[Owasp-board] [Owasp-leaders] [Owasp-google-hacking] [GPC] OWASP "GoogleHacking" Project - Status - June 2010

Eoin eoin.keary at owasp.org
Tue Jul 6 21:10:02 UTC 2010


[i have removed the "audience" from this email,something Dinis, you should
of done]

Question: To what end shall this inquiry serve?
As i mentioned before we now have a Global Projects Committee to assure
appropriate projects are branded OWASP projects and receive support from the
foundation.

Question: The project is closed, what negative impact has this fiasco had on
owasp?

Question: Shall prolonging this issue continue to negatively impact owasp?

Question: What do other board members think?

ek




On 6 July 2010 17:44, dinis cruz <dinis.cruz at owasp.org> wrote:

> Sorry, but we can't put this one to bed,
>
> There has been too many questions and worries raised about this project
> which need to be addressed.
>
> The mistakes that have been made need to be documented so that we can learn
> its lessons and don't repeat them in the future.
>
> To see what will happen next please refer to one of my last emails were I
> explain that we are going to do an 'OWASP Inquiry' into this issue and
> explain its scope (for example we are starting with the assumption that
> Chistian is an innocent party)
>
> Dinis Cruz
>
> On 6 Jul 2010, at 16:05, Eoin <eoin.keary at owasp.org> wrote:
>
> Indeed Arshan, Totally agree.
>
> Community, can we put this to bed and move on. This industry is full of
> empty vessels trying to take advantage as we all know.
> In future the GPC should be able to prevent such silliness in terms of what
> can become an OWASP branded solution and what is snake oil.
>
> -ek
>
>
>
> On 6 July 2010 15:53, Arshan Dabirsiaghi <<arshan.dabirsiaghi at aspectsecurity.com>
> arshan.dabirsiaghi at aspectsecurity.com> wrote:
>
>> I just confirmed that this is the same "Google Hacking" talk that I saw
>> delivered in NYC, and I have to say it was pretty hilariously bad. Now, I
>> normally wouldn't be so rude about it, but this thread has shown how heavily
>> it was/is being promoted.
>>
>> It's a 150-line Perl script, and mostly comments. You compare it to
>> something SensePost did, but SensePost isn't going to conferences promoting
>> their little Perl script, it's just sitting on their website, quietly. At
>> conferences they publish original, awesome research.
>>
>> We want to encourage people to work on OWASP projects and contribute to
>> the community, but to be honest there isn't nearly enough here to be a
>> "project". It doesn't pass the "sniff test", nor any real assessment
>> criteria, I'm sure.
>>
>> What's worse is I don't think there's any way you couldn't know that. And
>> that means you're taking advantage of the platform OWASP works so hard to
>> give people.
>>
>> Maybe we can look forward to more substantial contribution from you in the
>> future, but I think it's best that this whole project be forgotten and both
>> parties walk away from each other.
>>
>> Arshan
>>
>> -----Original Message-----
>> From: <owasp-leaders-bounces at lists.owasp.org>
>> owasp-leaders-bounces at lists.owasp.org [mailto:<owasp-leaders-bounces at lists.owasp.org>
>> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Christian Heinrich
>> Sent: Monday, July 05, 2010 12:41 AM
>> To: dinis cruz
>> Cc: Steven Steggles; Brad Empeigne;
>> <owasp-google-hacking at lists.owasp.org>
>> owasp-google-hacking at lists.owasp.org; <owasp-leaders at lists.owasp.org>
>> owasp-leaders at lists.owasp.org; Global Projects Committee
>> Subject: Re: [Owasp-leaders] [Owasp-google-hacking] [GPC] OWASP
>> "GoogleHacking" Project - Status - June 2010
>>
>> Dinis,
>>
>> TCP Input Text et al is *not* within the scope of the OWASP Google
>> Hacking Project and neither were they represented as such. Rather the
>> scope is
>> <http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29>
>> http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29
>>
>> <http://www.sensepost.com/cms/resources/labs/tools/misc/SP-DNS-mine.pl>
>> http://www.sensepost.com/cms/resources/labs/tools/misc/SP-DNS-mine.pl
>> should be used the benchmark based on the endorsement by this same
>> troll i.e. <http://twitter.com/TownyRoberto/status/17405662031>
>> http://twitter.com/TownyRoberto/status/17405662031
>>
>> The identity of this troll *must* be established in light of their
>> refusal i.e.
>> <https://lists.owasp.org/pipermail/owasp-google-hacking/2010-June/000017.html>
>> https://lists.owasp.org/pipermail/owasp-google-hacking/2010-June/000017.html
>> to mitigate the possible damage to "Steven Steggles" of
>> <http://whois.domaintools.com/lifebetweenscreens.com>
>> http://whois.domaintools.com/lifebetweenscreens.com i.e. their e-mail
>> addresses are different.  It is believed that "Brad" and "George" are
