[Owasp-board] [Owasp-leaders] [Owasp-google-hacking] [GPC] OWASP "GoogleHacking" Project - Status - June 2010

Matt Tesauro matt.tesauro at owasp.org
Wed Jul 7 15:37:25 UTC 2010


Here's the email where I introduced the process used for the Brazil inquiry.
The process has not made it to the wiki to date that I am aware of:

==========
As I assume all parties already know, issues have been raised about the
AppSec Brazil 2009 conference.  These questions were raised publicly and
the questions raised have potential impact on future conferences plus
OWASP as a whole.  The OWASP community needs to determine what, if any,
adjustments need to be made to rectify this situation as well as prevent
another occurrence should problem(s) be identified.  As everything in
OWASP, this will need to be an open discussion with the community.

Initially, the issues were discussed on the Global Project Committee
(GPC) call on Monday.  However, considering the scope, the GPC felt that
this was an OWASP Board level issue.  Thus, the issue will be raised
during the next OWASP Board meeting on Tuesday, December 1st.

In the time between now and the board meeting, I've offered to gather
data from the parties.  Any issues, supporting documentation, or other
material you think would be useful in answering the questions raised,
please forward to me so I can gather it in a single location.

When this is discussed at the board meeting, I will propose the
following to start the discussion.  I suspect that changes will occur to
my proposal during the board meeting so please consider this a beta
version.

(1) Collect data - I've already started this process and it will continue
until the board meeting (and likely after).  The outcome of this portion
is to determine an objective picture of all the parties' perspectives.

(2) Discuss - Ask open questions, listen and engage the parties involved
to get the full story.

(3) Document - Use precise, descriptive language to document the
situation and its outcomes.  All parties will be involved in the
drafting of this document to ensure it represents the consensus opinion
of the data collected in (1) and (2) above.

(4) Reflect and maintain - Depending on the outcomes determined in (3),
review current community efforts to ensure that any negative outcomes
are avoided in future and that incentives are in place to keep the
community on track.  Should any changes be needed, the Global Committee
responsible for that area will handle implementation - e.g. changes to
conference rules would be handled by the Global Conference Committee.

==========

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 7/6/10 4:47 PM, Jeff Williams wrote:
> I think we should make it clear that there is a process for handling
> this kind of controversy at OWASP. These things are bound to crop up
> from time to time, and we can limit the amount of damage done by
> following a fair and balanced process led by impartial parties. The
> inquiry process will generate a set of recommendations which can then be
> implemented by the board.
>
> Dinis, since you’ve taken on this particular one – can you send out a
> message to the list reiterating the process (and linking – where is the
> writeup of the process)? That way everyone will know it is being
> handled. I think it’s fair to say that this particular project has had
> its status changed pending the outcome of the inquiry.
>
> Thanks,
>
> --Jeff
>
> *From:* owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] *On Behalf Of *Eoin
> *Sent:* Tuesday, July 06, 2010 5:10 PM
> *To:* dinis cruz
> *Cc:* OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] [Owasp-leaders] [Owasp-google-hacking]
> [GPC] OWASP "GoogleHacking" Project - Status - June 2010
>
> [I have removed the "audience" from this email, something Dinis, you
> should have done]
>
> Question: To what end shall this inquiry serve?
>
> As I mentioned before we now have a Global Projects Committee to assure
> appropriate projects are branded OWASP projects and receive support from
> the foundation.
>
> Question: The project is closed, what negative impact has this fiasco
> had on OWASP?
>
> Question: Shall prolonging this issue continue to negatively impact OWASP?
>
> Question: What do other board members think?
>
> ek
>
> On 6 July 2010 17:44, dinis cruz <dinis.cruz at owasp.org
> <mailto:dinis.cruz at owasp.org>> wrote:
>
> Sorry, but we can't put this one to bed,
>
> There have been too many questions and worries raised about this project
> which need to be addressed.
>
> The mistakes that have been made need to be documented so that we can
> learn its lessons and don't repeat them in the future.
>
> To see what will happen next please refer to one of my last emails where
> I explain that we are going to do an 'OWASP Inquiry' into this issue and
> explain its scope (for example we are starting with the assumption that
> Christian is an innocent party).
>
> Dinis Cruz
>
>
> On 6 Jul 2010, at 16:05, Eoin <eoin.keary at owasp.org
> <mailto:eoin.keary at owasp.org>> wrote:
>
>     Indeed Arshan, totally agree.
>
>     Community, can we put this to bed and move on? This industry is full
>     of empty vessels trying to take advantage as we all know.
>
>     In future the GPC should be able to prevent such silliness in terms
>     of what can become an OWASP branded solution and what is snake oil.
>
>     -ek
>
>
>
>     On 6 July 2010 15:53, Arshan Dabirsiaghi
>     <arshan.dabirsiaghi at aspectsecurity.com
>     <mailto:arshan.dabirsiaghi at aspectsecurity.com>> wrote:
>
>     I just confirmed that this is the same "Google Hacking" talk that I
>     saw delivered in NYC, and I have to say it was pretty hilariously
>     bad. Now, I normally wouldn't be so rude about it, but this thread
>     has shown how heavily it was/is being promoted.
>
>     It's a 150-line Perl script, and mostly comments. You compare it to
>     something SensePost did, but SensePost isn't going to conferences
>     promoting their little Perl script, it's just sitting on their
>     website, quietly. At conferences they publish original, awesome
>     research.
>
>     We want to encourage people to work on OWASP projects and contribute
>     to the community, but to be honest there isn't nearly enough here to
>     be a "project". It doesn't pass the "sniff test", nor any real
>     assessment criteria, I'm sure.
>
>     What's worse is I don't think there's any way you couldn't know
>     that. And that means you're taking advantage of the platform OWASP
>     works so hard to give people.
>
>     Maybe we can look forward to more substantial contribution from you
>     in the future, but I think it's best that this whole project be
>     forgotten and both parties walk away from each other.
>
>     Arshan
>
>
>     -----Original Message-----
>     From: owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org>
>     [mailto:owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org>] On Behalf Of
>     Christian Heinrich
>     Sent: Monday, July 05, 2010 12:41 AM
>     To: dinis cruz
>     Cc: Steven Steggles; Brad Empeigne;
>     owasp-google-hacking at lists.owasp.org
>     <mailto:owasp-google-hacking at lists.owasp.org>;
>     owasp-leaders at lists.owasp.org
>     <mailto:owasp-leaders at lists.owasp.org>; Global Projects Committee
>     Subject: Re: [Owasp-leaders] [Owasp-google-hacking] [GPC] OWASP
>     "GoogleHacking" Project - Status - June 2010
>
>     Dinis,
>
>     TCP Input Text et al is *not* within the scope of the OWASP Google
>     Hacking Project and neither were they represented as such. Rather the
>     scope is
>     http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29
>
>     http://www.sensepost.com/cms/resources/labs/tools/misc/SP-DNS-mine.pl
>     should be used as the benchmark based on the endorsement by this same
>     troll i.e. http://twitter.com/TownyRoberto/status/17405662031
>
>     The identity of this troll *must* be established in light of their
>     refusal i.e.
>     https://lists.owasp.org/pipermail/owasp-google-hacking/2010-June/000017.html
>     to mitigate the possible damage to "Steven Steggles" of
>     http://whois.domaintools.com/lifebetweenscreens.com i.e. their e-mail
>     addresses are different. It is believed that "Brad" and "George" are
>     also the same troll as the source code has only been downloaded once.
>
>     Please keep in mind that this "complaint" from the troll is intended
>     to divert resources from the investigation of the spoofed e-mails sent
>     to the Mailing List of the OWASP Chapter in Melbourne, Australia i.e.
>     https://lists.owasp.org/pipermail/owasp-australia/2010-June/000287.html
>     and
>     https://lists.owasp.org/pipermail/owasp-australia/2010-June/000288.html
>
>     On Sun, Jul 4, 2010 at 7:11 PM, dinis cruz <dinis.cruz at owasp.org
>     <mailto:dinis.cruz at owasp.org>> wrote:
>     > Hi Brad and others that have raised concerns about this project (note that
>     > the original email was also sent to the owasp-google-hacking list, so I'm
>     > CCing this to a number of other owasp lists).
>     >
>     > First of all, thanks for sharing your concerns about this project and I
>     > want to assure you that we at OWASP Board and Projects Committee are taking
>     > this issue very seriously.
>     >
>     > Due to the nature of OWASP and in its spirit of openness we trust that our
>     > project leaders are working hard on their projects and delivering value to
>     > their project's community.
>     >
>     > Given the sheer number of OWASP Projects and the fact that we (at OWASP's
>     > Global Projects Committee) have not yet completed the upgrade of all OWASP
>     > Projects into the new Project Assessment Criteria V2.0 (+ new Project Wiki
>     > Template), we have not been able to spend as much time as we should on
>     > reviewing OWASP projects and ensuring that they are: still alive, need
>     > review/help, make sense, etc...
>     >
>     > The OWASP Google Hacking project has been on the radar of OWASP's Board and
>     > GPC for a while (with a number of emails going back one year), BUT somehow
>     > (mainly due to lack of time) we never followed it up.
>     >
>     > That said now, due to the level of complaints that we have received and the
>     > need that we have at OWASP to create a process to deal with this type of
>     > situation, we are going to take a good look at this and find a solution for
>     > it.
>     >
>     > A couple days ago, I met Christian at the HITB conference in Amsterdam and
>     > we spent a couple hours going over the history of this project and what
>     > should happen next.
>     >
>     > Here is the status:
>     >
>     > The OWASP Google Hacking project is going to be marked as 'Inactive' (with
>     > very clear indication that this is not an active OWASP project), there will
>     > be no more public presentations about this project, and there is also the
>     > possibility that we might delete this project (depending on what happens
>     > with the Inquiry that I'm going to present below).
>     > I have made a number of notes about the history of this project which I will
>     > document soon.
>     > In order to address the issues raised, we are going to run an OWASP Inquiry
>     > into this issue with the objective to address the issue of '...does the
>     > OWASP Google Hacking Project deliverables match the expectations that the
>     > OWASP community have for projects that are presented in the way this project
>     > was...' (note that we already have a history at OWASP of running 'formal'
>     > inquiries for issues/concerns raised by our community, see for example
>     > http://www.owasp.org/index.php/OWASP_Investigation_-_AppSec_Brazil_2009 ).
>     > Christian has also raised a number of concerns over how several Australian
>     > Chapters have been run, and that will be addressed by a separate OWASP
>     > Inquiry led by the OWASP Chapters Committee.
>     >
>     > Note that we are starting this process from the point of view that Christian
>     > is an innocent party (i.e. not guilty of the accusations made until proven
>     > so). It is important to note that the focus of the inquiry will be on the
>     > technical merit of what was created for this project (and will stay away
>     > from any personality clashes that might/do exist between members of the
>     > OWASP community). For example, one of the first steps will be to create an
>     > independent technical analysis of what was delivered, so that we are able to
>     > establish the extent of this project's contribution to OWASP and the
>     > WebAppSec world.
>     >
>     > Once we figure out the operational details of how this OWASP Inquiry (into
>     > the OWASP Google Hacking Project) will work, we will be contacting the OWASP
>     > Community (starting with the ones that have raised their concerns) for 'on
>     > the record' comments about this issue. After all data is collected and
>     > analyzed, an independent group of OWASP Leaders will review it and provide
>     > recommendations (just like what happened in Brazil's case).
>     >
>     > A final point I would like to make is that from an OWASP Projects point of
>     > view, this is a very important case, since we really need to have better
>     > guidelines on what we technically expect from OWASP Projects and their
>     > leaders.
>     >
>     > Hopefully, we will be able to use this case to further consolidate OWASP's
>     > projects focus, quality and credibility.
>     >
>     > Dinis Cruz
>     > OWASP Board Member
>     >
>     >
>     > On 4 July 2010 04:38, Brad Empeigne <brad.empeigne at gmail.com
>     > <mailto:brad.empeigne at gmail.com>> wrote:
>     >>
>     >> Hi all, I had a look at the source code after reading the below email
>     >> and thought since it was finally public I could see what all the fuss
>     >> is about.
>     >>
>     >> As someone who is comfortable with Perl I must admit that I'm
>     >> surprised by how basic this code is and it does look rather
>     >> amateurish. Not only that but the general concept of the code is
>     >> simple too since it appears to just be a Google cache search and not
>     >> much more? To be frank it looks like a couple of hours of work and it
>     >> maybe belongs as some example code referenced on a wiki page after
>     >> being tidied up, but that's about it. I am sorry to say that it is far
>     >> from worthy of being presented at multiple international conferences
>     >> and the publicity this has received is not warranted. I hope OWASP has
>     >> not funded this project and Christian used his own expenses to present
>     >> around the world?
>     >>
>     >> I share Steven's general sentiment that something is not quite right
>     >> with this entire situation and in the future I believe OWASP needs to
>     >> do better QA on projects and keep a closer eye on project leaders.
>     >> What has happened here does in fact reflect very poorly on OWASP. Good
>     >> luck and best regards.
>     >>
>     >> -- Brad
>     >>
>     >>
>     >> On Sat, Jul 3, 2010 at 12:19 PM, Steven Steggles
>     >> <steven.steggles at gmail.com <mailto:steven.steggles at gmail.com>> wrote:
>     >> > Dear OWASP,
>     >> >
>     >> > The source code that has been released is a single Perl script of 250
>     >> > lines, most of the code being comments. The code appears to do nothing
>     >> > besides providing a command line interface to perform a Google cache
>     >> > query. Am I to believe that this is the sum total of the famous Google
>     >> > Hacking Project? From what I understand of Christian's claims at various
>     >> > conferences across the world, the following source code is still missing:
>     >> >
>     >> > 1. "Speak English or Die" Google Translate Workaround.
>     >> > 2. Google SOAP Search API "Key Ring" Workaround.
>     >> > 3. "TCP Input Text" Proof of Concept (PoC) which implements the Google
>     >> > SOAP Search API to extract TCP Ports from Google Search Results as input
>     >> > for nmap and netcat.
>     >> >
>     >> > Christian claimed to have released this source code at Ruxcon in
>     >> > November 2008....
>     >> >
>     >> > It appears as though OWASP has chosen to not address this issue
>     >> > correctly and bury its head in the sand. Perhaps in the naive hope that
>     >> > this problem will quietly go away. What a disgrace! The OWASP Google
>     >> > Hacking project appears to have been solely created as a vehicle for
>     >> > Christian's own self promotion! I am ashamed to be associated with such
>     >> > an organization that turns a blind eye to this highly inappropriate
>     >> > behavior. What a disgrace!
>     >> >
>     >> > I expect that you will moderate this message but I feel that the wider
>     >> > security community should be made aware of this sham and lack of action
>     >> > on OWASP's part.
>     >> >
>     >> > I WILL NO LONGER BE PARTICIPATING IN OWASP RELATED MEETINGS OR
>     >> > CONFERENCES.
>     >> >
>     >> > Very disappointed,
>     >> > Steven
>
>     --
>     Regards,
>     Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
>     OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>     --
>     Eoin Keary
>     OWASP Global Board Member
>     OWASP Code Review Guide Lead Author
>
>     Sent from my i-Transmogrifier
>     http://asg.ie/
>     https://twitter.com/EoinKeary
>
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board



