[Owasp-testing] [Owasp-leaders] (on respectufull OWASP threads) Re: Flagship Project Status

Yvan Boily yvanboily at gmail.com
Mon Jun 9 14:59:58 UTC 2014


On Mon, Jun 9, 2014 at 7:59 AM, Yvan Boily <yvanboily at gmail.com> wrote:

> Everything I am compiling is from the perspective of the Code of Conduct.
> I am doing this in my spare time, which is not a large amount of time, but
> I will be sending something in the next few days.
> On Mon, Jun 9, 2014 at 7:52 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> Regarding Christian's abuses and attacks, that 'reporting' has been done
>> many times before, and this is not really a Whistleblower case since by
>> definition all that is happening is public domain, the issue is 'acceptance
>> (or not) of such behaviour'
>> Dinis
>> On 9 June 2014 15:08, psiinon <psiinon at gmail.com> wrote:
>>> If anyone has any concerns about an individual's conduct on OWASP
>>> mailing lists then they should report them to the OWASP Compliance officer
>>> as per https://www.owasp.org/index.php/Governance/Whistleblower_Policy
>>> This is the correct way forward, and I'm sure that the number of
>>> complaints against an individual will be taken into account.
>>> Cheers,
>>> Simon
>>> On Mon, Jun 9, 2014 at 2:35 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>> Jason you are absolutely correct and this type of accusations and
>>>> behaviour should not be allowed/tolerated at OWASP.
>>>> The reality is that Christian (as you can see on this thread) is the
>>>> one that tends to behave like that. There have been many 'arguments' and
>>>> 'owasp threads' in the past, but Christian is the one that brings that
>>>> level of conversation to the table.
>>>> Christian has already been banned (at least) twice in the past from
>>>> OWASP, and after many requests (by many parties) the current board (which
>>>> should be the 'referee' that you mention) has failed to put an end to it.
>>>> *My biggest problem with Christian's behaviour is not the accusations
>>>> that he makes *(although I have to say that being one of the many in
>>>> the receiving end of such personal attacks, is not nice at all (especially
>>>> when he makes accusations about OWASP activities that took a lot of effort
>>>> and personal sacrifice)), *my biggest problem is the idea that such
>>>> behaviour is accepted/tolerated at OWASP*.
>>>> OWASP SHOULD NOT tolerate that type of behaviour, from anyone.
>>>> This doesn't mean that we should not disagree with each other, of
>>>> course we should, BUT it is key that the discussion is kept on a
>>>> professional level and there is a minimum level of respect.
>>>> And of course, if some OWASP leader or contributor feels that something
>>>> is really wrong, then yes that should be reported (with evidence
>>>> supporting it). But that is not what Christian does.
>>>> So please, can the OWASP board deal with this type of accusations!
>>>> There have been too many OWASP leaders and key contributors offended, which
>>>> is really the big loss here.
>>>> Dinis
>>>> On 7 June 2014 13:05, Jason Flood <jasoneflood at gmail.com> wrote:
>>>>> Hello Everyone,
>>>>> I've been watching this mail thread evolve in a mixture of shock and
>>>>> disappointment. I have been the leader of a volunteer security group in
>>>>> Dublin, I've been attacked, I've been publicly questioned, I've been
>>>>> insulted. As the leader my hands were tied, as I was supposed to raise
>>>>> myself above the natural human reaction I wanted to have. In times like
>>>>> this it was great when the community itself would *jump in* and define what
>>>>> it would tolerate from its members, both at a project level but also at
>>>>> the human level of how we engage and communicate with each other.
>>>>> In this group - I am not on the board. I am one of the voices, freed
>>>>> from the constraints of political correctness and being the "better man".
>>>>> I have witnessed highly insulting name calling with the *turncoat*
>>>>> statement, potentially professionally damaging statements about disgruntled
>>>>> employee behavior, organisational corruption insinuated with the nepotism
>>>>> theories [without reference to the skill sets of those hired] even leaning
>>>>> towards accusing someone of embezzlement of funds.
>>>>> The tone, the attitude and sentiment of these communications need to
>>>>> stop. The corruption "facts" need to be elevated out of this arena, and
>>>>> into a far more formalized process. Public slander should not be tolerated
>>>>> at any level, least of all between the OWASP community itself. Jokes and
