[Owasp-leaders] [Owasp-google-hacking] [GPC] OWASP "GoogleHacking" Project - Status - June 2010

aludwig at packetspy.com aludwig at packetspy.com
Tue Jul 6 12:46:11 EDT 2010


I think it is all summed up by this line from the previous email.

"that means you're taking advantage of the platform OWASP works so hard
to give people."


I leave you all with this simple question.

How can we minimise the effects of those who wish to gain
notoriety/fame/fortune/groupies at OWASP's expense? 
(part of which has been answered by Dinis's prior emails)

Andre Ludwig

> -------- Original Message --------
> Subject: Re: [Owasp-leaders] [Owasp-google-hacking] [GPC] OWASP
> "GoogleHacking" Project - Status - June 2010
> From: Eoin <eoin.keary at owasp.org>
> Date: Tue, July 06, 2010 8:05 am
> To: owasp-leaders at lists.owasp.org
> Cc: owasp-google-hacking at lists.owasp.org, Steven Steggles
> <steven.steggles at gmail.com>, Brad Empeigne <brad.empeigne at gmail.com>,
> Global Projects Committee <global-projects-committee at lists.owasp.org>
> 
> 
> Indeed Arshan, Totally agree.
> 
> Community, can we put this to bed and move on. This industry is full of
> empty vessels trying to take advantage as we all know.
> In future the GPC should be able to prevent such silliness in terms of what
> can become an OWASP branded solution and what is snake oil.
> 
> -ek
> 
> 
> 
> On 6 July 2010 15:53, Arshan Dabirsiaghi <
> arshan.dabirsiaghi at aspectsecurity.com> wrote:
> 
> > I just confirmed that this is the same "Google Hacking" talk that I saw
> > delivered in NYC, and I have to say it was pretty hilariously bad. Now, I
> > normally wouldn't be so rude about it, but this thread has shown how heavily
> > it was/is being promoted.
> >
> > It's a 150-line Perl script, and mostly comments. You compare it to
> > something SensePost did, but SensePost isn't going to conferences promoting
> > their little Perl script, it's just sitting on their website, quietly. At
> > conferences they publish original, awesome research.
> >
> > We want to encourage people to work on OWASP projects and contribute to the
> > community, but to be honest there isn't nearly enough here to be a
> > "project". It doesn't pass the "sniff test", nor any real assessment
> > criteria, I'm sure.
> >
> > What's worse is I don't think there's any way you couldn't know that. And
> > that means you're taking advantage of the platform OWASP works so hard to
> > give people.
> >
> > Maybe we can look forward to more substantial contribution from you in the
> > future, but I think it's best that this whole project be forgotten and both
> > parties walk away from each other.
> >
> > Arshan
> >
> > -----Original Message-----
> > From: owasp-leaders-bounces at lists.owasp.org [mailto:
> > owasp-leaders-bounces at lists.owasp.org] On Behalf Of Christian Heinrich
> > Sent: Monday, July 05, 2010 12:41 AM
> > To: dinis cruz
> > Cc: Steven Steggles; Brad Empeigne; owasp-google-hacking at lists.owasp.org;
> > owasp-leaders at lists.owasp.org; Global Projects Committee
> > Subject: Re: [Owasp-leaders] [Owasp-google-hacking] [GPC] OWASP
> > "GoogleHacking" Project - Status - June 2010
> >
> > Dinis,
> >
> > TCP Input Text et al is *not* within the scope of the OWASP Google
> > Hacking Project and neither were they represented as such. Rather the
> > scope is
> > http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29
> >
> > http://www.sensepost.com/cms/resources/labs/tools/misc/SP-DNS-mine.pl
> > should be used the benchmark based on the endorsement by this same
> > troll i.e. http://twitter.com/TownyRoberto/status/17405662031
> >
> > The identity of this troll *must* be established in light of their
> > refusal i.e.
> > https://lists.owasp.org/pipermail/owasp-google-hacking/2010-June/000017.html
> > to mitigate the possible damage to "Steven Steggles" of
> > http://whois.domaintools.com/lifebetweenscreens.com i.e. their e-mail
> > addresses are different.  It is believed that "Brad" and "George" are
> > also the same troll as the source code has only been downloaded once.
> >
> > Please keep in mind that this "complaint" from the troll is intended
> > to divert resources from the investigation of the spoofed e-mails sent
> > to the Mailing List of the OWASP Chapter in Melbourne, Australia i.e.
> > https://lists.owasp.org/pipermail/owasp-australia/2010-June/000287.html
> > and
> > https://lists.owasp.org/pipermail/owasp-australia/2010-June/000288.html
> >
> > On Sun, Jul 4, 2010 at 7:11 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > > Hi Brad and others that have raise concerns about this project (note that
> > > the original email was also sent to the owasp-google-hacking list, so I'm
> > > CCing this to a number of other owasp lists).
> > >
> > > First of all , thanks for sharing your concerns about this project and I
> > > want to assure you that we at OWASP Board and Projects Committee are
> > taking
> > > this issue very seriously.
> > >
> > > Due to the nature of OWASP and in its spirit of openess we trust that our
> > > project leaders are working hard on their projects and delivering value
> > to
> > > their project's community.
> > >
> > > Given the sheer number of OWASP Projects and the fact that we (at OWASPs
> > > Global Projects Committee) have not yet completed the upgrade of all
> > OWASP
> > > Projects into the new Project Assessment Criteria V2.0 (+ new Project
> > Wiki
> > > Template), we have not been able to spend as much time as we should on
> > > reviewing OWASP projects and ensuring that they are: still alive, need
> > > review/help, make sense, etc...
> > >
> > > The OWASP Google Hacking project has been on the radar of OWASP's Board
> > and
> > > GPC for a while (with a number of emails going back one year), BUT
> > somehow
> > > (mainly due to lack of time) we never followed it up.
> > >
> > > That said now, due to the level of complains that we have received and
> > the
> > > need that we have at OWASP to create a process to deal with this type of
> > > situations, we are going to take a good look at this and find a solution
> > for
> > > it.
> > >
> > > A couple days ago, i meet Christian at the HITB conference in Amsterdam
> > and
> > > we spent a couple hours going over the history of this project and what
> > > should happen next.
> > >
> > > Here is the status:
> > >
> > > The OWASP Google Hacking project is going to be marked as 'Inactive'
> > (with
> > > very clear indication that this is not an active OWASP project), there
> > will
> > > be no more public presentations about this project, and there is also the
> > > possibililty that we might delete this project (depending on what happens
> > > with the Inquiry that I'm going to present below)
> > > I have made a number of notes about the history of this project which I
> > will
> > > document soon
> > > In order to address the issues raised, we are going to run an OWASP
> > Inquiry
> > > into this issue with the objective to address the issue of '...does the
> > > OWASP Google Hacking Project deliverables match the expectations that the
> > > OWASP community have for projects that are presented in the way this
> > project
> > > was..." (note that we have already an history at OWASP to run 'formal'
> > > inquiries for issues/concerns raised by our community (see for example
> > > http://www.owasp.org/index.php/OWASP_Investigation_-_AppSec_Brazil_2009)
> > > Christian has also raised a number of concerns over how several
> > Australian
> > > Chapters have been run, and that will be addressed by a separate OWASP
> > > Inquiry lead by the OWASP Chapters Committee.
> > >
> > > Note that we are starting this process from the point of view that
> > Christian
> > > is an inocent party (i.e. not guilty of the accusations made until proven
> > > so). It is important to note that the focus of the inquiry will be on the
> > > technical merit of what was created for this project (and will stay away
> > > from any personallity clashes that might/do exist between members of the
> > > OWASP community). For example, one of the first steps will be to create
> > an
> > > independent technical analysis of what was delivered, so that we are able
> > to
> > > establish the extent of this project's contribution to OWASP and the
> > > WebAppSec world.
> > >
> > > Once we figure out the operational details of how this OWASP Inquiry
> > (into
> > > the OWASP Google Hacking Project) will work, we will be contacting the
> > OWASP
> > > Community (starting with the one that have raised their concerns) for
> > 'on
> > > the record' comments about this issue. After all data is collected and
> > > analyzed, an independent group of OWASP Leaders will review it and
