[GPC] [Owasp-leaders] [Owasp-google-hacking] OWASP "GoogleHacking" Project - Status - June 2010

Christian Heinrich christian.heinrich at owasp.org
Sun Jul 11 17:09:32 EDT 2010


Apologies for the delayed reply but I just saw this within the
"conversation" on gmail.

On Wed, Jul 7, 2010 at 12:53 AM, Arshan Dabirsiaghi
<arshan.dabirsiaghi at aspectsecurity.com> wrote:
> I just confirmed that this is the same "Google Hacking" talk that I saw delivered in NYC, and I have to say it was pretty hilariously
> bad. Now, I normally wouldn't be so rude about it, but this thread has shown how heavily it was/is being promoted.

The agenda of my presentation was limited to:
1. http://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_(OWASP-IG-001)
2. http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29
3. http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project
4. It also included to highlight the issue of using robots.txt
incorrectly as a privacy control and the
which even people such as Jeremiah Grossman didn't understand, which
were outside the scope of 1. and 2.

FYI - The presentation was initially proposed as 1. and 2. only as 3.
wasn't accepted until July 2008 which left me with two months to
prepare the PoC.

Can you please justify how I am at fault if your incorrect perception
of my presentation was hype i.e.
http://www.hackersforcharity.org/ghdb/ in light of OWASP's position on
"Builders vs Breakers" and why you chose not to leave my session then?

I declined a number of offers to present this at other conferences,
such as HITB Malaysia 2008 which I offered to a number of other

The project itself had a limited shelf life i.e. Sept 2009

On Wed, Jul 7, 2010 at 12:53 AM, Arshan Dabirsiaghi
<arshan.dabirsiaghi at aspectsecurity.com> wrote:
> It's a 150-line Perl script, and mostly comments. You compare it to something SensePost did, but SensePost isn't going to
>conferences promoting their little Perl script, it's just sitting on their website, quietly. At conferences they publish original, awesome

SensePost had presented this at BlackHat i.e. "Putting the Tea into

http://code.google.com/p/dic/wiki/PerlSourceCodeQuality addresses
which Perl community standards the source code conforms to (including
the extensive comments) - are you claiming that extensive comments are
"bad practice"?

On Wed, Jul 7, 2010 at 12:53 AM, Arshan Dabirsiaghi
<arshan.dabirsiaghi at aspectsecurity.com> wrote:
> We want to encourage people to work on OWASP projects and contribute to the community, but to be honest there isn't nearly
> enough here to be a "project". It doesn't pass the "sniff test", nor any real assessment criteria, I'm sure.

I and most OWASP members would prefer that the state of the art
advanced but on reasonable scientific thought and *not* on hype i.e.

On Wed, Jul 7, 2010 at 12:53 AM, Arshan Dabirsiaghi
<arshan.dabirsiaghi at aspectsecurity.com> wrote:
> What's worse is I don't think there's any way you couldn't know that. And that means you're taking advantage of the platform
> OWASP works so hard to give people.

Considering I was an end user during this time I have funded a
majority of this project (excluding $500USD OTTM Funding which I
contributed to the cost of the hotel) with my own funds (AUD15K$)
which I was not able to claim on tax or through my employer (i.e.

Only as a vendor and/or consultant could I be accused of taking
advantage of OWASP but this would still have no merit.

On Wed, Jul 7, 2010 at 12:53 AM, Arshan Dabirsiaghi
<arshan.dabirsiaghi at aspectsecurity.com> wrote:
> Maybe we can look forward to more substantial contribution from you in the future, but I think it's best that this whole project be
> forgotten and both parties walk away from each other.

Here is a small list (which isn't mentioned on
1. Assisted in the organization of OWASP AU 2009, including selection
based on the CFP, Food and Drink Menu, preparing the panel session,
2. Chaired a Panel Session at OWASP EU 2008, attended all Global
Committee Meetings and assisted Matt Tesauro with interviews for the
OWASP PodCast.
3. Promoted OWASP to a number of events in the AsiaPac region, such as
SyScan which resulted in Onn Chee (Singapore Chapter Lead) now forming
a relationship.
4. Reviewed the OWASP T10 RC for which I was *not* credited.  I
have also prepared a number of tables, diagrams, etc which I am
intending to release once this inquiry is complete.
5. Auditing each OWASP Chapter in Australia to remove vendor and
consultant influence and ensure that the Chapter Handbook is followed.
 Ensuring that OWASP membership is promoted to Australian companies
and individuals, etc.  Forming relationships with other industry
bodies in Australia i.e. AusCERT, AISA, etc

I will expect an apology and retraction from you in light of the
misinformation that you have spread.

Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
