[Owasp-google-hacking] [GPC] Update Needed

Christian Heinrich christian.heinrich at owasp.org
Sun Jul 11 19:45:09 EDT 2010


Jason,

>> The next couple stages are the ones that would really make a
>> difference in marketing OWASP projects. The first of these is to
>> Provide a Repository. We did some preliminary reconnaissance to try
>> and get a branded Google Code hosting solution, but we didn't get very
>> far. I think this is a critical piece to provide some consistency for
>> projects. It also provides us a safety net in cases where projects get
>> abandoned. By having an official OWASP repository, we'll always have
>> the code to a project even if a leader later decides to abandon it
>> (e.g. Google Hacking). The next of these is to revamp the project
>> website and migrate existing projects to the new site. That's a huge
>> undertaking that I think is extremely important to OWASP - but I'm not
>> even sure it's worth discussing until we get our ducks lined up in a
>> row with our existing projects.

I have *never* abandoned the OWASP "Google Hacking" Project.

Coincidentally, the possible misinterpretation of "Inactive" was
discussed at the Leaders/GPC Meeting during OWASP EU 2009.

To quote the current metadata i.e. "GPC_Notes = This project has had
its status changed (currently inactive) pending the outcome of an
inquiry. <!--- This project cannot longer be maintained due to the
closure of the Google SOAP Search API i.e.
http://googlecode.blogspot.com/2009/08/well-earned-retirement-for-soap-search.html.--->"

While Dinis thought that marking it as inactive might help the current
situation to demonstrate that development had ceased due to Google
deprecating their SOAP Search API to which I disagreed at HITB
Amsterdam - consequently Joe Public has misinterpreted the reason as
to why the project is inactive (i.e. which is within the HTML
Comments) and that I am undergoing a disciplinary process for abusing
the OWASP Brand, etc. as I have been found guilty irrespective of what
the e-mails from Jeff and Dinis state.

>> I'm open to suggestions on how we can either quickly assess projects
>> in a meaningful way or bypass the problem entirely by creatively doing
>> something else. I believe we had several discussions about putting the
>> carrot in front of the cart. For example, we could simply create a new
>> whiz bang website for OWASP and the "price of admission" to the
>> "endorsed" part of the website was for a project leader to push his
>> project through a mostly self-review process. But that has its own
>> issues as self-review is not always accurate (again, Google Hacking
>> serves as a good example - Christian was fairly quick to fill out the
>> OWASP Projects Survey) and so there's always going to be a need for
>> external review. And that external review will be a bottleneck for
>> anyone trying to push to the next tier.

You can't state that I lied considering the survey, i.e.
https://spreadsheets.google.com/ccc?key=pJzNU1yNJd7VBH1bS6rY0EQ&hl=en#,
was a snapshot at a particular time (i.e. March 2009) which didn't
have any questions concerning what difficulties are faced by "new"
project leaders i.e. those who are managing their first OWASP
Project without local support from senior OWASP Members i.e. only
Justin Derry was available in Australia during this time and while he
offered to assist this was not extended post the OWASP Australian 2009
Conference fallout with the OWASP Board.

Had you have asked for a history of the difficulties/unknowns etc
within the survey the GPC would have also known:
1. Chris Gates (metasploit), PDP (GNUCitizen) and Glen Roberts
(Solutionary) had nominated themselves to review the project but
according to an e-mail thread between Paulo and I (from September 2008
until January 2009) were unable to review the project on behalf of
OWASP as they were not OWASP members. Subsequently, they all had to
submit CVs for the Board to approve (for some reason the GPC can't
approve them) and I was not willing to pass on this request as it was
insulting to their standing within the community and offer to
volunteer their time. In Paulo's defense he was distracted with
preparing for the OWASP Summit in Portugal during this time and
apologised when he responded to each e-mail.
2. As I was unable to locate an OWASP reviewer I deleted the
repository as I was unsure if OWASP had any interest reviewing the
project due to the deprecation of the SOAP Search API, the fact that
it was PoC v0.1, etc but held onto the namespace if this changed.
3. That stated, Tom Brennan trying to kill the project was inferred
in my response to "If not, what is the reason that you do not wish to
be considered for industry partnership?" based on an e-mail thread
with Paulo and I during August 2008 but I am now confused on OWASP
position on condoning the violation of Google's Terms of Service in
light of claiming to be "open".

Post this survey (i.e. at OWASP EU 2008), the GPC did not want to
discuss my project when I raised that I had rescheduled the release
from RUXCON 2K8 as per the survey i.e. during the Leaders/GPC Meeting
i.e. http://www.flickr.com/photos/appseceu09/, rather the discussion
focused on the consequence of marking projects inactive, etc which I
mentioned above.

I also received IN-CONFIDENCE information on the Google SOAP Search
API (i.e. it wasn't deprecated because of the AJAX Search API) from
Tavis Ormandy (Google) during CONFidence 2009 which I made Dinis aware
of.

Finally, the deprecation of the SOAP Search API in September 2009
occurs *after* OWASP finally decides to review the project i.e.
https://lists.owasp.org/pipermail/owasp-google-hacking/2009-October/000004.html
- neither was I contacted in March 2010.

>> Ironically, the whole Google Hacking situation is a great lens to view
>> our efforts through. The problems OWASP is dealing with right now for
>> that project are exactly the problems we were thinking about when we
>> started our agenda... if we can only make some faster progress, we
>> might be able to preempt this kind of event in the future.

These are some of the recommendations from the response that I will be
shortly releasing:
1. Relocate the responsibility of selecting Project Reviewers who are
not OWASP members from the Board to the GPC.
2. Create additional metadata which identifies unique projects
with a limited shelf life, such as the OWASP "Google Hacking" Project.
3. Each OWASP Project should be reviewed based on a schedule (i.e. not
by signaling that it is ready for review) which could be time-sliced
across all other projects.
4. Reconsider Andrew van der Stock's proposal to become a full-time employee.
5. Remove members from the GPC who are also leaders of significant
projects i.e. it should consist of a majority of dedicated reviewers
only.

-- 
Regards,
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking