><br>
      </div>
      <div>   The question would be simple with only two possible
        answers, Yes or No: "Should OWASP participate in RSA's
        conference?"</div>
      <div><br>
      </div>
      <div>Thanks,</div>
      <div>Gustavo.</div>
      <div><br>
        On 05/01/2014, at 20:43, Dinis Cruz <<a moz-do-not-send="true" href="mailto:dinis.cruz@owasp.org">dinis.cruz@owasp.org</a>>
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <p dir="ltr">I think a vote would be good , but the key is
            making sure the question(s) are neutral and balanced (ie the
            outcome of the vote is very dependent on how the question(s)
            are asked)</p>
          <p dir="ltr">And as I said many times before, the Center of
            gravity for OWASP should be with its leaders (and community)
            and not with the board, so a vote is a good way to make sure
            the leader's voice is heard (on related topic I also think
            that votes should be 'on the record' and public). Note : if
            we are going to have a thread about voting, its better to
            change the email thread subject</p>
          <div class="gmail_quote">On 5 Jan 2014 22:36, "L. Gustavo C.
            Barbato" <<a moz-do-not-send="true" href="mailto:lgbarbato@owasp.org">lgbarbato@owasp.org</a>>
            wrote:<br type="attribution">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="auto">
                <div>Have you ever heard of a plebiscite?</div>
                <div><br>
                </div>
                <div>This discussion is one example: we have given power
                  to board members to take decisions on behalf of our
                  community. So if they want to present, in your belief,
                  they can go ahead without this useless thread
                  discussion.</div>
                <div><br>
                </div>
                <div>However, I don't believe this is useless, but a
                  very strategic decision with several points of view
                  already presented here.</div>
                <div><br>
                </div>
                <div>That's why I am advocating that we vote as a
                  plebiscite process where board members have the same
                  power as everybody else here.</div>
                <div><br>
                </div>
                <div>Gustavo.</div>
                <div><br>
                  On 05/01/2014, at 15:59, Konstantinos Papapanagiotou
                  <<a moz-do-not-send="true" href="mailto:konstantinos@owasp.org" target="_blank">konstantinos@owasp.org</a>>
                  wrote:<br>
                  <br>
                </div>
                <blockquote type="cite">
                  <div>This kind of democracy might have worked in
                    ancient Athens (with pros and cons) but nowadays we
                    have a BoD and a CEO for such kind of decisions.
                    <div><br>
                    </div>
                    <div>Kostas</div>
                    <div><span></span><br>
                      <br>
                      On Sunday, January 5, 2014, L. Gustavo C. Barbato
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        <div dir="auto">
                          <div>If we keep discussing philosophy and high
                            ideals, we will never reach a consensus in
                            the time frame we need, so let's let
                            democracy win the debate.</div>
                          <div><br>
                            On 05/01/2014, at 11:38, Josh Sokol <<a moz-do-not-send="true">josh.sokol@owasp.org</a>>
                            wrote:<br>
                            <br>
                          </div>
                          <blockquote type="cite">
                            <div>
                              <p dir="ltr">A key differentiator when we
                                did this free training at AppSecUSA in
                                Austin and LASCON 2013 is that it was
                                100% free and open to all.  No
                                conference pass was required to
                                participate.  Since that is not the case
                                here, and since the training is only
                                open to RSA attendees, then I think this
                                demonstrates a much closer tie between
                                OWASP and RSA than I would like to see. 
                                I like the idea of approaching BSides SF
                                and seeing if maybe they would be
                                interested in hosting this training for
                                free for the community at large.  If we
                                can do that, then I think it's the true
                                win here as we get the visibility to
                                satisfy our mission and we remove the
                                negative stigma of being associated with
                                RSA.</p>
                              <p dir="ltr">I would disagree, however,
                                that visibility is only a means to an
                                end.  Since it's in our mission
                                statement, all of our activities and
                                prioritizations are required, by law, to
                                follow that.  And if we ever reach the
                                point where everyone, everywhere, knows
                                about application security, then we can
                                close up shop and move on.  There is no
                                compromising the end goal here because,
                                per the mission statement, visibility is
                                the end goal.  I'm sorry if that
                                compromises your principles, Sastry, but
                                it's the truth about OWASP as a
                                non-profit.</p>
                              <p dir="ltr">~josh</p>
                              <div>On Jan 5, 2014 12:32 AM, "Sastry
                                Tumuluri" <<a moz-do-not-send="true">sastry.tumuluri@owasp.org</a>>
                                wrote:<br type="attribution">
                                <blockquote style="margin:0 0 0
                                  .8ex;border-left:1px #ccc
                                  solid;padding-left:1ex">
                                  1. The immediate focus on RSAC:<br>
                                  No matter how we rationalize, the fact
                                  is that we (OWASP) have<br>
                                  options. This, at worst, is one missed
                                  opportunity. So let us not, in<br>
                                  our relentless pursuit of VISIBILITY,
                                  compromise on principles.<br>
                                  <br>
                                  VISIBILITY is a means to an end
                                  (better security, more secure software<br>
                                  -- which in itself is likely a
                                  never-ending activity). Let us not<br>
                                  compromise on the end-goal while
                                  chasing the means.<br>
                                  <br>
                                  Short term gains (of reaching some
                                  developers) will easily be lost if<br>
                                  we take the low road. Even 300 more
                                  "aware" developers are for naught<br>
                                  if, based on RSAC acceptance, just one
                                  more company feels that the<br>
                                  risks of trucking with NSA/GCHQ and
                                  compromising underlying<br>
                                  foundations are acceptable.<br>
                                  <br>
                                  Is it our job/charter to "convey such
                                  a message"? I believe so.<br>
                                  Conversely, can we say "we merely
                                  advocate tech principles and<br>
                                  educate... this is not for us"? If we
                                  want to be treated as a<br>
                                  responsible member of the ecosystem,
                                  we can't duck like that.<br>
                                  <br>
                                  Related, but a slightly different
                                  perspective: Robert Graham's blog<br>
                                  post on this: <a moz-do-not-send="true" href="http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html" target="_blank">http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html</a><br>
                                  <br>
                                  2. The tough world of principles,
                                  ethics, etc:<br>
                                  Jim Manico raised a very pertinent
                                  point regarding sending mixed<br>
                                  messages (=> recognition-of and
                                  consistency-in-applying our<br>
                                  principles). It isn't easy.<br>
                                  <br>
                                  Funding goes to the very heart of
                                  neutrality and ethics. So it is not<br>
                                  so tangential, after all. I know we
                                  shouldn't accept funds or even<br>
                                  projects from NSA, GCHQ, etc. Whether
                                  DHS is to be painted by the same<br>
                                  brush, I don't know (depends on
                                  internal structure, etc.). Let the<br>
                                  more knowledgeable people decide on
                                  this.<br>
                                  <br>
                                  Chasing "quick results at any cost"
                                  and then splitting hairs on<br>
                                  legality and rationalizations will not
                                  paint us black; but will surely<br>
                                  park us firmly in the gray areas of
                                  ethics. Is that what we want?<br>
                                  <br>
                                  Cheers,<br>
                                  <br>
                                  ==Sas3==<br>
                                  <br>
                                  On Sun, Jan 5, 2014 at 8:33 AM, Josh
                                  Sokol <<a moz-do-not-send="true">josh.sokol@owasp.org</a>>
                                  wrote:<br>
                                  > My apologies for the delay in
                                  responding to this.  I've been on the
                                  road all<br>
                                  > day today and will be slow to
                                  respond tomorrow as well.<br>
                                  ><br>
                                  > First off, let me admit that
                                  while my term hadn't officially begun
                                  yet, I am<br>
                                  > one of the Board members who
                                  encouraged Jim and Eoin to move
                                  forward with<br>
                                  > the training.  My rationale for
                                  this was simple: OWASP's mission is to
                                  make<br>
                                  > software security visible, so
                                  that individuals and organizations
                                  worldwide<br>
                                  > can make informed decisions about
                                  true software security risks.  The
                                  core of<br>
                                  > this statement being VISIBILITY.
                                   We need to find and take advantage of
                                  as<br>
                                  > many ways as possible to raise
                                  the visibility of security risks.  Our<br>
                                  > mission says nothing about making
                                  political statements.  It says nothing<br>
                                  > about ethical business practices.
                                   Our mission can certainly </blockquote>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
              _______________________________________________<br>
              OWASP-Leaders mailing list<br>
              <a moz-do-not-send="true" href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
              <a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
              <br>
            </blockquote>
          </div>
        </div>
      </blockquote>
    </blockquote>
    <br>
  

</div></blockquote></body></html>