[Owasp-board] Fwd: [Owasp-topten] Dinis Cruz - Defamation

Tobias tobias.gondrom at owasp.org
Sat Dec 21 09:51:41 UTC 2013


I agree. The emails with subjects:
- Re: [Owasp-topten] Dinis Cruz - Defamation
- Re: [Owasp-topten] Lack of Respect Shown by Dinis Cruz

are off-topic to the "Top-Ten" project and need to be moved to another
The governance list could be a place to do this. We might even consider
to create a mailing-list "disputes" or "complaints" for this purpose (if
the purpose of the governance list does not fit).

I would suggest to explicitly ask Christian to move his discussion to
the appropriate list ("governance" or a new "disputes"/"complaints"
list) and if he does not comply, moderate his emails in topten and
eventually discard off-topic emails to the Top-Ten list.

Please note: I am making no judgement on the validity of the claims and
allegations, only on the procedure.

Best regards, Tobias

On 21/12/13 03:03, Michael Coates wrote:
> Making you aware of this. It is not appropriate for these lists to run
> out of control with material that is fully off topic. If a topic needs
> to be discussed then the governance list is the place.
> This moderation for Christian was made after repeated requests from
> multiple people over multiple days to move these conversations
> elsewhere. I've also referred him to the governance policy on how to
> handle conflicts. He has not changed behavior and as a result this
> moderation is needed.
> To be clear, the conversation can still continue. It just needs to
> continue in the appropriate place - the governance list.
> I'm happy to discuss this approach further with the board as needed;
> however, we are not in a position to let this continue without action
> until the next board meeting.
> --
> Michael Coates
> Chair, Global Board
> ---------- Forwarded message ----------
> From: Michael Coates <michael.coates at owasp.org>
> Date: Fri, Dec 20, 2013 at 6:59 PM
> Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
> To: OWASP TopTen <owasp-topten at lists.owasp.org>
> In the interest of keeping list to relevant topics for all members,
> I've made the request to moderate further emails about this topic. The
> conversation can continue, but it should continue on the governance list.
> Please see https://www.owasp.org/index.php/Governance/ConflictHandling
> for any questions.
> --
> Michael Coates
> Chair, Global Board
> @_mwc
> On Fri, Dec 20, 2013 at 6:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>     Christian and others,
>     Do you think it's a good idea to move this conversation to the
>     OWASP government list? I personally believe that it's not fair to
>     ask him to let it be, only because it's counterproductive for the
>     community, but am also against this discussion happening in the
>     public TopTen list.
>     Thanks
>     -Abbas
>     On Dec 20, 2013, at 8:57 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>     If there are issues to work out, fine, but please move this to
>>     another list.
>>     Keep these project lists in point. 
>>     *Ryan Barnett*
>>     OWASP ModSecurity CRS Project Leader
>>     On Dec 20, 2013, at 8:19 PM, Michael Coates <michael.coates at owasp.org> wrote:
>>>     I'd like to echo Dennis's statement. This needs to stop.
>>>     Thanks.
>>>     On Dec 20, 2013 5:17 PM, "Christian Heinrich" <christian.heinrich at live.com> wrote:
>>>         Dennis,
>>>         I stop the moment I receive a personal and public apology
>>>         from Dinis Cruz with the admission that he deliberately
>>>         created a situation to personally attack me?
>>>         I don't see why I should just have to move on when this
>>>         could have easily been avoided? 
>>>         Even when I did forgive OWASP continued to show me
>>>         disrespect, such as not adding my name to the OWASP PCI
>>>         Project
>>>         i.e. http://lists.owasp.org/pipermail/owasp-pci-project/2011-November/000226.html.
>>>          This was a deliberate and low act by OWASP.
>>>         I would suggest you speak to your friend Dennis and seek a
>>>         resolution that is mutually beneficial to all involved and
>>>         not just to one party?
>>>         ------------------------------------------------------------------------
>>>         Date: Fri, 20 Dec 2013 17:55:23 -0700
>>>         Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
>>>         From: dennis.groves at owasp.org
>>>         To: christian.heinrich at live.com
>>>         CC: owasp-topten at lists.owasp.org
>>>         Christian,
>>>         With all due respect, you need to stop. While disagreement
>>>         can be healthy, this has gone too far.
>>>         Personal attacks do not help you nor the community. It is
>>>         precisely these kinds of personal attacks that led to your
>>>         reprimand in the past.
>>>         We all have stories, and I personally know where many of the
>>>         bodies are. Nothing is gained in digging them up. It is time
>>>         to move forward and do great things.
>>>         Christian, I am asking you to find a positive way to contribute.
>>>         Dennis
>>>         Sent from my mobile device, apologies for the brevity and
>>>         spelling errors.
>>>         On Dec 20, 2013 5:38 PM, "Christian Heinrich" <christian.heinrich at live.com> wrote:
>>>             Dinis,
>>>             To address your false accusation of defamation dated Monday, Jun 17,
>>>             2013 at 7:13 PM
>>>             The negative perception and sentiment towards you well known the web
>>>             application security community and wider security community based on
>>>             your poor treatment of other members in the community and lack of
>>>             empathy towards others and is the only contributing factor to your
>>>             poor reputation and is shown in the following known examples (which
>>>             you are yet to respond to) where you have abused your privileged
>>>             position as an OWASP Board Member:
>>>             1. http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>>>             2. http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
>>>             3. http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>>>             Therefore, since a low opinion of your character is expressed by the
>>>             security community the "truth" defence (for defamation) applies and
>>>             you have therefore not been defamed.
>>>             However, I would like to make you aware of at least two other
>>>             instances where you have defamed other people (there are many more
>>>             that I am aware of):
>>>             1. MARK CURPHEY
>>>             Mark had identified that your poor and negative approach to the
>>>             Microsoft .NET Group resulted in a complaint from the .NET VP
>>>             Executive to the Security VP Executive within Microsoft to withdraw
>>>             their funding to OWASP and that the Microsoft .NET Group would cease
>>>             their liaison with the (Microsoft) security team unless Mark Curphey
>>>             was removed from the (Microsoft) Security Team.
>>>             This fact is upheld based on the timeline of your harassment of the
>>>             Microsoft .NET Group and Mark's subsequent transition and demotion to
>>>             the distribution of MSDN DVD and CD packages. Mark had also stated
>>>             that introducing OWASP to Microsoft was the worst decision he has ever
>>>             made in his extensive career.
>>>             Mark also stated that you are "lost in O2 world" and that he "hates
>>>             that f.cking c.nt" i.e. referring to you, as you walked away from the
>>>             heated discussion during Hack in the Box Amsterdam 2010.
>>>             I would recommend you cease any further correspondence with Microsoft
>>>             and that you consider repaying the 200K of funding that you have lost
>>>             since your role as an OWASP Board Member is to secure funding not lose
>>>             it in acting on an ulterior motive prohibited as an OWASP Board
>>>             Member.
>>>             2. CHRISTIAN HEINRICH
>>>             The damage to my reputation is well documented within
>>>             http://lists.owasp.org/pipermail/owasp-board/2010-July/008627.html
>>>             when you elected to conduct an inquiry against me without any evidence
>>>             to support the accusations i.e
>>>             https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project
>>>             It should be noted that your friend from London, Paulo Coimbra,
>>>             claimed that you did not inflict "maximum damage to his [Christian
>>>             Heinrich]
>>>             reputation" http://lists.owasp.org/pipermail/owasp-board/2010-September/009008.html
>>>             so we have to question your claim of being defamed if Paulo doesn't
>>>             consider that to be the case?
>>>             Finally, a number of OWASP Board Members (past, current and future)
>>>             questioned your motives i.e.
>>>             http://lists.owasp.org/pipermail/owasp-board/2010-July/008598.html,
>>>             http://lists.owasp.org/pipermail/owasp-board/2010-July/008566.html,
>>>             etc since the OWASP Inquiry is largely viewed as an ulterior motive of
>>>             your vendetta against me as I refused to cancel the panel during OWASP
>>>             European Conference so you could have a second presentation O2 at the
>>>             OWASP European Conference, which you have never clarified when pressed
>>>             other OWASP Board Members i.e.
>>>             http://lists.owasp.org/pipermail/owasp-board/2010-December/009362.html.
>>>             Can you clarify your intent with the Google Hacking Inquiry Dinis?
>>>             On Mon, Dec 9, 2013 at 12:07 PM, Christian Heinrich
>>>             <christian.heinrich at cmlh.id.au> wrote:
>>>             > Jeff,
>>>             >
>>>             > This observation was based on a heated discussion between Dinis Cruz
>>>             > and Mark during Hack in the Box Amsterdam 2010 which I had cited as
>>>             > far back as 2011 within my comment on
>>>             > https://web.archive.org/web/20111204140709/http://www.curphey.com/2011/10/owasp-time-to-move-on-for-good-this-time/
>>>             > that resulted in OWASP losing significant funding from Microsoft due
