<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Mark, <br>
      <br>
      we have a full Surveymonkey account for OWASP as well. <br>
      So we could use it. <br>
      But with both Google Survey and Surveymonkey, the key
      challenge is how to avoid duplicates. <br>
      In Surveymonkey that only works if you send everyone a
      personalised invite; in Google you could use the OWASP email
      address as identifier. Both have their problems. :-( <br>
      So if you have any ideas on how to solve the "avoid double
      votes"-problem with minimal effort for the voter, please let me
      know. <br>
      <br>
      Cheers, Tobias<br>
      <br>
      <br>
      PS: we should definitely look into whether there are any problems
      keeping every member from having her/his OWASP email address. <br>
      <br>
      <br>
      <br>
      On 15/01/14 15:29, Mark Miller wrote:<br>
    </div>
    <blockquote
cite="mid:CA+=41AS4tDqAT60NqCws-OX=8x68VbNEv1Kpx2UxRS4Ejv-Qzw@mail.gmail.com"
      type="cite">
      <div dir="ltr">I am using Survey Monkey for various projects, so
        let me know if that will be a viable option for future polls or
        surveys. -- Mark</div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Jan 15, 2014 at 7:35 AM,
          psiinon <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <div>
                                <div>I've just closed the poll "Should
                                  OWASP give developer training at
                                  RSA?".<br>
                                </div>
                                It was somewhat overtaken by events, but
                                I still think it was useful.<br>
                                <br>
                              </div>
                              A couple of points to note:<br>
                              <br>
                            </div>
                            The stats I've published on <a
                              moz-do-not-send="true"
                              href="https://www.owasp.org/index.php/Polls"
                              target="_blank">https://www.owasp.org/index.php/Polls</a>
                            are different to those on the Google Poll
                            summary.<br>
                          </div>
                          This is because I've removed duplicate votes -
                          unfortunately Google Polls don't prevent
                          duplicate votes and the summary isn't updated
                          if you remove the duplicates. Please let me
                          know if I've made a mistake anywhere. FYI I
                          just counted individuals' latest votes.<br>
                          <br>
                        </div>
                        While I think the poll was useful it has shown
                        up some significant disadvantages of using
                        Google Polls for this sort of thing.<br>
                      </div>
                      We have to make the polls either open to everyone
                      or restricted to those people with OWASP email
                      accounts.<br>
                      I didn't want to do the former as I thought it was
                      important to find out what OWASP members thought,
                      not the internet as a whole.<br>
                    </div>
                    What I didn't realize at the time was that OWASP
                    email addresses are reserved for chapter/project
                    leaders, which meant that most OWASP members were
                    not able to vote :(<br>
                  </div>
                  Sorry about that.<br>
                  <br>
                </div>
                I'm going to let the other poll run its course, but I'm
                not planning on starting any new polls using Google
                Polls as I think they don't give us what we need.<br>
              </div>
              <div>Hopefully we'll have a better solution before too
                long that will allow us to easily canvas the opinions of
                all OWASP members - I think that's something that will be
                very beneficial to the organization.<br>
                <br>
                Simon<br>
              </div>
            </div>
            <div class="gmail_extra"><br>
              <br>
              <div class="gmail_quote">On Thu, Jan 9, 2014 at 5:15 PM,
                Dirk Wetter <span dir="ltr">&lt;<a
                    moz-do-not-send="true" href="mailto:dirk@owasp.org"
                    target="_blank">dirk@owasp.org</a>&gt;</span> wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">On
                  01/05/2014 12:47 PM, Rory McCune wrote:<br>
                  > Hi all,<br>
                  ><br>
                  > Long thread is long.  I'd make a couple of points
                  on this.<br>
                  ><br>
                  > 1. I'm not sure I'd say that RSA completely
                  denies what's been said; to me their statement was
                  written very "carefully", not to deny that the NSA
                  paid them $10 million to make Dual_EC_DRBG the default
                  RNG in BSAFE.  All you need to have for RSA's statement
                  to be true and the allegations to be true is that they
                  didn't have the "intention" of weakening their product,
                  i.e. they did take the money, they did set the default
                  algorithm, but it wasn't their intention to weaken
                  their security.<br>
                  ><br>
                  > If they had wanted to deny the allegations they
                  could just have said "the NSA did not pay us $10
                  million to make that the default RNG", which would have
                  been clear and unambiguous; the fact they didn't makes a
                  reasonably strong implication that they did.<br>
                  <br>
                  Thanks for this point. One should definitely read those
                  statements very carefully. Another example pops up in
                  my head, but that's too far off to mention here.
