<div dir="ltr"><div><div>As long as we're correcting the record, I never offered to have Christian rejoin OWASP.  I created a plan that I thought was a compromise between the various thoughts and feelings on the situation regarding Christian's request to re-evaluate his membership ban and offered to take it to the Board if he agreed to it.  As he says, he did decline and any activity towards his reinstatement ceased at that time.<br><br></div>To answer Christian's question, the Board received multiple complaints from members of the OWASP Foundation accusing him of posting e-mails to the OWASP Leaders list containing rude and abusive language and false accusations.  We asked our Compliance Officer to review the complaints, determine whether they are accurate, and determine whether the posts were in conflict with the OWASP Code of Ethics.  The conclusion was that the complaints were accurate and the posts were in conflict with the OWASP Code of Conduct and the recommendation was for the Board to define appropriate measures as a result of his actions and to make an official public statement.  Without the notes, I'm not sure who took that as an action item, but it certainly merits follow-up to make sure that it happens.  This absolutely should not have been a surprise to you, Christian, and for that, I am sorry.  I was under the impression that it had been communicated to you.  
I will take it as a personal action item to follow up with the Board and our ED to determine who took that action item on and make sure that they follow through with it.<br><br></div>~josh<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 6, 2014 at 6:55 PM, Christian Heinrich <span dir="ltr"><<a href="mailto:christian.heinrich@cmlh.id.au" target="_blank">christian.heinrich@cmlh.id.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Martin,<div><br></div><div>For the record, I declined Josh Sokol's offer to rejoin OWASP because he refused to issue a clarification to the various OWASP Mailing Lists of the ulterior motives of Dinis Cruz and Chris Gatford with <a href="https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project" target="_blank">https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project</a></div><div><br></div><div>This, as I expected, has resulted in another positive contribution of mine being treated with suspicion and contempt.  I have made several recent positive contributions to ASVS that have been acknowledged by both Jim Manico and Andrew van der Stock, of which a sample is provided below:</div><div>1. <a href="http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-September/000650.html" target="_blank">http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-September/000650.html</a></div><div>2. <a href="http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-October/000691.html" target="_blank">http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-October/000691.html</a></div><div>3. 
<a href="http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-October/000692.html" target="_blank">http://lists.owasp.org/pipermail/owasp-application-security-verification-standard/2014-October/000692.html</a> </div><div><br></div><div><div class="gmail_extra">As you would be aware, I declined Josh's offer to rejoin in February 2014 and I have not corresponded on this matter since, and I was explicit in instructing the OWASP Board not to presume that I want them to take any actions on my behalf. </div><div class="gmail_extra"><br></div><div class="gmail_extra">I am surprised to learn about an event involving me without any notification or the ability to defend myself in hearsay that Josh alludes to in the e-mail dated 6 November 2014 at 1:57 PM.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Can you please give me a call to provide your version of the events since we hadn't spoken prior to 16 September 2014?</div><div class="gmail_extra"><br></div><div class="gmail_extra">I would appreciate it if you could inform the various Mailing Lists to discontinue this discussion since:<br></div><div class="gmail_extra">1. I cannot defend myself on the OWASP Leaders Mailing List.</div><div class="gmail_extra">2. It may have an adverse effect on the legal proceeding against Chris Gatford.</div><div class="gmail_extra">3. I have no idea what Josh Sokol is alluding to that occurred on 16 September.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_quote"><div><div class="h5">On Fri, Nov 7, 2014 at 10:44 AM, Steven van der Baan <span dir="ltr"><<a href="mailto:steven.van.der.baan@owasp.org" target="_blank">steven.van.der.baan@owasp.org</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    I agree with Yvan that at least the leaders list had to be informed
    of this decision, and with that I mean that an additional message had
    to be sent besides the mention in the meeting minutes. Although the
    Operations Team is capable of handling sensitive issues, they do not
    have to be alone in upholding these rulings.<br>
    <br>
    Regards,<br>
    Steven.<br>
    <br>
    <br>
    <div>On 06/11/14 22:25, Yvan Boily wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, Nov 6, 2014 at 1:57 PM, Josh
            Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div>
                  <div>
                    <div>
                      <div>Yvan,<br>
                        <br>
                      </div>
                      Your post is actually about two separate things:<br>
                      <br>
                    </div>
                    1) Action: The Board acknowledged the complaints
                    from various members of the Foundation and had our
                    Compliance Officer, Martin Knobloch, conduct an
                    investigation into the matter.  Martin concluded his
                    independent investigation into his actions and
                    provided his report to the Board in September.  My
                    mind is failing me as to whether it was the
                    September or October Board Meeting (pretty sure it
                    was at AppSecUSA on 9/16/2014), and the agenda and
                    voting doesn't reflect it (a problem I've asked to
                    get rectified), but the Board did vote to extend his
                    membership ban and not give reconsideration for
                    membership for a significant period of time.  I
                    don't remember offhand the exact details in terms of
                    timeframe as many different options were discussed. 
