[Owasp-board] Fwd: R: Re: R: [Owasp-leaders] Hack OWASP.org as a pre/duringSummitCompetition

dinis cruz dinis.cruz at owasp.org
Wed Jan 26 19:33:30 UTC 2011


Board, before you jump on the bandwagon that this was going to be done in an
'amateur' way, please read the email below to see the level of care/thinking
(and professionalism) that the 3 owasp leaders from Italy were putting into
this

Dinis Cruz

Begin forwarded message:

*From:* loredana.mancini at business-e.it
*Date:* 26 January 2011 19:17:22 GMT
*To:* "dinis cruz" <dinis.cruz at owasp.org>
*Cc:* "Mancini Lucilla" <Lucilla.Mancini at business-e.it>,"Biagiotti Massimo"
<Massimo.Biagiotti at business-e.it>
*Subject:* *R: Re: R: [Owasp-leaders] Hack OWASP.org as a
pre/duringSummitCompetition*
*Reply-To:* loredana.mancini at business-e.it

...:-) yes I think it interesting, as I think we opened a discussion that
crosses technical, legal, contractual aspects (what if testing my
application I stop my provider infrastructure...think about cloud
implications...) And others...

So I think we can move it in a working session, if you agree, can you guide
us in this proposal? Thank you bye Loredana
------------------------------
*From: * dinis cruz <dinis.cruz at owasp.org>
*Date: *Wed, 26 Jan 2011 18:58:17 +0000
*To: *dinis cruz<dinis.cruz at owasp.org>
*Cc: *Mancini Lucilla<Lucilla.Mancini at business-e.it>; Mancini Loredana<
Loredana.Mancini at business-e.it>; Biagiotti Massimo<
Massimo.Biagiotti at business-e.it>
*Subject: *Re: R: [Owasp-leaders] Hack OWASP.org as a pre/during
SummitCompetition

It looks like the owasp community has no stomach to handle this.

Do you want to drop this idea and make it Instead a working session?

Dinis Cruz

On 26 Jan 2011, at 17:47, dinis cruz <dinis.cruz at owasp.org> wrote:

Can you reply this to that thread?

Maybe also dropping a hint that we are much better if we are hacked by a
'friend' than by a malicious attacker :)

Dinis Cruz

On 26 Jan 2011, at 12:53, Mancini Lucilla < <Lucilla.Mancini at business-e.it>
Lucilla.Mancini at business-e.it> wrote:

  Hi Diniz,

what Ralph says, on which we completely agree, is the first action that
everyone, who has to manage an hacking activity, takes into account.

With our wiki we were just  introducing the project and waiting for the
approval of the board.

The details and strategy should have been designed later on and as well
shared.

So in order to create the FAQ we need to ask some questions ( we ask now
those questions that we would have asked later in order to choose the right
way to proceed)

-  How is the website managed?

-  Is it hosted?

- Who owns the infrastructure?

- What kind of contract do you have with the provider?

- Do they provide security services as well?

- Is it possible as far as the contract is concerned that you ask for
hacking activities to test the security level provided?

- Would it be possible to provide access to a restricted number of testers
to appliances which are not exposed?

Please let us know if everything is clear and who we have to ask.

Thanks

Lucilla



------------------------------
*Da:* dinis cruz [mailto: <dinis.cruz at owasp.org>dinis.cruz at owasp.org]
*Inviato:* mer 26/01/2011 11.18
*A:* Ralph Durkee
*Cc:* <owasp-leaders at lists.owasp.org>owasp-leaders at lists.owasp.org; Mancini
Loredana; <owasp-leaders-bounces at lists.owasp.org>
owasp-leaders-bounces at lists.owasp.org; Mancini Lucilla
*Oggetto:* Re: [Owasp-leaders] Hack <http://OWASP.org>OWASP.org as a
pre/during SummitCompetition

This practice is starting to be quite common these days. Google, Microsoft,
Mozilla (and others) have similar arrangements.

But you raise good questions, and we should have answers for it on an FAQ
(Loredana can you add an FAQ to that page (here is a good template
<http://www.owasp.org/index.php/Summit_2011_FAQ><http://www.owasp.org/index.php/Summit_2011_FAQ>
http://www.owasp.org/index.php/Summit_2011_FAQ))

Dinis Cruz


On 26 January 2011 10:13, Ralph Durkee <
<ralph.durkee at owasp.org><ralph.durkee at owasp.org>
ralph.durkee at owasp.org> wrote:

> I hope I'm misunderstanding, but if not this is a dangerous approach for a
> hacking contest. There needs to be a clear scope, rules of engagement and
> registration with rules and specific permission given.  What this will
> accomplish is to make the <http://owasp.org/> <http://owasp.org>owasp.orgweb site unavailable for the duration, most likely violate the hosting
> agreement for all of the ISPs involved, and make it difficult for OWASP to
> get hosting services in the future.  Generally the easiest approach for
> these contests is to have a private local in-person network, where you an
> control the contest, and grant permission for hacking specific systems on
> the lcoal network, but if you want to do it globally, you need
> preregistration with the scope limited to only systems accessed via an
> individually authenticated VPN.
>
> It is a cruel world, and with lot's of lawyers.
>
> -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN
> Rochester OWASP
>
>
> On 1/26/2011 3:41 AM, dinis cruz wrote:
>
> Loredana has taken the lead on this one and created the page
> <http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG><http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG>
> http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG with
> details about this competition (she will also be the main point of contact
> for this competition)
>
> Before I submit this to the OWASP board for vote, can you please take a
> look and chip in with your ideas (for example I think that the scope should
> include offline MediaWiki exploits/vulns and the competition should also
> continue during the Summit (we are going to set up a 'hacking room' just
> like we did at the last Summit (we need to think about the prices for the
> vulns discovered during the Summit))
>
> Dinis Cruz
>
>
> On 21 January 2011 11:02, Loredana Mancini <<loredana.mancini at business-e.it><loredana.mancini at business-e.it>
> loredana.mancini at business-e.it> wrote:
>
>>  Hi all,
>>
>>
>>
>> I would like to pick up this task, and step forward to organise it if you
>> think it still interesting, bye Loredana.
>>
>>
>> -----Messaggio originale-----
>> Da: <owasp-leaders-bounces at lists.owasp.org><owasp-leaders-bounces at lists.owasp.org>
>> owasp-leaders-bounces at lists.owasp.org
>> [ <owasp-leaders-bounces at lists.owasp.org><owasp-leaders-bounces at lists.owasp.org>
>> mailto:owasp-leaders-bounces at lists.owasp.org<owasp-leaders-bounces at lists.owasp.org><owasp-leaders-bounces at lists.owasp.org>]
>> Per conto di dinis cruz
>> Inviato: mercoledì 19 gennaio 2011 17.05
>> A: Vlatko Kosturjak
>> Cc: <owasp-leaders at lists.owasp.org> <owasp-leaders at lists.owasp.org>
>> owasp-leaders at lists.owasp.org
>> Oggetto: Re: [Owasp-leaders] Javascript required for OWASP page?
>>
>> I think we should have a competion to see who can hack the
>> <http://owasp.org/> <http://owasp.org>owasp.org
>> website :)
>>
>> The price would be a fully paid (travel+accomodation) ticket to the
>> Summit
>>
>> Extra kudos points would be given for gaining root on the
>> <http://owasp.org/> <http://owasp.org>owasp.org
>> server
>>
>> Anybody on this list have the cycles to organize this?
>>
>> Dinis Cruz
>>
>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak < <kost at linux.hr><kost at linux.hr>
>> kost at linux.hr> wrote:
>>
>> > On 01/19/2011 04:50 PM, dinis cruz wrote:
>> >> It shows that <http://owasp.org/> <http://owasp.org>owasp.org is in
>> the same 'shape' as 90% of the websites
>> >> out there.
>> >>
>> >> There is a O2 module that shows all the Javascript (files and inline)
>> >> code that is loaded by an <http://owasp.org/> <http://owasp.org>
>> owasp.org page (it is quite a list)
>> >>
>> >> Maybe a good working session for the summit would be to consolidate
>> >> all <http://owasp.org/> <http://owasp.org>owasp.org javascripts and
>> add CSP to it
>> >>
>> >> In fact we should have a 'hack <http://owasp.org/> <http://owasp.org>
>> owasp.org and mediawiki' competition
>> >> at
>> >> the Summit ....... :) :) :)
>> >
>> > Especially to find bugs like this (as mediawiki is in PHP):
>> > <http://gregorkopf.de/slides_berlinsides_2010.pdf><http://gregorkopf.de/slides_berlinsides_2010.pdf>
>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>> >
>> > Kost
>> _______________________________________________
>> OWASP-Leaders mailing list
>> <OWASP-Leaders at lists.owasp.org> <OWASP-Leaders at lists.owasp.org>
>> OWASP-Leaders at lists.owasp.org
>>  <https://lists.owasp.org/mailman/listinfo/owasp-leaders><https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
> _______________________________________________
> OWASP-Leaders mailing list <OWASP-Leaders at lists.owasp.org> <OWASP-Leaders at lists.owasp.org>OWASP-Leaders at lists.owasp.org <https://lists.owasp.org/mailman/listinfo/owasp-leaders> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20110126/91c76604/attachment-0002.html>


More information about the Owasp-board mailing list