[Owasp-leaders] INQUIRY: Brad Causey

Brad Causey bradcausey at owasp.org
Tue May 24 21:22:37 EDT 2011


Christian,

You raise several issues which are handled by different entities of OWASP.

I would like to address each one in turn, and because we are involving
project based information, I am CC'ing in the GPC.

*[Christian]As a member of the media community it would be advisable to
state that
you are sorry for the distress that you have caused and that you lied
when making an official OWASP statement that issues to do with the
Chapters should be investigated by the GCC (Chapters) and you decided
to conduct your own libel informal investigation i.e. second paragraph
of "Scope" from
https://www.owasp.org/index.php/File:GPC_Report_1_-_Google_Hacking_Project.JPG
[/Christian]*

First, I am not a member of the media community, and I'm actually not sure
exactly what that is, but I apologize for any confusion that may have led
you to believe this.

Regarding the Inquiry, which I am able to speak to, being one of the
co-participants involved:

The Scope of the final document is clear, and is stated as such. I fail to
see any issue there. If you read the entire document, it should be clear
that the focus therein is strictly related to the Google Hacking Project.

I am not a member of the GCC, and am unable to speak to decisions or factors
involving that committee.

*[Christian]I also read on the owasp-board mailing list that you had some
regret
with OWASP prior to the OWASP Summit 2011, where you were still provided
with a paid holiday even though the GPC had been inactive for some
time until the OWASP Google Hacking Inquiry and would therefore not be
eligible for funding if it wasn't conducted.[/Christian]*

My reservations regarding my continued involvement in OWASP were based on
personal factors. As you may know, since you frequent mailing lists, I have
recently moved to a farm, and have begun a vested interest in Agriculture
and Carpentry. I have extended my participation with OWASP for the
foreseeable future, and plan to continue contributing to the community.

Regarding funding. My participation there was due to my involvement in the
GPC, and was approved by the Board. I'm not sure if you plan to evaluate
each participant there, but I can assure you, it was not a paid vacation.
Myself and dozens (hundreds?) of other active Members worked very hard, and
produced agreed upon deliverables.

*[Christian]As you would no doubt be aware, as a member of the GPC you
should
have no skeletons in the closet.  As far as not releasing the code
this simply should have been highlighted to the OWASP USA 2008
organisers and requested to be removed from the proceeding.  That
stated, the ulterior motive was in fact to generate "hype".[/Christian]*

Firstly, I did not present at OWASP USA 2008. Secondly, the Lunker project
was a proof of concept, and never an official OWASP Project.

*[Christian]For the record, I was told by a high profile Google employee
that the
reason the Google SOAP Search API was revoked was not due to their
public statement (i.e. deprecated for the AJAX Search API), rather it
was being used to distribute upload malware to the web using Google
Search Results.  While I haven't named names you could easily
determine who I discussed this with by finding who spoke at
http://2009.confidence.org.pl/prelegenci and he has this known issue
with being discussed in the media (ask Ryan Narine).  Hence, my
counter-claim of "responsible disclosure" of DIC (noted the
capitalization was used by "Brad" and on
http://christianheinrich.blogspot.com/) and your resulting reckless
conduct of the inquiry.[/Christian]*

The time to discuss this is over. The Google Hacking Inquiry is complete.

*[Christian]As far as asking this on the Lurker Mailing List (if it does
exist?) -
didn't "Brad" ask about the availability of the OWASP Google Hacking
Project source code on an OWASP Mailing List which was unrelated to
the project (i.e. owasp-australia).[/Christian]*

Yes, Brad did. I don't know Brad personally, but if I recall correctly, the
source was also requested on the GHP mailing list. If the Lunker mailing
list doesn't exist, it is because it was never an OWASP project.

*[Christian]It is in the best interests of OWASP if you resign from the GPC
and as
a Chapter Leader now, provide me with a written apology and simply
accept the resulting conclusion of the inquiry against you - which
let's be honest will be politically motivated to protect the OWASP
Board.[/Christian]*

We actually have a process for removing a member from the GPC, and it is
outlined in the bylaws which are published. Should this action be warranted,
I'm sure my peers will take proper action.

Regarding the Chapter Leader position, I am actually in the process of
resigning because of other obligations. The Birmingham, AL chapter is being
transitioned to a very well known and respected member of the OWASP
community.

Should an Inquiry be required for any actions or decisions I have made, I'm
sure my peers will treat me with the same objectivity you were treated with.

I would also like to say that I applaud your concern for the OWASP
community, and appreciate your concerns very much. All concerns and issues
are treated very seriously, as you have no doubt discovered.

I hope to have cleared up any confusion, and if not, feel free to contact
the appropriate OWASP committee or the Board.



-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--


On Tue, May 24, 2011 at 7:34 PM, Christian Heinrich <
christian.heinrich at owasp.org> wrote:

> Brad,
>
> Did you copy and paste this from a press release?
>
> As a member of the media community it would be advisable to state that
> you are sorry for the distress that you have caused and that you lied
> when making an official OWASP statement that issues to do with the
> Chapters should be investigated by the GCC (Chapters) and you decided
> to conduct your own libel informal investigation i.e. second paragraph
> of "Scope" from
>
> https://www.owasp.org/index.php/File:GPC_Report_1_-_Google_Hacking_Project.JPG
>
> I also read on the owasp-board mailing list that you had some regret
> with OWASP prior to the OWASP Summit 2011, where you were still provided
> with a paid holiday even though the GPC had been inactive for some
> time until the OWASP Google Hacking Inquiry and would therefore not be
> eligible for funding if it wasn't conducted.
>
> As you would no doubt be aware, as a member of the GPC you should
> have no skeletons in the closet.  As far as not releasing the code
> this simply should have been highlighted to the OWASP USA 2008
> organisers and requested to be removed from the proceeding.  That
> stated, the ulterior motive was in fact to generate "hype".
>
> For the record, I was told by a high profile Google employee that the
> reason the Google SOAP Search API was revoked was not due to their
> public statement (i.e. deprecated for the AJAX Search API), rather it
> was being used to distribute upload malware to the web using Google
> Search Results.  While I haven't named names you could easily
> determine who I discussed this with by finding who spoke at
> http://2009.confidence.org.pl/prelegenci and he has this known issue
> with being discussed in the media (ask Ryan Narine).  Hence, my
> counter-claim of "responsible disclosure" of DIC (noted the
> capitalization was used by "Brad" and on
> http://christianheinrich.blogspot.com/) and your resulting reckless
> conduct of the inquiry.
>
> As far as asking this on the Lurker Mailing List (if it does exist?) -
> didn't "Brad" ask about the availability of the OWASP Google Hacking
> Project source code on an OWASP Mailing List which was unrelated to
> the project (i.e. owasp-australia).
>
> It is in the best interests of OWASP if you resign from the GPC and as
> a Chapter Leader now, provide me with a written apology and simply
> accept the resulting conclusion of the inquiry against you - which
> let's be honest will be politically motivated to protect the OWASP
> Board.
>