[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Matt Tesauro matt.tesauro at owasp.org
Fri Feb 14 16:28:54 UTC 2014


Josh,

Two quick points to clarify:

* I didn't work the Google Hacking inquiry.  I did create the process for
handling inquiries during the first one which involved the AppSec Brazil
2009 conference.  So I'm not responding based on a perceived critique of my
work - I was only tangentially involved in the Google Hacking inquiry.  I
simply do not like the precedent this will set.

* I believe you are making a logical error in your statement "I don't think
that it's our place to question whether this is or is not the case so if he
says this is true".  I have always acted upon the trust but verify
principal and, under your logical construct,  Simply side-stepping any
verification due to it being a sensitive topic is not a good answer in my
opinion.  If you cannot easily verify the claim, then soften the response.
 I'm surprised that you would take a statement on face value where the
speaker has an incentive to stray from the truth without any sort of
compensating action.

If you take this to an extreme, I can say that OWASP owes me $10,00 in lost
wages due to the time I spend on OWASP WTE. It must be true because I said
it.  This is obviously ridiculous but follows from your logical construct.

I have already spent far more digital ink on this then I intended.  There's
no personal or organizational enmity here - I simply wanted to register my
opinion that the statement goes too far and, if I were the OWASP overloard,
I wouldn't make it.

You and the current board should do as you best see fit - that is why the
community elected the current members.

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project


On Thu, Feb 13, 2014 at 11:01 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Matt,
>
> As always your advice and friendship is truly valued by me.  I want to
> assure you that when Tobias and I drafted that message, it was with the
> desire to remain relatively neutral in our stance on the issue, while at
> the same time recognizing that the document serves no real purpose today
> other than to be a continuous reminder of what I think we can all agree was
> a negative all around experience.  Perhaps a bit more of an explanation for
> the wording is in order here:
>
>
> *Recently, information has been brought to our attention which allows the
> current OWASP Board to revisit OWASP's position on the Google Hacking
> Inquiry that was undertaken in July of 2010.*
>
> This refers in large part to Christian's request for reinstatement.  His
> desire to rejoin OWASP, coupled with the inexperience of three of the new
> Board members, meant that we needed to revisit this situation in order to
> make an educated decision on it.
>
>
> *The OWASP Code of Ethics states that we should not intentionally injure
> or impugn the professional reputation of colleagues and, upon
> consideration, we feel that perpetuating the inquiry results would do just
> that.*
>
> This is the same Code of Ethics that applies to all OWASP members and it
> was written to ensure that everyone is treated with respect and dignity.
> From Christian's statements, it is clear that he feels that the inquiry has
> resulted in employment issues and has contributed to his emotional
> detriment.  I don't think that it's our place to question whether this is
> or is not the case so if he says this is true, then per our Code of Ethics,
> we should refrain from any activity that would cause this.
>
>
> *As such, we feel that it is in the best interests of the OWASP Foundation
> and all concerned parties to wipe the slate clean by removing the details
> of the inquiry from our public records at this time. *
>
> The Board desiring a clean start is by no means a denigration of
> activities by the previous Board.  It is simply an acknowledgement that
> there may currently be negative feelings on both sides of the fence that
> need to be set aside in order to move forward in a positive fashion.
> Removing the inquiry, as you said, is meant to show others that it is no
> longer relevant.  The problem is that we are a community founded on open
> principles and without a statement in it's place, I'm concerned that people
> will question whether we're hiding something or sweeping it under the rug.
> I feel that acknowledging what happened, but questioning it's value going
> forward is the best way to be open while also laying this issue to rest.
>
> *We feel sincerely sorry for any damages that this inquiry may have caused
> to any of the parties involved.*
>
> I believe you when you say that you had no intention to damage Christian
> at the time.  This isn't an attempt to fault you or place blame.  Even if
> you accidentally bump someone with your cart at the store, you still say
> you're sorry, don't you?
>
> I hope that makes more sense to you now.  It's not an attempt to question
> the past, but rather, an attempt to make a statement about how OWASP
> intends to move forward.
>
> As for your points about the many negative things that Christian has done,
> you're right.  He's said and done some pretty awful things.  Much of it was
> provoked, some probably not, but it's extremely difficult to excuse it.
> That said, it's not entirely true that Christian hasn't expressed remorse
> for some of the things he's said.  He did this to some extent on a call
> that I had with him and he has said that he is willing to apologize.  But
> yes, you're right, the current Board has to weigh his past, present, and
> future actions and words against the subjective "What's best for OWASP and
> it's community."  The jury is still deliberating on that one, but I do feel
> that my proposed action on the inquiry document itself should happen
> regardless of that decision.
>
> Matt, thanks for contributing your thoughts and feelings to the
> discussion.  You've got my number if you want to discuss further at any
> point.
>
> ~josh
>
>
> On Thu, Feb 13, 2014 at 9:22 PM, Matt Tesauro <matt.tesauro at owasp.org>wrote:
>
>> Josh,
>>
>> I'm taking a bit of time to respond to this after sleeping on my response
>> for several days.  I continue to have issues that I feel compelled to air
>> to the board list.  I will try to keep this short.
>>
>> (1) I have no problem with removing the inquiry content off the wiki.
>>  Its continued utility, without regard to its past utility, is little to
>> zero to both OWASP and the world at large.
>>
>>  (2) I do have a problem with the statement you propose to put in its
>> place.  I'm not sure what purpose it serves beyond denigrating the work by
>> previous board members.  Simply removing of the content (and the fact that
>> there's wiki history to show it was removed for the curious) demonstrates
>> that it is no longer relevant.
>>
>> However, your statement is a quasi-indictment of the actions of a past
>> board.  Read between your lines - the fact that "to wipe the slate clean",
>> "intentionally injure or impugn the professional reputation" plus "We feel
>> sincerely sorry for any damages" presupposes that there was purposeful and
>> intended fault on the part of those working on that inquiry.
>>
>> Please don't set the precedent for future boards to retrospectively
>> question the actions of past boards and the community hampered the
>> distortion of time and the utter lack of context in which the original
>> decision was made.  For egregious faults, definitely question past boards
>> or any relevant parties, but this is no where near that standard.
>>
>> Add to this the fact that I have yet to see Christian take one iota of
>> responsibility for any of his actions with the community in the past.  He
>> has been negative on multiple occasions - look at the Top 10 list for his
>> Sonatype + Aspect conspiracy emails, look at the plainly hateful comment
>> about Paulo's tragic loss.  I have yet to hear any words of atonement,
>> regret or contrition from Christian.  Everything happens *to him*, not
>> by him.
>>
>> Add to this that he is the ONLY community member, current or past, that
>> required a Gmall tag in my @owasp.org email just to keep track of the
>> controversies around him.  This was particularly true during my stint on
>> the Foundation board but didn't stop when my board tenure ended.
>>
>> Finally, OWASP is principally constructed of *volunteers* who *choose*to spend time on OWASP and forgo spending their free time on other pursuits
>> - a meritocracy, if you will.  I see little to no value to the community in
>> your suggested message about the Google Hacking Inquiry.  I'd much prefer
>> time (and wiki) content was spent extolling those that add to the community
>> in substantial ways rather then someone who's contributions are
>> controversial at best.
>>
>> I look forward to your well reasoned reply as well as a overly long email
>> from Christian with loads of links to cherry-picked, out of context
>> information.
>>
>> For my own self, I'm going to focus on the positive portions of the OWASP
>> community.  Even those who contribute outside OWASP to the betterment of
>> applications and developers [1] who purportedly have "well known mental
>> health issues". His answer is not far off what I would have said, but he,
>> unlike me, took the time to answer and help someone in need.
>>
>> </Matt's at least 10 cents>
>>
>> [1]
>> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-February/009002.html
>>
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>
>>
>> On Mon, Feb 3, 2014 at 5:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>>  OWASP Board,
