[Owasp-leaders] (on respectful OWASP threads) Re: [Owasp-testing] Flagship Project Status
dinis.cruz at owasp.org
Mon Jun 9 13:35:21 UTC 2014
Jason, you are absolutely correct and this type of accusation and behaviour
should not be allowed/tolerated at OWASP.
The reality is that Christian (as you can see on this thread) is the one
that tends to behave like that. There have been many 'arguments' and 'owasp
threads' in the past, but Christian is the one that brings that level of
conversation to the table.
Christian has already been banned (at least) twice in the past from OWASP,
and after many requests (by many parties) the current board (which should
be the 'referee' that you mention) has failed to put an end to it.
*My biggest problem with Christian's behaviour is not the accusations that
he makes* (although I have to say that being one of the many on the
receiving end of such personal attacks is not nice at all (especially when
he makes accusations about OWASP activities that took a lot of effort and
personal sacrifice)), *my biggest problem is the idea that such behaviour
is accepted/tolerated at OWASP*.
OWASP SHOULD NOT tolerate that type of behaviour, from anyone.
This doesn't mean that we should not disagree with each other, of course we
should, BUT it is key that the discussion is kept on a professional level
and there is a minimum level of respect.
And of course, if some OWASP leader or contributor feels that something is
really wrong, then yes that should be reported (with evidence supporting
it). But that is not what Christian does.
So please, can the OWASP board deal with this type of accusation! There
have been too many OWASP leaders and key contributors offended, which is
really the big loss here.
On 7 June 2014 13:05, Jason Flood <jasoneflood at gmail.com> wrote:
> Hello Everyone,
> I've been watching this mail thread evolve in a mixture of shock and
> disappointment. I have been the leader of a volunteer security group in
> Dublin, I've been attacked, I've been publicly questioned, I've been
> insulted. As the leader my hands were tied, as I was supposed to raise
> myself above the natural human reaction I wanted to have. In times like
> this it was great when the community itself would *jump in* and define what
> it would tolerate from its members, both at a project level but also at
> the human level of how we engage and communicate with each other.
> In this group - I am not on the board. I am one of the voices, freed from
> the constraints of political correctness and being the "better man".
> I have witnessed highly insulting name calling with the *turncoat*
> statement, potentially professionally damaging statements about disgruntled
> employee behavior, organisational corruption insinuated with the nepotism
> theories [without reference to the skill sets of those hired] even leaning
> towards accusing someone of embezzlement of funds.
> The tone, the attitude and sentiment of these communications need to stop.
> The corruption "facts" need to be elevated out of this arena, and into a
> far more formalized process. Public slander should not be tolerated at any
> level, least of all between the OWASP community itself. Jokes and Jibes are
> part and parcel of any group. I do not see the humor in this thread. Just
> We are a very small community - I've met Simon, twice. I saw Dinis once at
> an OWASP gig in Dublin maybe 4 years ago. I looked at O2 as a potential
> project to bring into my day job to help with automation, but at the time I
> found it a bit prototypy for a rollout. I have not looked at it since. It
> could be great now, It could be worse.
> I am stating this so you can understand I am not friends, or married to
> cousins of key stakeholders or go for walks with OWASP board members' dogs.
> My opinions are my own. My LinkedIn profile is at least 4 years out of
> date, I don't do Facebook - so apologies to the background checkers. The
> hostile nature of this communication thread needs to end. I'll go even one
> step further - and explain myself in World cup terms.
> In my opinion - someone has just been tackled in the box and the striker
> has gone down. The referee has to make the decision. Was there a foul
> committed or did the striker take a dive? One thing is certain, at this
> point it's not O.K to wave play on.
> Compile your evidence of corruption. Send it discreetly to the board. Let
> the powers that be evaluate it. If the allegations are determined to be
> unjustified - it's either a red card offence or a yellow, the referee can
> decide. Or there is a penalty due that will change the course of the game.
> Arguably if this matter had been handled more discreetly I do not think
> a yellow/red card would be justified irrespective of the result. At this
> point I am not so sure. People should question and protest, it's how they
> question - the medium they choose, and their approach that is subject to
> I also do not believe any project status should be above review. I think
> downgrading everything - and then upgrading was potentially the fairest and
> cleanest approach. Surely that technique is symbolic that the OWASP board
> are not playing favorites.
> I will not get involved in any further communication on this thread. I
> will not reply to any response to this note. This is a toxic hostile thread
> that needs to stop in its current format. Compile the evidence, put it
> forward and OWASP should clean house to suit the desired result of the
> On Sat, Jun 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:
>>> I don't have an issue with Simon but the fact is Michael Coates, him
>>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>>> in the past. In Simon's defence he probably didn't know about
>>> WebScarab because OWASP didn't help with the promotion of known
>>> projects since hired Dinis Cruz hired personal friends to promote his
>>> own projects.
>> On the contrary, I was very aware of WebScarab and its importance to
>> OWASP at the time - I half expected my application for ZAP to become an
>> OWASP project to be rejected due to the clear overlap with WebScarab.
>> I wanted to create a powerful but easy to use security tool for
>> developers, and I seriously considered using WebScarab as the basis for
>> that tool.
>> However while WebScarab had much more of the functionality that I wanted
>> than Paros did, I found WebScarab very complicated and unintuitive.
>> I decided that I would rather add functionality to Paros than try to make
>> WebScarab easier to use, and I've not regretted that decision :)
>> I do agree that OWASP has not been very effective at promoting any of its
>> projects, including ZAP.
>> However I'm not going to point fingers at any individuals.
>> OWASP is primarily a volunteer organization, and it's up to all of us to
>> address issues that we are concerned with.
>> While I think OWASP could do a better job of promoting all of its
>> projects I don't have any big ideas how that could be achieved - marketing
>> is not my area of expertise ;)
>> I don't like criticizing unless I can offer constructive alternatives.
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
> Beware the anger of a patient man.