[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Josh Sokol josh.sokol at owasp.org
Fri Feb 14 17:20:53 UTC 2014


Matt,

I wasn't aware that other inquiries had happened before or after this.
That's new news to me.  I guess I do take some solace in that there was an
official process that existed prior to the Google Hacking Inquiry and it
wasn't created solely for that issue.

I guess I should elaborate on "I don't think that it's our place to
question whether this is or is not the case so if he says this is true".
The problem that we run into here is that this is a largely subjective
metric.  I do believe that evidence exists to show that Christian's
personal state diminished after the Inquiry.  I don't know, however, if we
can conclusively say that the Inquiry was the cause of that state.  I know
that Christian feels that it was and it's difficult to question feelings.
If you ask me, I believe it to be true based on the research that I've
done.  Others may feel differently.  In your example, there would be direct
harm to the Foundation if we took you at your word and paid you out.  In
Christian's case, I don't see any harm in believing that he feels that he
has been hurt and doing our diligence to try to prevent that.  That
document's utility is long gone and I think most of us can legitimately say
that we want to prevent others from being hurt by our actions whether
intentional or not.  Hence, my statement.  For clarity, I haven't
side-stepped verification.  I've formulated my own opinions and encourage
others to do the same, but feel that a more objective measurement of damage
to an individual seems rather insensitive in this case.

~josh


On Fri, Feb 14, 2014 at 10:28 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> Josh,
>
> Two quick points to clarify:
>
> * I didn't work the Google Hacking inquiry.  I did create the process for
> handling inquiries during the first one which involved the AppSec Brazil
> 2009 conference.  So I'm not responding based on a perceived critique of my
> work - I was only tangentially involved in the Google Hacking inquiry.  I
> simply do not like the precedent this will set.
>
> * I believe you are making a logical error in your statement "I don't
> think that it's our place to question whether this is or is not the case so
> if he says this is true".  I have always acted upon the trust but verify
> principle. Under your logical construct, simply side-stepping any
> verification due to it being a sensitive topic is not a good answer in my
> opinion.  If you cannot easily verify the claim, then soften the response.
> I'm surprised that you would take a statement on face value where the
> speaker has an incentive to stray from the truth without any sort of
> compensating action.
>
> If you take this to an extreme, I can say that OWASP owes me $10,00 in
> lost wages due to the time I spend on OWASP WTE. It must be true because I
> said it.  This is obviously ridiculous but follows from your logical
> construct.
>
> I have already spent far more digital ink on this than I intended.
> There's no personal or organizational enmity here - I simply wanted to
> register my opinion that the statement goes too far and, if I were the
> OWASP overlord, I wouldn't make it.
>
> You and the current board should do as you best see fit - that is why the
> community elected the current members.
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> On Thu, Feb 13, 2014 at 11:01 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Matt,
>>
>> As always your advice and friendship is truly valued by me.  I want to
>> assure you that when Tobias and I drafted that message, it was with the
>> desire to remain relatively neutral in our stance on the issue, while at
>> the same time recognizing that the document serves no real purpose today
>> other than to be a continuous reminder of what I think we can all agree was
>> a negative all around experience.  Perhaps a bit more of an explanation for
>> the wording is in order here:
>>
>>
>> *Recently, information has been brought to our attention which allows the
>> current OWASP Board to revisit OWASP's position on the Google Hacking
>> Inquiry that was undertaken in July of 2010.*
>>
>> This refers in large part to Christian's request for reinstatement.  His
>> desire to rejoin OWASP, coupled with the inexperience of three of the new
>> Board members, meant that we needed to revisit this situation in order to
>> make an educated decision on it.
>>
>>
>> *The OWASP Code of Ethics states that we should not intentionally injure
>> or impugn the professional reputation of colleagues and, upon
>> consideration, we feel that perpetuating the inquiry results would do just
>> that.*
>>
>> This is the same Code of Ethics that applies to all OWASP members and it
>> was written to ensure that everyone is treated with respect and dignity.
>> From Christian's statements, it is clear that he feels that the inquiry has
>> resulted in employment issues and has contributed to his emotional
>> detriment.  I don't think that it's our place to question whether this is
>> or is not the case so if he says this is true, then per our Code of Ethics,
>> we should refrain from any activity that would cause this.
