[Owasp-google-hacking] [GPC] OWASP "Google Hacking" Project - Status - June 2010

Steven Steggles steven.steggles at gmail.com
Mon Jul 5 02:10:32 EDT 2010


Dear OWASP,

I find Christian's email hard to follow....but I take offense to Christian
claiming I am a troll based on whois information and some other strange URL
based investigations?? This is not the sort of behavior I had previously
expected from OWASP representatives... but now it appears that all kinds of
madness are acceptable within this organization. I would suggest that a
professional organization only concern itself with technical details and
proven **facts**.

As can be seen on the presentation list for Ruxcon 2008 (
http://www.ruxcon.org.au/2008-presentations.shtml#19):

googless - Christian Heinrich
At Ruxcon 2008 cmlh will be releasing the:

1. "Speak English or Die" Google Translate Workaround.
2. Google SOAP Search API "Key Ring" Workaround.
3. "TCP Input Text" Proof of Concept (PoC) which implements the Google SOAP
Search API to extract TCP Ports from Google Search Results as input for nmap
and netcat.
cmlh is a Project Leader of the OWASP "Google Hacking" Project and
contributed to the "Spiders/Robots/Crawlers" and "Search Engine
Reconnaissance" sections of the OWASP Testing Guide v3 and presented at the
recent OWASP Conferences in Australia and USA (New York). cmlh has also
presented at Ruxcon 2005, Ruxcon 2006, SecTor 2008 and ToorCon X.

My complaint is genuine and I have no intention of diverting attention away
from some OWASP investigation.. As I previously stated, I do not care about
OWASP chapter politics! Goddamn it! My interest is solely in the Google
Hacking Project! I am only interested in the technical details and **facts**
surrounding this project. To me the whole situation is really suspicious!
From the project itself, to the project promotion, to the reluctance of code
release and the barrage of excuses, to the code release (or lack thereof),
and finally the lack of action on OWASP's part!

ps. I really doubt that source code has been downloaded only twice. I know
for a fact that more than two people from my work have downloaded the
source code.

confused,
Steven Steggles


On Mon, Jul 5, 2010 at 2:41 PM, Christian Heinrich <
christian.heinrich at owasp.org> wrote:

> Dinis,
>
> TCP Input Text et al is *not* within the scope of the OWASP Google
> Hacking Project and neither were they represented as such. Rather the
> scope is
> http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29
>
> http://www.sensepost.com/cms/resources/labs/tools/misc/SP-DNS-mine.pl
> should be used as the benchmark based on the endorsement by this same
> troll i.e. http://twitter.com/TownyRoberto/status/17405662031
>
> The identity of this troll *must* be established in light of their
> refusal i.e.
> https://lists.owasp.org/pipermail/owasp-google-hacking/2010-June/000017.html
> to mitigate the possible damage to "Steven Steggles" of
> http://whois.domaintools.com/lifebetweenscreens.com i.e. their e-mail
> addresses are different.  It is believed that "Brad" and "George" are
> also the same troll as the source code has only been downloaded once.
>
> Please keep in mind that this "complaint" from the troll is intended
> to divert resources from the investigation of the spoofed e-mails sent
> to the Mailing List of the OWASP Chapter in Melbourne, Australia i.e.
> https://lists.owasp.org/pipermail/owasp-australia/2010-June/000287.html
> and
> https://lists.owasp.org/pipermail/owasp-australia/2010-June/000288.html
>
> On Sun, Jul 4, 2010 at 7:11 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > Hi Brad and others that have raised concerns about this project (note that
> > the original email was also sent to the owasp-google-hacking list, so I'm
> > CCing this to a number of other owasp lists).
> >
> > First of all, thanks for sharing your concerns about this project and I
> > want to assure you that we at OWASP Board and Projects Committee are
> > taking this issue very seriously.
> >
> > Due to the nature of OWASP and in its spirit of openness we trust that our
> > project leaders are working hard on their projects and delivering value
> > to their project's community.
> >
> > Given the sheer number of OWASP Projects and the fact that we (at OWASP's
> > Global Projects Committee) have not yet completed the upgrade of all
> > OWASP Projects into the new Project Assessment Criteria V2.0 (+ new Project
> > Wiki Template), we have not been able to spend as much time as we should on
> > reviewing OWASP projects and ensuring that they are: still alive, need
> > review/help, make sense, etc...
> >
> > The OWASP Google Hacking project has been on the radar of OWASP's Board
> > and GPC for a while (with a number of emails going back one year), BUT
> > somehow (mainly due to lack of time) we never followed it up.
> >
> > That said now, due to the level of complaints that we have received and
> > the need that we have at OWASP to create a process to deal with this type
> > of situation, we are going to take a good look at this and find a solution
> > for it.
> >
> > A couple days ago, I met Christian at the HITB conference in Amsterdam
> > and we spent a couple hours going over the history of this project and what
> > should happen next.
> >
> > Here is the status:
> >
> > - The OWASP Google Hacking project is going to be marked as 'Inactive'
> >   (with very clear indication that this is not an active OWASP project),
> >   there will be no more public presentations about this project, and there
> >   is also the possibility that we might delete this project (depending on
> >   what happens with the Inquiry that I'm going to present below)
> > - I have made a number of notes about the history of this project which I
> >   will document soon
> > - In order to address the issues raised, we are going to run an OWASP
> >   Inquiry into this issue with the objective to address the issue of
> >   '...does the OWASP Google Hacking Project deliverables match the
> >   expectations that the OWASP community have for projects that are
> >   presented in the way this project was...' (note that we have already a
> >   history at OWASP to run 'formal' inquiries for issues/concerns raised by
> >   our community (see for example
> >   http://www.owasp.org/index.php/OWASP_Investigation_-_AppSec_Brazil_2009))
> > - Christian has also raised a number of concerns over how several
> >   Australian Chapters have been run, and that will be addressed by a
> >   separate OWASP Inquiry led by the OWASP Chapters Committee.
> >
> > Note that we are starting this process from the point of view that
> > Christian is an innocent party (i.e. not guilty of the accusations made
> > until proven so). It is important to note that the focus of the inquiry
> > will be on the technical merit of what was created for this project (and
> > will stay away from any personality clashes that might/do exist between
> > members of the OWASP community). For example, one of the first steps will
> > be to create an independent technical analysis of what was delivered, so
> > that we are able to establish the extent of this project's contribution to
> > OWASP and the WebAppSec world.
> >
> > Once we figure out the operational details of how this OWASP Inquiry
> > (into the OWASP Google Hacking Project) will work, we will be contacting
> > the OWASP Community (starting with the ones that have raised their
> > concerns) for 'on the record' comments about this issue. After all data is
> > collected and analyzed, an independent group of OWASP Leaders will review
> > it and provide recommendations (just like what happened in the Brazil's
> > case)
> >
> > A final point I would like to make, is that from an OWASP Projects point
> > of view, this is a very important case, since we really need to have better
> > guidelines on what we technically expect from OWASP Projects and its
> > leaders
> >
> > Hopefully, we will be able to use this case to further consolidate
> > OWASP's projects focus, quality and credibility
> >
> > Dinis Cruz
> > OWASP Board Member
> >
> >
> > On 4 July 2010 04:38, Brad Empeigne <brad.empeigne at gmail.com> wrote:
> >>
> >> Hi all, I had a look at the source code after reading the below email
> >> and thought since it was finally public I could see what all the fuss
> >> is about.
> >>
> >> As someone who is comfortable with Perl I must admit that I'm
> >> surprised by how basic this code is and it does look rather
> >> amateurish. Not only that but the general concept of the code is
> >> simple too since it appears to just be a google cache search and not
> >> much more? To be frank it looks like a couple of hours of work and it
> >> maybe belongs as some example code referenced on a wiki page after
> >> being tidied up, but that's about it. I am sorry to say that it is far
> >> from worthy of being presented at multiple international conferences
> >> and the publicity this has received is not warranted. I hope OWASP has
> >> not funded this project and Christian used his own expenses to present
> >> around the world?
> >>
> >> I share Steven's general sentiment that something is not quite right
> >> with this entire situation and in the future I believe OWASP need to
> >> do better QA on projects and keep a closer eye on project leaders.
> >> What has happened here does in fact reflect very poorly on OWASP. Good
> >> luck and best regards.
> >>
> >> -- Brad
> >>
> >>
> >> On Sat, Jul 3, 2010 at 12:19 PM, Steven Steggles
> >> <steven.steggles at gmail.com> wrote:
> >> > Dear OWASP,
> >> >
> >> > The source code that has been released is a single Perl script of 250
> >> > lines, most of the code being comments. The code appears to do nothing
> >> > besides providing a command line interface to perform a Google cache
> >> > query. Am I to believe that this is the sum total of the famous Google
> >> > Hacking Project? From what I understand of Christian's claims at
> >> > various conferences across the world, the following source code is
> >> > still missing:
> >> >
> >> > 1. "Speak English or Die" Google Translate Workaround.
> >> > 2. Google SOAP Search API "Key Ring" Workaround.
> >> > 3. "TCP Input Text" Proof of Concept (PoC) which implements the Google
> >> > SOAP Search API to extract TCP Ports from Google Search Results as
> >> > input for nmap and netcat.
> >> >
> >> > Christian claimed to have released this source code at Ruxcon in
> >> > November 2008....
> >> >
> >> > It appears as though OWASP has chosen to not address this issue
> >> > correctly and bury its head in the sand. Perhaps in the naive hope
> >> > that this problem will quietly go away. What a disgrace! The OWASP
> >> > Google Hacking project appears to have been solely created as a
> >> > vehicle for Christian's own self promotion! I am ashamed to be
> >> > associated with such an organization that turns a blind eye to this
> >> > highly inappropriate behavior. What a disgrace!
> >> >
> >> > I expect that you will moderate this message but I feel that the wider
> >> > security community should be made aware of this sham and lack of
> >> > action on OWASP's part.
> >> >
> >> > I WILL NO LONGER BE PARTICIPATING IN OWASP RELATED MEETINGS OR
> >> > CONFERENCES.
> >> >
> >> > Very disappointed,
> >> > Steven
>
> --
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
>