>>>             > to the harassment from Dinis Cruz which is clearly in breach of his
>>>             > role as an OWASP Board member, which is to secure funding for the
>>>             > Foundation.
>>>             >
>>>             > http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>>>             > also supports my observation that I made during Hack in the Box
>>>             > Amsterdam 2010 in relation to Dinis Cruz's continued destructive
>>>             > dealing with people within the webappsec community.
>>>             >
>>>             > Furthermore, can you please amend the "Only O2 has been under active
>>>             > development since the last release of the Top 10 in 2010." paragraph
>>>             > within the OWASP Top Ten 2013 as:
>>>             > 1. You are personally aware that Dinis Cruz attacked the Orizon OWASP
>>>             > Project without provocation from Paulo as documented within
>>>             > http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>>>             > 2. Dinis' confused and destructive agenda to mark OWASP project as
>>>             > "inactive" has resulted in a number of people abandoning the OWASP due
>>>             > to the lack of good he has inflicted on the community e.g.
>>>             > https://lists.owasp.org/pipermail/owasp-board/2009-May/002234.html.
>>>             > Furthermore, there is no clarification with then OWASP Top Ten to
>>>             > indicate that Paulo would not continue to support Orizon in light of
>>>             > his focus on Ruby, of which he is very active within i.e.
>>>             > http://armoredcode.com/
>>>             >
>>>             > I find it quite troubling that you have direct experience in dealing
>>>             > with several complaints against Dinis Cruz and O2, such as
>>>             > http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
>>>             > etc and yet you are clearly guided by favouritism and bias to promote
>>>             > O2 within the OWASP Top Ten over other OWASP Project that are of
>>>             > better quality, in your opinion such as with Orizon, than O2.
>>>             >
>>>             > I would welcome Dinis make a formal complaint to the OWASP Board
>>>             > against me in light of the substantial and supporting evidence to
>>>             > exclude 02 from the OWASP Top Ten.
>>>             >
>>>             > The inclusion of Sonatype within the recent OWASP Top Ten is also
>>>             > dubious since Ryan Berg also authored
>>>             > http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
>>>             > with Dinis Cruz. Therefore please remove any reference to Mass
>>>             > Assignment from the 2013 release OWASP Top Ten?
>>>             >
>>>             > On Mon, Jun 17, 2013 at 7:13 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>             >> note: just while I was deleting Christian's email I noticed the mention on my
>>>             >> name and that crazy accusation, and the reason I'm not replying is because
>>>             >> it is pointless to have a rational conversation with Christian (which as you
>>>             >> can see by my last email on that topic, I have tried and failed).
>>>             >>
>>>             >> What is a shame is that accusations and defamations like those are accepted,
>>>             >> which might give less attentive readers the impression that they have any
>>>             >> kind of validity.
>>>             >>
>>>             >> Finally, let's get the facts right. The people I pissed off by trying to call
>>>             >> the attention to the Mass Assignment vulnerabilities was the Spring
>>>             >> Framework guys (at the time called Spring MVC AutoBinding vulnerability)
>>>             >>
>>>             >> The case where I pissed off Microsoft was when I tried to make the case that
>>>             >> Full Trust was a bad idea, that we (and they) should spend more time and
>>>             >> resources making .NET partial Trust work.
>>>             >>
>>>             >> Of course that 'pissed off' is a very strong term, and that was just their
>>>             >> excuse to ignore me. Since the reality is that they had no pressure from
>>>             >> their real customers to do something about it. And btw, I was not the only
>>>             >> one making this comment, I just happened to be the only one without an NDA
>>>             >> signed (with them) that would speak my mind in public forums :)
>>>             >>
>>>             >> Ahh, isn't it nice to be accused and abused by voicing opinions and to try
>>>             >> to make the framework vendors to pay attention to security
>>>             >> vulnerabilities/issues that exist by design, and which affect their
>>>             >> customers.
>>>             --
>>>             Regards,
>>>             Christian Heinrich
>>>             http://cmlh.id.au/contact
>>>             _______________________________________________
>>>             Owasp-topten mailing list
>>>             Owasp-topten at lists.owasp.org
>>>             <mailto:Owasp-topten at lists.owasp.org>
>>>             https://lists.owasp.org/mailman/listinfo/owasp-topten
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