>> also the same troll as the source code has only been downloaded once.
>>
>> Please keep in mind that this "complaint" from the troll is intended
>> to divert resources from the investigation of the spoofed e-mails sent
>> to the Mailing List of the OWASP Chapter in Melbourne, Australia i.e.
>> <https://lists.owasp.org/pipermail/owasp-australia/2010-June/000287.html>
>> https://lists.owasp.org/pipermail/owasp-australia/2010-June/000287.html
>> and
>> <https://lists.owasp.org/pipermail/owasp-australia/2010-June/000288.html>
>> https://lists.owasp.org/pipermail/owasp-australia/2010-June/000288.html
>>
>> On Sun, Jul 4, 2010 at 7:11 PM, dinis cruz < <dinis.cruz at owasp.org>
>> dinis.cruz at owasp.org> wrote:
>> > Hi Brad and others that have raise concerns about this project (note
>> that
>> > the original email was also sent to the owasp-google-hacking list, so
>> I'm
>> > CCing this to a number of other owasp lists).
>> >
>> > First of all , thanks for sharing your concerns about this project and I
>> > want to assure you that we at OWASP Board and Projects Committee are
>> taking
>> > this issue very seriously.
>> >
>> > Due to the nature of OWASP and in its spirit of openess we trust that
>> our
>> > project leaders are working hard on their projects and delivering value
>> to
>> > their project's community.
>> >
>> > Given the sheer number of OWASP Projects and the fact that we (at OWASPs
>> > Global Projects Committee) have not yet completed the upgrade of all
>> OWASP
>> > Projects into the new Project Assessment Criteria V2.0 (+ new Project
>> Wiki
>> > Template), we have not been able to spend as much time as we should on
>> > reviewing OWASP projects and ensuring that they are: still alive, need
>> > review/help, make sense, etc...
>> >
>> > The OWASP Google Hacking project has been on the radar of OWASP's Board
>> and
>> > GPC for a while (with a number of emails going back one year), BUT
>> somehow
>> > (mainly due to lack of time) we never followed it up.
>> >
>> > That said now, due to the level of complains that we have received and
>> the
>> > need that we have at OWASP to create a process to deal with this type of
>> > situations, we are going to take a good look at this and find a solution
>> for
>> > it.
>> >
>> > A couple days ago, i meet Christian at the HITB conference in Amsterdam
>> and
>> > we spent a couple hours going over the history of this project and what
>> > should happen next.
>> >
>> > Here is the status:
>> >
>> > The OWASP Google Hacking project is going to be marked as 'Inactive'
>> (with
>> > very clear indication that this is not an active OWASP project), there
>> will
>> > be no more public presentations about this project, and there is also
>> the
>> > possibililty that we might delete this project (depending on what
>> happens
>> > with the Inquiry that I'm going to present below)
>> > I have made a number of notes about the history of this project which I
>> will
>> > document soon
>> > In order to address the issues raised, we are going to run an OWASP
>> Inquiry
>> > into this issue with the objective to address the issue of '...does the
>> > OWASP Google Hacking Project deliverables match the expectations that
>> the
>> > OWASP community have for projects that are presented in the way this
>> project
>> > was..." (note that we have already an history at OWASP to run 'formal'
>> > inquiries for issues/concerns raised by our community (see for example
>> >
>> <http://www.owasp.org/index.php/OWASP_Investigation_-_AppSec_Brazil_2009>
>> http://www.owasp.org/index.php/OWASP_Investigation_-_AppSec_Brazil_2009 )
>> > Christian has also raised a number of concerns over how several
>> Australian
>> > Chapters have been run, and that will be addressed by a separate OWASP
>> > Inquiry lead by the OWASP Chapters Committee.
>> >
>> > Note that we are starting this process from the point of view that
>> Christian
>> > is an inocent party (i.e. not guilty of the accusations made until
>> proven
>> > so). It is important to note that the focus of the inquiry will be on
>> the
>> > technical merit of what was created for this project (and will stay away
>> > from any personallity clashes that might/do exist between members of the
>> > OWASP community). For example, one of the first steps will be to create
>> an
>> > independent technical analysis of what was delivered, so that we are
>> able to
>> > establish the extent of this project's contribution to OWASP and the
>> > WebAppSec world.
>> >
>> > Once we figure out the operational details of how this OWASP Inquiry
>> (into
>> > the OWASP Google Hacking Project) will work, we will be contacting the
>> OWASP
>> > Community (starting with the one that have raised their concerns) for
>> 'on
>> > the record' comments about this issue. After all data is collected and