                    Regardless, your suggestion that the Board has
                    failed to take action on this issue is misinformed.<br>
                  </div>
                </div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Glad to hear it!  Can we get an amendment to the
              process that when action is taken a complainant is
              notified?  <br>
            </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div>
                  <div><br>
                  </div>
                  2) Enforcement: This is where things get tricky and is
                  largely outside of the Board's hands.  It becomes an
                  Operations Team issue to try and figure out how to
                  enforce the fact that someone is not allowed to
                  participate in OWASP.  I think that there was supposed
                  to be some discussion with Matt in terms of figuring
                  out how to handle it technically, but, from the recent
                  message, it doesn't appear that it was done.  Not sure
                  where the ball was dropped there, but I'm sure Paul
                  can look into it as ED.<span><font color="#888888"><br>
                    </font></span></div>
              </div>
            </blockquote>
            <div><br>
            </div>
            The technical enforcement aspect is only one part of it. 
            Technical measures to curtail participation are a rathole,
            especially for security folks since many of us have "figure
            out how to bypass controls" as part of our
            professional repertoire.<br>
          </div>
          <div class="gmail_quote">
            <div><br>
            </div>
            <div>The second part is to notify the community that a
              person has been blocked from participation; without the
              knowledge that the ban is in place, we don't have the
              means to advise folks that their participation is
              unwelcome due to past behavior.  This is important to both
              increase awareness that OWASP will uphold its
              expectations for all community members, and to take the
              strain of enforcing the ban off of individual contributors
              or staff.  <br>
              <br>
            </div>
            <div>Thanks for everyone's work on this, and sorry
              to have to stir the pot on this issue again.<br>
              <br>
            </div>
            <div>Cheers,<br>
              Yvan<br>
            </div>
            <div><br>
            </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div><span></span></div>
                <span><font color="#888888">~josh<br>
                  </font></span></div>
              <div>
                <div>
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote">On Thu, Nov 6, 2014 at 3:12
                      PM, Steven van der Baan <span dir="ltr"><<a href="mailto:steven.van.der.baan@owasp.org" target="_blank">steven.van.der.baan@owasp.org</a>></span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
                        <div bgcolor="#FFFFFF" text="#000000"> True<br>
                          <br>
                          I personally would have preferred it that, for
                          now, the leaders list was not included as
                          there is already too much bickering going on
                          there. And as you say, if the board fails to
                          make a decision or is unable to enforce the
                          code of ethics, then it would have been just
                          to include the leaders list in a 'call to
                          action'. I agree that the community deserves
                          more. I can only hope there will be an
                          announcement soon to resolve it all.<br>
                          <br>
                          Kind regards,<br>
                          Steven.
