[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Josh Sokol josh.sokol at owasp.org
Wed Feb 19 01:05:44 UTC 2014


Christian had a suggestion for alternate wording, but has agreed that the
proposed replacement text is still better than the document as it exists
today.  Since I have received votes of support from both Tobias and Jim, I
would like to have a vote on this proposal added to the 2/24 Board meeting
agenda as new business.

~josh


On Fri, Feb 14, 2014 at 12:13 PM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Hi Matt, hi all,
>
> from my perspective:
> The Google Hacking Inquiry was concluded in September 2010.
> The consequence of a 6-month suspension from the leaders list ended in
> March 2011.
> This is now 3 years ago. Case closed. There is no need to keep such a
> closed case on public record more than 3 years after. We will of course
> archive the document internally, to be able to produce it in case there
> might be a dispute at some point in the future as to its content.
> What motivates me to remove this from public record, is that the penalty
> has been finished three years ago. Keeping this document on public record
> longer than three years after the event seems unreasonable, as it could be
> argued that the pure existence of this record in the public is actually a
> perpetuating sentence in itself beyond the one that was intended during the
> inquiry. And I note that the records show that this inquiry was not the
> reason for a membership revocation mentioned elsewhere.
>
> Public records can be good for transparency while a case is in progress,
> but at some point an organisation needs to move on and allow all involved
> to do the same.
>
> IMHO, the new text (which I support) is a good place-holder showing that
> there was a record before and this has been removed. And I am indeed sorry
> for any possible collateral damage that that record itself may have caused.
>
> Best regards, Tobias
>
>
> PS: it might be worth noting that my opinion about keeping this record no
> longer public is independent of my opinion on other related issues.
>
>
>
>
> On 14/02/14 03:22, Matt Tesauro wrote:
>
> Josh,
>
>  I'm taking a bit of time to respond to this after sleeping on my
> response for several days.  I continue to have issues that I feel compelled
> to air to the board list.  I will try to keep this short.
>
>  (1) I have no problem with removing the inquiry content off the wiki.
>  Its continued utility, without regard to its past utility, is little to
> zero to both OWASP and the world at large.
>
>  (2) I do have a problem with the statement you propose to put in its
> place.  I'm not sure what purpose it serves beyond denigrating the work by
> previous board members.  Simply removing the content (and the fact that
> there's wiki history to show it was removed for the curious) demonstrates
> that it is no longer relevant.
>
>  However, your statement is a quasi-indictment of the actions of a past
> board.  Read between your lines - the fact that "to wipe the slate clean",
> "intentionally injure or impugn the professional reputation" plus "We feel
> sincerely sorry for any damages" presupposes that there was purposeful and
> intended fault on the part of those working on that inquiry.
>
>  Please don't set the precedent for future boards to retrospectively
> question the actions of past boards and the community, hampered by the
> distortion of time and the utter lack of context in which the original
> decision was made.  For egregious faults, definitely question past boards
> or any relevant parties, but this is nowhere near that standard.
>
>  Add to this the fact that I have yet to see Christian take one iota of
> responsibility for any of his actions with the community in the past.  He
> has been negative on multiple occasions - look at the Top 10 list for his
> Sonatype + Aspect conspiracy emails, look at the plainly hateful comment
> about Paulo's tragic loss.  I have yet to hear any words of atonement,
> regret or contrition from Christian.  Everything happens *to him*, not by
> him.
>
>  Add to this that he is the ONLY community member, current or past, that
> required a Gmail tag in my @owasp.org email just to keep track of the
> controversies around him.  This was particularly true during my stint on
> the Foundation board but didn't stop when my board tenure ended.
>
>  Finally, OWASP is principally constructed of *volunteers* who *choose* to
> spend time on OWASP and forgo spending their free time on other pursuits
> - a meritocracy, if you will.  I see little to no value to the community in
> your suggested message about the Google Hacking Inquiry.  I'd much prefer
> time (and wiki) content was spent extolling those that add to the community
> in substantial ways rather than someone whose contributions are
> controversial at best.
>
>  I look forward to your well-reasoned reply as well as an overly long
> email from Christian with loads of links to cherry-picked, out of context
> information.
>
>  For my own self, I'm going to focus on the positive portions of the
> OWASP community.  Even those who contribute outside OWASP to the betterment
> of applications and developers [1] who purportedly have "well known
> mental health issues". His answer is not far off what I would have said,
> but he, unlike me, took the time to answer and help someone in need.
>
>  </Matt's at least 10 cents>
>
>  [1]
> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-February/009002.html
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> On Mon, Feb 3, 2014 at 5:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>>   OWASP Board,
>>
>>  I feel, at this point, like I am ready to make a recommendation on the
>> Google Hacking Inquiry, but am currently waiting to hear back from
>> Christian regarding his ability to move forward if his membership were to
>> be reinstated.
>>
>>  *Google Hacking Inquiry*
>>  Regarding the Google Hacking inquiry, I have had a couple of phone calls
>> now with Christian as well as one with Chris Gates (both recorded and
>> you've been provided with links separately).  I've also been in contact
>> with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
>> circumstances around the Google Hacking Inquiry.  There have been a few
>> others whose names have come up that it may be pertinent to speak to (Chris
>> Spencer and Andrew Vanderstock), but I'm confident that it won't change my
>> advice here.  While I cannot go so far as to say that a great injustice has
>> been done, I do think that I've found plenty of evidence to make me doubt
>> the circumstances of the inquiry and its benefit (or lack thereof) to
>> OWASP.
>>
>> Unfortunately, back then, there does not appear to have been much control
>> over the projects.  There did not exist the new levels, but if I had to
>> qualify it, I'd say that the Google Hacking Project fits squarely into the
>> "Incubator" level of our new project classification.  The interesting thing
>> about this level is that source code is NOT required.  To the contrary,
>> this level is basically, "I have an idea, let's see if I can turn it into
>> something real."  One of the deliverables for moving on to the next level
>> is a working POC, but from the looks of it, one could remain in the
>> "Incubator" bucket for up to a year without ever providing the source
>> code.  And, assuming you did that, the consequence is to be de-listed from
>> the "Incubator" bucket until you have a POC.  This makes 100% sense to me
>> as it helps to foster ideas and provide support while still maintaining
>> quality control over our projects.  Christian's claim is that he had his
>> source code in an open repository, but never published a link because his
>> project was never reviewed.  He provided at least one potential reviewer
>> who was rejected at the time because they were not an OWASP member.  His
>> attempts to find a reviewer who was an OWASP member were unsuccessful.  His
>> presentations at the time did include a slide soliciting reviewers.  So, my
>> conclusion here is that Christian did what would be expected of an
>> "Incubator" level project.  Publishing source code probably shouldn't have
>> been an expectation (at least not right off the bat) and the resulting
>> "punishment" from the Inquiry was certainly harsher than today's standard.
>>
>>  On top of the above, it is clear that Christian feels that the Inquiry
>> has affected his ability to work as well as his general state of well
>> being.  If this is true, then it is in direct contradiction to the OWASP
>> Code of Ethics where we state that OWASP members should not intentionally
>> injure or impugn the professional reputation of our colleagues.  I don't
>> think that it is rational for us to question whether this is or is not
>> true, and therefore feel like our best course of action is to assume that
>> it is and work to correct the situation.  My proposal is to remove the
>> Google Hacking Inquiry document and any reference documentation as well
>> that is on the OWASP public website.  In its stead, I would like to place
>> the following text:
>>
>> Recently, information has been brought to our attention which allows the
>>> current OWASP Board to revisit OWASP's position on the Google Hacking
>>> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics
>>> <https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>
>>> states that we should not intentionally injure or impugn the professional
>>> reputation of colleagues and, upon consideration, we feel that perpetuating
>>> the inquiry results would do just that.  As such, we feel that it is in the
>>> best interests of the OWASP Foundation and all concerned parties to wipe
>>> the slate clean by removing the details of the inquiry from our public
>>> records at this time.  We feel sincerely sorry for any damages that this
>>> inquiry may have caused to any of the parties involved.
>>>
>>
>>  Let me be absolutely clear that this is not what Christian requested,
>> but rather, what I feel is the right thing to do given the circumstances.
>> Christian's first question to me was "What good did the inquiry do for
>> OWASP?" and my answer, unfortunately, is that I'm really not finding any.
>> It chastised an active project leader for doing what it appears that
>> several others were also doing at the time, potentially furthered personal
>> biases, created negative feelings between Christian and OWASP, and just
>> generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
>> has been allowed to linger for so long as it just perpetuates the things
>> that we've done wrong, rather than all of the things that we've done
>> right.  Regardless of how Christian or others feel about it, I believe that
>> it's time to wipe the slate clean here and put an end to the negativity
>> surrounding the inquiry.
>>
>> I'd like to propose a vote that we strike any reference to the Google
>> Hacking Inquiry on owasp.org and our public documentation and replace it
>> with the text above.
>>
>>  *Request for Reinstatement*
>>  Unfortunately, our last call was cut short again with Christian
>> dropping off the line.  I sent an e-mail to him attempting to reconcile our
>> next steps, but I'm not sure that we are on the same page currently.  His
>> desire is for OWASP to pursue another inquiry, similar to his own, charging
>> Chris Gatford with being the individual behind the initial requests for
>> inquiry and treating him as though he were an OWASP member as he was a
>> chapter leader during that time.  I told him that I feel like the inquiry
>> should not have been undertaken in the first place and that performing
>> another inquiry and getting involved in a dispute between the two of them
>> would serve no value to OWASP.  I have politely declined my support for
>> such an initiative, but told him I would offer it to the other Board
>> members if any of you are so inclined to pursue it further.
>>
>>  Since I am unable to support his current request, and since he has
>> stated that he is unable to move beyond this until this other inquiry has
>> been performed, I am at a loss as far as next steps go.  My proposal would
>> have been to do a 90 day probational membership reinstatement for
>> Christian.  Provided that there were no issues during this time period, I
>> think that we could consider whatever level of activity he maintains a
>> relative success and we should grant full membership.  However, if there
>> were to be issues, the request for reinstatement should be denied with a
>> permanent ban so that no future Board members need to brief themselves on
>> the past in order to make a decision about the future.  My rationale for
>> this is based squarely upon the assumption that all negative behaviors
>> were due to the Google Hacking Inquiry and its personal effect on
>> Christian.  A 90-day probation should serve as a decent test to
>> determine if he is willing to move beyond that and put the negativity
>> behind us.  I am not requesting a vote at this time here as I feel no
>> decision can be made without Christian's support for the path we take.  I
>> will continue to work with him to hopefully come to a peaceful resolution.
>>
>>  ~josh
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
>
>
>
>