> > provide
> > > recomendations (just like what happened in the Brazil's case)
> > >
> > > A final point I would like to make, is that from an OWASP Projects point
> > of
> > > view, this is a very important case, since we really need to have better
> > > guidelines on what we technically expect from OWASP Projects and its
> > leaders
> > >
> > > Hopefully, we will be able to use this case to further consolidate
> > OWASP's
> > > projects focus, quality and credibility
> > >
> > > Dinis Cruz
> > > OWASP Board Member
> > >
> > >
> > > On 4 July 2010 04:38, Brad Empeigne <brad.empeigne at gmail.com> wrote:
> > >>
> > >> Hi all, I had a look at the source code after reading the below email
> > >> and thought since it was finally public i could see what all the fuss
> > >> is about.
> > >>
> > >> As someone who is comfortable with Perl i must admit that I'm
> > >> surprised by how basic this code is and it does look rather
> > >> amateurish. Not only that but the general concept of the code is
> > >> simple too since it appears to just be a google cache search and not
> > >> much more? To be frank it looks like a couple of hours of work and it
> > >> maybe belongs as some example code referenced on a wiki page after
> > >> being tidied up, but thats about it. i am sorry to say that it is far
> > >> from worthy of being presented at multiple international conferences
> > >> and the publicity this has received is not warranted. I hope OWASP has
> > >> not funded this project and Christian used his own expenses to present
> > >> around the world?
> > >>
> > >> I share Stevens general sentiment that something is not quite right
> > >> with this entire situation and in the future i believe OWASP need to
> > >> do better QA on projects and keep a closer eye on project leaders.
> > >> What has happened here does in fact reflect very poorly on OWASP. Good
> > >> luck and best regards.
> > >>
> > >> -- Brad
> > >>
> > >>
> > >> On Sat, Jul 3, 2010 at 12:19 PM, Steven Steggles
> > >> <steven.steggles at gmail.com> wrote:
> > >> > Dear OWASP,
> > >> >
> > >> > The source code that has been released is a single Perl script of 250
> > >> > lines,
> > >> > most of the code being comments. The code appears to do nothing
> > besides
> > >> > providing a command line interface to perform a Google cache query. Am
> > I
> > >> > to
> > >> > believe that this is the sum total of the famous Google Hacking
> > Project?
> > >> > From what I understand of Christian's claims at various conferences
> > >> > across
> > >> > the world, the following source code is still missing:
> > >> >
> > >> > 1. "Speak English or Die" Google Translate Workaround.
> > >> > 2. Google SOAP Search API "Key Ring" Workaround.
> > >> > 3. "TCP Input Text" Proof of Concept (PoC) which implements the Google
> > >> > SOAP
> > >> > Search API to extract TCP Ports from Google Search Results as input
> > for
> > >> > nmap
> > >> > and netcat.
> > >> >
> > >> > Christian claimed to have released this source code at Ruxcon in
> > >> > November
> > >> > 2008....
> > >> >
> > >> > It appears as though OWASP has chosen to not address this issue
> > >> > correctly
> > >> > and bury its head in the sand.Perhaps in the naive hope that this
> > >> > problem
> > >> > will quietly go away. What a disgrace! The OWASP Google Hacking
> > project
> > >> > appears to have been solely created as a vehicle for Christian's own
> > >> > self
> > >> > promotion! I am ashamed to be associated with such an organization
> > that
> > >> > turns a blind eye to this highly inappropriate behavior. What a
> > >> > disgrace!
> > >> >
> > >> > I expect that you will moderate this message but I feel that the wider
> > >> > security community should be made aware of this sham and lack of
> > action
> > >> > on
> > >> > OWASP's part.
> > >> >
> > >> > I WILL NO LONGER BE PARTICIPATING IN OWASP RELATED MEETINGS OR
> > >> > CONFERENCES.
> > >> >
> > >> > Very disappointed,
> > >> > Steven
> >
> > --
> > Regards,
> > Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
> > OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> 
> 
> 
> -- 
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> 
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary<hr>_______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders



More information about the OWASP-Leaders mailing list