[Owasp-board] [Owasp-google-hacking] [GPC] Update Needed
paulo.coimbra at owasp.org
Mon Jul 12 18:51:20 UTC 2010
As for your answer, below, I believe it is the appropriate time to say that
I don't think your facts' narrative always entirely captures the essence of
the email-thread you refer. However, I suggest we further clarify the matter
in the context of the inquiry process in course so as to assure the
situation is handled with the care, respect and factualness it deserves.
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
From: owasp-google-hacking-bounces at lists.owasp.org
[mailto:owasp-google-hacking-bounces at lists.owasp.org] On Behalf Of Christian
Sent: segunda-feira, 12 de Julho de 2010 00:45
To: Jason Li
Cc: OWASP Foundation Board List; owasp-google-hacking at lists.owasp.org;
owasp-leaders at lists.owasp.org; Global Projects Committee
Subject: Re: [Owasp-google-hacking] [GPC] Update Needed
>> The next couple stages are the ones that would really make a
>> difference in marketing OWASP projects. The first of these is to
>> Provide a Repository. We did some preliminary reconnaissance to try
>> and get a branded Google Code hosting solution, but we didn't get
>> very far. I think this is a critical piece to provide some
>> consistency for projects. It also provides us a safety net in cases
>> where projects get abandoned. By having an official OWASP repository,
>> we'll always have the code to a project even if a leader later
>> decides to abandon it (e.g. Google Hacking). The next of these is to
>> revamp the project website and migrate existing projects to the new
>> site. That's a huge undertaking that I think is extremely important
>> to OWASP - but I'm not even sure it's worth discussing until we get
>> our ducks lined up in a row with our existing projects.
I have *never* abandoned the OWASP "Google Hacking" Project.
Coincidentally, the possible misinterpretation of "Inactive" was discussed
at the Leaders/GPC Meeting during OWASP EU 2009.
To quote the current metadata i.e. "GPC_Notes = This project has had its
status changed (currently inactive) pending the outcome of an inquiry. <!---
This project cannot longer be maintained due to the closure of the Google
SOAP Search API i.e.
While Dinis thought that marking it as inactive might help the current
situation to demonstrate that development had ceased due to Google
deprecating their SOAP Search API to which I disagreed at HITB Amsterdam -
consequently Joe Public has misinterpreted the reason as to why the project
is inactive (i.e. which is within the HTML
Comments) and that I am undergoing a disciplinary process for abusing the
OWASP Brand, etc as I have been found guilty irrespective of the e-mails
from Jeff and Dinis state.
>> I'm open to suggestions on how we can either quickly assess projects
>> in a meaningful way or bypass the problem entirely by creatively
>> doing something else. I believe we had several discussions about
>> putting the carrot in front of the cart. For example, we could simply
>> create a new whiz bang website for OWASP and the "price of admission"
>> to the "endorsed" part of the website was for a project leader to
>> push his project through a mostly self-review process. But that has
>> it's own issues as self-review is not always accurate (again, Google
>> Hacking serves as a good example - Christian was fairly quick to fill
>> out the OWASP Projects Survey) and so there's always going to be a
>> need for external review. And that external review will be a
>> bottleneck for anyone trying to push to the next tier.
You can't state that I lied considering the survey, i.e
was a snapshot at a particular time (i.e March 2009) which didn't have any
questions concerning what difficulties are faced by "new"
project leaders i.e. those whose are managing their first OWASP Project
without local support from senior OWASP Members i.e. Only Justin Derry was
available in Australia during this time and while he offered to assist this
was not extended post the OWASP Australian 2009 Conference fallout with the
Had you have asked for a history of the difficulties/unknowns etc within the
survey the GPC would have also known:
1. Chris Gates (metasploit), PDP (GNUCitizen) and Glen Roberts
(Solutionary) had nominated themselves to review the project but according
to an e-mail thread between Paulo and I (from September 2008 until January
2009) were unable to review the project on behalf of OWASP as they were not
OWASP members. Subsequently, they all had to submit CV for the Board to
approve (for some reason the GPC can't approve them) and I was not willing
to pass on this request as it was insulting to their standing within the
community and offer to volunteer their time. In Paulo's defense he was
distracted with preparing for the OWASP Summit in Portugal during this time
and apologies when he responded to each e-mail.
2. As I was unable to locate an OWASP reviewer I deleted the repository as I
was unsure if OWASP had any interest reviewing the project due to the
deprecation of the SOAP Search API, the fact that it was PoC v0.1, etc but
held onto the namespace if this changed.
3. That stated, Tom Brennan trying to kill the project was inferred in my
response to "If not, what is the reason that you do not wish to be
considered for industry partnership?" based on an e-mail thread with Paulo
and I during August 2008 but I am now confused on OWASP position on
condoning the violation of Google's Terms of Service in light of claiming to
Post this survey (i.e. at OWASP EU 2008), the GPC did not want to discuss my
project when I am raised that I had rescheduled the release from RUXCON 2K8
as per the survey i.e. during the Leaders/GPC Meeting i.e.
http://www.flickr.com/photos/appseceu09/, rather the discussion focused on
the consequence of marking projects inactive, etc which I mentioned above.
I also received IN-CONFIDENCE information on the Google SOAP Search API
(i.e. it wasn't deprecated because of the AJAX Search API) from Tavis
Ormandy (Google) during CONFidence 2009 which I made Dinis aware of.
Finally, the deprecation of the SOAP Search API in September 2009 occurs
*after* OWASP finally decides to review the project i.e.
- neither was I contacted in March 2010.
>> Ironically, the whole Google Hacking situation is a great lens to
>> view our efforts through. The problems OWASP is dealing with right
>> now for that project are exactly the problems we were thinking about
>> when we started our agenda... if we can only make some faster
>> progress, we might be able to preempt this kind of event in the future.
These are some of the recommendations from the response that I will be
1. Relocate the responsibility of selecting Project Reviewer who are not
OWASP members from the board to the GPC.
2. Create additional metadata which communicates that unique projects with a
limited shelf life, such as the OWASP "Google Hacking" Project.
3. Each OWASP Project should be reviewed based on a schedule (i.e. not by
signaling that it is ready for review) which could be timeslice across all
4. Reconsider Andrew van der Stock's proposal to become a full time employee
5. Remove members from the GPC would are also leaders of significant
projects i.e. it should consist of a majority of dedicated reviewers only.
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Owasp-google-hacking mailing list
Owasp-google-hacking at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-board