[Owasp-leaders] INQUIRY: Brad Causey
Christian Heinrich
christian.heinrich at owasp.org
Tue May 24 22:35:24 EDT 2011
Brad,
On Wed, May 25, 2011 at 11:22 AM, Brad Causey <bradcausey at owasp.org> wrote:
> First, I am not a member of the media community, and I'm actually not sure
> exactly what that is, but I apologize for any confusion that may have led
> you to believe this.
I was referring to me.
> The Scope of the final document is clear, and is stated as such. I fail to
> see any issue there. If you read the entire document, it should be clear
> that the focus therein is strictly related to the Google Hacking Project.
>
> I am not a member of the GCC, and am unable to speak to decisions or factors
> involving that committee.
So why did you therefore act as a member of the GCC and contact
Australian Chapter Leaders?
> My reservations regarding my continued involvement in OWASP was based on
> personal factors. As you may know, since you frequent mailing lists, I have
> recently moved to a farm, and have begun a vested interest in Agriculture
> and Carpentry. I have extended my participation with OWASP for the
> foreseeable future, and plan to continue contributing to the community.
Whatever, it was stated that you had some disappointment.
> Regarding funding. My participation there was due to my involvement in the
> GPC, and was approved by the Board. I'm not sure if you plan to evaluate
> each participant there, but I can assure you, it was not a paid vacation.
> Myself and dozens (hundreds?) of other active Members worked very hard, and
> produced agreed upon deliverables.
No, just the ones who are questionable, such as yourself. That
stated, I truly (not) believe that Dinis did not "rig" the location
but ignoring all the submissions based on a question raised by Rex
Booth on the Leaders List.
> [Christian]As you would no doubt be aware, as a member of the GPC you should
> have no skeletons in the closet. As far as not releasing the code
> this simply should have been highlighted to the OWASP USA 2008
> organisers and requested to be removed from the proceeding. That
> stated, the ulterior motive was in fact to generate "hype".[/Christian]
>
> Firstly, I did not present at OWASP USA 2008. Secondly, the Lunker project
> was a proof of concept, and never an official OWASP Project.
PoC - So was the OWASP Google Hacking Project and it was promoted as
an Alpha project. Therefore, was is Lurker out of scope of an inquiry
then?
> [Christian]For the record, I was told by a high profile Google employee that the
> reason the Google SOAP Search API was revoked was not due to their
> public statement (i.e. deprecated for the AJAX Search API), rather it
> was being used to distribute upload malware to the web using Google
> Search Results. While I haven't named names you could easily
> determine who I discussed this with by finding who spoke at
> http://2009.confidence.org.pl/prelegenci and he has this known issue
> with being discussed in the media (ask Ryan Narine). Hence, my
> counter-claim of "responsible disclosure" of DIC (noted the
> capitalization was used by "Brad" and on
> http://christianheinrich.blogspot.com/) and your resulting reckless
> conduct of the inquiry.[/Christian]
>
> The time to discuss this is over. The Google Hacking Inquiry is complete.
So the right to appeal has been revoked? It is prudent that you just
make it up as you go along.
> [Christian]As far as asking this on the Lurker Mailing List (if it does exist?) -
> didn't "Brad" ask about the availability of the OWASP Google Hacking
> Project source code on an OWASP Mailing List which was unrelated to
> the project (i.e. owasp-australia).[/Christian]
>
> Yes, Brad did. I don't know Brad personally, but if I recall correctly, the
> source was also requested on the GHP mailing list. If the Lunker mailing
> list doesn't exist, it is because it was never an OWASP project.
Did you ever identify "Brad" i.e. what does Tom Brennan reference as
"human forensics" within
https://lists.owasp.org/pipermail/owasp-board/2010-September/003757.html
- if so why didn't the synopsis state that OWASP had been trolled and
will therefore seek statutory declaration prior to starting an inquiry
process?
> [Christian]It is in the best interests of OWASP if you resign from the GPC and as
> a Chapter Leader now, provide me with a written apology and simply
> accept the resulting conclusion of the inquiry against you - which
> let's be honest will be politically motivated to protect the OWASP
> Board.[/Christian]
>
> We actually have a process for removing a member from the GPC, and it is
> outlined in the bylaws which are published. Should this action be warranted,
> I'm sure my peers will take proper action.
What about the inquiry process? So there is a rule for me in which I
am discredited and one which benefits you.
Don't forget that there were missed opportunities to be exploited i.e.
https://lists.owasp.org/pipermail/owasp-board/2010-August/003554.html
I did like the statement that OWASP had to hold an inquiry because it
knew nothing about me but apparently I was accused of using OWASP to
promote a commercial agenda and yet this is the first that OWASP had
heard of me? Would kinda cancel each other out but it would be
cleared by an inquiry which of course would not be intended to damage
me.
Then there is Dinis Cruz promoting O2 on the Leader's and London
Chapter Mailing List - do as I say not as I do.
> Regarding the Chapter Leader position, I am actually in the process of
> resigning because of other obligations. The Birmingham, AL chapter is being
> transitioned to a very well known and respected member of the OWASP
> community.
>
> Should an Inquiry be required for any actions or decisions I have made, I'm
> sure my peers will treat me with the same objectivity you were treated with.
I would like to conduct the inquiry as I am always out to prove that
my assumptions are incorrect? Then again, I read it on the internet,
it must be true.
> I would also like to say that I applaud your concern for the OWASP
> community, and appreciate your concerns very much. All concerns and issues
> are treated very seriously, as you have no doubt discovered.
>
> I hope to have cleared up any confusion, and if not, feel free to contact
> the appropriate OWASP committee or the Board.
Apparently I will be *censored* from an "open" community provided
Chris will stand and deliver?
I will write this off as "one way it is a sighn of our success" i.e.
https://lists.owasp.org/pipermail/owasp-board/2011-January/004292.html
--
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh