[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Josh Sokol josh.sokol at owasp.org
Fri Feb 7 23:05:49 UTC 2014

I received feedback on this from Dennis Groves and Jason Li (off list), but
have yet to receive feedback from any of the current Board members.  I am
requesting for Sarah to add a vote to the agenda for the 2/24 Board meeting
(if we can't agree beforehand) to "Strike any reference to the Google
Hacking Inquiry on owasp.org and our public documentation and replace it
with <the text in my previous e-mail>".  I would appreciate if you all
could provide some sort of communication of support, dissension, or at the
very least, acknowledgement, of my e-mail before that time.  Thanks!


On Mon, Feb 3, 2014 at 5:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> OWASP Board,
> I feel, at this point, like I am ready to make a recommendation on the
> Google Hacking Inquiry, but am currently waiting to hear back from
> Christian regarding his ability to move forward if his membership were to
> be reinstated.
> *Google Hacking Inquiry*
> Regarding the Google Hacking inquiry, I have had a couple of phone calls
> now with Christian as well as one with Chris Gates (both recorded and
> you've been provided with links separately).  I've also been in contact
> with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
> circumstances around the Google Hacking Inquiry.  There have been a few
> others whose names have come up that it may be pertinent to speak to (Chris
> Spencer and Andrew Vanderstock), but I'm confident that it won't change my
> advice here.  While I cannot go so far as to say that a great injustice has
> been done, I do think that I've found plenty of evidence to make me doubt
> the circumstances of the inquiry and its benefit (or lack thereof) to
> Unfortunately, back then, there does not appear to have been much control
> over the projects.  There did not exist the new levels, but if I had to
> qualify it, I'd say that the Google Hacking Project fits squarely into the
> "Incubator" level of our new project classification.  The interesting thing
> about this level is that source code is NOT required.  To the contrary,
> this level is basically, "I have an idea, let's see if I can turn it into
> something real."  One of the deliverables for moving on to the next level
> is a working POC, but from the looks of it, one could remain in the
> "Incubator" bucket for up to a year without ever providing the source
> code.  And, assuming you did that, the consequence is to be de-listed from
> the "Incubator" bucket until you have a POC.  This makes 100% sense to me
> as it helps to foster ideas and provide support while still maintaining
> quality control over our projects.  Christian's claim is that he had his
> source code in an open repository, but never published a link because his
> project was never reviewed.  He provided at least one potential reviewer
> who was rejected at the time because they were not an OWASP member.  His
> attempts to find a reviewer who was an OWASP member were unsuccessful.  His
> presentations at the time did include a slide soliciting reviewers.  So, my
> conclusion here is that Christian did what would be expected of an
> "Incubator" level project.  Publishing source code probably shouldn't have
> been an expectation (at least not right off the bat) and the resulting
> "punishment" from the Inquiry was certainly harsher than today's standard.
> On top of the above, it is clear that Christian feels that the Inquiry has
> affected his ability to work as well as his general state of well being.
> If this is true, then it is in direct contradiction to the OWASP Code of
> Ethics where we state that OWASP members should not intentionally injure or
> impugn the professional reputation of our colleagues.  I don't think that
> it is rational for us to question whether this is or is not true, and
> therefore feel like our best course of action is to assume that it is and
> work to correct the situation.  My proposal is to remove the Google Hacking
> Inquiry document and any reference documentation as well that is on the
> OWASP public website.  In its stead, I would like to place the following
> text:
> Recently, information has been brought to our attention which allows the
>> current OWASP Board to revisit OWASP's position on the Google Hacking
>> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics
>> <https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>
>> states that we should not intentionally injure or impugn the professional
>> reputation of colleagues and, upon consideration, we feel that perpetuating
>> the inquiry results would do just that.  As such, we feel that it is in the
>> best interests of the OWASP Foundation and all concerned parties to wipe
>> the slate clean by removing the details of the inquiry from our public
>> records at this time.  We feel sincerely sorry for any damages that this
>> inquiry may have caused to any of the parties involved.
> Let me be absolutely clear that this is not what Christian requested, but
> rather, what I feel is the right thing to do given the circumstances.
> Christian's first question to me was "What good did the inquiry do for
> OWASP?" and my answer, unfortunately, is that I'm really not finding any.
> It chastised an active project leader for doing what it appears that
> several others were also doing at the time, potentially furthered personal
> biases, created negative feelings between Christian and OWASP, and just
> generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
> has been allowed to linger for so long as it just perpetuates the things
> that we've done wrong, rather than all of the things that we've done
> right.  Regardless of how Christian or others feel about it, I believe that
> it's time to wipe the slate clean here and put an end to the negativity
> surrounding the inquiry.
> I'd like to propose a vote that we strike any reference to the Google
> Hacking Inquiry on owasp.org and our public documentation and replace it
> with the text above.
> *Request for Reinstatement*
> Unfortunately, our last call was cut short again with Christian dropping
> off the line.  I sent an e-mail to him attempting to reconcile our next
> steps, but I'm not sure that we are on the same page currently.  His desire
> is for OWASP to pursue another inquiry, similar to his own, charging Chris
> Gatford with being the individual behind the initial requests for inquiry
> and treating him as though he were an OWASP member as he was a chapter
> leader during that time.  I told him that I feel like the inquiry should
> not have been undertaken in the first place and that performing another
> inquiry and getting involved in a dispute between the two of them would
> serve no value to OWASP.  I have politely declined my support for such an
> initiative, but told him I would offer it to the other Board members if any
> of you are so inclined to pursue it further.
> Since I am unable to support his current request, and since he has stated
> that he is unable to move beyond this until this other inquiry has been
> performed, I am at a loss as far as next steps go.  My proposal would have
> been to do a 90 day probational membership reinstatement for Christian.
> Provided that there were no issues during this time period, I think that we
> could consider whatever level of activity he maintains a relative success
> and we should grant full membership.  However, if there were to be issues,
> the request for reinstatement should be denied with a permanent ban so that
> no future Board members need to brief themselves on the past in order to
> make a decision about the future.  My rationale for this
> is based squarely upon the assumption that all negative behaviors were due
> to the Google Hacking Inquiry and its personal effect on Christian.  A 90
> day probation should serve as a decent test to determine if he is willing
> to move beyond that and put the negativity behind us.  I am not requesting
> a vote at this time here as I feel no decision can be made without
> Christian's support for the path we take.  I will continue to work with him
> to hopefully come to a peaceful resolution.
> ~josh