[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Michael Coates michael.coates at owasp.org
Sat Feb 8 00:59:13 UTC 2014

And vice versa - I'd like you thoughts and counter points before I cast my

Michael Coates

On Fri, Feb 7, 2014 at 4:58 PM, Michael Coates <michael.coates at owasp.org>wrote:

> I certainly trust all of you. But I definitely want a discussion and would
> like my thoughts to be heard (whatever they may be) by others for
> consideration in their vote.
> I would request we refrain from voting until we've had a discussion.
> --
> Michael Coates
> @_mwc
> On Fri, Feb 7, 2014 at 4:51 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> I trust you and the process you went through, so I vote yes to this
>> measure.
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Feb 8, 2014, at 12:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> I received feedback on this from Dennis Groves and Jason Li (off list),
>> but have yet to receive feedback from any of the current Board members.  I
>> am requesting for Sarah to add a vote to the agenda for the 2/24 Board
>> meeting (if we can't agree beforehand) to "Strike any reference to the
>> Google Hacking Inquiry on owasp.org and our public documentation and
>> replace it with <the text in my previous e-mail>".  I would appreciate if
>> you all could provide some sort of communication of support, dissension, or
>> at the very least, acknowledgement, of my e-mail before that time.  Thanks!
>> ~josh
>> On Mon, Feb 3, 2014 at 5:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> OWASP Board,
>>> I feel, at this point, like I am ready to make a recommendation on the
>>> Google Hacking Inquiry, but am currently waiting to hear back from
>>> Christian regarding his ability to move forward if his membership were to
>>> be reinstated.
>>> *Google Hacking Inquiry*
>>> Regarding the Google Hacking inquiry, I have had a couple of phone calls
>>> now with Christian as well as one with Chris Gates (both recorded and
>>> you've been provided with links separately).  I've also been in contact
>>> with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
>>> circumstances around the Google Hacking Inquiry.  There have been a few
>>> others whose names have come up that it may be pertinent to speak to (Chris
>>> Spencer and Andrew Vanderstock), but I'm confident that it won't change my
>>> advice here.  While I cannot go so far as to say that a great injustice has
>>> been done, I do think that I've found plenty of evidence to make me doubt
>>> the circumstances of the inquiry and it's benefit (or lack thereof) to
>>> OWASP.
>>> Unfortunately, back then, there does not appear to have been much
>>> control over the projects.  There did not exist the new levels, but if I
>>> had to qualify it, I'd say that the Google Hacking Project fits squarely
>>> into the "Incubator" level of our new project classification.  The
>>> interesting thing about this level is that source code is NOT required.  To
>>> the contrary, this level is basically, "I have an idea, let's see if I can
>>> turn it into something real."  One of the deliverables for moving on to the
>>> next level is a working POC, but from the looks of it, one could remain in
>>> the "Incubator" bucket for up to a year without ever providing the source
>>> code.  And, assuming you did that, the consequence is to be de-listed from
>>> the "Incubator" bucket until you have a POC.  This makes 100% sense to me
>>> as it helps to foster ideas and provide support while still maintaining
>>> quality control over our projects.  Christian's claim is that he had his
>>> source code in an open repository, but never published a link because his
>>> project was never reviewed.  He provided at least one potential reviewer
>>> who was rejected at the time because they were not an OWASP member.  His
>>> attempts to find a reviewer who was an OWASP member were unsuccessful.  His
>>> presentations at the time did include a slide soliciting reviewers.  So, my
>>> conclusion here is that Christian did what would be expected of an
>>> "Incubator" level project.  Publishing source code probably shouldn't have
>>> been an expectation (at least not right off the bat) and the resulting
>>> "punishment" from the Inquiry was certainly harsher than today's standard.
>>> On top of the above, it is clear that Christian feels that the Inquiry
>>> has affected his ability to work as well as his general state of well
>>> being.  If this is true, then it is in direct contradiction to the OWASP
>>> Code of Ethics where we state that OWASP members should not intentionally
>>> injure or impugn the professional reputation of our colleagues.  I don't
>>> think that it is rational for us to question whether this is or is not
>>> true, and therefore feel like our best course of action is to assume that
>>> it is and work to correct the situation.  My proposal is to remove the
>>> Google Hacking Inquiry document and any reference documentation as well
>>> that is on the OWASP public website.  In it's stead, I would like to place
>>> the following text:
>>> Recently, information has been brought to our attention which allows the
>>>> current OWASP Board to revisit OWASP's position on the Google Hacking
>>>> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics<https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>states that we should not intentionally injure or impugn the professional
>>>> reputation of colleagues and, upon consideration, we feel that perpetuating
>>>> the inquiry results would do just that.  As such, we feel that it is in the
>>>> best interests of the OWASP Foundation and all concerned parties to wipe
>>>> the slate clean by removing the details of the inquiry from our public
>>>> records at this time.  We feel sincerely sorry for any damages that this
>>>> inquiry may have caused to any of the parties involved.
>>> Let me be absolutely clear that this is not what Christian requested,
>>> but rather, what I feel is the right thing to do given the circumstances.
>>> Christian's first question to me was "What good did the inquiry do for
>>> OWASP?" and my answer, unfortunately, is that I'm really not finding any.
>>> It chastised an active project leader for doing what it appears that
>>> several others were also doing at the time, potentially furthered personal
>>> biases, created negative feelings between Christian and OWASP, and just
>>> generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
>>> has been allowed to linger for so long as it just perpetuates the things
>>> that we've done wrong, rather than all of the things that we've done
>>> right.  Regardless of how Christian or others feel about it, I believe that
>>> it's time to wipe the slate clean here and put an end to the negativity
>>> surrounding the inquiry.
>>> I'd like to propose a vote that we strike any reference to the Google
>>> Hacking Inquiry on owasp.org and our public documentation and replace
>>> it with the text above.
>>> *Request for Reinstatement*
>>> Unfortunately, our last call was cut short again with Christian dropping
>>> off the line.  I sent an e-mail to him attempting to reconcile our next
>>> steps, but I'm not sure that we are on the same page currently.  His desire
>>> is for OWASP to pursue another inquiry, similar to his own, charging Chris
>>> Gatford with being the individual behind the initial requests for inquiry
>>> and treating him as though he were an OWASP member as he was a chapter
>>> leader during that time.  I told him that I feel like the inquiry should
>>> not have been undertaken in the first place and that performing another
>>> inquiry and getting involved in a dispute between the two of them would
>>> serve no value to OWASP.  I have politely declined my support for such an
>>> initiative, but told him I would offer it to the other Board members if any
>>> of you are so inclined to pursue it further.
>>> Since I am unable to support his current request, and since he has
>>> stated that he is unable to move beyond this until this other inquiry has
>>> been performed, I am at a loss as far as next steps go.  My proposal would
>>> have been to do a 90 day probational membership reinstatement for
>>> Christian.  Provided that there were no issues during this time period, I
>>> think that we could consider whatever level of activity he maintains a
>>> relative success and we should grant full membership.  However, if there
>>> were to be issues, the request for reinstatement should be denied with a
>>> permanent ban so that no future Board members need to brief themselves on
>>> the past in order to make a decision about the future.  My rationale for
>>> this rationale for this is based squarely upon the assumption that all
>>> negative behaviors were due to the Google Hacking Inquiry and it's personal
>>> affect on Christian.  A 90 day probation should serve as a decent test to
>>> determine if he is willing to move beyond that and put the negativity
>>> behind us.  I am not requesting a vote at this time here as I feel no
>>> decision can be made without Christian's support for the path we take.  I
>>> will continue to work with him to hopefully come to a peaceful resolution.
>>> ~josh
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140207/d021a12e/attachment-0001.html>

More information about the Owasp-board mailing list