[Owasp-testing] [Owasp-leaders] (on respectful OWASP threads) Re: Flagship Project Status

Yvan Boily yvanboily at gmail.com
Mon Jun 9 14:59:43 UTC 2014


Everything I am compiling is from the perspective of the Code of Conduct.
I am doing this in my spare time, which is not a large amount of time, but
I will be sending something in the next few days.


On Mon, Jun 9, 2014 at 7:52 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Regarding Christian's abuses and attacks, that 'reporting' has been done
> many times before, and this is not really a Whistleblower case since by
> definition all that is happening is public domain, the issue is 'acceptance
> (or not) of such behaviour'
>
> Dinis
>
>
> On 9 June 2014 15:08, psiinon <psiinon at gmail.com> wrote:
>
>> If anyone has any concerns about an individual's conduct on OWASP mailing
>> lists then they should report them to the OWASP Compliance officer as per
>> https://www.owasp.org/index.php/Governance/Whistleblower_Policy
>> This is the correct way forward, and I'm sure that the number of
>> complaints against an individual will be taken into account.
>>
>> Cheers,
>>
>> Simon
>>
>>
>> On Mon, Jun 9, 2014 at 2:35 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Jason you are absolutely correct and this type of accusations and
>>> behaviour should not be allowed/tolerated at OWASP.
>>>
>>> The reality is that Christian (as you can see on this thread) is the one
>>> that tends to behave like that. There have been many 'arguments' and 'owasp
>>> threads' in the past, but Christian is the one that brings that level of
>>> conversation to the table.
>>>
>>> Christian has already been banned (at least) twice in the past from
>>> OWASP, and after many requests (by many parties) the current board (which
>>> should be the 'referee' that you mention) has failed to put an end to it.
>>>
>>> *My biggest problem with Christian's behaviour is not the accusations
>>> that he makes* (although I have to say that being one of the many on
>>> the receiving end of such personal attacks is not nice at all (especially
>>> when he makes accusations about OWASP activities that took a lot of effort
>>> and personal sacrifice)), *my biggest problem is the idea that such
>>> behaviour is accepted/tolerated at OWASP*.
>>>
>>> OWASP SHOULD NOT tolerate that type of behaviour, from anyone.
>>>
>>> This doesn't mean that we should not disagree with each other, of course
>>> we should, BUT it is key that the discussion is kept on a professional
>>> level and there is a minimum level of respect.
>>>
>>> And of course, if some OWASP leader or contributor feels that something
>>> is really wrong, then yes that should be reported (with evidence
>>> supporting it). But that is not what Christian does.
>>>
>>> So please, can the OWASP board deal with this type of accusations! There
>>> have been too many OWASP leaders and key contributors offended, which is
>>> really the big loss here.
>>>
>>> Dinis
>>>
>>>
>>> On 7 June 2014 13:05, Jason Flood <jasoneflood at gmail.com> wrote:
>>>
>>>> Hello Everyone,
>>>>
>>>> I've been watching this mail thread evolve in a mixture of shock and
>>>> disappointment. I have been the leader of a volunteer security group in
>>>> Dublin, I've been attacked, I've been publicly questioned, I've been
>>>> insulted. As the leader my hands were tied, as I was supposed to raise
>>>> myself above the natural human reaction I wanted to have. In times like
>>>> this it was great when the community itself would *jump in* and define what
>>>> it would tolerate from its members, both at a project level but also at
>>>> the human level of how we engage and communicate with each other.
>>>>
>>>> In this group - I am not on the board. I am one of the voices, freed
>>>> from the constraints of political correctness and being the "better man".
>>>>
>>>> I have witnessed highly insulting name calling with the *turncoat*
>>>> statement, potentially professionally damaging statements about disgruntled
>>>> employee behavior, organisational corruption insinuated with the nepotism
>>>> theories [without reference to the skill sets of those hired] even leaning
>>>> towards accusing someone of embezzlement of funds.
>>>>
>>>> The tone, the attitude and sentiment of these communications need to
>>>> stop. The corruption "facts" need to be elevated out of this arena, and
>>>> into a far more formalized process. Public slander should not be tolerated
>>>> at any level, least of all between the OWASP community itself. Jokes and
