[Owasp-testing] [Owasp-leaders] (on respectful OWASP threads) Re: Flagship Project Status

Christian Heinrich christian.heinrich at cmlh.id.au
Mon Jun 9 22:10:16 UTC 2014


I see you're still hurt that I refused your offer to reinstate my
membership and have i.e.
and consequently run back to Dinis Cruz.

I have no desire to become a member of OWASP and neither would I want
to be a member of an organisation that would seek me as a member.

As far as I am concerned, if the OWASP Board is going to hold
inquiries then those inquiries should address the root cause, i.e.
Chris Gatford, and not the contributing factors i.e. the OWASP Google
Hacking Project.

I look forward to the proposed involvement of Martin Knobloch and
finally bring closure to this issue.

On Tue, Jun 10, 2014 at 1:08 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> Christian has already had his membership revoked for his behavior (long
> before I got here) and he is currently not an OWASP member.  Can you please
> be more clear on what your desired action against Christian would be at this
> point?  If you're looking to remove him from the mailing list, I had the
> Bylaws amended earlier this year to allow for that action if needed/desired:
> https://www.owasp.org/images/9/92/April2014OWASPFoundationByLaws.pdf
> (Section 4.07 Participation)
> ~josh
> On Mon, Jun 9, 2014 at 9:52 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> Regarding Christian's abuses and attacks, that 'reporting' has been done
>> many times before, and this is not really a Whistleblower case since by
>> definition all that is happening is public domain, the issue is 'acceptance
>> (or not) of such behaviour'
>> Dinis
>> On 9 June 2014 15:08, psiinon <psiinon at gmail.com> wrote:
>>> If anyone has any concerns about an individual's conduct on OWASP mailing
>>> lists then they should report them to the OWASP Compliance officer as per
>>> https://www.owasp.org/index.php/Governance/Whistleblower_Policy
>>> This is the correct way forward, and I'm sure that the number of
>>> complaints against an individual will be taken into account.
>>> Cheers,
>>> Simon
>>> On Mon, Jun 9, 2014 at 2:35 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>> Jason you are absolutely correct and this type of accusations and
>>>> behaviour should not be allowed/tolerated at OWASP.
>>>> The reality is that Christian (as you can see on this thread) is the one
>>>> that tends to behave like that. There have been many 'arguments' and 'owasp
>>>> threads' in the past, but Christian is the one that brings that level of
>>>> conversation to the table.
>>>> Christian has already been banned (at least) twice in the past from
>>>> OWASP, and after many requests (by many parties) the current board (which
>>>> should be the 'referee' that you mention) has failed to put an end to it.
>>>> My biggest problem with Christian's behaviour is not the accusations
>>>> that he makes (although I have to say that being one of the many in the
>>>> receiving end of such personal attacks, is not nice at all (especially when
>>>> he makes accusations about OWASP activities that took a lot of effort and
>>>> personal sacrifice)), my biggest problem is the idea that such behaviour is
>>>> accepted/tolerated at OWASP.
>>>> OWASP SHOULD NOT tolerate that type of behaviour, from anyone.
>>>> This doesn't mean that we should not disagree with each other, of course
>>>> we should, BUT it is key that the discussion is kept on a professional level
>>>> and there is a minimum level of respect.
>>>> And of course, if some OWASP leader or contributor feels that something
>>>> is really wrong, then yes that should be reported (with evidence supporting
>>>> it). But that is not what Christian does.
>>>> So please, can the OWASP board deal with this type of accusations! There
>>>> have been too many OWASP leaders and key contributors offended, which is
>>>> really the big loss here.
>>>> Dinis
>>>> On 7 June 2014 13:05, Jason Flood <jasoneflood at gmail.com> wrote:
>>>>> Hello Everyone,
>>>>> I've been watching this mail thread evolve in a mixture of shock and
>>>>> disappointment. I have been the leader of a volunteer security group in
>>>>> Dublin, I've been attacked, I've been publicly questioned, I've been
>>>>> insulted. As the leader my hands were tied, as I was supposed to raise
>>>>> myself above the natural human reaction I wanted to have. In times like this
>>>>> it was great when the community itself would *jump in* and define what it
>>>>> would tolerate from its members, both at a project level but also at the
>>>>> human level of how we engage and communicate with each other.
>>>>> In this group - I am not on the board. I am one of the voices, freed
>>>>> from the constraints of political correctness and being the "better man".
>>>>> I have witnessed highly insulting name calling with the turncoat
>>>>> statement, potentially professionally damaging statements about disgruntled
>>>>> employee behavior, organisational corruption insinuated with the nepotism
>>>>> theories [without reference to the skill sets of those hired] even leaning
>>>>> towards accusing someone of embezzlement of funds.
>>>>> The tone, the attitude and sentiment of these communications need to
>>>>> stop. The corruption "facts" need to be elevated out of this arena, and into
>>>>> a far more formalized process. Public slander should not be tolerated at any
>>>>> level, least of all between the OWASP community itself. Jokes and Jibes are
>>>>> part and parcel of any group. I do not see the humor in this thread. Just
>>>>> ego.
>>>>> We are a very small community - I've met Simon, twice. I saw Dinis once
>>>>> at an OWASP gig in Dublin maybe 4 years ago. I looked at O2 as a potential
>>>>> project to bring into my day job to help with automation, but at the time I
>>>>> found it a bit prototypy for a rollout. I have not looked at it since. It
>>>>> could be great now, It could be worse.
>>>>> I am stating this so you can understand I am not friends, or married to
>>>>> cousins of key stakeholders or go for walks with OWASP board members' dogs.
>>>>> My opinions are my own. My LinkedIn profile is at least 4 years out of
>>>>> date, I don't do Facebook - so apologies to the background checkers. The
>>>>> hostile nature of this communication thread needs to end. I'll go even one
>>>>> step further - and explain myself in World cup terms.
>>>>> In my opinion - someone has just been tackled in the box and the
>>>>> striker has gone down. The referee has to make the decision. Was there a
>>>>> foul committed or did the striker take a dive? One thing is certain, at this
>>>>> point it's not O.K to wave play on.
>>>>> Compile your evidence of corruption. Send it discreetly to the board.
>>>>> Let the powers that be evaluate it.  If the allegations are determined to be
>>>>> unjustified - it's either a red card offence or a yellow, the referee can
>>>>> decide. Or there is a penalty due that will change the course of the game.
>>>>> Arguably if this matter had been handled more discreetly I do not
>>>>> think a yellow/red card would be justified irrespective of the result. At
>>>>> this point I am not so sure. People should question and protest, it's how
>>>>> they question - the medium they choose, and their approach that is subject
>>>>> to review.
>>>>> I also do not believe any project status should be above review. I
>>>>> think downgrading everything - and then upgrading was potentially the
>>>>> fairest and cleanest approach. Surely that technique is symbolic that the
>>>>> OWASP board are not playing favorites.
>>>>> I will not get involved in any further communication on this thread. I
>>>>> will not reply to any response to this note. This is a toxic hostile thread
>>>>> that needs to stop in its current format. Compile the evidence, put it
>>>>> forward and OWASP should clean house to suit the desired result of the
>>>>> inquiry.
>>>>> Jason
>>>>> On Sat, Jun 7, 2014 at 2:34 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>> I don't have an issue with Simon but the fact is Michael Coates, him
>>>>>>> and you have all worked for Mozilla and yet OWASP invested in
>>>>>>> WebScarab
>>>>>>> in the past.  In Simon's defence he probably didn't know about
>>>>>>> WebScarab because OWASP didn't help with the promotion of known
>>>>>>> projects since hired Dinis Cruz hired personal friends to promote his
>>>>>>> own projects.
>>>>>> On the contrary, I was very aware of WebScarab and its importance to
>>>>>> OWASP at the time - I half expected my application for ZAP to become an
>>>>>> OWASP project to be rejected due to the clear overlap with WebScarab.
>>>>>> I wanted to create a powerful but easy to use security tool for
>>>>>> developers, and I seriously considered using WebScarab as the basis for that
>>>>>> tool.
>>>>>> However while WebScarab had much more of the functionality that I
>>>>>> wanted than Paros did, I found WebScarab very complicated and unintuitive.
>>>>>> I decided that I would rather add functionality to Paros than try to
>>>>>> make WebScarab easier to use, and I've not regretted that decision :)
>>>>>> I do agree that OWASP has not been very effective at promoting any of
>>>>>> its projects, including ZAP.
>>>>>> However I'm not going to point fingers at any individuals.
>>>>>> OWASP is primarily a volunteer organization, and it's up to all of us
>>>>>> to address issues that we are concerned with.
>>>>>> While I think OWASP could do a better job of promoting all of its
>>>>>> projects I don't have any big ideas how that could be achieved - marketing is
>>>>>> not my area of expertise ;)
>>>>>> I don't like criticizing unless I can offer constructive alternatives.
>>>>>> Cheers,
>>>>>> Simon
>>>>>> --
>>>>>> OWASP ZAP Project leader
>>>>>> _______________________________________________
>>>>>> Owasp-testing mailing list
>>>>>> Owasp-testing at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>>> --
>>>>> Coimhéad fearg fhear na foighde.
>>> --
>>> OWASP ZAP Project leader
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Christian Heinrich

