[Owasp-board] Fwd: [Owasp-topten] Dinis Cruz - Defamation
Tobias
tobias.gondrom at owasp.org
Sat Dec 21 09:51:41 UTC 2013
Michael,
I agree. The emails with subjects:
- Re: [Owasp-topten] Dinis Cruz - Defamation
- Re: [Owasp-topten] Lack of Respect Shown by Dinis Cruz
are off-topic to the "Top-Ten" project and need to be moved to another
list.
The governance list could be a place to do this. We might even consider
creating a mailing-list "disputes" or "complaints" for this purpose (if
the purpose of the governance list does not fit).
I would suggest to explicitly ask Christian to move his discussion to
the appropriate list ("governance" or a new "disputes"/"complaints"
list) and if he does not comply, moderate his emails in topten and
eventually discard off-topic emails to the Top-Ten list.
Please note: I am making no judgement on the validity of the claims and
allegations, only on the procedure.
Best regards, Tobias
On 21/12/13 03:03, Michael Coates wrote:
> Making you aware of this. It is not appropriate for these lists to run
> out of control with material that is fully off topic. If a topic needs
> to be discussed then the governance list is the place.
>
> This moderation for Christian was made after repeated requests from
> multiple people over multiple days to move these conversations
> elsewhere. I've also referred him to the governance policy on how to
> handle conflicts. He has not changed behavior and as a result this
> moderation is needed.
>
> To be clear, the conversation can still continue. It just needs to
> continue in the appropriate place - the governance list.
>
>
> I'm happy to discuss this approach further with the board as needed;
> however, we are not in a position to let this continue without action
> until the next board meeting.
>
>
> --
> Michael Coates
> Chair, Global Board
> OWASP
>
>
>
>
> ---------- Forwarded message ----------
> From: *Michael Coates* <michael.coates at owasp.org>
> Date: Fri, Dec 20, 2013 at 6:59 PM
> Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
> To: OWASP TopTen <owasp-topten at lists.owasp.org>
>
>
> In the interest of keeping list to relevant topics for all members,
> I've made the request to moderate further emails about this topic. The
> conversation can continue, but it should continue on the governance list.
>
> Please see https://www.owasp.org/index.php/Governance/ConflictHandling
> for any questions.
>
>
>
> --
> Michael Coates
> Chair, Global Board
> OWASP
> @_mwc
>
>
>
> On Fri, Dec 20, 2013 at 6:51 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:
>
> Christian and others,
> Do you think it's a good idea to move this conversation to the
> OWASP government list? I personally believe that it's not fair to
> ask him to let it be, only because it's counterproductive for the
> community, but am also against this discussion happening in the
> public TopTen list.
> Thanks
> -Abbas
> On Dec 20, 2013, at 8:57 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>
>> If there are issues to work out, fine, but please move this to
>> another list.
>>
>> Keep these project lists in point.
>>
>> *Ryan Barnett*
>> OWASP ModSecurity CRS Project Leader
>>
>> On Dec 20, 2013, at 8:19 PM, Michael Coates
>> <michael.coates at owasp.org> wrote:
>>
>>> I'd like to echo Dennis's statement. This needs to stop.
>>>
>>> Thanks.
>>>
>>> On Dec 20, 2013 5:17 PM, "Christian Heinrich"
>>> <christian.heinrich at live.com> wrote:
>>>
>>> Dennis,
>>>
>>> I stop the moment I receive a personal and public apology
>>> from Dinis Cruz with the admission that he deliberately
>>> created a situation to personally attack me?
>>>
>>> I don't see why I should just have to move on when this
>>> could have easily been avoided?
>>>
>>> Even when I did forgive OWASP continued to show me
>>> disrespect, such as not adding my name to the OWASP PCI
>>> Project
>>> i.e. http://lists.owasp.org/pipermail/owasp-pci-project/2011-November/000226.html.
>>> This was a deliberate and low act by OWASP.
>>>
>>> I would suggest you speak to your friend Dennis and seek a
>>> resolution that is mutually beneficial to all involved and
>>> not just to one party?
>>>
>>> ------------------------------------------------------------------------
>>> Date: Fri, 20 Dec 2013 17:55:23 -0700
>>> Subject: Re: [Owasp-topten] Dinis Cruz - Defamation
>>> From: dennis.groves at owasp.org
>>> To: christian.heinrich at live.com
>>> CC: owasp-topten at lists.owasp.org
>>>
>>> Christian,
>>>
>>> With all due respect, you need to stop. While disagreement
>>> can be healthy, this has gone too far.
