[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Tobias tobias.gondrom at owasp.org
Fri Feb 14 18:13:28 UTC 2014

Hi Matt, hi all,

from my perspective:
The Google Hacking Inquiry was concluded in September 2010.
The consequence, a six-month suspension from the leaders list, ended in
March 2011.
This is now 3 years ago. Case closed. There is no need to keep such a
closed case on public record more than 3 years after. We will of course
archive the document internally, to be able to produce it in case there
might be a dispute at some point in the future as to its content.
What motivates me to remove this from the public record is that the penalty
ended three years ago. Keeping this document on public
record longer than three years after the event seems unreasonable, as it
could be argued that the pure existence of this record in public is
actually a perpetuating sentence in itself beyond the one that was
intended during the inquiry. And I note that the records show that this
inquiry was not the reason for a membership revocation mentioned elsewhere.

Public records can be good for transparency while a case is in progress,
but at some point an organisation needs to move on and allow all
involved to do the same.

IMHO, the new text (which I support) is a good placeholder showing that
there was a record before and this has been removed. And I am indeed
sorry for any possible collateral damage that that record itself may
have caused.

Best regards, Tobias

PS: it might be worth noting that my opinion about keeping this record
no longer public is independent of my opinion on other related issues.

On 14/02/14 03:22, Matt Tesauro wrote:
> Josh, 
> I'm taking a bit of time to respond to this after sleeping on my
> response for several days.  I continue to have issues that I feel
> compelled to air to the board list.  I will try to keep this short.
> (1) I have no problem with removing the inquiry content off the wiki.
>  Its continued utility, without regard to its past utility, is little
> to zero to both OWASP and the world at large.
> (2) I do have a problem with the statement you propose to put in its
> place.  I'm not sure what purpose it serves beyond denigrating the
> work by previous board members.  Simply removing the content (and
> the fact that there's wiki history to show it was removed for the
> curious) demonstrates that it is no longer relevant.  
> However, your statement is a quasi-indictment of the actions of a past
> board.  Read between your lines - the fact that "to wipe the slate
> clean", "intentionally injure or impugn the professional reputation"
> plus "We feel sincerely sorry for any damages" presupposes that there
> was purposeful and intended fault on the part of those working on that
> inquiry.
> Please don't set the precedent for future boards to retrospectively
> question the actions of past boards and the community, hampered by the
> distortion of time and the utter lack of context in which the original
> decision was made.  For egregious faults, definitely question past
> boards or any relevant parties, but this is nowhere near that standard. 
> Add to this the fact that I have yet to see Christian take one iota of
> responsibility for any of his actions with the community in the past.
>  He has been negative on multiple occasions - look at the Top 10 list
> for his Sonatype + Aspect conspiracy emails, look at the plainly
> hateful comment about Paulo's tragic loss.  I have yet to hear any
> words of atonement, regret or contrition from Christian.  Everything
> happens _*to him*_, not by him.
> Add to this that he is the ONLY community member, current or past,
> that required a Gmail tag in my @owasp.org email
> just to keep track of the controversies around him.  This was
> particularly true during my stint on the Foundation board but didn't
> stop when my board tenure ended.
> Finally, OWASP is principally constructed of _volunteers_ who _choose_
> to spend time on OWASP and forgo spending their free time on other
> pursuits - a meritocracy, if you will.  I see little to no value to
> the community in your suggested message about the Google Hacking
> Inquiry.  I'd much prefer time (and wiki) content was spent extolling
> those that add to the community in substantial ways rather than
> someone whose contributions are controversial at best.   
> I look forward to your well reasoned reply as well as an overly long
> email from Christian with loads of links to cherry-picked, out of
> context information.
> For my own self, I'm going to focus on the positive portions of the
> OWASP community.  Even those who contribute outside OWASP to the
> betterment of applications and developers [1] who purportedly have
> "well known mental health issues". His answer is not far off what I
> would have said, but he, unlike me, took the time to answer and help
> someone in need.
> </Matt's at least 10 cents>
> [1] http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-February/009002.html
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
> On Mon, Feb 3, 2014 at 5:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>     OWASP Board,
>     I feel, at this point, like I am ready to make a recommendation on
>     the Google Hacking Inquiry, but am currently waiting to hear back
>     from Christian regarding his ability to move forward if his
>     membership were to be reinstated.
>     _*Google Hacking Inquiry*_
>     Regarding the Google Hacking inquiry, I have had a couple of phone
>     calls now with Christian as well as one with Chris Gates (both
>     recorded and you've been provided with links separately).  I've
>     also been in contact with Jeff Williams, Dinis Cruz, Brad Causey,
>     and Jason Li to talk about circumstances around the Google Hacking
>     Inquiry.  There have been a few others whose names have come up
>     that it may be pertinent to speak to (Chris Spencer and Andrew
>     Vanderstock), but I'm confident that it won't change my advice
>     here.  While I cannot go so far as to say that a great injustice
>     has been done, I do think that I've found plenty of evidence to
>     make me doubt the circumstances of the inquiry and its benefit
>     (or lack thereof) to OWASP. 
>     Unfortunately, back then, there does not appear to have been much
>     control over the projects.  There did not exist the new levels,
>     but if I had to qualify it, I'd say that the Google Hacking
>     Project fits squarely into the "Incubator" level of our new
>     project classification.  The interesting thing about this level is
>     that source code is NOT required.  To the contrary, this level is
