[Owasp-board] GPC outstanding issues
Paulo Coimbra
paulo.coimbra at owasp.org
Tue Jun 29 16:19:31 UTC 2010
Eoin,
As you might remember, as you have been included in the recent previous
threads, I have previously contacted Christian and said to him: "I've been
back to your previous email to understand what you are intending to do and
got a bit confused as you previously said '(...) Hence, I agreed that if
interested parties couldn't provide a valid SOAP Search API Key (which had
been discontinued by Google well before I had started to present this
project) - then the source code was prohibited from being distributed to
them as it was against Google's TOS. (...)' and now, as far as I understand,
you say that is only a matter of locating some URLs. Could you please
clarify?"
Christian has answered back saying "(...) I appear to be quoted out of
context but the URLs were intended to establish the timeline of this OWASP
Project to that of the Google SOAP Search API and hence support the reason
for the decision related to the distribution at that time (i.e. until early
September 2009). (...)"
Please see the enclosed emails for your own judgement.
Also, I may be wrong, it may be unjustified, but to give you a subjective
view, I've often kind of sensed a certain level of resistance when it comes
to making the source code available.
For example, just recently when Steven Steggles addressed the project
mailing list saying "For some reason Christian appears to be uncooperative
and is refusing to open source the project code after several requests for
the source code were made", Christian didn't release the source code and,
instead, referred to the existence of anonymous trolls and asked for Steven's
references: "(...) contact information and timezone and references (i.e.
contact information of current and previous managers you reported to and
associated company names) (...)". In addition, thereafter, Christian has
asked Larry to "(...) implement moderation on the OWASP 'Google Hacking'
Project Mailing List (...)" saying "(...) The cause of this issue is related
to the OWASP Melbourne Chapter i.e.
https://lists.owasp.org/pipermail/owasp-australia/2010-June/thread.html and
is spilling over to http://search.twitter.com/search?q=owaspgate - the OWASP
'Google Hacking' Project is a secondary issue."
I find the episode above not that clear. In my view, Christian's behaviour
may or may not be justifiable and further data could support a more precise
judgement. These exchanged emails are also enclosed. Please glance at them for
your own assessment.
Nevertheless, to be clear, I have been sensing Christian's resistance at
least since 16-01-2009 when Tom Brennan sent me an email with the subject
"PROJECT DEAD" stating "Could I get a special PM update/request to get a
status on this project and move it or drop it... no movement". Four days
later, before having contacted Christian, I received an email from him
saying he was presenting his OWASP project at the OWASP AU Conference 2009
and that he was wondering if I had had time to consider his list of
reviewers yet. I then answered that, as I had said before, I would present
to the OWASP Board for their confirmation whoever he believed could do a
useful job. Taking into account Tom's heads-up, I have also taken the
opportunity to ask Christian to update the project's page as it hadn't been
updated since 28 October 2008
<https://www.owasp.org/index.php?title=Project_Information:template_Google_Hacking_Project&oldid=44947>
but I never received a response. Exchanged emails also enclosed.
Later on, 27-10-2009, I was again contacted by Christian in an email where
he asked for assistance to update the project's template. I've answered back
saying that I had updated the template myself, asked for his agreement and
informed him that I had prepared his new release RUXCON 2K8 to be assessed. I
have also informed him that our assessment process is not mandatory and asked
him whether or not he was willing to take the step. Christian answered back
saying "The release at RUXCON 2K8 was a Proof of Concept i.e. it doesn't
handle exceptions. I am in the process of implementing the Perl Best
Practices and closing the issues and this would be the release that should
be reviewed. I will let the OWASP GPC know when this is available (I
suspect that this will be sometime after March 2010)."
Exchanged emails also enclosed.
We are now sometime after March 2010 and the release hasn't been assessed as
of yet, nor has Christian even sent off the names of the proposed reviewers.
Being so and to conclude this long email, I reaffirm what I said before. In
my assessment, the way Christian behaved was not sufficiently clear. In my
opinion, he kept the project's page stalled and resisted making the code
available while offering justifications not always totally evident to me.
Being so, if I were asked, I would suggest a formal inquiry to clarify the
whole situation and, consequently, to allow us to find out a fair response
to both Christian and to the non-OWASP people that have repeatedly denounced
this situation.
