<div dir="ltr"><div><div><div><div><div><div>Hi Seba,<br><br></div>Let's also consider the fact that no organization in the US is really 'free' to deny collaborations with the government.<br></div>Is this boycott even fair?<br>
<br></div>One thing I have learned so far is not to trust what the press says. Half might be true, and as long as there are no 'hard proofs' of their involvement, this all sounds to me like a crazy conspiracy theory.<br>
<br></div>Could this just be that the algorithm always had a big flaw and RSA is just ashamed to admit this, and instead prefers to leave all this a 'mystery' and hope people soon forget about it?<br><br></div>RSA wouldn't be the first or the last to use this strategy ;-)<br>
<br></div>regards<br><br>Johanna<br><div><div><br><br><br><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 6, 2014 at 7:51 AM, Seba <span dir="ltr"><<a href="mailto:seba@owasp.org" target="_blank">seba@owasp.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>Having read this thread and external sources, I personally think we (=OWASP) need to boycott the RSA conference.</div>
<div><br></div><div>It sends a strong message that we do not accept for any security company to include a backdoor.</div>
<div><br></div><div>Any other action will make us look as if we are collaborating with RSA, which has yet to clarify whether it did or did not support the NSA with this backdoor.</div><div>The current response: <a href="https://blogs.rsa.com/news-media-2/rsa-response/" target="_blank">https://blogs.rsa.com/news-media-2/rsa-response/</a>, qualifies for "carefully worded press release of the year" (<a href="https://twitter.com/damienmiller/status/414933026489909248" target="_blank">https://twitter.com/damienmiller/status/414933026489909248</a>, Damien Miller, a security researcher at Google)</div>

<div><br></div><div>kind regards,</div><div><br></div><div>Seba</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 6, 2014 at 11:53 AM, Eoin Keary <span dir="ltr"><<a href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>No, we are not financially supporting the RSAC, but we shall cover some of the trainer expenses. That is my understanding.<div>

<br><br>Eoin Keary<div>Owasp Global Board</div><div><a href="tel:%2B353%2087%20977%202988" value="+353879772988" target="_blank">+353 87 977 2988</a></div><div><br></div></div></div><div><div><div><br>On 6 Jan 2014, at 08:48, psiinon <<a href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>> wrote:<br>

<br></div><blockquote type="cite"><div><div dir="ltr"><div>I stand corrected :)<br><br></div>And will be interested to hear if we are financially supporting RSAC.<br><br>Cheers,<br><br>Simon<br></div><div class="gmail_extra">

<br><br><div class="gmail_quote">On Sun, Jan 5, 2014 at 12:08 PM, Tobias <span dir="ltr"><<a href="mailto:tobias.gondrom@owasp.org" target="_blank">tobias.gondrom@owasp.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Hi Simon, <br>
      <br>
      just to clarify one of your assumptions in your email, as I
      learned this info on the board mailing list last night, correcting
      my initial (wrong) assumption that everyone would be attending RSA
      just as "individual volunteers": <br>
      <br>
      - RSA approached OWASP to ask if we (OWASP) would deliver a free
      training/awareness session.<br>
      - All contractual agreements were signed by OWASP and not by us as
      individuals. -> OWASP training.<br>
      <a href="http://lists.owasp.org/pipermail/owasp-board/2014-January/012845.html" target="_blank">http://lists.owasp.org/pipermail/owasp-board/2014-January/012845.html</a><br>
      - "we are delivering the training as OWASP."<br>
      "OWASP was approached by RSA."<br>
      <a href="http://lists.owasp.org/pipermail/owasp-board/2014-January/012823.html" target="_blank">http://lists.owasp.org/pipermail/owasp-board/2014-January/012823.html</a><br>
      - "this is a RSA association slot. The whole point is to
      officially represent OWASP at RSA...."<br>
      <a href="http://lists.owasp.org/pipermail/owasp-board/2014-January/012848.html" target="_blank">http://lists.owasp.org/pipermail/owasp-board/2014-January/012848.html</a><br>
      - this is as "formal reps of OWASP for this event."<br>
      <a href="http://lists.owasp.org/pipermail/owasp-board/2014-January/012859.html" target="_blank">http://lists.owasp.org/pipermail/owasp-board/2014-January/012859.html</a><br>
      <br>
      Not sure whether that would be relevant for any of your comments?
      <br>
      <br>
      All the best, Tobias<br>
      <br>
      <br>
      P.S.: regarding your remark about whether "OWASP is financially
      sponsoring an event": as board member, I have initiated a request
      for info with Sarah to clarify the extent of OWASP's financial
      arrangements for RSA. <br><div><div>
      <br>
      <br>
      On 05/01/14 11:05, psiinon wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>Here's my take on this:<br>
            <br>
            OWASP _should_ get involved in politics - that's where the
            big decisions are made. Organizations like OWASP can have a
            much greater impact than a set of 'concerned individuals'.<br>
            <br>
            OWASP should _not_ 'ban' volunteers from presenting /
            training etc. at any event unless it is clearly at odds with
            the OWASP mission, e.g. a 'cracker' event.<br>
            <br>
            Volunteers presenting / training at an event does not
            indicate that OWASP as an organization supports the past
            (alleged) actions of the event organizers. OWASP financially
            sponsoring an event would be a different matter.<br>
            <br>
            The fact that the volunteers we are discussing are board
            members is irrelevant - we all represent OWASP when we appear
            under the OWASP banner.<br>
            <br>
            I don't think this is a clear-cut case (as can be seen by the
            opposing views on this thread), and so the decision should
            be made by those individuals.<br>
            <br>
          </div>
          I have no problem with people attempting to sway these
          individuals either way on this thread, but I'm confident they
          will make the right decision for them, and I don't think that
          will reflect badly on OWASP the organization whichever way
          they choose.<br>
          <br>
        </div>
        <div>Feel free to disagree with any of those opinions ;)<br>
        </div>
        <div><br>
        </div>
        Simon<br>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sun, Jan 5, 2014 at 8:51 AM, Jim
          Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div link="blue" vlink="purple" lang="EN-US">
              <div>
                <p class="MsoNormal"><span>Josh,</span></p>
                <p class="MsoNormal">
                  <span>&nbsp;</span></p>
                <p class="MsoNormal">
                  <span>This training is for RSA Badge types: "<span style="background:#e7e5e1">Full Conference,
                      Explorer Expo, Explorer Expo Plus, Exhibitor,
                      Press, Speaker".</span></span></p>
                <p class="MsoNormal"><span style="background:#e7e5e1">&nbsp;</span></p>
                <p class="MsoNormal"><span style="background:#e7e5e1">The
                    minimum someone would have to pay to attend this is
                    $75 right now; other than that, press and other speakers
                    get in for free.</span></p>
                <div>
                  <p class="MsoNormal">
                    <span style="background:#e7e5e1">&nbsp;</span></p>
                  <p><span style="font-family:'Tahoma','sans-serif'"><span>-<span style="font:7.0pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                        </span></span></span><span style="background:#e7e5e1">Jim</span></p>
                  <p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">&nbsp;</span></p>
                  <p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">&nbsp;</span></p>
                  <p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:'Calibri','sans-serif'">From:</span></b><span style="font-size:11.0pt;font-family:'Calibri','sans-serif'">
                      Josh Sokol [mailto:<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>] <br>
                      <b>Sent:</b> Saturday, January 04, 2014 5:04 PM<br>
                      <b>To:</b> Eoin Keary<br>
                      <b>Cc:</b> Jim Manico; Abbas Naderi; Kanwal Singh
                      (WebMentors); Nishant Johar (EMOBX); OWASP
                      Foundation Board List; Ravdeep Sodhi; OWASP
                      Leaders<br>
                      <b>Subject:</b> Re: [Owasp-board] [Owasp-leaders]
                      OWASP Board decision that I don't agree with</span></p>
                  <p class="MsoNormal">&nbsp;</p>
                </div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <div>
                                <div>
                                  <p class="MsoNormal" style="margin-bottom:12.0pt">
                                    My apologies for the delay in
                                    responding to this. I've been on
                                    the road all day today and will be
                                    slow to respond tomorrow as well.</p>
                                </div>
                                <div>
                                  <div>
                                    <p class="MsoNormal" style="margin-bottom:12.0pt">First
                                      off, let me admit that while my
                                      term hadn't officially begun yet,
                                      I am one of the Board members who
                                      encouraged Jim and Eoin to move
                                      forward with the training. My
                                      rationale for this was simple:
                                      OWASP's mission is to make
                                      software security visible, so that
                                      individuals and organizations
                                      worldwide can make informed
                                      decisions about true software
                                      security risks. The core of this
                                      statement is VISIBILITY. We
                                      need to find and take advantage of
                                      as many ways as possible to raise
                                      the visibility of security risks.