>>>>> Jibes are part and parcel of any group. I do not see the humor in this
>>>>> thread. Just ego.
>>>>> We are a very small community - I've met Simon, twice. I saw Dinis
>>>>> once at an OWASP gig in Dublin maybe 4 years ago. I looked at O2 as a
>>>>> potential project to bring into my day job to help with automation, but at
>>>>> the time I found it a bit prototypy for a rollout. I have not looked at it
>>>>> since. It could be great now, it could be worse.
>>>>> I am stating this so you can understand I am not friends, or married
>>>>> to cousins of key stakeholders or go for walks with OWASP board members'
>>>>> dogs. My opinions are my own. My LinkedIn profile is at least 4 years out
>>>>> of date, I don't do Facebook - so apologies to the background checkers.
>>>>> The hostile nature of this communication thread needs to end. I'll go even
>>>>> one step further - and explain myself in World cup terms.
>>>>> In my opinion - someone has just been tackled in the box and the
>>>>> striker has gone down. The referee has to make the decision. Was there a
>>>>> foul committed or did the striker take a dive? One thing is certain, at
>>>>> this point it's not O.K to wave play on.
>>>>> Compile your evidence of corruption. Send it discreetly to the board.
>>>>> Let the powers that be evaluate it.  If the allegations are determined to
>>>>> be unjustified - it's either a red card offence or a yellow, the referee can
>>>>> decide. Or there is a penalty due that will change the course of the game.
>>>>> Arguably if this matter had been handled more discreetly I do not
>>>>> think a yellow/red card would be justified irrespective of the result. At
>>>>> this point I am not so sure. People should question and protest, it's how
>>>>> they question - the medium they choose, and their approach that is subject
>>>>> to review.
>>>>> I also do not believe any project status should be above review. I
>>>>> think downgrading everything - and then upgrading was potentially the
>>>>> fairest and cleanest approach. Surely that technique is symbolic that the
>>>>> OWASP board are not playing favorites.
>>>>> I will not get involved in any further communication on this thread. I
>>>>> will not reply to any response to this note. This is a toxic hostile thread
>>>>> that needs to stop in its current format. Compile the evidence, put it
>>>>> forward and OWASP should clean house to suit the desired result of the
>>>>> inquiry.
>>>>> Jason
>>>>> On Sat, Jun 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>> I don't have an issue with Simon but the fact is Michael Coates, him
>>>>>>> and you have all worked for Mozilla and yet OWASP invested in
>>>>>>> WebScarab in the past.  In Simon's defence he probably didn't know
>>>>>>> about WebScarab because OWASP didn't help with the promotion of known
>>>>>>> projects since hired Dinis Cruz hired personal friends to promote his
>>>>>>> own projects.
>>>>>> On the contrary, I was very aware of WebScarab and its importance to
>>>>>> OWASP at the time - I half expected my application for ZAP to become an
>>>>>> OWASP project to be rejected due to the clear overlap with WebScarab.
>>>>>> I wanted to create a powerful but easy to use security tool for
>>>>>> developers, and I seriously considered using WebScarab as the basis for
>>>>>> that tool.
>>>>>> However while WebScarab had much more of the functionality that I
>>>>>> wanted than Paros did, I found WebScarab very complicated and unintuitive.
>>>>>> I decided that I would rather add functionality to Paros than try to
>>>>>> make WebScarab easier to use, and I've not regretted that decision :)
>>>>>> I do agree that OWASP has not been very effective at promoting any of
>>>>>> its projects, including ZAP.
>>>>>> However I'm not going to point fingers at any individuals.
>>>>>> OWASP is primarily a volunteer organization, and it's up to all of us
>>>>>> to address issues that we are concerned with.
>>>>>> While I think OWASP could do a better job of promoting all of its
>>>>>> projects I don't have any big ideas how that could be achieved - marketing
>>>>>> is not my area of expertise ;)
>>>>>> I don't like criticizing unless I can offer constructive alternatives.
>>>>>> Cheers,
>>>>>> Simon
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>> _______________________________________________
>>>>>> Owasp-testing mailing list
>>>>>> Owasp-testing at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>>> --
>>>>> Coimhéad fearg fhear na foighde.
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders