[Owasp-google-hacking] Google hacking code

Brad Empeigne brad.empeigne at gmail.com
Mon Jun 14 00:33:09 EDT 2010


Hi Christian, I have read the Google terms of service and your
explanation and disagree that releasing the code would be breaking it.
I have read your slides and while you do have tiny snippets of source
code and console screenshots it is far from actual project source code
to reference. I have seen in some of your presentations you mention
that you are doing a release but can not find evidence that there was
an actual release of the code anywhere. I thought this because maybe
then someone would have a copy or it is mirrored somewhere. This leads
me to the question .... was the code actually ever released to the
Google repository?

I am also unsure as to why you said you would send the code after
AusCert and then later ignored my private requests but responded
promptly on mailing lists with excuses as to why it can not be shared?
Furthermore I am confused by your private requests to call you to
discuss and I am not interested in doing so because I suspect you will
just reiterate your take of the Google terms of service as some sort
of noble excuse. Never did I expect such a simple request to turn into
a long complicated debate and have lost faith in OWASP if they are
running projects and making excuses to not distribute the work of open
source projects.

Some people would have simply added a note to the most recent release
saying that it does not work due to a change in a dependent API and
ask for support from possible contributors to migrate to the new API.
This would have broken no terms of service and no one would have
questioned it. Doing so could have kept the project running and
contributed to the community. Unfortunately from my perspective it
would seem now you are doing the opposite and considering it "in the
past" and something you managed to get a bunch of conference travel
for and a means of self promotion.

--Brad


On Sun, Jun 13, 2010 at 12:09 PM, Christian Heinrich
<christian.heinrich at owasp.org> wrote:
> George,
>
> On Sat, Jun 12, 2010 at 6:57 PM, George Anelopolis
> <george.anelopolis at gmail.com> wrote:
>> As your code for the Google hacking project did not include any "work
>> around" of the SOAP Search API, there is no violation of Google TOS.
>
> I disagree as to execute the test harness (prior to its distribution)
> would require OWASP to violate Google's TOS and therefore our (OWASP)
> agreement with Google.
>
>> It's highly unethical to present research at industry conferences if
>> you do not wish to fully disclose the findings. It seems that Mr.
>> Empeigne has made a legitimate request, and you should be doing all
>> you can to assist.
>
> I disagree as the PoC was last demonstrated well within the period
> (i.e. July 2009 at SyScan'09 Singapore) prior to
> http://googlecode.blogspot.com/2009/08/well-earned-retirement-for-soap-search.html
> and furthermore Brad has reviewed the latest slides published at the
> conclusion of these conferences to understand the Google Search
> SOAP API functionality within the PoC.
>
>
> --
> Regards,
> Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> _______________________________________________
> Owasp-google-hacking mailing list
> Owasp-google-hacking at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-google-hacking
>

