Saturday, January 4, 2014

OWASP and the RSA Conference 2014

Much has happened since. After a lot of discussion, the OWASP Board voted to cancel their co-marketing agreement with RSA for RSA 2014. They also voted to deliver training and a talk at the conference, if permitted to do so.
While my disagreements with the underlying arguments remain, I must admit I am a much bigger fan of OWASP's style of functioning than I was. To put it mildly, I had grossly misunderstood OWASP's openness. In retrospect, I wouldn't have used the same strong words as I had, if I were to do it now.
To preserve what was, and the nature of my misunderstanding, I'm leaving the post below as is. Instead of messing here, I'll write a separate post on the developments.
The OWASP Board apparently decided to participate in RSAC 2014 by way of offering a 4 hour free-of-cost AppSec training. Apparently "developers' benefit won out". 

Here is a Twitter conversation on this topic:

This was an opportunity for the world's most influential and inspirational AppSec organization to take a principled stand that:

  1. the industry will not stand by and watch the foundations of trust and technology be eroded by patently malicious intent (such as that of subverting crypto products and standards); and
  2. the industry will not stand for unwarranted universal surveillance using national interest and anti-terrorism as flimsy excuses.
However, the wise old men/women of the board have chosen not to take the high road. They didn't say, "what's a few developers' one lost opportunity when the whole world is reeling?". They didn't say, "this will only encourage other pillagers of infosec public trust, assuring them that OWASP and others will find glib rationalizations to look the other way while they earn a few bucks on the side".

In short, they copped out. [edit: I was under the impression that the decision was made, done, closed. However, in a welcome development, the matter has been re-opened for wider discussion within OWASP. I will update this post when the status changes.]

Update: The OWASP email discussion on this topic is available at:

Relevant blog post: Robert Graham's Why we have to boycott RSA

I've never been invited there as a speaker. My protest and opinion may neither dent RSAC nor OWASP. Yet, I believe it is important for me and other like-minded people to clearly say NO.

As a first step, I've offered (to my co-leads) to step down from the local OWASP Chapter leadership, unless the situation changes. It is a sad day for me, as I worked hard to establish this chapter only recently. We are doing a very important public service. The principles of open community and open source are as dear to me as the InfoSec profession. Yet, I don't believe I can compromise and tell RSA or OWASP that "it's okay".

At this time, I haven't considered any other possible action. I'm looking out for more though. 

Sunday, October 6, 2013

On a Slippery Road in the Name of National Security

Two very important things happened at the recently concluded Cocon 2013. Not surprisingly, the media missed these, in favor of more "mainstream" news focusing on the celebrities and visible initiatives.
  1. The Deputy National Security Advisor, Sh. Nehchal Sandhu, gave a largely statistics-and-routine talk, with the notable exception of a superb pronouncement:
    "We will not go down that road."
    He was referring to the recent events surrounding the NSA's surveillance and its fallout in the US (civil rights outrage) and in the rest of the world (Brazil, anyone?), including India (such as new guidelines on email usage, etc.). This statement was made to convey that the Indian Government would not indulge in the kind of tactics that the NSA and FBI are being accused of.

    Why is this important? It portrays a commitment from the Government to act with a level of wisdom and maturity that has been hard to find recently not just here, but in most parts of the world.

  2. A few speakers talked about the Government's collaboration with the hacker community. One of the talks included an unapologetic response to the criticism of the takedown of a malware's C&C server at this year's nullcon -- announcing a new era of Government - Community partnership.

    On the sidelines of this talk was a much more sinister discussion: that some parts of the Government might be willing to take hackers for hire -- for ostensibly National Security engagements.

    On the face of it, it should not cause any concern, right? Not until you understand the implications, subtle and otherwise. How will this relationship begin, what pitstops will it make and how far will it go?
    An example: LulzSec (ex-)leader cooperating with the FBI.
    Another: Desi hackers join Indian Cyber Army. In this, there is even a mention of a lawyer wanting to change the IT Act to provide protection for "patriotic stealth operations". Of course, they might be talking about "usual" hiring of infosec professionals in cyber-defense positions... but there is enough to indicate otherwise too.

    There are enough rumours and murmurs on whole truckloads of East European hackers being allowed to flourish in the fond hope that they will provide the necessary "air" cover (and perhaps, tactical support) to their governments when push comes to shove in cyberwars. Are we talking about going down that route?

    National Security as a justification to do things that you wouldn't otherwise do is a very slippery slope. Once you start the journey, you have no control on the speed, direction or the destination. This is a route that argues that the means justify the ends. No doubt there will be people who argue that when our adversaries do it, we must do it too.

    However, I hope that saner voices such as Sh. Sandhu's will prevail.

On a different note, I do hope that our above-board educational hacker groups (such as garage4hackers) make every effort not to tip and fall into the wrong category. A few beers, some boasting and a vulnerable target are all the ingredients that enthusiastic young blood needs to cross the line. There are always rationalizations that can be made after the fact, including misplaced patriotism.