                  Completely denying would also sound different to me.
                  The term INTENTION is not appropriate, at least the way
                  it's being used.<br>
                  <br>
                  But also the response from RSA in September 2013 is
                  remarkable: "RSA determined it appropriate
                  to issue an advisory to all our RSA BSAFE [..]
                  customers recommending they choose one of
                  the different cryptographic Pseudo-Random Number
                  Generators (PRNG) built into the RSA BSAFE
                  toolkit". Acknowledged it's broken, but all RSA does
                  is a recommendation -- what?<br>
                  <br>
                  To keep in mind: the crypto community has known for a
                  long time that Dual_EC_DRBG is broken! Read this
                  from almighty Bruce ;-) in 2007: <a
                    moz-do-not-send="true"
href="https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html"
                    target="_blank">https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html</a><br>
                  "But today there's an even bigger stink brewing around
                  Dual_EC_DRBG. In an informal presentation (.pdf)
                  at the CRYPTO 2007 conference in August, Dan Shumow
                  and Niels Ferguson showed that the algorithm
                  contains a weakness that can only be described as a
                  backdoor." After that, there was no reason for BSAFE
                  to ship DUAL_EC_DRBG other than .... you do the
                  math.<br>
                  <br>
                  <br>
                  Cheers,<br>
                  <br>
                  Dirk<br>
                  <br>
                  ><br>
                  > 2. A point from earlier in the thread that not
                  attending would only be noticed in the Infosec
                  community.  Not sure that's the case. Definitely on
                  developer-heavy sites like <a moz-do-not-send="true"
                    href="http://news.ycombinator.com" target="_blank">news.ycombinator.com</a>
                  &lt;<a moz-do-not-send="true"
                    href="http://news.ycombinator.com" target="_blank">http://news.ycombinator.com</a>&gt;
                  the NSA/RSA/Snowden piece has been heavily played and
                  indeed last night when this thread kicked off Errata
                  security's piece on boycotting RSA was the top post on
                  the site.<br>
                  ><br>
                  > 3. An alternative to training at RSA that's been
                  mentioned a couple of times, i.e. doing it at a
                  different venue, seems plausible.  Would it maybe be
                  possible to do it as B-Sides SF which happens at the
                  same time ?<br>
                  ><br>
                  > 4. A good point earlier about the DHS grants.  If
                  we're happy with that, then it seems tricky to say
                  that we're not happy with this.<br>
                  ><br>
                  > Cheers<br>
                  ><br>
                  > Rory<br>
                  ><br>
                  ><br>
                  > On Sun, Jan 5, 2014 at 8:45 AM, Jim Manico &lt;<a
                    moz-do-not-send="true"
                    href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>
                  &lt;mailto:<a moz-do-not-send="true"
                    href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>&gt;&gt;
                  wrote:<br>
                  ><br>
                  >     By the way everyone, RSA completely denies
                  these allegations.<br>
                  ><br>
                  ><br>
                  ><br>
                  >     …“we also categorically state that we have
                  never entered into any contract or engaged in any
                  project with the intention of weakening RSA’s
                  products, or introducing potential ‘backdoors’ into
                  our products for anyone’s use.” - <a
                    moz-do-not-send="true"
                    href="https://blogs.rsa.com/news-media-2/rsa-response/"
                    target="_blank">https://blogs.rsa.com/news-media-2/rsa-response/</a><br>
                  ><br>
                  <br>
                  ><br>
                  ><br>
                  ><br>
                  >     It’s tough to know who to trust these days,
                  but I do want to put RSA’s official comment on the
                  table for consideration.<br>
                  ><br>
                  ><br>
                  ><br>
                  >     Cheers,<br>
                  ><br>
                  >     - Jim<br>
                  ><br>
                  ><br>
                  ><br>
                  >     *From:* Josh Sokol [mailto:<a
                    moz-do-not-send="true"
                    href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>
                  &lt;mailto:<a moz-do-not-send="true"
                    href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>&gt;]<br>
                  >     *Sent:* Saturday, January 04, 2014 5:04 PM<br>