                          <div>
                            <div><br>
                              <br>
                              <br>
                              <div>On 06/11/14 20:57, Yvan Boily wrote:<br>
                              </div>
                              <blockquote type="cite">
                                <div dir="ltr">
                                  <div>
                                    <div>
                                      <div>It would have been out of
                                        line if I had posted this line
                                        of inquiry back to the
                                        individual project threads.  I
                                        changed the venue for these
                                        comments to the leaders list and
                                        the governance team.  I also
                                        added the board to this message.<br>
                                      </div>
                                      <div><br>
                                      </div>
                                      Bottom line, the board has not
                                      acted to protect the community
                                      from someone who has regularly
                                      posted abusive messages, and has
                                      persisted in doing so since the
                                      complaint was filed.  I don't
                                       really care whether his content is
                                       technically valid, I care about
                                       the harm of allowing known bad
                                       actors to continue to participate
                                       at the expense of others.<br>
                                      <br>
                                    </div>
                                    I don't know him either, and I am
                                    not personally invested in the
                                    outcome of the decision that the
                                    board makes regarding Christian; I
                                    am personally invested in knowing
                                     whether or not OWASP is willing to
                                     follow its own rules.  If the
                                    board is failing to enforce the code
                                    of ethics, then this is an issue for
                                    the leaders and the governance
                                    team.  OWASP contributors deserve
                                    better than this.<br>
                                    <br>
                                  </div>
                                  Regards,<br>
                                  Yvan Boily<br>
                                </div><div><div>
                                <div class="gmail_extra"><br>
                                  <div class="gmail_quote">On Thu, Nov
                                    6, 2014 at 12:25 PM, Steven van der
                                    Baan <span dir="ltr"><<a href="mailto:steven.van.der.baan@owasp.org" target="_blank">steven.van.der.baan@owasp.org</a>></span>
                                    wrote:<br>
                                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
                                      <div bgcolor="#FFFFFF" text="#000000"> Yvan,<br>
                                        <br>
                                        as far as I'm aware there has
                                        been no announcement that he
                                        should be blocked and to be
                                        honest I find this question out
                                        of place here. <br>
                                         No, I'm no friend of Mr
                                         Heinrich. No, I do not know him.
                                         Yes, I realise that he can be
                                         quite a handful, but I firmly
                                         believe that this type of
                                         question should not be
                                         expressed so openly and on
                                         multiple lists as you have
                                         done.<br>
                                        <br>
                                        Kind regards,<br>
                                        Steven van der Baan.
                                        <div>
                                          <div><br>
                                            <br>
                                            <div>On 06/11/14 18:11, Yvan
                                              Boily wrote:<br>
                                            </div>
                                            <blockquote type="cite">
                                              <div dir="ltr">
                                                <div>Regardless of the
                                                  content, Christian is
                                                  supposed to have been
                                                  blocked from
                                                  participation in
                                                  OWASP.  Has there been
                                                  a change here?<br>
                                                  <br>
                                                </div>
                                                Regards,<br>
                                                Yvan<br>
                                              </div>
                                              <div class="gmail_extra"><br>
                                                <div class="gmail_quote">On
                                                  Thu, Nov 6, 2014 at
                                                  7:20 AM, Bev Corwin <span dir="ltr"><<a href="mailto:bev.corwin@owasp.org" target="_blank">bev.corwin@owasp.org</a>></span>
                                                  wrote:<br>
                                                  <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
                                                    <div dir="ltr">Sharing
                                                      FYI:
                                                      <div><br>
                                                      </div>
                                                       <div><clip><br>
                                                         <h3>Reliance on Hardening, Not Obfuscation</h3>
                                                         <p>Hiding code does not prevent attacks—and it
                                                           is foolish to assume that it does. Open Source
                                                           development practices rely on actually hardening
                                                           (or improving the security of) code by making it
                                                           available for peers to test and try to break, and
                                                           then fixing the problems found.</p>
                                                         <div></clip></div>
                                                        <div><br>
                                                        </div>
                                                        <div>From:</div>
                                                        <div><br>
                                                        </div>
                                                        <div><a href="http://mil-oss.org/learn-more/security-model-misconceptions" target="_blank">http://mil-oss.org/learn-more/security-model-misconceptions</a><br>
                                                        </div>
                                                      </div>
                                                      <div><br>
                                                      </div>
                                                      <div>Bev</div>
                                                      <div><br>
                                                      </div>
                                                    </div>
                                                    <div class="gmail_extra"><br>
                                                      <div class="gmail_quote">On
                                                        Tue, Nov 4, 2014
                                                        at 8:29 PM,
                                                        Christian
                                                        Heinrich <span dir="ltr"><<a href="mailto:christian.heinrich@cmlh.id.au" target="_blank">christian.heinrich@cmlh.id.au</a>></span>
                                                        wrote:<br>
                                                        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Andrew,<br>
                                                          <span><br>
                                                          On Wed, Nov 5,
                                                          2014 at 10:22
                                                          AM, Andrew van
                                                          der Stock<br>
                                                          <<a href="mailto:vanderaj@owasp.org" target="_blank">vanderaj@owasp.org</a>>


                                                          wrote:<br>
                                                          > I am
                                                          ashamed to say
                                                          when reviewing
                                                          the ASVS 2.0,
                                                          I totally
                                                          missed the<br>
                                                          > inclusion
                                                          of V17.11,
                                                          which is a
                                                          Level 3
                                                          control for
                                                          requiring<br>
                                                          >
                                                          obfuscation.
