[Owasp-testing] (on respectful OWASP threads) Re: Flagship Project Status

Dinis Cruz dinis.cruz at owasp.org
Mon Jun 9 14:52:09 UTC 2014

Regarding Christian's abuses and attacks, that 'reporting' has been done
many times before, and this is not really a Whistleblower case since by
definition all that is happening is public domain; the issue is 'acceptance
(or not) of such behaviour'.


On 9 June 2014 15:08, psiinon <psiinon at gmail.com> wrote:

> If anyone has any concerns about an individual's conduct on OWASP mailing
> lists then they should report them to the OWASP Compliance officer as per
> https://www.owasp.org/index.php/Governance/Whistleblower_Policy
> This is the correct way forward, and I'm sure that the number of
> complaints against an individual will be taken into account.
> Cheers,
> Simon
> On Mon, Jun 9, 2014 at 2:35 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> Jason you are absolutely correct and this type of accusations and
>> behaviour should not be allowed/tolerated at OWASP.
>> The reality is that Christian (as you can see on this thread) is the one
>> that tends to behave like that. There have been many 'arguments' and 'owasp
>> threads' in the past, but Christian is the one that brings that level of
>> conversion to the table.
>> Christian has already been banned (at least) twice in the past from
>> OWASP, and after many requests (by many parties) the current board (which
>> should be the 'referee' that you mention) has failed to put an end to it.
>> *My biggest problem with Christian's behaviour is not the accusations
>> that he makes *(although I have to say that being one of the many in the
>> receiving end of such personal attacks, is not nice at all (especially when
>> he makes accusations about OWASP activities that took a lot of effort and
>> personal sacrifice)), *my biggest problem is the idea that such
>> behaviour is accepted/tolerated at OWASP*.
>> OWASP SHOULD NOT tolerate that type of behaviour, from anyone.
>> This doesn't mean that we should not disagree with each other, of course
>> we should, BUT it is key that the discussion is kept on a professional
>> level and there is a minimum level of respect.
>> And of course, if some OWASP leader or contributor feels that something
>> is really wrong, then yes that should be reported (with evidence
>> supporting it). But that is not what Christian does.
>> So please, can the OWASP board deal with this type of accusations! There
>> have been too many OWASP leaders and key contributors offended, which is
>> really the big loss here.
>> Dinis
>> On 7 June 2014 13:05, Jason Flood <jasoneflood at gmail.com> wrote:
>>> Hello Everyone,
>>> I've been watching this mail thread evolve in a mixture of shock and
>>> disappointment. I've been the leader of a volunteer security group in
>>> Dublin, I've been attacked, I've been publicly questioned, I've been
>>> insulted. As the leader my hands were tied, as I was supposed to raise
>>> myself above the natural human reaction I wanted to have. In times like
>>> this it was great when the community itself would *jump in* and define what
>>> it would tolerate from its members, both at a project level but also at
>>> the human level of how we engage and communicate with each other.
>>> In this group - I am not on the board. I am one of the voices, freed
>>> from the constraints of political correctness and being the "better man".
>>> I have witnessed highly insulting name calling with the *turncoat*
>>> statement, potentially professionally damaging statements about disgruntled
>>> employee behavior, organisational corruption insinuated with the nepotism
>>> theories [without reference to the skill sets of those hired] even leaning
>>> towards accusing someone of embezzlement of funds.
>>> The tone, the attitude and sentiment of these communications need to
>>> stop. The corruption "facts" need to be elevated out of this arena, and
>>> into a far more formalized process. Public slander should not be tolerated
>>> at any level, least of all between the OWASP community itself. Jokes and
>>> Jibes are part and parcel of any group. I do not see the humor in this
>>> thread. Just ego.
>>> We are a very small community - I've met Simon, twice. I saw Dinis once
>>> at an OWASP gig in Dublin maybe 4 years ago. I looked at O2 as a potential
>>> project to bring into my day job to help with automation, but at the time I
>>> found it a bit prototypy for a rollout. I have not looked at it since. It
>>> could be great now, It could be worse.
>>> I am stating this so you can understand I am not friends, or married to
>>> cousins of key stakeholders or go for walks with OWASP board members' dogs.
>>> My opinions are my own. My LinkedIn profile is at least 4 years out of
>>> date, I don't do Facebook - so apologies to the background checkers. The
>>> hostile nature of this communication thread needs to end. I'll go even one
>>> step further - and explain myself in World cup terms.
>>> In my opinion - someone has just been tackled in the box and the striker
>>> has gone down. The referee has to make the decision. Was there a foul
>>> committed or did the striker take a dive? One thing is certain, at this
>>> point it's not O.K to wave play on.
>>> Compile your evidence of corruption. Send it discreetly to the board.
>>> Let the powers that be evaluate it.  If the allegations are determined to
>>> be unjustified - it's either a red card offence or a yellow, the referee can
>>> decide. Or there is a penalty due that will change the course of the game.
>>> Arguably if this matter had been handled more discreetly I do not
>>> think a yellow/red card would be justified irrespective of the result. At
>>> this point I am not so sure. People should question and protest, it's how
>>> they question - the medium they choose, and their approach that is subject
>>> to review.
>>> I also do not believe any project status should be above review. I think
>>> downgrading everything - and then upgrading was potentially the fairest and
>>> cleanest approach. Surely that technique is symbolic that the OWASP board
>>> are not playing favorites.
>>> I will not get involved in any further communication on this thread. I
>>> will not reply to any response to this note. This is a toxic hostile thread
>>> that needs to stop in its current format. Compile the evidence, put it
>>> forward and OWASP should clean house to suit the desired result of the
>>> inquiry.
>>> Jason
>>> On Sat, Jun 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:
>>>>> I don't have an issue with Simon but the fact is Michael Coates, him
>>>>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>>>>> in the past.  In Simon's defence he probably didn't know about
>>>>> WebScarab because OWASP didn't help with the promotion of known
>>>>> projects since hired Dinis Cruz hired personal friends to promote his
>>>>> own projects.
>>>> On the contrary, I was very aware of WebScarab and its importance to
>>>> OWASP at the time - I half expected my application for ZAP to become an
>>>> OWASP project to be rejected due to the clear overlap with WebScarab.
>>>> I wanted to create a powerful but easy to use security tool for
>>>> developers, and I seriously considered using WebScarab as the basis for
>>>> that tool.
>>>> However while WebScarab had much more of the functionality that I
>>>> wanted than Paros did, I found WebScarab very complicated and unintuitive.
>>>> I decided that I would rather add functionality to Paros than try to
>>>> make WebScarab easier to use, and I've not regretted that decision :)
>>>> I do agree that OWASP has not been very effective at promoting any of
>>>> its projects, including ZAP.
>>>> However I'm not going to point fingers at any individuals.
>>>> OWASP is primarily a volunteer organization, and it's up to all of us to
>>>> address issues that we are concerned with.
>>>> While I think OWASP could do a better job of promoting all of its
>>>> projects I don't have any big ideas how that could be achieved - marketing
>>>> is not my area of expertise ;)
>>>> I don't like criticizing unless I can offer constructive alternatives.
>>>> Cheers,
>>>> Simon
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>> _______________________________________________
>>>> Owasp-testing mailing list
>>>> Owasp-testing at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>> --
>>> Beware the anger of a patient man.
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader