[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Dennis Groves dennis.groves at owasp.org
Tue Feb 4 01:12:26 UTC 2014

Thank you Josh,

Pursuant to your clarifications, I am in full agreement with your
conclusions and findings.



On Mon, Feb 3, 2014 at 6:04 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Dennis,
> First of all, thanks for the reply.  I appreciate anyone and everyone
> willing to give this a second thought as I know Christian and OWASP have
> had quite the tumultuous past.  You are absolutely correct in that my
> conclusion is made with "hindsight bias".  Unfortunately, the previous
> Board left Tobias, Fabio, and myself no real choice here.  Having refrained
> from a vote on Christian's request prior to our joining the Board (after
> both Tobias and I suggested it), we were left with the options to 1) make a
> decision based on what we were told or 2) make a decision based on our own
> investigation into the past.  Not being fond of #1, and hoping that I could
> help steer us to a peaceful resolution, I embarked on the second option.
> So, while I agree that I "suffer from hindsight bias", nothing that I've
> said implicates anyone from OWASP in anything negative here.  I don't think
> that allegations along these lines would be fruitful for anyone.
> I'm aware of the "mudpit" surrounding Christian, but frankly, it doesn't
> impact my conclusion in the slightest.  My conclusion is based on the fact
> that leaving the inquiry online runs contrary to our ethics policy.  It
> serves no positive purpose at this point and continues to propagate
> negativity against Christian.  I'm not sure how diving into the mudpit will
> change this or how Christian's actions afterward somehow justifies
> intentionally making someone's life miserable.  Perhaps I'm missing
> something?
> As for the request for reinstatement, his past actions should most
> certainly be taken into consideration there.  I have not drawn a
> conclusion, however, on this, so I'm not sure what you're looking for.  My
> general thought is that if Christian is willing to forgive and move beyond,
> then we should give him the opportunity to do so and should attempt to do
> the same.  I believe that Christian's behavior, while intolerable, seems to
> stem from that original inquiry as it did not exist before then and I'm
> willing to give him the benefit of the doubt if he tells me that he can
> move forward in a positive manner.  In short, I believe in second chances.
> And the worst case scenario is he proves me wrong and gets banned
> indefinitely for it.  We have everything to gain and little to lose.  Other
> than a personal bias against him, what is your specific objection?
> ~josh
> On Mon, Feb 3, 2014 at 6:30 PM, Dennis Groves <dennis.groves at owasp.org>wrote:
>> I also interviewed every participant you mentioned as well, however I did
>> it at the time of the incident.
>> I appreciate the level of detail you have gone to understand what
>> happened, and the level of effort you have gone to ensure OWASP is truly
>> open.
>> However, your conclusion is made in hindsight, and suffers from hindsight
>> bias <https://en.wikipedia.org/wiki/Hindsight_bias>. And hence the
>> saying "Hindsight is 20/20." I do agree that OWASP was much less
>> 'structured' back then, and that we operated far more by group consensus
>> (which you could correctly argue is a selection bias<https://en.wikipedia.org/wiki/Selection_bias>).
>> However, nobody back then was operating in any less good faith than you
>> are today.  The only conclusion that I can safely agree with is that today
>> projects are run much more effectively than at any time in the past, but to
>> be honest so is the whole of OWASP.
>> But, before I can agree with your conclusion I need to understand how
>> deeply you 'delved into the mudpit.' While everybody involved can easily
>> look back at their behaviour and perhaps conclude they could have handled
>> the situations differently, did you also dig into the history of very
>> dubious and abusive actions by the participants as well? Because, while
>> everybody involved feels justified in the actions they took some of those
>> actions certainly failed to live up to any standard that would have been
>> acceptable either in the past or present. I want to know what you think
>> about those events as well.
>> Personally, I think that it is to late to put the genie back in the
>> bottle.
>> Dennis
>> On Mon, Feb 3, 2014 at 4:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> OWASP Board,
>>> I feel, at this point, like I am ready to make a recommendation on the
>>> Google Hacking Inquiry, but am currently waiting to hear back from
>>> Christian regarding his ability to move forward if his membership were to
>>> be reinstated.
>>> *Google Hacking Inquiry*
>>> Regarding the Google Hacking inquiry, I have had a couple of phone calls
>>> now with Christian as well as one with Chris Gates (both recorded and
>>> you've been provided with links separately).  I've also been in contact
>>> with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
>>> circumstances around the Google Hacking Inquiry.  There have been a few
>>> others whose names have come up that it may be pertinent to speak to (Chris
>>> Spencer and Andrew Vanderstock), but I'm confident that it won't change my
>>> advice here.  While I cannot go so far as to say that a great injustice has
>>> been done, I do think that I've found plenty of evidence to make me doubt
>>> the circumstances of the inquiry and it's benefit (or lack thereof) to
>>> OWASP.
>>> Unfortunately, back then, there does not appear to have been much
>>> control over the projects.  There did not exist the new levels, but if I
>>> had to qualify it, I'd say that the Google Hacking Project fits squarely
>>> into the "Incubator" level of our new project classification.  The
>>> interesting thing about this level is that source code is NOT required.  To
>>> the contrary, this level is basically, "I have an idea, let's see if I can
>>> turn it into something real."  One of the deliverables for moving on to the
>>> next level is a working POC, but from the looks of it, one could remain in
>>> the "Incubator" bucket for up to a year without ever providing the source
>>> code.  And, assuming you did that, the consequence is to be de-listed from
>>> the "Incubator" bucket until you have a POC.  This makes 100% sense to me
>>> as it helps to foster ideas and provide support while still maintaining
>>> quality control over our projects.  Christian's claim is that he had his
>>> source code in an open repository, but never published a link because his