                                      Our mission says nothing about
                                      making political statements. It
                                      says nothing about ethical
                                      business practices. Our mission
                                      can certainly be amended to
                                      reflect other imperatives, if so
                                      desired by our membership, but
                                      until that day we need to prevent
                                      mission scope creep. </p>
                                  </div>
                                </div>
                              </div>
                              <div>
                                <div>
                                  <p class="MsoNormal" style="margin-bottom:12.0pt">Now,
                                    since our mission is making software
                                    security visible, we simply have to
                                    ask ourselves if we better serve
                                    this mission by:</p>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div>
                                <p class="MsoNormal" style="margin-bottom:12.0pt">
                                  1) Performing a free training at a
                                  major conference, thereby increasing
                                  our exposure to people who haven't
                                  heard of OWASP before and enlightening
                                  them to software security risks that
                                  they likely were not aware of before.</p>
                              </div>
                            </div>
                          </div>
                          <div>
                            <div>
                              <p class="MsoNormal" style="margin-bottom:12.0pt">2) Taking a
                                stance against a company where some
                                evidence may imply that they took a
                                bribe to sacrifice security in one of
                                their products.</p>
                            </div>
                          </div>
                        </div>
                        <div>
                          <div>
                            <p class="MsoNormal" style="margin-bottom:12.0pt">
                              Let me be clear on #2. I don't agree that
                              what RSA did is right, if it is true. In
                              fact, I have made the explicit decision to
                              not do business with RSA in my day job
                              because there are many other options out
                              there and it's just not worth the risk.
                              But my passive decision to not purchase
                              from RSA is very different than OWASP
                              reneging on our agreement and making a
                              public statement about their ethics.</p>
                          </div>
                        </div>
                      </div>
                      <div>
                        <div>
                          <p class="MsoNormal" style="margin-bottom:12.0pt">So, given these
                            two options, my gut is that OWASP's mission
                            will be best served by #1. It doesn't mean
                            that we're supporting RSA. It doesn't mean
                            that we agree with unethical business
                            practices. It just means that we are doing
                            the best we can to make application security
                            visible. If that means piggy-backing on the
                            massive marketing effort they put into the
                            conference or the infrastructure that
                            supports it, I'm OK with that. I understand
                            that others may object to this on ethical
                            grounds, and that's fine, but as a
                            non-profit organization, we have a mandate
                            to stay true to our mission, not to speak
                            out against whatever the latest security
                            headline is. </p>
                        </div>
                      </div>
                    </div>
                    <div>
                      <div>
                        <p class="MsoNormal" style="margin-bottom:12.0pt">I do have one
                          question about this training for
                          clarification. The training is FREE for
                          anyone who would like to attend and not just
                          for RSA attendees, correct? My assumption is
                          the former, but if the latter, this changes
                          things significantly in my opinion.</p>
                      </div>
                    </div>
                  </div>
                  <p class="MsoNormal">~josh</p>
                </div>
                <div>
                  <div>
                    <div>
                      <p class="MsoNormal" style="margin-bottom:12.0pt">&nbsp;</p>
                      <div>
                        <p class="MsoNormal">On Sat, Jan 4, 2014 at 5:40
                          PM, Eoin Keary <<a href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>>
                          wrote:</p>
                        <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
                          <p class="MsoNormal">Good point.<br>
                            Bottom line is we want people to build
                            secure code. Delivering this message under
                            the same roof as RSA does not dilute the
                            quality of the class delivered.<br>
                            There is no black and white, only shades of
                            grey :)</p>
                          <div>
                            <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                              <br>
                              Eoin Keary<br>
                              Owasp Global Board<br>
                              <a href="tel:%2B353%2087%20977%202988" target="_blank">+353 87 977 2988</a><br>
                              <br>
                            </p>
                          </div>
                          <div>
                            <div>
                              <p class="MsoNormal">On 4 Jan 2014, at
                                23:36, Jim Manico <<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>>
                                wrote:<br>
                                <br>
                                > Another issue that is tangential.<br>
                                ><br>
                                > We are applying for several big
                                money DHS grants. These help keep the
                                foundation running.<br>
                                ><br>
                                > Should we reject all of these
                                grants because of the Snowden affair? If
                                we abort RSA but continue to take DHS
                                money, then we send a mixed message.<br>
                                ><br>
                                > Aloha,<br>
                                > Jim<br>
                                ><br>
                                >> I strongly support Sastry on
                                this one.<br>
                                >><br>
                                >> You might be participating as
                                individuals, but people see you guys as
                                the OWASP Board, and that's something
