[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Jim Manico jim.manico at owasp.org
Sat Feb 8 01:05:38 UTC 2014


I totally respect that. I already listened to both phone calls and reviewed
all of the documentation and encourage everyone to do the same before

I trust (but verified) Josh's communication and work over this matter and
support his requested conclusion.

Jim Manico
(808) 652-3805

On Feb 8, 2014, at 1:58 AM, Michael Coates <michael.coates at owasp.org> wrote:

I certainly trust all of you. But I definitely want a discussion and would
like my thoughts to be heard (whatever they may be) by others for
consideration in their vote.

I would request we refrain from voting until we've had a discussion.

Michael Coates

On Fri, Feb 7, 2014 at 4:51 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I trust you and the process you went through, so I vote yes to this
> measure.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Feb 8, 2014, at 12:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> I received feedback on this from Dennis Groves and Jason Li (off list),
> but have yet to receive feedback from any of the current Board members.  I
> am requesting for Sarah to add a vote to the agenda for the 2/24 Board
> meeting (if we can't agree beforehand) to "Strike any reference to the
> Google Hacking Inquiry on owasp.org and our public documentation and
> replace it with <the text in my previous e-mail>".  I would appreciate if
> you all could provide some sort of communication of support, dissension, or
> at the very least, acknowledgement, of my e-mail before that time.  Thanks!
> ~josh
> On Mon, Feb 3, 2014 at 5:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> OWASP Board,
>> I feel, at this point, like I am ready to make a recommendation on the
>> Google Hacking Inquiry, but am currently waiting to hear back from
>> Christian regarding his ability to move forward if his membership were to
>> be reinstated.
>> *Google Hacking Inquiry*
>> Regarding the Google Hacking inquiry, I have had a couple of phone calls
>> now with Christian as well as one with Chris Gates (both recorded and
>> you've been provided with links separately).  I've also been in contact
>> with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
>> circumstances around the Google Hacking Inquiry.  There have been a few
>> others whose names have come up that it may be pertinent to speak to (Chris
>> Spencer and Andrew Vanderstock), but I'm confident that it won't change my
>> advice here.  While I cannot go so far as to say that a great injustice has
>> been done, I do think that I've found plenty of evidence to make me doubt
>> the circumstances of the inquiry and it's benefit (or lack thereof) to
>> Unfortunately, back then, there does not appear to have been much control
>> over the projects.  There did not exist the new levels, but if I had to
>> qualify it, I'd say that the Google Hacking Project fits squarely into the
>> "Incubator" level of our new project classification.  The interesting thing
>> about this level is that source code is NOT required.  To the contrary,
>> this level is basically, "I have an idea, let's see if I can turn it into
>> something real."  One of the deliverables for moving on to the next level
>> is a working POC, but from the looks of it, one could remain in the
>> "Incubator" bucket for up to a year without ever providing the source
>> code.  And, assuming you did that, the consequence is to be de-listed from
>> the "Incubator" bucket until you have a POC.  This makes 100% sense to me
>> as it helps to foster ideas and provide support while still maintaining
>> quality control over our projects.  Christian's claim is that he had his
>> source code in an open repository, but never published a link because his
>> project was never reviewed.  He provided at least one potential reviewer
>> who was rejected at the time because they were not an OWASP member.  His
>> attempts to find a reviewer who was an OWASP member were unsuccessful.  His
>> presentations at the time did include a slide soliciting reviewers.  So, my
>> conclusion here is that Christian did what would be expected of an
>> "Incubator" level project.  Publishing source code probably shouldn't have
>> been an expectation (at least not right off the bat) and the resulting
>> "punishment" from the Inquiry was certainly harsher than today's standard.
>> On top of the above, it is clear that Christian feels that the Inquiry
>> has affected his ability to work as well as his general state of well
>> being.  If this is true, then it is in direct contradiction to the OWASP
>> Code of Ethics where we state that OWASP members should not intentionally
>> injure or impugn the professional reputation of our colleagues.  I don't
>> think that it is rational for us to question whether this is or is not
>> true, and therefore feel like our best course of action is to assume that
>> it is and work to correct the situation.  My proposal is to remove the
>> Google Hacking Inquiry document and any reference documentation as well
>> that is on the OWASP public website.  In it's stead, I would like to place
>> the following text:
>> Recently, information has been brought to our attention which allows the
>>> current OWASP Board to revisit OWASP's position on the Google Hacking
>>> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics<https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>states that we should not intentionally injure or impugn the professional
>>> reputation of colleagues and, upon consideration, we feel that perpetuating
>>> the inquiry results would do just that.  As such, we feel that it is in the
>>> best interests of the OWASP Foundation and all concerned parties to wipe
>>> the slate clean by removing the details of the inquiry from our public
>>> records at this time.  We feel sincerely sorry for any damages that this
>>> inquiry may have caused to any of the parties involved.
>> Let me be absolutely clear that this is not what Christian requested, but
>> rather, what I feel is the right thing to do given the circumstances.
>> Christian's first question to me was "What good did the inquiry do for
>> OWASP?" and my answer, unfortunately, is that I'm really not finding any.
>> It chastised an active project leader for doing what it appears that
>> several others were also doing at the time, potentially furthered personal
>> biases, created negative feelings between Christian and OWASP, and just
>> generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
>> has been allowed to linger for so long as it just perpetuates the things
>> that we've done wrong, rather than all of the things that we've done
>> right.  Regardless of how Christian or others feel about it, I believe that
>> it's time to wipe the slate clean here and put an end to the negativity
>> surrounding the inquiry.
>> I'd like to propose a vote that we strike any reference to the Google
>> Hacking Inquiry on owasp.org and our public documentation and replace it
>> with the text above.
>> *Request for Reinstatement*
>> Unfortunately, our last call was cut short again with Christian dropping
>> off the line.  I sent an e-mail to him attempting to reconcile our next
>> steps, but I'm not sure that we are on the same page currently.  His desire
>> is for OWASP to pursue another inquiry, similar to his own, charging Chris
>> Gatford with being the individual behind the initial requests for inquiry
>> and treating him as though he were an OWASP member as he was a chapter
>> leader during that time.  I told him that I feel like the inquiry should
>> not have been undertaken in the first place and that performing another
>> inquiry and getting involved in a dispute between the two of them would
>> serve no value to OWASP.  I have politely declined my support for such an
>> initiative, but told him I would offer it to the other Board members if any
>> of you are so inclined to pursue it further.
>> Since I am unable to support his current request, and since he has stated
>> that he is unable to move beyond this until this other inquiry has been
>> performed, I am at a loss as far as next steps go.  My proposal would have
>> been to do a 90 day probational membership reinstatement for Christian.
>> Provided that there were no issues during this time period, I think that we
>> could consider whatever level of activity he maintains a relative success
>> and we should grant full membership.  However, if there were to be issues,
>> the request for reinstatement should be denied with a permanent ban so that
>> no future Board members need to brief themselves on the past in order to
>> make a decision about the future.  My rationale for this rationale for this
>> is based squarely upon the assumption that all negative behaviors were due
>> to the Google Hacking Inquiry and it's personal affect on Christian.  A 90
>> day probation should serve as a decent test to determine if he is willing
>> to move beyond that and put the negativity behind us.  I am not requesting
>> a vote at this time here as I feel no decision can be made without
>> Christian's support for the path we take.  I will continue to work with him
>> to hopefully come to a peaceful resolution.
>> ~josh
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140208/bc2f10c3/attachment-0001.html>

More information about the Owasp-board mailing list