[Owasp-board] Fwd: [Owasp-topten] Dinis Cruz - Defamation

Michael Coates michael.coates at owasp.org
Sat Dec 21 03:03:04 UTC 2013


Making you aware of this. It is not appropriate for these lists to run out
of control with material that is fully off topic. If a topic needs to be
discussed then the governance list is the place.

This moderation for Christian was made after repeated requests from
multiple people over multiple days to move these conversations elsewhere.
I've also referred him to the governance policy on how to handle conflicts.
He has not changed behavior and as a result this moderation is needed.

To be clear, the conversation can still continue. It just needs to continue
in the appropriate place - the governance list.


I'm happy to discuss this approach further with the board as needed;
however, we are not in a position to let this continue without action until
the next board meeting.


--
Michael Coates
Chair, Global Board
OWASP




---------- Forwarded message ----------
From: Michael Coates <michael.coates at owasp.org>
Date: Fri, Dec 20, 2013 at 6:59 PM
Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
To: OWASP TopTen <owasp-topten at lists.owasp.org>


In the interest of keeping the list to relevant topics for all members, I've
made the request to moderate further emails about this topic. The
conversation can continue, but it should continue on the governance list.

Please see https://www.owasp.org/index.php/Governance/ConflictHandling for
any questions.



--
Michael Coates
Chair, Global Board
OWASP
@_mwc



On Fri, Dec 20, 2013 at 6:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:

