[Owasp-board] Fwd: [Owasp-topten] Dinis Cruz - Defamation

Samantha Groves samantha.groves at owasp.org
Sat Dec 21 03:05:57 UTC 2013


Thank you, Michael.


On Fri, Dec 20, 2013 at 8:03 PM, Michael Coates <michael.coates at owasp.org> wrote:

> Making you aware of this. It is not appropriate for these lists to run out
> of control with material that is fully off topic. If a topic needs to be
> discussed then the governance list is the place.
>
> This moderation for Christian was made after repeated requests from
> multiple people over multiple days to move these conversations elsewhere.
> I've also referred him to the governance policy on how to handle conflicts.
> He has not changed behavior and as a result this moderation is needed.
>
> To be clear, the conversation can still continue. It just needs to
> continue in the appropriate place - the governance list.
>
>
> I'm happy to discuss this approach further with the board as needed;
> however, we are not in a position to let this continue without action until
> the next board meeting.
>
>
> --
> Michael Coates
> Chair, Global Board
> OWASP
>
>
>
>
> ---------- Forwarded message ----------
> From: Michael Coates <michael.coates at owasp.org>
> Date: Fri, Dec 20, 2013 at 6:59 PM
> Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
> To: OWASP TopTen <owasp-topten at lists.owasp.org>
>
>
> In the interest of keeping list to relevant topics for all members, I've
> made the request to moderate further emails about this topic. The
> conversation can continue, but it should continue on the governance list.
>
> Please see https://www.owasp.org/index.php/Governance/ConflictHandling for any questions.
>
>
>
> --
> Michael Coates
> Chair, Global Board
> OWASP
> @_mwc
>
>
>
> On Fri, Dec 20, 2013 at 6:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>
>> Christian and others,
>> Do you think it's a good idea to move this conversation to the OWASP
>> government list? I personally believe that it's not fair to ask him to let
>> it be, only because it's counterproductive for the community, but am also
>> against this discussion happening in the public TopTen list.
>> Thanks
>> -Abbas
>> On Dec 20, 2013, at 8:57 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>
>> If there are issues to work out, fine, but please move this to another
>> list.
>>
>> Keep these project lists in point.
>>
>> *Ryan Barnett*
>> OWASP ModSecurity CRS Project Leader
>>
>> On Dec 20, 2013, at 8:19 PM, Michael Coates <michael.coates at owasp.org>
>> wrote:
>>
>> I'd like to echo Dennis's statement. This needs to stop.
>>
>> Thanks.
>> On Dec 20, 2013 5:17 PM, "Christian Heinrich" <
>> christian.heinrich at live.com> wrote:
>>
>>> Dennis,
>>>
>>> I stop the moment I receive a personal and public apology from Dinis
>>> Cruz with the admission that he deliberately created a situation to
>>> personally attack me?
>>>
>>> I don't see why I should just have to move on when this could have
>>> easily been avoided?
>>>
>>> Even when I did forgive OWASP continued to show me disrespect, such as
>>> not adding my name to the OWASP PCI Project i.e.
>>> http://lists.owasp.org/pipermail/owasp-pci-project/2011-November/000226.html.
>>>  This was a deliberate and low act by OWASP.
>>>
>>> I would suggest you speak to your friend Dennis and seek a resolution
>>> that is mutually beneficial to all involved and not just to one party?
>>>
>>> ------------------------------
>>> Date: Fri, 20 Dec 2013 17:55:23 -0700
>>> Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
>>> From: dennis.groves at owasp.org
>>> To: christian.heinrich at live.com
>>> CC: owasp-topten at lists.owasp.org
>>>
>>> Christian,
>>>
>>> With all due respect,  you need to stop. While disagreement can be
>>> healthy, this has gone too far.
>>>
>>> Personal attacks do not help you nor the community. It is precisely
>>> these kinds of personal attacks that led to your reprimand in the past.
>>>
>>> We all have stories, and I personally know where many of the bodies are.
>>> Nothing is gained in digging them up. It is time to move forward and do
>>> great things.
>>>
>>> Christian, I am asking you to find a positive way to contribute.
>>>
>>> Dennis
>>>
>>> Sent from my mobile device, apologies for the brevity and spelling
>>> errors.
>>> On Dec 20, 2013 5:38 PM, "Christian Heinrich" <
>>> christian.heinrich at live.com> wrote:
>>>
>>> Dinis,
>>>
>>> To address your false accusation of defamation dated Monday, Jun 17,