                  >     *To:* Eoin Keary<br>
                  >     *Cc:* Jim Manico; Abbas Naderi; Kanwal Singh
                  (WebMentors); Nishant Johar (EMOBX); OWASP Foundation
                  Board List; Ravdeep Sodhi; OWASP Leaders<br>
                  >     *Subject:* Re: [Owasp-board] [Owasp-leaders]
                  OWASP Board decision that I don't agree with<br>
                  ><br>
                  ><br>
                  ><br>
                  >     My apologies in the delay in responding to
                  this.  I've been on the road all day today and will be
                  slow to respond tomorrow as well.<br>
                  ><br>
                  >     First off, let me admit that while my term
                  hadn't officially begun yet, I am one of the Board
                  members who encouraged Jim and Eoin to move forward
                  with the training.  My rationale for this was simple:
                  OWASP's mission is to make software security visible,
                  so that individuals and organizations worldwide can
                  make informed decisions about true software security
                  risks.  The core of this statement is VISIBILITY.
                  We need to find and take advantage of as many ways as
                  possible to raise the visibility of security risks.
                  Our mission says nothing about making political
                  statements.  It says nothing about ethical business
                  practices.  Our mission can certainly be amended to
                  reflect other imperatives, if so desired by our
                  membership, but until that day we need to prevent
                  mission scope creep.<br>
                  ><br>
                  >     Now, since our mission is making software
                  security visible, we simply have to ask ourselves if
                  we better serve this mission by:<br>
                  ><br>
                  >     1) Performing a free training at a major
                  conference, thereby increasing our exposure to people
                  who haven't heard of OWASP before and enlightening
                  them to software security risks that they likely were
                  not aware of before.<br>
                  ><br>
                  >     2) Taking a stance against a company where
                  some evidence may imply that they took a bribe to
                  sacrifice security in one of their products.<br>
                  ><br>
                  >     Let me be clear on #2.  I don't agree that
                  what RSA did is right, if it is true.  In fact, I have
                  made the explicit decision to not do business with RSA
                  in my day job because there are many other options out
                  there and it's just not worth the risk.  But my
                  passive decision to not purchase from RSA is very
                  different from OWASP reneging on our agreement and
                  making a public statement about their ethics.<br>
                  ><br>
                  >     So, given these two options, my gut is that
                  OWASP's mission will be best served by #1.  It doesn't
                  mean that we're supporting RSA.  It doesn't mean that
                  we agree with unethical business practices.  It just
                  means that we are doing the best we can to make
                  application security visible.  If that means
                  piggy-backing on the massive marketing effort they put
                  into the conference or the infrastructure that
                  supports it, I'm ok with that.  I understand that
                  others may object to this on ethical grounds, and
                  that's fine, but as a non-profit organization, we have
                  a mandate to stay true to our mission, not to speak
                  out against whatever the latest security headline is.<br>
                  ><br>
                  >     I do have one question about this training
                  for clarification.  The training is FREE for anyone
                  who would like to attend and not just for RSA
                  attendees, correct?  My assumption is the former, but
                  if the latter, this changes things significantly in my
                  opinion.<br>
                  ><br>
                  >     ~josh<br>
                  ><br>
                  ><br>
                  ><br>
                  >     On Sat, Jan 4, 2014 at 5:40 PM, Eoin Keary
                  &lt;<a moz-do-not-send="true"
                    href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>
                  &lt;mailto:<a moz-do-not-send="true"
                    href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>&gt;&gt;
                  wrote:<br>
                  ><br>
                  >         Good point.<br>
                  >         Bottom line is we want people to build
                  secure code. Delivering this message under the same
                  roof as RSA does not dilute the quality of the class
                  delivered.<br>
                  >         There is no black and white, only shades
