[Owasp-leaders] Hack OWASP.org as a pre/during SummitCompetition

Rex Booth rex.booth at owasp.org
Wed Jan 26 13:23:00 EST 2011


Allow me to join the chorus of people supporting Mark.

This is a bad, bad idea.  We are supposed to be an organization of 
professionals.  We can't risk our reputation by approaching activities 
like this in such an amateur manner.

Rex


On 1/26/2011 10:17 AM, Mark Bristow wrote:
> I must have missed this in the flurry of "request for cycles" emails.
>
> I can't disagree with this initiative more.
>
> First off, there are tons of operational and legal challenges to 
> this.  Those of us who do professional web app pen testing know that 
> you really should (and in some countries NEED) clear rules of 
> engagement and hold harmless and other agreements in place to provide 
> cover for these types of activities.  OWASP does not own its entire 
> infrastructure that supports the website.  Even if OWASP provided 
> carte blanche approval to anyone who wishes to hack the OWASP.org 
> website there could be "collateral damage" to entities other than 
> OWASP.  As I understand it the production wiki server is still housed 
> in an Aspect data center, what if someone, as part of the challenge, 
> took down ASPECT's common network?  What if someone used an attack on 
> ASPECT's upstream provider?  This type of activity is usually 
> explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's 
> upstream would not (completely legally) pull their network connection 
> for allowing hacking activities?
>
> That doesn't even get into the operational aspects.  So we are 
> inviting people to potentially take down, compromise and/or deface the 
> OWASP wiki?  Especially during a time while we are trying to promote 
> the Summit?  What happens when they are successful and we can't get the 
> site back for hours, or even days?  What if the entire 
> username/password database is compromised?  Inviting this behavior 
> against a production system, with "real" data in it is just crazy.
>
> Then I have a fundamental objection.  OWASP is about fixing 
> application security issues through tools and education.  This is 
> solely a "hey, look what I can hack" exercise which IMO does not line 
> up with OWASP core values.  We need to promote more FIX and less HAX.
> </soapbox>
>
> -Mark
>
> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern 
> <JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>> wrote:
>
>     The biggest challenge is that finding solutions to breaking tends to
>     take a lot longer than the actual breaking itself...
>
>     -----Original Message-----
>     From: owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org>
>     [mailto:owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org>] On Behalf Of
>     Harisfazillah Jamel
>     Sent: Wednesday, January 26, 2011 8:13 AM
>     To: owasp-leaders at lists.owasp.org
>     <mailto:owasp-leaders at lists.owasp.org>
>     Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org>; Ralph
>     Durkee; Loredana Mancini
>     Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>     SummitCompetition
>
>     Hi,
>
>     I disagree with using hacking to find vulnerabilities as a way of
>     promoting.
>
>     It's hard to find a contest that relates to hardening of servers and
>     applications or making code better as part of a contest. We already
>     expose OWASP members to many ways of finding vulnerabilities. Let us
>     balance that with how to defend ourselves from attack.
>
>     For example, we ask the contestants to fix the problems with all the
>     vulnerabilities listed and make a report on the effort.
>
>     Or we can balance both: they find the vulnerabilities and do the
>     reports on how to fix them.
>
>     Haris ....
>
>     On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org
>     <mailto:dinis.cruz at owasp.org>>
>     wrote:
>     > This practice is starting to be quite common these days. Google,
>     > Microsoft, Mozilla (and others) have similar arrangements.
>     >
>     > But you raise good questions, and we should have answers for it
>     > on an FAQ (Loredana can you add an FAQ to that page (here is a good
>     > template http://www.owasp.org/index.php/Summit_2011_FAQ))
>     >
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> -- 
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org <mailto:mark.bristow at owasp.org>
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org