                                that many of us don't like to be the
                                image of OWASP.<br>
                                >><br>
                                >> Thanks<br>
                                >> -Abbas<br>
                                >> On Jan 4, 2014, at 1:18 PM,
                                Eoin Keary <<a href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>>
                                wrote:<br>
                                >><br>
                                >>> To be clear, there was no
                                recorded vote on this but a debate.<br>
                                >>><br>
                                >>> I started the debate after
                                reading about Mikko. (Even though I was
                                delivering the training with Jim and it
                                is my material).<br>
                                >>><br>
                                >>> The majority of board of
                                OWASP feels getting involved in politics
                                is wrong and wanted to push ahead with
                                the training.<br>
                                >>><br>
                                >>> So if feelings are strong
                                we need to vote on this ASAP? as leaders
                                of OWASP. A formal board vote? Executive
                                decision from Sarah, our executive
                                director.<br>
                                >>><br>
                                >>><br>
                                >>><br>
                                >>> Eoin Keary<br>
                                >>> Owasp Global Board<br>
                                >>> <a href="tel:%2B353%2087%20977%202988" target="_blank">+353 87 977 2988</a><br>
                                >>><br>
                                >>><br>
                                >>> On 4 Jan 2014, at 16:48,
                                Sastry Tumuluri <<a href="mailto:sastry.tumuluri@owasp.org" target="_blank">sastry.tumuluri@owasp.org</a>>
                                wrote:<br>
                                >>><br>
                                >>>> Friends,<br>
                                >>>><br>
                                >>>> Please see the
                                following full conversation on twitter:<br>
                                >>>> <a href="https://twitter.com/EoinKeary/status/419111748424454145" target="_blank">https://twitter.com/EoinKeary/status/419111748424454145</a><br>
                                >>>><br>
                                >>>> Eoin Keary and Jim
                                Manico (both OWASP board members) will
                                be presenting/conducting 4 hrs of
                                free-of-cost AppSec training at the RSA
                                Conference, 2014. Michael Coates,
                                Chairman of the OWASP Board is also said
                                to be present. Apparently, this was
                                discussed at the OWASP board level; and
                                the board has decided to go ahead,
                                keeping in mind the benefit to the
                                attending developers.<br>
                                >>>><br>
                                >>>> As you are aware, RSA
                                is strongly suspected (we'll never be
                                100% sure, I'm afraid) of being
                                complicit with NSA in enabling fatal
                                weakening of crypto products. RSA has
                                issued a sort of a denial that only
                                deepens the mistrust. As a protest, many
                                leading speakers are cancelling their
                                talks at the upcoming RSAC 2014. Among
                                them are (to my knowledge) Mikko
                                Hypponen, Jeffrey Carr and Josh Thomas.<br>
                                >>>><br>
                                >>>> At such a time, I am
                                saddened by the OWASP board decision to
                                support RSAC by their presence. At a
                                time when they had the opportunity to
                                let the world know how much they care
                                for the Information Security profession
                                (esp., against weakening crypto); and
                                how much they care about the privacy of
                                people (against NSA's unabashed spying
                                on Americans & non-Americans alike),
                                the board has copped out using a flimsy
                                rationalization ("benefit of (a few)
                                developers", many of whom would rethink
                                their attendance had OWASP and more
                                organizations not blinked!).<br>
                                >>>><br>
                                >>>> I'm sure there was a
                                heated debate. I'm sure all angles were
                                considered. However, this goes too deep
                                for me to take it as "better men than me
                                have considered and decided". As a
                                matter of my personal values, if the
                                situation doesn't change, I would no
                                longer wish to continue as the OWASP
                                Chapter Lead. Please let me know if any
                                of you would like to take over from me.<br>
                                >>>><br>
                                >>>> I will also share my
                                feelings with fellow chapter members at
                                our next chapter meeting on Jan 21st.
                                Needless to say, no matter how things
                                go, I remain committed to the principles
                                of our open and open-source infosec
                                community.<br>
                                >>>><br>
                                >>>> Best regards,<br>
                                >>>><br>
                                >>>> ==Sas3==<br>
                                >>>
                                _______________________________________________<br>
                                >>> OWASP-Leaders mailing list<br>
                                >>> <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                >>> <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                >><br>
                                ><br>
_______________________________________________<br>
                                Owasp-board mailing list<br>
                                <a href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a><br>
                                <a href="https://lists.owasp.org/mailman/listinfo/owasp-board" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a></p>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <p class="MsoNormal">&nbsp;</p>
                    </div>
                  </div>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <br>
        -- <br>
        <a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP
          ZAP</a> Project leader<br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br><br clear="all"><br>-- <br><a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a> Project leader<br>
</div>
</div></blockquote></div></div></div><br>
<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>