                  of grey :)<br>
                  ><br>
                  ><br>
                  ><br>
                  >         Eoin Keary<br>
                  >         Owasp Global Board<br>
                  >         <a moz-do-not-send="true"
                    href="tel:%2B353%2087%20977%202988"
                    value="+353879772988" target="_blank">+353 87 977
                    2988</a> &lt;tel:%2B353%2087%20977%202988&gt;<br>
                  ><br>
                  >         On 4 Jan 2014, at 23:36, Jim Manico &lt;<a
                    moz-do-not-send="true"
                    href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>
                  &lt;mailto:<a moz-do-not-send="true"
                    href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>&gt;&gt;
                  wrote:<br>
                  ><br>
                  >         > Another issue that is tangential.<br>
                  >         ><br>
                  >         > We are applying for several big
                  money DHS grants. These help keep the foundation
                  running.<br>
                  >         ><br>
                  >         > Should we reject all of these grants
                  because of the Snowden affair? If we abort RSA but
                  continue to take DHS money, then we send a mixed
                  message.<br>
                  >         ><br>
                  >         > Aloha,<br>
                  >         > Jim<br>
                  >         ><br>
                  >         >> I strongly support Sastry on
                  this one.<br>
                  >         >><br>
                  >         >> You might be participating as
                  individuals, but people see you guys as the OWASP
                  Board, and that’s something that many of us don’t want
                  to see as the image of OWASP.<br>
                  >         >><br>
                  >         >> Thanks<br>
                  >         >> -Abbas<br>
                  >         >> On Jan 4, 2014, at 1:18 PM, Eoin
                  Keary &lt;<a moz-do-not-send="true"
                    href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>
                  &lt;mailto:<a moz-do-not-send="true"
                    href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>&gt;&gt;
                  wrote:<br>
                  >         >><br>
                  >         >>> To be clear, there was no
                  recorded vote on this but a debate.<br>
                  >         >>><br>
                  >         >>> I started the debate after
                  reading about Mikko. (Even though I was delivering the
                  training with Jim and it is my material).<br>
                  >         >>><br>
                  >         >>> The majority of the OWASP board
                  feels getting involved in politics is wrong and
                  wanted to push ahead with the training.<br>
                  >         >>><br>
                  >         >>> So if feelings are strong, do we
                  need to vote on this ASAP, as leaders of OWASP? A
                  formal board vote? An executive decision from Sarah,
                  our executive director?<br>
                  >         >>><br>
                  >         >>><br>
                  >         >>><br>
                  >         >>> Eoin Keary<br>
                  >         >>> Owasp Global Board<br>
                  >         >>> <a moz-do-not-send="true"
                    href="tel:%2B353%2087%20977%202988"
                    value="+353879772988" target="_blank">+353 87 977
                    2988</a> &lt;tel:%2B353%2087%20977%202988&gt;<br>
                  >         >>><br>
                  >         >>><br>
                  >         >>> On 4 Jan 2014, at 16:48,
                  Sastry Tumuluri &lt;<a moz-do-not-send="true"
                    href="mailto:sastry.tumuluri@owasp.org"
                    target="_blank">sastry.tumuluri@owasp.org</a>
                  &lt;mailto:<a moz-do-not-send="true"
                    href="mailto:sastry.tumuluri@owasp.org"
                    target="_blank">sastry.tumuluri@owasp.org</a>&gt;&gt;
                  wrote:<br>
                  >         >>><br>
                  >         >>>> Friends,<br>
                  >         >>>><br>
                  >         >>>> Please see the following
                  full conversation on twitter:<br>
                  >         >>>> <a
                    moz-do-not-send="true"
                    href="https://twitter.com/EoinKeary/status/419111748424454145"
                    target="_blank">https://twitter.com/EoinKeary/status/419111748424454145</a><br>
                  >         >>>><br>
                  >         >>>> Eoin Keary and Jim
                  Manico (both OWASP board members) will be
                  presenting/conducting 4 hrs of free-of-cost AppSec
                  training at the RSA Conference, 2014. Michael Coates,
                  Chairman of the OWASP Board is also said to be
                  present. Apparently, this was discussed at the OWASP
                  board level; and the board has decided to go ahead,