>>> 2013 at 7:13 PM
>>>
>>> The negative perception and sentiment towards you is well known in the web
>>> application security community and wider security community based on
>>> your poor treatment of other members in the community and lack of
>>> empathy towards others and is the only contributing factor to your
>>> poor reputation and is shown in the following known examples (which
>>> you are yet to respond to) where you have abused your privileged
>>> position as an OWASP Board Member:
>>> 1. http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>>> 2. http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
>>> 3. http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>>>
>>> Therefore, since a low opinion of your character is expressed by the
>>> security community the "truth" defence (for defamation) applies and
>>> you have therefore not been defamed.
>>>
>>> However, I would like to make you aware of at least two other
>>> instances where you have defamed other people (there are many more
>>> that I am aware of):
>>>
>>> 1. MARK CURPHEY
>>>
>>> Mark had identified that your poor and negative approach to the
>>> Microsoft .NET Group resulted in a complaint from the .NET VP
>>> Executive to the Security VP Executive within Microsoft to withdraw
>>> their funding to OWASP and that the Microsoft .NET Group would cease
>>> their liaison with the (Microsoft) security team unless Mark Curphey
>>> was removed from the (Microsoft) Security Team.
>>>
>>> This fact is upheld based on the timeline of your harassment of the
>>> Microsoft .NET Group and Mark's subsequent transition and demotion to
>>> the distribution of MSDN DVD and CD packages. Mark had also stated
>>> that introducing OWASP to Microsoft was the worst decision he has ever
>>> made in his extensive career.
>>>
>>> Mark also stated that you are "lost in O2 world" and that he "hates
>>> that f.cking c.nt" i.e. referring to you, as you walked away from the
>>> heated discussion during Hack in the Box Amsterdam 2010.
>>>
>>> I would recommend you cease any further correspondence with Microsoft
>>> and you consider repaying the 200K of funding that you have lost
>>> since your role as an OWASP Board Member is to secure funding not lose
>>> it in acting on an ulterior motive prohibited as an OWASP Board
>>> Member.
>>>
>>> 2. CHRISTIAN HEINRICH
>>>
>>> The damage to my reputation is well documented within http://lists.owasp.org/pipermail/owasp-board/2010-July/008627.html
>>> when you elected to conduct an inquiry against me without any evidence
>>> to support the accusations i.e. https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project
>>>
>>> It should be noted that your friend from London, Paulo Coimbra,
>>> claimed that you did not inflict "maximum damage to his [Christian
>>> Heinrich]
>>> reputation" http://lists.owasp.org/pipermail/owasp-board/2010-September/009008.html
>>> so we have to question your claim of being defamed if Paulo doesn't
>>> consider that to be the case?
>>>
>>> Finally, a number of OWASP Board Members (past, current and future)
>>> questioned your motives i.e. http://lists.owasp.org/pipermail/owasp-board/2010-July/008598.html, http://lists.owasp.org/pipermail/owasp-board/2010-July/008566.html,
>>> etc since the OWASP Inquiry is largely viewed as an ulterior motive of
>>> your vendetta against me as I refused to cancel the panel during OWASP
>>> European Conference so you could have a second presentation O2 at the
>>> OWASP European Conference, which you have never clarified when pressed
>>> by other OWASP Board Members i.e. http://lists.owasp.org/pipermail/owasp-board/2010-December/009362.html.
>>>
>>> Can you clarify your intent with the Google Hacking Inquiry Dinis?
>>>
>>> On Mon, Dec 9, 2013 at 12:07 PM, Christian Heinrich
>>> <christian.heinrich at cmlh.id.au> wrote:
>>> > Jeff,
>>> >
>>> > This observation was based on a heated discussion between Dinis Cruz
>>> > and Mark during Hack in the Box Amsterdam 2010 which I had cited as
>>> > far back as 2011 within my comment on
>>> > https://web.archive.org/web/20111204140709/http://www.curphey.com/2011/10/owasp-time-to-move-on-for-good-this-time/
>>> > that resulted in OWASP losing significant funding from Microsoft due
>>> > to the harassment from Dinis Cruz which is clearly in breach of his
>>> > role as an OWASP Board member, which is to secure funding for the
>>> > Foundation.
>>> >
>>> > http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>>> > also supports my observation that I made during Hack in the Box
>>> > Amsterdam 2010 in relation to Dinis Cruz's continued destructive
>>> > dealing with people within the webappsec community.
>>> >
>>> > Furthermore, can you please amend the "Only O2 has been under active
>>> > development since the last release of the Top 10 in 2010." paragraph
>>> > within the OWASP Top Ten 2013 as:
>>> > 1. You are personally aware that Dinis Cruz attacked the Orizon OWASP
>>> > Project without provocation from Paulo as documented within
>>> > http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>>> > 2. Dinis' confused and destructive agenda to mark OWASP project as
>>> > "inactive" has resulted in a number of people abandoning the OWASP due
>>> > to the lack of good he has inflicted on the community e.g.
>>> > https://lists.owasp.org/pipermail/owasp-board/2009-May/002234.html.
>>> > Furthermore, there is no clarification with then OWASP Top Ten to
>>> > indicate that Paulo would not continue to support Orizon in light of
>>> > his focus on Ruby, of which he is very active within i.e.
>>> > http://armoredcode.com/
>>> >
>>> > I find it quite troubling that you have direct experience in dealing
>>> > with several complaints against Dinis Cruz and O2, such as
>>> > http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
>>> > etc and yet you are clearly guided by favouritism and bias to promote
>>> > O2 within the OWASP Top Ten over other OWASP Project that are of
>>> > better quality, in your opinion such as with Orizon, than O2.
>>> >
>>> > I would welcome Dinis making a formal complaint to the OWASP Board
>>> > against me in light of the substantial and supporting evidence to
>>> > exclude O2 from the OWASP Top Ten.
>>> >
>>> > The inclusion of Sonatype within the recent OWASP Top Ten is also
>>> > dubious since Ryan Berg also authored
>>> > http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
>>> > with Dinis Cruz. Therefore please remove any reference to Mass
>>> > Assignment from the 2013 release OWASP Top Ten?
>>> >
>>> > On Mon, Jun 17, 2013 at 7:13 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>> >> note: just while I was deleting Christian's email I noticed the mention on my
>>> >> name and that crazy accusation, and the reason I'm not replying is because
>>> >> it is pointless to have a rational conversation with Christian (which as you
>>> >> can see by my last email on that topic, I have tried and failed).
>>> >>
>>> >> What is a shame is that accusations and defamations like those are accepted,
>>> >> which might give less attentive readers the impression that they have any
>>> >> kind of validity.
>>> >>
>>> >> Finally, let's get the facts right. The people I pissed off by trying to call
>>> >> the attention to the Mass Assignment vulnerabilities was the Spring
>>> >> Framework guys (at the time called Spring MVC AutoBinding vulnerability)
>>> >>
>>> >> The case where I pissed off Microsoft was when I tried to make the case that
>>> >> Full Trust was a bad idea, that we (and they) should spend more time and
>>> >> resources making .NET partial Trust work.
>>> >>
>>> >> Of course that 'pissed off' is a very strong term, and that was just their
>>> >> excuse to ignore me. Since the reality is that they had no pressure from
>>> >> their real customers to do something about it. And btw, I was not the only
>>> >> one making this comment, I just happened to be the only one without an NDA
>>> >> signed (with them) that would speak my mind in public forums :)
>>> >>
>>> >> Ahh, isn't it nice to be accused and abused by voicing opinions and to try
>>> >> to make the framework vendors to pay attention to security
>>> >> vulnerabilities/issues that exist by design, and which affect their
>>> >> customers.
>>>
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>> http://cmlh.id.au/contact
>>>
>>>
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>
>>>
>>
>>
>>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>


-- 

*Samantha Groves, MBA*

*OWASP Projects Manager*


The OWASP Foundation

Phoenix, USA

Email: samantha.groves at owasp.org

Skype: samanthahz


OWASP Global Projects<https://www.owasp.org/index.php/Category:OWASP_Project>

Book a Meeting with Me <http://goo.gl/mZXdZ>

OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>

New Project Application Form <http://www.tfaforms.com/263506>