>>>> Jibes are part and parcel of any group. I do not see the humor in this
>>>> thread. Just ego.
>>>>
>>>> We are a very small community - I've met Simon, twice. I saw Dinis once
>>>> at an OWASP gig in Dublin maybe 4 years ago. I looked at O2 as a potential
>>>> project to bring into my day job to help with automation, but at the time I
>>>> found it a bit prototypy for a rollout. I have not looked at it since. It
>>>> could be great now, It could be worse.
>>>>
>>>> I am stating this so you can understand I am not friends, or married to
>>>> cousins of key stakeholders or go for walks with OWASP board members' dogs.
>>>> My opinions are my own. My LinkedIn profile is at least 4 years out of
>>>> date, I don't do Facebook - so apologies to the background checkers. The
>>>> hostile nature of this communication thread needs to end. I'll go even one
>>>> step further - and explain myself in World cup terms.
>>>>
>>>> In my opinion - someone has just been tackled in the box and the
>>>> striker has gone down. The referee has to make the decision. Was there a
>>>> foul committed or did the striker take a dive? One thing is certain, at
>>>> this point it's not O.K to wave play on.
>>>>
>>>> Compile your evidence of corruption. Send it discreetly to the board.
>>>> Let the powers that be evaluate it.  If the allegations are determined to
>>>> be unjustified - it's either a red card offence or a yellow, the referee can
>>>> decide. Or there is a penalty due that will change the course of the game.
>>>>
>>>> Arguably if this matter had been handled more discreetly I do not
>>>> think a yellow/red card would be justified irrespective of the result. At
>>>> this point I am not so sure. People should question and protest, it's how
>>>> they question - the medium they choose, and their approach that is subject
>>>> to review.
>>>>
>>>> I also do not believe any project status should be above review. I
>>>> think downgrading everything - and then upgrading was potentially the
>>>> fairest and cleanest approach. Surely that technique is symbolic that the
>>>> OWASP board are not playing favorites.
>>>> I will not get involved in any further communication on this thread. I
>>>> will not reply to any response to this note. This is a toxic hostile thread
>>>> that needs to stop in its current format. Compile the evidence, put it
>>>> forward and OWASP should clean house to suit the desired result of the
>>>> inquiry.
>>>>
>>>> Jason
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Jun 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:
>>>>
>>>>>
>>>>>> I don't have an issue with Simon but the fact is Michael Coates, him
>>>>>> and you have all worked for Mozilla and yet OWASP invested in WebScarab
>>>>>> in the past.  In Simon's defence he probably didn't know about
>>>>>> WebScarab because OWASP didn't help with the promotion of known
>>>>>> projects since hired Dinis Cruz hired personal friends to promote his
>>>>>> own projects.
>>>>>>
>>>>>>
>>>>> On the contrary, I was very aware of WebScarab and its importance to
>>>>> OWASP at the time - I half expected my application for ZAP to become an
>>>>> OWASP project to be rejected due to the clear overlap with WebScarab.
>>>>> I wanted to create a powerful but easy to use security tool for
>>>>> developers, and I seriously considered using WebScarab as the basis for
>>>>> that tool.
>>>>> However while WebScarab had much more of the functionality that I
>>>>> wanted than Paros did, I found WebScarab very complicated and unintuitive.
>>>>> I decided that I would rather add functionality to Paros than try to
>>>>> make WebScarab easier to use, and I've not regretted that decision :)
>>>>>
>>>>> I do agree that OWASP has not been very effective at promoting any of
>>>>> its projects, including ZAP.
>>>>> However I'm not going to point fingers at any individuals.
>>>>> OWASP is primarily a volunteer organization, and it's up to all of us
>>>>> to address issues that we are concerned with.
>>>>> While I think OWASP could do a better job of promoting all of its
>>>>> projects I don't have any big ideas how that could be achieved - marketing
>>>>> is not my area of expertise ;)
>>>>> I don't like criticizing unless I can offer constructive alternatives.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Simon
>>>>>
>>>>> --
>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-testing mailing list
>>>>> Owasp-testing at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Coimhéad fearg fhear na foighde.
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>