>>>
>>> Personal attacks do not help you nor the community. It is
>>> precisely these kinds of personal attacks that led to your
>>> reprimand in the past.
>>>
>>> We all have stories, and I personally know where many of the
>>> bodies are. Nothing is gained in digging them up. It is time
>>> to move forward and do great things.
>>>
>>> Christian, I am asking you to find a positive way to contribute.
>>>
>>> Dennis
>>>
>>> Sent from my mobile device, apologies for the brevity and
>>> spelling errors.
>>>
>>> On Dec 20, 2013 5:38 PM, "Christian Heinrich"
>>> <christian.heinrich at live.com> wrote:
>>>
>>> Dinis,
>>>
>>> To address your false accusation of defamation dated Monday, Jun 17,
>>> 2013 at 7:13 PM
>>>
>>> The negative perception and sentiment towards you is well known in the web
>>> application security community and wider security community based on
>>> your poor treatment of other members in the community and lack of
>>> empathy towards others and is the only contributing factor to your
>>> poor reputation and is shown in the following known examples (which
>>> you are yet to respond to) where you have abused your privileged
>>> position as an OWASP Board Member:
>>> 1. http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>>> 2. http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html
>>> 3. http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>>>
>>> Therefore, since a low opinion of your character is expressed by the
>>> security community the "truth" defence (for defamation) applies and
>>> you have therefore not been defamed.
>>>
>>> However, I would like to make you aware of at least two other
>>> instances where you have defamed other people (there are many more
>>> that I am aware of):
>>>
>>> 1. MARK CURPHEY
>>>
>>> Mark had identified that your poor and negative approach to the
>>> Microsoft .NET Group resulted in a complaint from the .NET VP
>>> Executive to the Security VP Executive within Microsoft to withdraw
>>> their funding to OWASP and that the Microsoft .NET Group would cease
>>> their liaison with the (Microsoft) security team unless Mark Curphey
>>> was removed from the (Microsoft) Security Team.
>>>
>>> This fact is upheld based on the timeline of your harassment of the
>>> Microsoft .NET Group and Mark's subsequent transition and demotion to
>>> the distribution of MSDN DVD and CD packages. Mark had also stated
>>> that introducing OWASP to Microsoft was the worst decision he has ever
>>> made in his extensive career.
>>>
>>> Mark also stated that you are "lost in O2 world" and that he "hates
>>> that f.cking c.nt" i.e. referring to you, as you walked away from the
>>> heated discussion during Hack in the Box Amsterdam 2010.
>>>
>>> I would recommend you cease any further correspondence with Microsoft
>>> and you consider repaying the 200K of funding that you have lost
>>> since your role as an OWASP Board Member is to secure funding not lose
>>> it in acting on an ulterior motive prohibited as an OWASP Board
>>> Member.
>>>
>>> 2. CHRISTIAN HEINRICH
>>>
>>> The damage to my reputation is well documented within
>>> http://lists.owasp.org/pipermail/owasp-board/2010-July/008627.html
>>> when you elected to conduct an inquiry against me without any evidence
>>> to support the accusations i.e
>>> https://www.owasp.org/index.php/OWASP_Inquiries/Google_Hacking_Project
>>>
>>> It should be noted that your friend from London, Paulo Coimbra,
>>> claimed that you did not inflict "maximum damage to his [Christian
>>> Heinrich]
>>> reputation" http://lists.owasp.org/pipermail/owasp-board/2010-September/009008.html
>>> so we have to question your claim of being defamed if Paulo doesn't
>>> consider that to be the case?
>>>
>>> Finally, a number of OWASP Board Members (past, current and future)
>>> questioned your motives i.e.
>>> http://lists.owasp.org/pipermail/owasp-board/2010-July/008598.html,
>>> http://lists.owasp.org/pipermail/owasp-board/2010-July/008566.html,
>>> etc since the OWASP Inquiry is largely viewed as an ulterior motive of
>>> your vendetta against me as I refused to cancel the panel during OWASP
>>> European Conference so you could have a second presentation O2 at the
>>> OWASP European Conference, which you have never clarified when pressed
>>> by other OWASP Board Members i.e.
>>> http://lists.owasp.org/pipermail/owasp-board/2010-December/009362.html.
>>>
>>> Can you clarify your intent with the Google Hacking Inquiry Dinis?