Thanks,
Paulo Coimbra,
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
Sent: Tuesday, 29 June 2010 10:45
To: Paulo Coimbra
Cc: OWASP Foundation Board List; Brad Causey; Dinis Cruz; Jason Li; Jeff
Williams; Leo Cavallari; Matt Tesauro; Pravir Chandra
Subject: Re: [Owasp-board] GPC outstanding issues
Paulo.
Re: "Secondly, in my assessment, the way Christian behaved was not
sufficiently clear. In my opinion, he resisted making the code available
offering justifications not always totally evident to me."
Can you explain this a little more?
On 28 June 2010 17:36, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
Brad,
In my last email, I've forgotten to answer your question about the Google
Hacking Project.
As you know, the project leader has answered my call for him to release the
code but in my opinion a couple of issues still need to be sorted out.
Firstly, the Project roadmap currently available is way too simple and
doesn't allow us to understand how the depreciated APIs question will be
solved.
http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project_RoadMap
http://www.owasp.org/index.php/OWASP_Google_Hacking_Project_-_RUXCON_2K8_Release_-_Notes
http://code.google.com/p/dic/
Secondly, in my assessment, the way Christian behaved was not sufficiently
clear. In my opinion, he resisted making the code available offering
justifications not always totally evident to me.
Being so, if I were asked, I would suggest a formal inquiry to clarify the
whole situation and, consequently, to allow us to find out a fair response
to both Christian and to the non-OWASP people that have repeatedly denounced
this situation.
My 2 cents anyway, thanks,
Paulo Coimbra,
<https://www.owasp.org/index.php/Main_Page> OWASP Project Manager
From: bradcausey at gmail.com [mailto:bradcausey at gmail.com] On Behalf Of Brad
Causey
Sent: Monday, 28 June 2010 13:24
To: Jason Li; Paulo Coimbra
Subject: GPC outstanding issues
Paulo,
I'm sorry it has been so long since we have talked. Are there any items I
can help you with in your efforts for the GPC?
Is the issue with the google hacking project resolved?
-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org/
--
"Si vis pacem, para bellum"
--
--
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author
Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
-------------- next part --------------
An embedded message was scrubbed...
From: "Christian Heinrich" <christian.heinrich at owasp.org>
Subject: Re: [GPC] OWASP "Google Hacking" Project - Status - June 2010
Date: Sun, 20 Jun 2010 12:44:17 +0100
Size: 38399
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100629/7fca0c47/attachment-0014.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: "Christian Heinrich" <christian.heinrich at owasp.org>
Subject: [SPAM] Re: Google Hacking Project
Date: Mon, 14 Jun 2010 17:14:31 +0100
Size: 28733
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100629/7fca0c47/attachment-0015.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: "Christian Heinrich" <christian.heinrich at owasp.org>
Subject: [SPAM] Re: [GPC] OWASP "Google Hacking" Project - Status - June 2010
Date: Mon, 28 Jun 2010 05:35:34 +0100
Size: 30305
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100629/7fca0c47/attachment-0016.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: "Steven Steggles" <steven.steggles at gmail.com>
Subject: [SPAM] Re: Google Hacking Project
Date: Mon, 14 Jun 2010 06:47:34 +0100
Size: 33140
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100629/7fca0c47/attachment-0017.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: "Tom Brennan - OWASP" <tomb at owasp.org>
Subject: PROJECT DEAD
Date: Sat, 17 Jan 2009 00:21:20 +0100
Size: 7037
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100629/7fca0c47/attachment-0018.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: "Paulo Coimbra" <paulo.coimbra at owasp.org>
Subject: RE: Reviewer[s] for OWASP "Google Hacking" Project
Date: Tue, 20 Jan 2009 16:38:43 +0100
Size: 14967
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100629/7fca0c47/attachment-0019.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: "Christian Heinrich" <christian.heinrich at owasp.org>
Subject: [SPAM] Re: OWASP "Google Hacking" Project - GPC Project Details - DRAFT
Date: Thu, 29 Oct 2009 20:12:37 +0100
Size: 9819
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100629/7fca0c47/attachment-0020.mht>