> Christian and others,
> Do you think it's a good idea to move this conversation to the OWASP
> government list? I personally believe that it's not fair to ask him to let
> it be, only because it's counterproductive for the community, but am also
> against this discussion happening in the public TopTen list.
> Thanks
> -Abbas
> On Dec 20, 2013, at 8:57 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>
> If there are issues to work out, fine, but please move this to another
> list.
>
> Keep these project lists in point.
>
> *Ryan Barnett*
> OWASP ModSecurity CRS Project Leader
>
> On Dec 20, 2013, at 8:19 PM, Michael Coates <michael.coates at owasp.org>
> wrote:
>
> I'd like to echo Dennis's statement. This needs to stop.
>
> Thanks.
> On Dec 20, 2013 5:17 PM, "Christian Heinrich" <christian.heinrich at live.com>
> wrote:
>
>> Dennis,
>>
>> I stop the moment I receive a personal and public apology from Dinis Cruz
>> with the admission that he deliberately created a situation to personally
>> attack me?
>>
>> I don't see why I should just have to move on when this could have easily
>> been avoided?
>>
>> Even when I did forgive OWASP continued to show me disrespect, such as
>> not adding my name to the OWASP PCI Project i.e.
>> http://lists.owasp.org/pipermail/owasp-pci-project/2011-November/000226.html.
>>  This was a deliberate and low act by OWASP.
>>
>> I would suggest you speak to your friend Dennis and seek a resolution
>> that is mutually beneficial to all involved and not just to one party?
>>
>> ------------------------------
>> Date: Fri, 20 Dec 2013 17:55:23 -0700
>> Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
>> From: dennis.groves at owasp.org
>> To: christian.heinrich at live.com
>> CC: owasp-topten at lists.owasp.org
>>
>> Christian,
>>
>> With all due respect,  you need to stop. While disagreement can be
>> healthy, this has gone too far.
>>
>> Personal attacks do not help you nor the community. It is precisely these
>> kinds of personal attacks that led to your reprimand in the past.
>>
>> We all have stories, and I personally know where many of the bodies are.
>> Nothing is gained in digging them up. It is time to move forward and do
>> great things.
>>
>> Christian, I am asking you to find a positive way to contribute.
>>
>> Dennis
>>
>> Sent from my mobile device, apologies for the brevity and spelling errors.
>> On Dec 20, 2013 5:38 PM, "Christian Heinrich" <
>> christian.heinrich at live.com> wrote:
>>
>> Dinis,
>>
>> To address your false accusation of defamation dated Monday, Jun 17,
>> 2013 at 7:13 PM
>>
>> The negative perception and sentiment towards you is well known in the web
>> application security community and wider security community based on
>> your poor treatment of other members in the community and lack of
>> empathy towards others and is the only contributing factor to your
>> poor reputation and is shown in the following known examples (which
>> you are yet to respond to) where you have abused your privileged
>> position as an OWASP Board Member:
>> 1. http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>> 2. http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
>> 3. http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>>
>> Therefore, since a low opinion of your character is expressed by the
>> security community the "truth" defence (for defamation) applies and
>> you have therefore not been defamed.
>>
>> However, I would like to make you aware of at least two other
>> instances where you have defamed other people (there are many more
>> that I am aware of):
>>
>> 1. MARK CURPHEY
>>
>> Mark had identified that your poor and negative approach to the
>> Microsoft .NET Group resulted in a complaint from the .NET VP
>> Executive to the Security VP Executive within Microsoft to withdraw
>> their funding to OWASP and that the Microsoft .NET Group would cease
>> their liaison with the (Microsoft) security team unless Mark Curphey
>> was removed from the (Microsoft) Security Team.
>>
>> This fact is upheld based on the timeline of your harassment of the
>> Microsoft .NET Group and Mark's subsequent transition and demotion to
>> the distribution of MSDN DVD and CD packages. Mark had also stated
>> that introducing OWASP to Microsoft was the worst decision he has ever
>> made in his extensive career.
>>
>> Mark also stated that you are "lost in O2 world" and that he "hates
>> that f.cking c.nt" i.e. referring to you, as you walked away from the
>> heated discussion during Hack in the Box Amsterdam 2010.
>>
>> I would recommend you cease any further correspondence with Microsoft
>> and consider repaying the 200K of funding that you have lost
>> since your role as an OWASP Board Member is to secure funding not lose
>> it in acting on an ulterior motive prohibited as an OWASP Board
>> Member.
>>
>> 2. CHRISTIAN HEINRICH
>>
>> The damage to my reputation is well documented within http://lists.owasp.org/pipermail/owasp-board/2010-July/008627.html
>> when you elected to conduct an inquiry against me without any evidence
>> to support the accusations i.e. https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project
>>
>> It should be noted that your friend from London, Paulo Coimbra,
>> claimed that you did not inflict "maximum damage to his [Christian
>> Heinrich]
>> reputation" http://lists.owasp.org/pipermail/owasp-board/2010-September/009008.html
>> so we have to question your claim of being defamed if Paulo doesn't
>> consider that to be the case?
>>
>> Finally, a number of OWASP Board Members (past, current and future)
>> questioned your motives i.e. http://lists.owasp.org/pipermail/owasp-board/2010-July/008598.html, http://lists.owasp.org/pipermail/owasp-board/2010-July/008566.html,
>> etc since the OWASP Inquiry is largely viewed as an ulterior motive of
>> your vendetta against me as I refused to cancel the panel during OWASP
>> European Conference so you could have a second presentation O2 at the
>> OWASP European Conference, which you have never clarified when pressed
>> by other OWASP Board Members i.e. http://lists.owasp.org/pipermail/owasp-board/2010-December/009362.html.
>>
>> Can you clarify your intent with the Google Hacking Inquiry Dinis?
>>
>> On Mon, Dec 9, 2013 at 12:07 PM, Christian Heinrich
>> <christian.heinrich at cmlh.id.au> wrote:
>> > Jeff,
>> >
>> > This observation was based on a heated discussion between Dinis Cruz
>> > and Mark during Hack in the Box Amsterdam 2010 which I had cited as
>> > far back as 2011 within my comment on
>> > https://web.archive.org/web/20111204140709/http://www.curphey.com/2011/10/owasp-time-to-move-on-for-good-this-time/
>> > that resulted in OWASP losing significant funding from Microsoft due
>> > to the harassment from Dinis Cruz which is clearly in breach of his
>> > role as an OWASP Board member, which is to secure funding for the
>> > Foundation.
>> >
>> > http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>> > also supports my observation that I made during Hack in the Box
>> > Amsterdam 2010 in relation to Dinis Cruz's continued destructive
>> > dealing with people within the webappsec community.
>> >
>> > Furthermore, can you please amend the "Only O2 has been under active
>> > development since the last release of the Top 10 in 2010." paragraph
>> > within the OWASP Top Ten 2013 as:
>> > 1. You are personally aware that Dinis Cruz attacked the Orizon OWASP
>> > Project without provocation from Paulo as documented within
>> > http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>> > 2. Dinis' confused and destructive agenda to mark OWASP project as
>> > "inactive" has resulted in a number of people abandoning the OWASP due
>> > to the lack of good he has inflicted on the community e.g.
>> > https://lists.owasp.org/pipermail/owasp-board/2009-May/002234.html.
>> > Furthermore, there is no clarification with then OWASP Top Ten to
>> > indicate that Paulo would not continue to support Orizon in light of
>> > his focus on Ruby, of which he is very active within i.e.
>> > http://armoredcode.com/
>> >
>> > I find it quite troubling that you have direct experience in dealing
>> > with several complaints against Dinis Cruz and O2, such as
>> > http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
>> > etc and yet you are clearly guided by favouritism and bias to promote
>> > O2 within the OWASP Top Ten over other OWASP Project that are of
>> > better quality, in your opinion such as with Orizon, than O2.
>> >
>> > I would welcome Dinis make a formal complaint to the OWASP Board
>> > against me in light of the substantial and supporting evidence to
>> > exclude O2 from the OWASP Top Ten.
>> >
>> > The inclusion of Sonatype within the recent OWASP Top Ten is also
>> > dubious since Ryan Berg also authored
>> > http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
>> > with Dinis Cruz. Therefore please remove any reference to Mass
>> > Assignment from the 2013 release OWASP Top Ten?
>> >
>> > On Mon, Jun 17, 2013 at 7:13 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> >> note: just while I was deleting Christian's email I noticed the mention on my
>> >> name and that crazy accusation, and the reason I'm not replying is because
>> >> it is pointless to have a rational conversation with Christian (which as you
>> >> can see by my last email on that topic, I have tried and failed).
>> >>
>> >> What is a shame is that accusations and defamations like those are accepted,
>> >> which might give less attentive readers the impression that they have any
>> >> kind of validity.
>> >>
>> >> Finally, let's get the facts right. The people I pissed off by trying to call
>> >> the attention to the Mass Assignment vulnerabilities was the Spring
>> >> Framework guys (at the time called Spring MVC AutoBinding vulnerability)
>> >>
>> >> The case where I pissed off Microsoft was when I tried to make the case that
>> >> Full Trust was a bad idea, that we (and they) should spend more time and
>> >> resources making .NET partial Trust work.
>> >>
>> >> Of course that 'pissed off' is a very strong term, and that was just their
>> >> excuse to ignore me. Since the reality is that they had no pressure from
>> >> their real customers to do something about it. And btw, I was not the only
>> >> one making this comment, I just happened to be the only one without an NDA
>> >> signed (with them) that would speak my mind in public forums :)
>> >>
>> >> Ahh, isn't it nice to be accused and abused by voicing opinions and to try
>> >> to make the framework vendors to pay attention to security
>> >> vulnerabilities/issues that exist by design, and which affect their
>> >> customers.
>>
>>
>> --
>> Regards,
>> Christian Heinrich
>> http://cmlh.id.au/contact
>>
>>
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>
>>