>>>
>>> I feel, at this point, like I am ready to make a recommendation on the
>>> Google Hacking Inquiry, but am currently waiting to hear back from
>>> Christian regarding his ability to move forward if his membership were to
>>> be reinstated.
>>>
>>> *Google Hacking Inquiry*
>>> Regarding the Google Hacking inquiry, I have had a couple of phone calls
>>> now with Christian as well as one with Chris Gates (both recorded and
>>> you've been provided with links separately).  I've also been in contact
>>> with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
>>> circumstances around the Google Hacking Inquiry.  There have been a few
>>> others whose names have come up that it may be pertinent to speak to (Chris
>>> Spencer and Andrew Vanderstock), but I'm confident that it won't change my
>>> advice here.  While I cannot go so far as to say that a great injustice has
>>> been done, I do think that I've found plenty of evidence to make me doubt
>>> the circumstances of the inquiry and it's benefit (or lack thereof) to
>>> OWASP.
>>>
>>> Unfortunately, back then, there does not appear to have been much
>>> control over the projects.  There did not exist the new levels, but if I
>>> had to qualify it, I'd say that the Google Hacking Project fits squarely
>>> into the "Incubator" level of our new project classification.  The
>>> interesting thing about this level is that source code is NOT required.  To
>>> the contrary, this level is basically, "I have an idea, let's see if I can
>>> turn it into something real."  One of the deliverables for moving on to the
>>> next level is a working POC, but from the looks of it, one could remain in
>>> the "Incubator" bucket for up to a year without ever providing the source
>>> code.  And, assuming you did that, the consequence is to be de-listed from
>>> the "Incubator" bucket until you have a POC.  This makes 100% sense to me
>>> as it helps to foster ideas and provide support while still maintaining
>>> quality control over our projects.  Christian's claim is that he had his
>>> source code in an open repository, but never published a link because his
>>> project was never reviewed.  He provided at least one potential reviewer
>>> who was rejected at the time because they were not an OWASP member.  His
>>> attempts to find a reviewer who was an OWASP member were unsuccessful.  His
>>> presentations at the time did include a slide soliciting reviewers.  So, my
>>> conclusion here is that Christian did what would be expected of an
>>> "Incubator" level project.  Publishing source code probably shouldn't have
>>> been an expectation (at least not right off the bat) and the resulting
>>> "punishment" from the Inquiry was certainly harsher than today's standard.
>>>
>>> On top of the above, it is clear that Christian feels that the Inquiry
>>> has affected his ability to work as well as his general state of well
>>> being.  If this is true, then it is in direct contradiction to the OWASP
>>> Code of Ethics where we state that OWASP members should not intentionally
>>> injure or impugn the professional reputation of our colleagues.  I don't
>>> think that it is rational for us to question whether this is or is not
>>> true, and therefore feel like our best course of action is to assume that
>>> it is and work to correct the situation.  My proposal is to remove the
>>> Google Hacking Inquiry document and any reference documentation as well
>>> that is on the OWASP public website.  In it's stead, I would like to place
>>> the following text:
>>>
>>> Recently, information has been brought to our attention which allows the
>>>> current OWASP Board to revisit OWASP's position on the Google Hacking
>>>> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics<https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>states that we should not intentionally injure or impugn the professional
>>>> reputation of colleagues and, upon consideration, we feel that perpetuating
>>>> the inquiry results would do just that.  As such, we feel that it is in the
>>>> best interests of the OWASP Foundation and all concerned parties to wipe
>>>> the slate clean by removing the details of the inquiry from our public
>>>> records at this time.  We feel sincerely sorry for any damages that this
>>>> inquiry may have caused to any of the parties involved.
>>>>
>>>
>>> Let me be absolutely clear that this is not what Christian requested,
>>> but rather, what I feel is the right thing to do given the circumstances.
>>> Christian's first question to me was "What good did the inquiry do for
>>> OWASP?" and my answer, unfortunately, is that I'm really not finding any.
>>> It chastised an active project leader for doing what it appears that
>>> several others were also doing at the time, potentially furthered personal
>>> biases, created negative feelings between Christian and OWASP, and just
>>> generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
>>> has been allowed to linger for so long as it just perpetuates the things
>>> that we've done wrong, rather than all of the things that we've done
>>> right.  Regardless of how Christian or others feel about it, I believe that
>>> it's time to wipe the slate clean here and put an end to the negativity
>>> surrounding the inquiry.
>>>
>>> I'd like to propose a vote that we strike any reference to the Google
>>> Hacking Inquiry on owasp.org and our public documentation and replace
>>> it with the text above.
>>>
>>> *Request for Reinstatement*
>>> Unfortunately, our last call was cut short again with Christian dropping
>>> off the line.  I sent an e-mail to him attempting to reconcile our next
>>> steps, but I'm not sure that we are on the same page currently.  His desire
>>> is for OWASP to pursue another inquiry, similar to his own, charging Chris
>>> Gatford with being the individual behind the initial requests for inquiry
>>> and treating him as though he were an OWASP member as he was a chapter
>>> leader during that time.  I told him that I feel like the inquiry should
>>> not have been undertaken in the first place and that performing another
>>> inquiry and getting involved in a dispute between the two of them would
>>> serve no value to OWASP.  I have politely declined my support for such an
>>> initiative, but told him I would offer it to the other Board members if any
>>> of you are so inclined to pursue it further.
>>>
>>> Since I am unable to support his current request, and since he has
>>> stated that he is unable to move beyond this until this other inquiry has
>>> been performed, I am at a loss as far as next steps go.  My proposal would
>>> have been to do a 90 day probational membership reinstatement for
>>> Christian.  Provided that there were no issues during this time period, I
>>> think that we could consider whatever level of activity he maintains a
>>> relative success and we should grant full membership.  However, if there
>>> were to be issues, the request for reinstatement should be denied with a
>>> permanent ban so that no future Board members need to brief themselves on
>>> the past in order to make a decision about the future.  My rationale for
>>> this rationale for this is based squarely upon the assumption that all
>>> negative behaviors were due to the Google Hacking Inquiry and it's personal
>>> affect on Christian.  A 90 day probation should serve as a decent test to
>>> determine if he is willing to move beyond that and put the negativity
>>> behind us.  I am not requesting a vote at this time here as I feel no
>>> decision can be made without Christian's support for the path we take.  I
>>> will continue to work with him to hopefully come to a peaceful resolution.
>>>
>>> ~josh
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140214/78166cfb/attachment-0001.html>


More information about the Owasp-board mailing list