>>> project was never reviewed.  He provided at least one potential reviewer
>>> who was rejected at the time because they were not an OWASP member.  His
>>> attempts to find a reviewer who was an OWASP member were unsuccessful.  His
>>> presentations at the time did include a slide soliciting reviewers.  So, my
>>> conclusion here is that Christian did what would be expected of an
>>> "Incubator" level project.  Publishing source code probably shouldn't have
>>> been an expectation (at least not right off the bat) and the resulting
>>> "punishment" from the Inquiry was certainly harsher than today's standard.
>>> On top of the above, it is clear that Christian feels that the Inquiry
>>> has affected his ability to work as well as his general state of well
>>> being.  If this is true, then it is in direct contradiction to the OWASP
>>> Code of Ethics where we state that OWASP members should not intentionally
>>> injure or impugn the professional reputation of our colleagues.  I don't
>>> think that it is rational for us to question whether this is or is not
>>> true, and therefore feel like our best course of action is to assume that
>>> it is and work to correct the situation.  My proposal is to remove the
>>> Google Hacking Inquiry document and any reference documentation as well
>>> that is on the OWASP public website.  In it's stead, I would like to place
>>> the following text:
>>> Recently, information has been brought to our attention which allows the
>>>> current OWASP Board to revisit OWASP's position on the Google Hacking
>>>> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics<https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>states that we should not intentionally injure or impugn the professional
>>>> reputation of colleagues and, upon consideration, we feel that perpetuating
>>>> the inquiry results would do just that.  As such, we feel that it is in the
>>>> best interests of the OWASP Foundation and all concerned parties to wipe
>>>> the slate clean by removing the details of the inquiry from our public
>>>> records at this time.  We feel sincerely sorry for any damages that this
>>>> inquiry may have caused to any of the parties involved.
>>> Let me be absolutely clear that this is not what Christian requested,
>>> but rather, what I feel is the right thing to do given the circumstances.
>>> Christian's first question to me was "What good did the inquiry do for
>>> OWASP?" and my answer, unfortunately, is that I'm really not finding any.
>>> It chastised an active project leader for doing what it appears that
>>> several others were also doing at the time, potentially furthered personal
>>> biases, created negative feelings between Christian and OWASP, and just
>>> generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
>>> has been allowed to linger for so long as it just perpetuates the things
>>> that we've done wrong, rather than all of the things that we've done
>>> right.  Regardless of how Christian or others feel about it, I believe that
>>> it's time to wipe the slate clean here and put an end to the negativity
>>> surrounding the inquiry.
>>> I'd like to propose a vote that we strike any reference to the Google
>>> Hacking Inquiry on owasp.org and our public documentation and replace
>>> it with the text above.
>>> *Request for Reinstatement*
>>> Unfortunately, our last call was cut short again with Christian dropping
>>> off the line.  I sent an e-mail to him attempting to reconcile our next
>>> steps, but I'm not sure that we are on the same page currently.  His desire
>>> is for OWASP to pursue another inquiry, similar to his own, charging Chris
>>> Gatford with being the individual behind the initial requests for inquiry
>>> and treating him as though he were an OWASP member as he was a chapter
>>> leader during that time.  I told him that I feel like the inquiry should
>>> not have been undertaken in the first place and that performing another
>>> inquiry and getting involved in a dispute between the two of them would
>>> serve no value to OWASP.  I have politely declined my support for such an
>>> initiative, but told him I would offer it to the other Board members if any
>>> of you are so inclined to pursue it further.
>>> Since I am unable to support his current request, and since he has
>>> stated that he is unable to move beyond this until this other inquiry has
>>> been performed, I am at a loss as far as next steps go.  My proposal would
>>> have been to do a 90 day probational membership reinstatement for
>>> Christian.  Provided that there were no issues during this time period, I
>>> think that we could consider whatever level of activity he maintains a
>>> relative success and we should grant full membership.  However, if there
>>> were to be issues, the request for reinstatement should be denied with a
>>> permanent ban so that no future Board members need to brief themselves on
>>> the past in order to make a decision about the future.  My rationale for
>>> this rationale for this is based squarely upon the assumption that all
>>> negative behaviors were due to the Google Hacking Inquiry and it's personal
>>> affect on Christian.  A 90 day probation should serve as a decent test to
>>> determine if he is willing to move beyond that and put the negativity
>>> behind us.  I am not requesting a vote at this time here as I feel no
>>> decision can be made without Christian's support for the path we take.  I
>>> will continue to work with him to hopefully come to a peaceful resolution.
>>> ~josh
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> --
>> Dennis Groves <http://about.me/dennis.groves>, MSc
>> Email me, <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
>> .
>> *This email is licensed under a CC BY-ND 3.0
>> <http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
>> Stand up for your freedom to install free software.<http://www.fsf.org/campaigns/secure-boot/statement>
>> Please do not send me Microsoft Office/Apple iWork documents.
>> Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!
>> <http://www.owasp.org/>

Dennis Groves <http://about.me/dennis.groves>, MSc
Email me, <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>
*This email is licensed under a CC BY-ND 3.0
<http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB> license.*
Stand up for your freedom to install free
Please do not send me Microsoft Office/Apple iWork documents.
Send OpenDocument <http://fsf.org/campaigns/opendocument/> instead!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140203/be18a3e9/attachment-0001.html>

More information about the Owasp-board mailing list