                  keeping in mind the benefit to the attending
                  developers.<br>
                  >         >>>><br>
                  >         >>>> As you are aware, RSA is
                  strongly suspected (we'll never be 100% sure, I'm
                  afraid) of being complicit with NSA in enabling fatal
                  weakening of crypto products. RSA has issued a sort of
                  a denial that only deepens the mistrust. As a protest,
                  many leading speakers are cancelling their talks at
                  the upcoming RSAC 2014. Among them are (to my
                  knowledge) Mikko Hypponen, Jeffrey Carr and Josh
                  Thomas.<br>
                  >         >>>><br>
                  >         >>>> At such a time, I am
                  saddened by the OWASP board decision to support RSAC
                  by their presence. At a time when they had the
                  opportunity to let the world know how much they care
                  for the Information Security profession (esp., against
                  weakening crypto) and how much they care about the
                  privacy of people (against NSA's unabashed spying on
                  Americans &amp; non-Americans alike), the board has
                  copped out using a flimsy rationalization ("benefit of
                  (a few) developers", many of whom would rethink their
                  attendance if OWASP and more organizations didn't
                  blink!).<br>
                  >         >>>><br>
                  >         >>>> I'm sure there was a
                  heated debate. I'm sure all angles were considered.
                  However, this goes too deep for me to take it as
                  "better men than me have considered and decided". As a
                  matter of my personal values, if the situation doesn't
                  change, I would no longer wish to continue as the
                  OWASP Chapter Lead. Please let me know if any of you
                  would like to take over from me.<br>
                  >         >>>><br>
                  >         >>>> I will also share my
                  feelings with fellow chapter members at our next
                  chapter meeting on Jan 21st. Needless to say, no
                  matter how things go, I remain committed to the
                  principles of our open and open-source infosec
                  community.<br>
                  >         >>>><br>
                  >         >>>> Best regards,<br>
                  >         >>>><br>
                  >         >>>> ==Sas3==<br>
                  >         >>>
                  _______________________________________________<br>
                  <div>
                    <div><br>
                      _______________________________________________<br>
                      OWASP-Leaders mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:OWASP-Leaders@lists.owasp.org"
                        target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                      <a moz-do-not-send="true"
                        href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                        target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><span
                        class="HOEnZb"><font color="#888888"><br>
                        </font></span></div>
                  </div>
                </blockquote>
              </div>
              <span class="HOEnZb"><font color="#888888"><br>
                  <br clear="all">
                  <br>
                  -- <br>
                  <a moz-do-not-send="true"
                    href="https://www.owasp.org/index.php/ZAP"
                    target="_blank">OWASP ZAP</a> Project leader<br>
                </font></span></div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div dir="ltr">
          <div style="font-family:arial;font-size:small"><b>Mark Miller,
              Senior Storyteller</b></div>
          <div style="font-family:arial;font-size:small"><i><font
                color="#990000">Curator and Founder, Trusted Software
                Alliance</font></i></div>
          <div style="font-family:arial;font-size:small"><i><font
                color="#990000">Host and Executive Producer, OWASP 24/7
                Podcast Channel<br>
                Community Advocate, Sonatype</font></i></div>
          <div style="font-family:arial;font-size:small">
            <br>
          </div>
          <div style="font-family:arial;font-size:small"><a
              moz-do-not-send="true"
              href="https://www.surveymonkey.com/s/Developers_and_AppSec"
              style="margin:0px;padding:0px;outline:none;font-family:'Helvetica
Neue',arial,sans-serif;font-size:12.727272033691406px;line-height:14.545454025268555px"
              target="_blank"><i
                style="margin:0px;padding:0px;outline:none"><b
                  style="margin:0px;padding:0px;outline:none"><span
                    style="margin:0px;padding:0px;outline:none;color:rgb(86,163,203)">Developers
                    and Application Security: Who is Responsible?</span></b></i></a><br>
          </div>
          <div><br>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>