>> > analyzed, an independent group of OWASP Leaders will review it and
>> provide
>> > recomendations (just like what happened in the Brazil's case)
>> >
>> > A final point I would like to make, is that from an OWASP Projects point
>> of
>> > view, this is a very important case, since we really need to have better
>> > guidelines on what we technically expect from OWASP Projects and its
>> leaders
>> >
>> > Hopefully, we will be able to use this case to further consolidate
>> OWASP's
>> > projects focus, quality and credibility
>> >
>> > Dinis Cruz
>> > OWASP Board Member
>> >
>> >
>> > On 4 July 2010 04:38, Brad Empeigne < <brad.empeigne at gmail.com>
>> brad.empeigne at gmail.com> wrote:
>> >>
>> >> Hi all, I had a look at the source code after reading the below email
>> >> and thought since it was finally public i could see what all the fuss
>> >> is about.
>> >>
>> >> As someone who is comfortable with Perl i must admit that I'm
>> >> surprised by how basic this code is and it does look rather
>> >> amateurish. Not only that but the general concept of the code is
>> >> simple too since it appears to just be a google cache search and not
>> >> much more? To be frank it looks like a couple of hours of work and it
>> >> maybe belongs as some example code referenced on a wiki page after
>> >> being tidied up, but thats about it. i am sorry to say that it is far
>> >> from worthy of being presented at multiple international conferences
>> >> and the publicity this has received is not warranted. I hope OWASP has
>> >> not funded this project and Christian used his own expenses to present
>> >> around the world?
>> >>
>> >> I share Stevens general sentiment that something is not quite right
>> >> with this entire situation and in the future i believe OWASP need to
>> >> do better QA on projects and keep a closer eye on project leaders.
>> >> What has happened here does in fact reflect very poorly on OWASP. Good
>> >> luck and best regards.
>> >>
>> >> -- Brad
>> >>
>> >>
>> >> On Sat, Jul 3, 2010 at 12:19 PM, Steven Steggles
>> >> < <steven.steggles at gmail.com>steven.steggles at gmail.com> wrote:
>> >> > Dear OWASP,
>> >> >
>> >> > The source code that has been released is a single Perl script of 250
>> >> > lines,
>> >> > most of the code being comments. The code appears to do nothing
>> besides
>> >> > providing a command line interface to perform a Google cache query.
>> Am I
>> >> > to
>> >> > believe that this is the sum total of the famous Google Hacking
>> Project?
>> >> > From what I understand of Christian's claims at various conferences
>> >> > across
>> >> > the world, the following source code is still missing:
>> >> >
>> >> > 1. "Speak English or Die" Google Translate Workaround.
>> >> > 2. Google SOAP Search API "Key Ring" Workaround.
>> >> > 3. "TCP Input Text" Proof of Concept (PoC) which implements the
>> Google
>> >> > SOAP
>> >> > Search API to extract TCP Ports from Google Search Results as input
>> for
>> >> > nmap
>> >> > and netcat.
>> >> >
>> >> > Christian claimed to have released this source code at Ruxcon in
>> >> > November
>> >> > 2008....
>> >> >
>> >> > It appears as though OWASP has chosen to not address this issue
>> >> > correctly
>> >> > and bury its head in the sand.Perhaps in the naive hope that this
>> >> > problem
>> >> > will quietly go away. What a disgrace! The OWASP Google Hacking
>> project
>> >> > appears to have been solely created as a vehicle for Christian's own
>> >> > self
>> >> > promotion! I am ashamed to be associated with such an organization
>> that
>> >> > turns a blind eye to this highly inappropriate behavior. What a
>> >> > disgrace!
>> >> >
>> >> > I expect that you will moderate this message but I feel that the
>> wider
>> >> > security community should be made aware of this sham and lack of
>> action
>> >> > on
>> >> > OWASP's part.
>> >> >
>> >> > I WILL NO LONGER BE PARTICIPATING IN OWASP RELATED MEETINGS OR
>> >> > CONFERENCES.
>> >> >
>> >> > Very disappointed,
>> >> > Steven
>>
>> --
>> Regards,
>> Christian Heinrich - <http://www.owasp.org/index.php/user:cmlh>
>> http://www.owasp.org/index.php/user:cmlh
>> OWASP "Google Hacking" Project Lead - <http://sn.im/owasp_google_hacking>
>> http://sn.im/owasp_google_hacking
>> _______________________________________________
>> OWASP-Leaders mailing list
>> <OWASP-Leaders at lists.owasp.org>OWASP-Leaders at lists.owasp.org
>> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> OWASP-Leaders mailing list
>> <OWASP-Leaders at lists.owasp.org>OWASP-Leaders at lists.owasp.org
>> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> <http://asg.ie/>http://asg.ie/
>  <https://twitter.com/EoinKeary>https://twitter.com/EoinKeary
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100706/96dbba5c/attachment-0002.html>


More information about the Owasp-board mailing list