>>
>>
>> *As such, we feel that it is in the best interests of the OWASP
>> Foundation and all concerned parties to wipe the slate clean by removing
>> the details of the inquiry from our public records at this time. *
>>
>> The Board desiring a clean start is by no means a denigration of
>> activities by the previous Board.  It is simply an acknowledgement that
>> there may currently be negative feelings on both sides of the fence that
>> need to be set aside in order to move forward in a positive fashion.
>> Removing the inquiry, as you said, is meant to show others that it is no
>> longer relevant.  The problem is that we are a community founded on open
>> principles and without a statement in its place, I'm concerned that people
>> will question whether we're hiding something or sweeping it under the rug.
>> I feel that acknowledging what happened, but questioning its value going
>> forward is the best way to be open while also laying this issue to rest.
>>
>> *We feel sincerely sorry for any damages that this inquiry may have
>> caused to any of the parties involved.*
>>
>> I believe you when you say that you had no intention to damage Christian
>> at the time.  This isn't an attempt to fault you or place blame.  Even if
>> you accidentally bump someone with your cart at the store, you still say
>> you're sorry, don't you?
>>
>> I hope that makes more sense to you now.  It's not an attempt to question
>> the past, but rather, an attempt to make a statement about how OWASP
>> intends to move forward.
>>
>> As for your points about the many negative things that Christian has
>> done, you're right.  He's said and done some pretty awful things.  Much of
>> it was provoked, some probably not, but it's extremely difficult to excuse
>> it.  That said, it's not entirely true that Christian hasn't expressed
>> remorse for some of the things he's said.  He did this to some extent on a
>> call that I had with him and he has said that he is willing to apologize.
>> But yes, you're right, the current Board has to weigh his past, present,
>> and future actions and words against the subjective "What's best for OWASP
>> and its community."  The jury is still deliberating on that one, but I do
>> feel that my proposed action on the inquiry document itself should happen
>> regardless of that decision.
>>
>> Matt, thanks for contributing your thoughts and feelings to the
>> discussion.  You've got my number if you want to discuss further at any
>> point.
>>
>> ~josh
>>
>>
>> On Thu, Feb 13, 2014 at 9:22 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>>
>>> Josh,
>>>
>>> I'm taking a bit of time to respond to this after sleeping on my
>>> response for several days.  I continue to have issues that I feel compelled
>>> to air to the board list.  I will try to keep this short.
>>>
>>> (1) I have no problem with removing the inquiry content off the wiki.
>>> Its continued utility, without regard to its past utility, is little to
>>> zero to both OWASP and the world at large.
>>>
>>> (2) I do have a problem with the statement you propose to put in its
>>> place.  I'm not sure what purpose it serves beyond denigrating the work by
>>> previous board members.  Simply removing of the content (and the fact that
>>> there's wiki history to show it was removed for the curious) demonstrates
>>> that it is no longer relevant.
>>>
>>> However, your statement is a quasi-indictment of the actions of a past
>>> board.  Read between your lines - the fact that "to wipe the slate clean",
>>> "intentionally injure or impugn the professional reputation" plus "We feel
>>> sincerely sorry for any damages" presupposes that there was purposeful and
>>> intended fault on the part of those working on that inquiry.
>>>
>>> Please don't set the precedent for future boards to retrospectively
>>> question the actions of past boards and the community hampered by the
>>> distortion of time and the utter lack of context in which the original
>>> decision was made.  For egregious faults, definitely question past boards
>>> or any relevant parties, but this is nowhere near that standard.
>>>
>>> Add to this the fact that I have yet to see Christian take one iota of
>>> responsibility for any of his actions with the community in the past.  He
>>> has been negative on multiple occasions - look at the Top 10 list for his
>>> Sonatype + Aspect conspiracy emails, look at the plainly hateful comment
>>> about Paulo's tragic loss.  I have yet to hear any words of atonement,
>>> regret or contrition from Christian.  Everything happens *to him*, not
>>> by him.