>     basically, "I have an idea, let's see if I can turn it into
>     something real."  One of the deliverables for moving on to the
>     next level is a working POC, but from the looks of it, one could
>     remain in the "Incubator" bucket for up to a year without ever
>     providing the source code.  And, assuming you did that, the
>     consequence is to be de-listed from the "Incubator" bucket until
>     you have a POC.  This makes 100% sense to me as it helps to foster
>     ideas and provide support while still maintaining quality control
>     over our projects.  Christian's claim is that he had his source
>     code in an open repository, but never published a link because his
>     project was never reviewed.  He provided at least one potential
>     reviewer who was rejected at the time because they were not an
>     OWASP member.  His attempts to find a reviewer who was an OWASP
>     member were unsuccessful.  His presentations at the time did
>     include a slide soliciting reviewers.  So, my conclusion here is
>     that Christian did what would be expected of an "Incubator" level
>     project.  Publishing source code probably shouldn't have been an
>     expectation (at least not right off the bat) and the resulting
>     "punishment" from the Inquiry was certainly harsher than today's
>     standard.
>     On top of the above, it is clear that Christian feels that the
>     Inquiry has affected his ability to work as well as his general
>     state of well being.  If this is true, then it is in direct
>     contradiction to the OWASP Code of Ethics where we state that
>     OWASP members should not intentionally injure or impugn the
>     professional reputation of our colleagues.  I don't think that it
>     is rational for us to question whether this is or is not true, and
>     therefore feel like our best course of action is to assume that it
>     is and work to correct the situation.  My proposal is to remove
>     the Google Hacking Inquiry document and any reference
>     documentation as well that is on the OWASP public website.  In
>     its stead, I would like to place the following text:
>         Recently, information has been brought to our attention which
>         allows the current OWASP Board to revisit OWASP's position on
>         the Google Hacking Inquiry that was undertaken in July of
>         2010.  The OWASP Code of Ethics
>         <https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics> states
>         that we should not intentionally injure or impugn the
>         professional reputation of colleagues and, upon consideration,
>         we feel that perpetuating the inquiry results would do just
>         that.  As such, we feel that it is in the best interests of
>         the OWASP Foundation and all concerned parties to wipe the
>         slate clean by removing the details of the inquiry from our
>         public records at this time.  We feel sincerely sorry for any
>         damages that this inquiry may have caused to any of the
>         parties involved.
>     Let me be absolutely clear that this is not what Christian
>     requested, but rather, what I feel is the right thing to do given
>     the circumstances.  Christian's first question to me was "What
>     good did the inquiry do for OWASP?" and my answer, unfortunately,
>     is that I'm really not finding any.  It chastised an active
>     project leader for doing what it appears that several others were
>     also doing at the time, potentially furthered personal biases,
>     created negative feelings between Christian and OWASP, and just
>     generally seems unfair to me.  I'm actually a bit ashamed that
>     this inquiry has been allowed to linger for so long as it just
>     perpetuates the things that we've done wrong, rather than all of
>     the things that we've done right.  Regardless of how Christian or
>     others feel about it, I believe that it's time to wipe the slate
>     clean here and put an end to the negativity surrounding the inquiry. 
>     I'd like to propose a vote that we strike any reference to the
>     Google Hacking Inquiry on owasp.org and our
>     public documentation and replace it with the text above.
>     _*Request for Reinstatement*_
>     Unfortunately, our last call was cut short again with Christian
>     dropping off the line.  I sent an e-mail to him attempting to
>     reconcile our next steps, but I'm not sure that we are on the same
>     page currently.  His desire is for OWASP to pursue another
>     inquiry, similar to his own, charging Chris Gatford with being the
>     individual behind the initial requests for inquiry and treating
>     him as though he were an OWASP member as he was a chapter leader
>     during that time.  I told him that I feel like the inquiry should
>     not have been undertaken in the first place and that performing
>     another inquiry and getting involved in a dispute between the two
>     of them would serve no value to OWASP.  I have politely declined
>     my support for such an initiative, but told him I would offer it
>     to the other Board members if any of you are so inclined to pursue
>     it further. 
>     Since I am unable to support his current request, and since he has
>     stated that he is unable to move beyond this until this other
>     inquiry has been performed, I am at a loss as far as next steps
>     go.  My proposal would have been to do a 90 day probational
>     membership reinstatement for Christian.  Provided that there were
>     no issues during this time period, I think that we could consider
>     whatever level of activity he maintains a relative success and we
>     should grant full membership.  However, if there were to be
>     issues, the request for reinstatement should be denied with a
>     permanent ban so that no future Board members need to brief
>     themselves on the past in order to make a decision about the
>     future.  My rationale for this is based
>     squarely upon the assumption that all negative behaviors were due
>     to the Google Hacking Inquiry and its personal effect on
>     Christian.  A 90 day probation should serve as a decent test to
>     determine if he is willing to move beyond that and put the
>     negativity behind us.  I am not requesting a vote at this time
>     here as I feel no decision can be made without Christian's support
>     for the path we take.  I will continue to work with him to
>     hopefully come to a peaceful resolution.
>     ~josh
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-board
