[GPC] [Owasp-google-hacking] OWASP "Google Hacking" Project - Status - June 2010

Paulo Coimbra paulo.coimbra at owasp.org
Sun Jul 4 13:18:42 EDT 2010



For your information, the OWASP Google Hacking Project has been classified
as Inactive until further decision. 




Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager


From: dinis cruz [mailto:dinis.cruz at owasp.org] 
Sent: Sunday, 4 July 2010 10:11
To: Brad Empeigne
Cc: Steven Steggles; owasp-google-hacking at lists.owasp.org;
paulo.coimbra at owasp.org; jeff.williams at owasp.org; Global Projects Committee;
Christian Heinrich; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-google-hacking] [GPC] OWASP "Google Hacking" Project -
Status - June 2010


Hi Brad and others that have raised concerns about this project (note that
the original email was also sent to the owasp-google-hacking list, so I'm
CCing this to a number of other owasp lists).

First of all, thanks for sharing your concerns about this project and I
want to assure you that we at OWASP Board and Projects Committee are taking
this issue very seriously. 

Due to the nature of OWASP and in its spirit of openness we trust that our
project leaders are working hard on their projects and delivering value to
their project's community.

Given the sheer number of OWASP Projects and the fact that we (at OWASP's
Global Projects Committee) have not yet completed the upgrade of all OWASP
Projects into the new Project Assessment Criteria V2.0 (+ new Project Wiki
Template), we have not been able to spend as much time as we should on
reviewing OWASP projects and ensuring that they are: still alive, need
review/help, make sense, etc...

The OWASP Google Hacking project has been on the radar of OWASP's Board and
GPC for a while (with a number of emails going back one year), BUT somehow
(mainly due to lack of time) we never followed it up. 

That said now, due to the level of complaints that we have received and the
need that we have at OWASP to create a process to deal with this type of
situations, we are going to take a good look at this and find a solution for

A couple days ago, I met Christian at the HITB conference in Amsterdam and
we spent a couple hours going over the history of this project and what
should happen next. 

Here is the status:

*	The OWASP Google Hacking project is going to be marked as 'Inactive'
(with very clear indication that this is not an active OWASP project), there
will be no more public presentations about this project, and there is also
the possibility that we might delete this project (depending on what
happens with the Inquiry that I'm going to present below)
*	I have made a number of notes about the history of this project
which I will document soon
*	In order to address the issues raised, we are going to run an OWASP
Inquiry into this issue with the objective to address the issue of '...does
the OWASP Google Hacking Project deliverables match the expectations that
the OWASP community have for projects that are presented in the way this
project was...' (note that we have already a history at OWASP to run
'formal' inquiries for issues/concerns raised by our community (see for
http://www.owasp.org/index.php/OWASP_Investigation_-_AppSec_Brazil_2009 )
*	Christian has also raised a number of concerns over how several
Australian Chapters have been run, and that will be addressed by a separate
OWASP Inquiry led by the OWASP Chapters Committee.

Note that we are starting this process from the point of view that Christian
is an innocent party (i.e. not guilty of the accusations made until proven
so). It is important to note that the focus of the inquiry will be on the
technical merit of what was created for this project (and will stay away
from any personality clashes that might/do exist between members of the
OWASP community). For example, one of the first steps will be to create an
independent technical analysis of what was delivered, so that we are able to
establish the extent of this project's contribution to OWASP and the
WebAppSec world.

Once we figure out the operational details of how this OWASP Inquiry (into
the OWASP Google Hacking Project) will work, we will be contacting the OWASP
Community (starting with the ones that have raised their concerns) for 'on
the record' comments about this issue. After all data is collected and
analyzed, an independent group of OWASP Leaders will review it and provide
recommendations (just like what happened in Brazil's case)

A final point I would like to make, is that from an OWASP Projects point of
view, this is a very important case, since we really need to have better
guidelines on what we technically expect from OWASP Projects and its leaders

Hopefully, we will be able to use this case to further consolidate OWASP's
projects focus, quality and credibility

Dinis Cruz
OWASP Board Member

On 4 July 2010 04:38, Brad Empeigne <brad.empeigne at gmail.com> wrote:

Hi all, I had a look at the source code after reading the below email
and thought since it was finally public I could see what all the fuss
is about.