                                                          Was this
                                                          included
                                                          because it was
                                                          in the Mobile
                                                          Top 10<br>
                                                          > 2014?<br>
                                                          <br>
                                                          </span>The
                                                          benefit of
                                                          obfuscation is
                                                          that the
                                                          auditor has to
                                                          be much higher<br>
                                                          skilled than
                                                          the "middle of
                                                          the bell
                                                          curve", who
                                                           just copy and
                                                           paste a<br>
                                                          report from
                                                          their SAST
                                                          product.<br>
                                                          <br>
                                                          This cost
                                                          should be
                                                          absorbed by
                                                          the client
                                                          since the
                                                          auditor is<br>
                                                          required to
                                                           undertake
                                                          additional
                                                          work.<br>
                                                          <br>
                                                          In addition,
                                                          obfuscation
                                                          also minimises
                                                          the loss of
                                                           intellectual<br>
                                                          property if
                                                          the auditor
                                                          misplaces the
                                                          source code
                                                          because the
                                                          "[wo]man<br>
                                                          on the street"
                                                          isn't going to
                                                          be able to
                                                          understand it
                                                          or know what
                                                          it<br>
                                                          is without
                                                          some
                                                          investment.<br>
                                                          <br>
                                                          I vote not to
                                                          have
                                                          obfuscation
                                                          removed from
                                                          ASVS, but
                                                          reworded (in
                                                          the<br>
                                                          next ASVS
                                                          release) to
                                                          include the
                                                          additional
                                                          clarification
                                                          from the<br>
                                                          next release
                                                          of the Mobile
                                                          Top 10.<br>
                                                          <span><font color="#888888"><br>
                                                          <span><font color="#888888">
                                                          <br>
                                                          --<br>
                                                          Regards,<br>
                                                          Christian
                                                          Heinrich<br>
                                                          <br>
                                                          <a href="http://cmlh.id.au/contact" target="_blank">http://cmlh.id.au/contact</a><br>
                                                          </font></span></font></span><span><font color="#888888">
                                                          <div>
                                                          <div>_______________________________________________<br>
                                                          Owasp-application-security-verification-standard


                                                          mailing list<br>
                                                          <a href="mailto:Owasp-application-security-verification-standard@lists.owasp.org" target="_blank">Owasp-application-security-verification-standard@lists.owasp.org</a><br>
                                                          <a href="https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard</a><br>
                                                          </div>
                                                          </div>
                                                          </font></span></blockquote>
                                                      </div>
                                                      <br>
                                                    </div>
                                                    <br>
_______________________________________________<br>
                                                    OWASP-Leaders
                                                    mailing list<br>
                                                    <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                                    <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                                    <br>
                                                  </blockquote>
                                                </div>
                                                <br>
                                              </div>
                                              <br>
                                            </blockquote>
                                            <br>
                                          </div>
                                        </div>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <br>
                                </div>
                              </div></div></blockquote>
                              <br>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

<br></div></div>_______________________________________________<br>
Governance mailing list<br>
<a href="mailto:Governance@lists.owasp.org" target="_blank">Governance@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/governance" target="_blank">https://lists.owasp.org/mailman/listinfo/governance</a><br>
<br></blockquote></div><span class=""><br><br clear="all"><div><br></div>-- <br><div>Regards,<br>Christian Heinrich<br><br><a href="http://cmlh.id.au/contact" target="_blank">http://cmlh.id.au/contact</a></div>
</span></div></div></div>
</blockquote></div><br></div>