>>>
>>> Add to this that he is the ONLY community member, current or past, that
>>> required a Gmail tag in my @owasp.org email just to keep track of the
>>> controversies around him.  This was particularly true during my stint on
>>> the Foundation board but didn't stop when my board tenure ended.
>>>
>>> Finally, OWASP is principally constructed of *volunteers* who *choose* to
>>> spend time on OWASP and forgo spending their free time on other pursuits
>>> - a meritocracy, if you will.  I see little to no value to the community in
>>> your suggested message about the Google Hacking Inquiry.  I'd much prefer
>>> time (and wiki) content was spent extolling those that add to the community
>>> in substantial ways rather than someone whose contributions are
>>> controversial at best.
>>>
>>> I look forward to your well reasoned reply as well as an overly long
>>> email from Christian with loads of links to cherry-picked, out of context
>>> information.
>>>
>>> For my own self, I'm going to focus on the positive portions of the
>>> OWASP community.  Even those who contribute outside OWASP to the betterment
>>> of applications and developers [1] who purportedly have "well known
>>> mental health issues". His answer is not far off what I would have said,
>>> but he, unlike me, took the time to answer and help someone in need.
>>>
>>> </Matt's at least 10 cents>
>>>
>>> [1]
>>> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-February/009002.html
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP WTE Project Lead
>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>> http://AppSecLive.org - Community and Download site
>>> OWASP OpenStack Security Project Lead
>>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>>
>>>
>>> On Mon, Feb 3, 2014 at 5:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>> OWASP Board,
>>>>
>>>> I feel, at this point, like I am ready to make a recommendation on the
>>>> Google Hacking Inquiry, but am currently waiting to hear back from
>>>> Christian regarding his ability to move forward if his membership were to
>>>> be reinstated.
>>>>
>>>> *Google Hacking Inquiry*
>>>> Regarding the Google Hacking inquiry, I have had a couple of phone
>>>> calls now with Christian as well as one with Chris Gates (both recorded and
>>>> you've been provided with links separately).  I've also been in contact
>>>> with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
>>>> circumstances around the Google Hacking Inquiry.  There have been a few
>>>> others whose names have come up that it may be pertinent to speak to (Chris
>>>> Spencer and Andrew Vanderstock), but I'm confident that it won't change my
>>>> advice here.  While I cannot go so far as to say that a great injustice has
>>>> been done, I do think that I've found plenty of evidence to make me doubt
>>>> the circumstances of the inquiry and its benefit (or lack thereof) to
>>>> OWASP.
>>>>
>>>> Unfortunately, back then, there does not appear to have been much
>>>> control over the projects.  There did not exist the new levels, but if I
>>>> had to qualify it, I'd say that the Google Hacking Project fits squarely
>>>> into the "Incubator" level of our new project classification.  The
>>>> interesting thing about this level is that source code is NOT required.  To
>>>> the contrary, this level is basically, "I have an idea, let's see if I can
>>>> turn it into something real."  One of the deliverables for moving on to the
>>>> next level is a working POC, but from the looks of it, one could remain in
>>>> the "Incubator" bucket for up to a year without ever providing the source
>>>> code.  And, assuming you did that, the consequence is to be de-listed from
>>>> the "Incubator" bucket until you have a POC.  This makes 100% sense to me
>>>> as it helps to foster ideas and provide support while still maintaining
>>>> quality control over our projects.  Christian's claim is that he had his
>>>> source code in an open repository, but never published a link because his
>>>> project was never reviewed.  He provided at least one potential reviewer
>>>> who was rejected at the time because they were not an OWASP member.  His
>>>> attempts to find a reviewer who was an OWASP member were unsuccessful.  His
>>>> presentations at the time did include a slide soliciting reviewers.  So, my
>>>> conclusion here is that Christian did what would be expected of an
>>>> "Incubator" level project.  Publishing source code probably shouldn't have
>>>> been an expectation (at least not right off the bat) and the resulting
>>>> "punishment" from the Inquiry was certainly harsher than today's standard.
>>>>
>>>> On top of the above, it is clear that Christian feels that the Inquiry
>>>> has affected his ability to work as well as his general state of well
>>>> being.  If this is true, then it is in direct contradiction to the OWASP
>>>> Code of Ethics where we state that OWASP members should not intentionally
>>>> injure or impugn the professional reputation of our colleagues.  I don't
>>>> think that it is rational for us to question whether this is or is not
>>>> true, and therefore feel like our best course of action is to assume that
>>>> it is and work to correct the situation.  My proposal is to remove the
>>>> Google Hacking Inquiry document and any reference documentation as well
>>>> that is on the OWASP public website.  In its stead, I would like to place
>>>> the following text:
>>>>
>>>>> Recently, information has been brought to our attention which allows
>>>>> the current OWASP Board to revisit OWASP's position on the Google Hacking
>>>>> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics
>>>>> <https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>
>>>>> states that we should not intentionally injure or impugn the professional
>>>>> reputation of colleagues and, upon consideration, we feel that perpetuating
>>>>> the inquiry results would do just that.  As such, we feel that it is in the
>>>>> best interests of the OWASP Foundation and all concerned parties to wipe
>>>>> the slate clean by removing the details of the inquiry from our public
>>>>> records at this time.  We feel sincerely sorry for any damages that this
>>>>> inquiry may have caused to any of the parties involved.
>>>>>
>>>>
>>>> Let me be absolutely clear that this is not what Christian requested,
>>>> but rather, what I feel is the right thing to do given the circumstances.
>>>> Christian's first question to me was "What good did the inquiry do for
>>>> OWASP?" and my answer, unfortunately, is that I'm really not finding any.
>>>> It chastised an active project leader for doing what it appears that
>>>> several others were also doing at the time, potentially furthered personal
>>>> biases, created negative feelings between Christian and OWASP, and just
>>>> generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
>>>> has been allowed to linger for so long as it just perpetuates the things
>>>> that we've done wrong, rather than all of the things that we've done
>>>> right.  Regardless of how Christian or others feel about it, I believe that
>>>> it's time to wipe the slate clean here and put an end to the negativity
>>>> surrounding the inquiry.
>>>>
>>>> I'd like to propose a vote that we strike any reference to the Google
>>>> Hacking Inquiry on owasp.org and our public documentation and replace
>>>> it with the text above.
>>>>
>>>> *Request for Reinstatement*
>>>> Unfortunately, our last call was cut short again with Christian
>>>> dropping off the line.  I sent an e-mail to him attempting to reconcile our
>>>> next steps, but I'm not sure that we are on the same page currently.  His
>>>> desire is for OWASP to pursue another inquiry, similar to his own, charging
>>>> Chris Gatford with being the individual behind the initial requests for
>>>> inquiry and treating him as though he were an OWASP member as he was a
>>>> chapter leader during that time.  I told him that I feel like the inquiry
>>>> should not have been undertaken in the first place and that performing
>>>> another inquiry and getting involved in a dispute between the two of them
>>>> would serve no value to OWASP.  I have politely declined my support for
>>>> such an initiative, but told him I would offer it to the other Board
>>>> members if any of you are so inclined to pursue it further.
>>>>
>>>> Since I am unable to support his current request, and since he has
>>>> stated that he is unable to move beyond this until this other inquiry has
>>>> been performed, I am at a loss as far as next steps go.  My proposal would
>>>> have been to do a 90 day probational membership reinstatement for
>>>> Christian.  Provided that there were no issues during this time period, I
>>>> think that we could consider whatever level of activity he maintains a
>>>> relative success and we should grant full membership.  However, if there
>>>> were to be issues, the request for reinstatement should be denied with a
>>>> permanent ban so that no future Board members need to brief themselves on
>>>> the past in order to make a decision about the future.  My rationale for
>>>> this is based squarely upon the assumption that all negative behaviors
>>>> were due to the Google Hacking Inquiry and its personal effect on
>>>> Christian.  A 90 day probation should serve as a decent test to
>>>> determine if he is willing to move beyond that and put the negativity
>>>> behind us.  I am not requesting a vote at this time here as I feel no
>>>> decision can be made without Christian's support for the path we take.  I
>>>> will continue to work with him to hopefully come to a peaceful resolution.
>>>>
>>>> ~josh
>>>>