As someone who is comfortable with Perl I must admit that I'm
surprised by how basic this code is and it does look rather
amateurish. Not only that but the general concept of the code is
simple too since it appears to just be a google cache search and not
much more? To be frank it looks like a couple of hours of work and it
maybe belongs as some example code referenced on a wiki page after
being tidied up, but that's about it. I am sorry to say that it is far
from worthy of being presented at multiple international conferences
and the publicity this has received is not warranted. I hope OWASP has
not funded this project and Christian used his own expenses to present
around the world?

I share Steven's general sentiment that something is not quite right
with this entire situation and in the future I believe OWASP need to
do better QA on projects and keep a closer eye on project leaders.
What has happened here does in fact reflect very poorly on OWASP. Good
luck and best regards.

-- Brad

On Sat, Jul 3, 2010 at 12:19 PM, Steven Steggles
<steven.steggles at gmail.com> wrote:
> Dear OWASP,
> The source code that has been released is a single Perl script of 250
> most of the code being comments. The code appears to do nothing besides
> providing a command line interface to perform a Google cache query. Am I
> believe that this is the sum total of the famous Google Hacking Project?
> From what I understand of Christian's claims at various conferences across
> the world, the following source code is still missing:
> 1. "Speak English or Die" Google Translate Workaround.
> 2. Google SOAP Search API "Key Ring" Workaround.
> 3. "TCP Input Text" Proof of Concept (PoC) which implements the Google
> Search API to extract TCP Ports from Google Search Results as input for
> and netcat.
> Christian claimed to have released this source code at Ruxcon in November
> 2008....
> It appears as though OWASP has chosen to not address this issue correctly
> and bury its head in the sand. Perhaps in the naive hope that this problem
> will quietly go away. What a disgrace! The OWASP Google Hacking project
> appears to have been solely created as a vehicle for Christian's own self
> promotion! I am ashamed to be associated with such an organization that
> turns a blind eye to this highly inappropriate behavior. What a disgrace!
> I expect that you will moderate this message but I feel that the wider
> security community should be made aware of this sham and lack of action on
> OWASP's part.
> Very disappointed,
> Steven
> On Fri, Jul 2, 2010 at 4:50 PM, Christian Heinrich
> <christian.heinrich at owasp.org> wrote:
>> Brad,
>> On Mon, Jun 28, 2010 at 10:22 PM, Brad Causey <bradcausey at owasp.org>
>> wrote:
>> > So just to be clear Christian,
>> > 1. It appears that the source, is in fact, released. We thank you for
>> > that.
>> > 2. Do you have a timeline for future development? I would assume that
>> > because Google deprecated its API, that you would need to find other
>> > methods of performing queries.
>> > Thank you very much in advance.
>> 1. Yes, the RUXCON 2K8 Release is available again.
>> 2. As far as I am aware, their AJAX Search API does not have an
>> equivalent call related to retrieving content from Google's cache.
>>  Scraping, etc would violate Google's Terms of Service.  There is a
>> possibility that I could port it to Bing but I have not reviewed the
>> functionality of their SOAP API yet.
>> Having spoken with Dinis at HITB Amsterdam, his feeling was that the
>> project should be closed off and a new category be created to clarify
>> the reason why as it is not inactive, rather that development can't
>> continue due to the deprecation of the Google SOAP Search API.  I also
>> highlighted that it was only intended as a PoC as investing further
>> development in light of the closure of the SOAP Search API and would
>> be to the detriment of other projects that I contribute to.
>> I will do one more review of the related owasp.org wiki pages and update
>> the documentation on the repository, etc when I return to Australia
>> next weekend (i.e. 10 July) and indicate when this is completed to the
>> GPC.
>> --
>> Regards,
>> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
>> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>> _______________________________________________
>> Owasp-google-hacking mailing list
>> Owasp-google-hacking at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-google-hacking