>>>
>>> On Mon, Dec 9, 2013 at 12:07 PM, Christian Heinrich
>>> <christian.heinrich at cmlh.id.au> wrote:
>>> > Jeff,
>>> >
>>> > This observation was based on a heated discussion between Dinis Cruz
>>> > and Mark during Hack in the Box Amsterdam 2010 which I had cited as
>>> > far back as 2011 within my comment on
>>> > https://web.archive.org/web/20111204140709/http://www.curphey.com/2011/10/owasp-time-to-move-on-for-good-this-time/
>>> > that resulted in OWASP losing significant funding from Microsoft due
>>> > to the harassment from Dinis Cruz which is clearly in breach of his
>>> > role as an OWASP Board member, which is to secure funding for the
>>> > Foundation.
>>> >
>>> > http://www.veracode.com/blog/2011/10/stay-cool-nobody-is-calling-your-baby-ugly/
>>> > also supports my observation that I made during Hack in the Box
>>> > Amsterdam 2010 in relation to Dinis Cruz's continued destructive
>>> > dealing with people within the webappsec community.
>>> >
>>> > Furthermore, can you please amend the "Only O2 has been under active
>>> > development since the last release of the Top 10 in 2010." paragraph
>>> > within the OWASP Top Ten 2013 as:
>>> > 1. You are personally aware that Dinis Cruz attacked the Orizon OWASP
>>> > Project without provocation from Paulo as documented within
>>> > http://lists.owasp.org/pipermail/owasp-board/2009-October/007747.html
>>> > 2. Dinis' confused and destructive agenda to mark OWASP project as
>>> > "inactive" has resulted in a number of people abandoning the OWASP due
>>> > to the lack of good he has inflicted on the community e.g.
>>> > https://lists.owasp.org/pipermail/owasp-board/2009-May/002234.html.
>>> > Furthermore, there is no clarification with then OWASP Top Ten to
>>> > indicate that Paulo would not continue to support Orizon in light of
>>> > his focus on Ruby, of which he is very active within i.e.
>>> > http://armoredcode.com/
>>> >
>>> > I find it quite troubling that you have direct experience in dealing
>>> > with several complaints against Dinis Cruz and O2, such as
>>> > http://lists.owasp.org/pipermail/owasp-board/2011-January/009563.html,
>>> > etc and yet you are clearly guided by favouritism and bias to promote
>>> > O2 within the OWASP Top Ten over other OWASP Project that are of
>>> > better quality, in your opinion such as with Orizon, than O2.
>>> >
>>> > I would welcome Dinis make a formal complaint to the OWASP Board
>>> > against me in light of the substantial and supporting evidence to
>>> > exclude O2 from the OWASP Top Ten.
>>> >
>>> > The inclusion of Sonatype within the recent OWASP Top Ten is also
>>> > dubious since Ryan Berg also authored
>>> > http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
>>> > with Dinis Cruz. Therefore please remove any reference to Mass
>>> > Assignment from the 2013 release OWASP Top Ten?
>>> >
>>> > On Mon, Jun 17, 2013 at 7:13 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>> >> note: just while I was deleting Christian's email I noticed the mention on my
>>> >> name and that crazy accusation, and the reason I'm not replying is because
>>> >> it is pointless to have a rational conversation with Christian (which as you
>>> >> can see by my last email on that topic, I have tried and failed).
>>> >>
>>> >> What is a shame is that accusations and defamations like those are accepted,
>>> >> which might give less attentive readers the impression that they have any
>>> >> kind of validity.
>>> >>
>>> >> Finally, let's get the facts right. The people I pissed off by trying to call
>>> >> the attention to the Mass Assignment vulnerabilities was the Spring
>>> >> Framework guys (at the time called Spring MVC AutoBinding vulnerability)
>>> >>
>>> >> The case where I pissed off Microsoft was when I tried to make the case that
>>> >> Full Trust was a bad idea, that we (and they) should spend more time and
>>> >> resources making .NET partial Trust work.
>>> >>
>>> >> Of course that 'pissed off' is a very strong term, and that was just their
>>> >> excuse to ignore me. Since the reality is that they had no pressure from
>>> >> their real customers to do something about it. And btw, I was not the only
>>> >> one making this comment, I just happened to be the only one without an NDA
>>> >> signed (with them) that would speak my mind in public forums :)
>>> >>
>>> >> Ahh, isn't it nice to be accused and abused by voicing opinions and to try
>>> >> to make the framework vendors to pay attention to security
>>> >> vulnerabilities/issues that exist by design, and which affect their
>>> >> customers.
>>>
>>>
>>> --
>>> Regards,
>>> Christian Heinrich
>>>
>>> http://cmlh.id.au/contact
>>>
>>>
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>
>>>
>
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board