[Owasp-testing] (on respectful OWASP threads) Re: Flagship Project Status

psiinon psiinon at gmail.com
Mon Jun 9 14:08:35 UTC 2014


If anyone has any concerns about an individual's conduct on OWASP mailing
lists then they should report them to the OWASP Compliance officer as per
https://www.owasp.org/index.php/Governance/Whistleblower_Policy
This is the correct way forward, and I'm sure that the number of complaints
against an individual will be taken into account.

Cheers,

Simon


On Mon, Jun 9, 2014 at 2:35 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Jason you are absolutely correct and this type of accusation and
> behaviour should not be allowed/tolerated at OWASP.
>
> The reality is that Christian (as you can see on this thread) is the one
> that tends to behave like that. There have been many 'arguments' and 'owasp
> threads' in the past, but Christian is the one that brings that level of
> conversation to the table.
>
> Christian has already been banned (at least) twice in the past from OWASP,
> and after many requests (by many parties) the current board (which should
> be the 'referee' that you mention) has failed to put an end to it.
>
> *My biggest problem with Christian's behaviour is not the accusations that
> he makes *(although I have to say that being one of the many on the
> receiving end of such personal attacks, is not nice at all (especially when
> he makes accusations about OWASP activities that took a lot of effort and
> personal sacrifice)), *my biggest problem is the idea that such behaviour
> is accepted/tolerated at OWASP*.
>
> OWASP SHOULD NOT tolerate that type of behaviour, from anyone.
>
> This doesn't mean that we should not disagree with each other, of course
> we should, BUT it is key that the discussion is kept on a professional
> level and there is a minimum level of respect.
>
> And of course, if some OWASP leader or contributor feels that something is
> really wrong, then yes that should be reported (with evidence supporting
> it). But that is not what Christian does.
>
> So please, can the OWASP board deal with this type of accusation! There
> have been too many OWASP leaders and key contributors offended, which is
> really the big loss here.
>
> Dinis
>
>
> On 7 June 2014 13:05, Jason Flood <jasoneflood at gmail.com> wrote:
>
>> Hello Everyone,
>>
>> I've been watching this mail thread evolve in a mixture of shock and
>> disappointment. I've been the leader of a volunteer security group in
>> Dublin, I've been attacked, I've been publicly questioned, I've been
>> insulted. As the leader my hands were tied, as I was supposed to raise
>> myself above the natural human reaction I wanted to have. In times like
>> this it was great when the community itself would *jump in* and define what
>> it would tolerate from its members, both at a project level but also at
>> the human level of how we engage and communicate with each other.
>>
>> In this group - I am not on the board. I am one of the voices, freed from
>> the constraints of political correctness and being the "better man".
>>
>> I have witnessed highly insulting name calling with the *turncoat*
>> statement, potentially professionally damaging statements about disgruntled
>> employee behavior, organisational corruption insinuated with the nepotism
>> theories [without reference to the skill sets of those hired] even leaning
>> towards accusing someone of embezzlement of funds.
>>
>> The tone, the attitude and sentiment of these communications need to
>> stop. The corruption "facts" need to be elevated out of this arena, and
>> into a far more formalized process. Public slander should not be tolerated
>> at any level, least of all between the OWASP community itself. Jokes and
>> Jibes are part and parcel of any group. I do not see the humor in this
>> thread. Just ego.
>>
>> We are a very small community - I've met Simon, twice. I saw Dinis once
>> at an OWASP gig in Dublin maybe 4 years ago. I looked at O2 as a potential
>> project to bring into my day job to help with automation, but at the time I
>> found it a bit prototypy for a rollout. I have not looked at it since. It
>> could be great now, It could be worse.
>>
>> I am stating this so you can understand I am not friends, or married to
>> cousins of key stake holders or go for walks with OWASP board members' dogs.
>> My opinions are my own. My linked in profile is at least 4 years out of
>> date, I don't do face book - so apologies to the background checkers. The
>> hostile nature of this communication thread needs to end. I'll go even one
>> step further - and explain myself in World cup terms.
>>
>> In my opinion - someone has just been tackled in the box and the striker
>> has gone down. The referee has to make the decision. Was there a foul
>> committed or did the striker take a dive? One thing is certain, at this
>> point it's not O.K to wave play on.
>>
>> Compile your evidence of corruption. Send it discreetly to the board. Let
>> the powers that be evaluate it.  If the allegations are determined to be
>> unjustified - it's either a red card offence or a yellow, the referee can
>> decide. Or there is a penalty due that will change the course of the game.
>>
>> Arguably if this matter had been handled more discreetly I do not
>> think a yellow/red card would be justified irrespective of the result. At
>> this point I am not so sure. People should question and protest, it's how
>> they question - the medium they choose, and their approach that is subject
>> to review.
>>
>> I also do not believe any project status should be above review. I think
>> downgrading everything - and then upgrading was potentially the fairest and
>> cleanest approach. Surely that technique is symbolic that the OWASP board
>> are not playing favorites.
>> I will not get involved in any further communication on this thread. I
>> will not reply to any response to this note. This is a toxic hostile thread
>> that needs to stop in its current format. Compile the evidence, put it
>> forward and OWASP should clean house to suit the desired result of the
>> inquiry.
>>
>> Jason
>>
>>
>>
>>
>> On Sat, Jun 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>>
>>>> I don't have an issue with Simon but the fact is Michael Coates, him
>>>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>>>> in the past.  In Simon's defence he probably didn't know about
>>>> WebScarab because OWASP didn't help with the promotion of known
>>>> projects since hired Dinis Cruz hired personal friends to promote his
>>>> own projects.
>>>>
>>>>
>>> On the contrary, I was very aware of WebScarab and its importance to
>>> OWASP at the time - I half expected my application for ZAP to become an
>>> OWASP project to be rejected due to the clear overlap with WebScarab.
>>> I wanted to create a powerful but easy to use security tool for
>>> developers, and I seriously considered using WebScarab as the basis for
>>> that tool.
>>> However while WebScarab had much more of the functionality that I wanted
>>> than Paros did, I found WebScarab very complicated and unintuitive.
>>> I decided that I would rather add functionality to Paros than try to
>>> make WebScarab easier to use, and I've not regretted that decision :)
>>>
>>> I do agree that OWASP has not been very effective at promoting any of
>>> its projects, including ZAP.
>>> However I'm not going to point fingers at any individuals.
>>> OWASP is primarily a volunteer organization, and it's up to all of us to
>>> address issues that we are concerned with.
>>> While I think OWASP could do a better job of promoting all of its
>>> projects I don't have any big ideas how that could be achieved - marketing
>>> is not my area of expertise ;)
>>> I don't like criticizing unless I can offer constructive alternatives.
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>>
>>
>>
>> --
>> Coimhéad fearg fhear na foighde.
>>
>>
>>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader