[Owasp-leaders] Bring balance: force verification in scanning tools

Tony Turner tony.turner at owasp.org
Mon May 23 17:36:41 UTC 2016


You can use anything for evil. This is a pointless conversation as
eventually you will be talking about how you could suffocate someone by
cramming bandages down their throat.

You ask which tools were created by hackers? All of them. None of them.
Take your pick. There's a very fine line between a hacker and a security
pro. It's just a word. My point is it doesn't matter. Look at
http://www.l0phtcrack.com/ - Today it's a security tool, but it was not
always considered as such.

On Mon, May 23, 2016 at 12:51 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >>Don't put too much faith in any infosec stat.
> Would we agree at least that data breaches are rising and not decreasing?
>
> My question was an ethical one:
> *Do creators of hacking tools feel any remorse regarding their tools being
> misused? *
> *Do they feel they should take some responsibility by making the misuse
> more difficult?*
>
> The answer is sound and clear.
>
> Comparing hacking tools to screwdrivers or unsafe cars is like comparing
> apples with oranges.
> Google and LinkedIn are used for hacking, but Google was not built to
> hack, ZAP was.
>
> Now you better compare that to guns. Guns
> <http://science.howstuffworks.com/innovation/inventions/who-invented-the-first-gun.htm>
> were built to kill.
> Do gun producers feel any remorse about their creations? How they are used
> or misused?
> We can say guns defend us but they are also to blame for murders worldwide.
>
> Unsafe cars are recalled and producers get sued if people get
> killed because of them.
>
> http://www.bankrate.com/finance/auto/the-8-most-infamous-car-recalls-in-history-1.aspx
>
> >>Hackers use tools developed for Security Pros. Security Pros use tools
> developed for hackers
>
> @Tony, could you provide me a list of tools developed by hackers?
> So far the list <http://pastebin.com/raw/GPSHF04A> Phineas provided had
> all offensive security tools built by 'Security Pros' 😝.
> And his nice video contained a nice display using offensive security tools
> only.
>
> *>>In the end I feel that this discussion is a bit like the dilemma
> that Alfred Nobel had in regards to dynamite. Perhaps we as OWASP can
> find another way to help/promote security to become more mainstream. I
> am hopeful that with this discussion we can find this way forward.*
>
> YES. @Steven, to me, you couldn't be more right.
> If we keep on thinking like we are, focusing on the same old, nothing will
> change and hackers will keep on using offensive 'security' tools to
> compromise systems.
>
> You might all want to read this research and the Washington post article
> and think a little more regarding the core of the discussion.
>
> *In this paper I'll evaluate how some of the most popular security tools
> are intended to be used, how they have or may be used in sinister ways, and
> how the risks associated with them may be mitigated (If I am able to
> determine that in my research). *
>
> https://sever.wustl.edu/degreeprograms/cyber-security-management/SiteAssets/DENTON%20FINAL%20PAPER%20Security%20Tools%20v5%207-27-15.pdf
>
> https://www.washingtonpost.com/postlive/the-ethics-of-hacking-101/2014/10/07/39529518-4014-11e4-b0ea-8141703bbf6f_story.html
>
> P.S: ZAP is an awesome tool, whether it is used for evil or good. But let's
> not deny it, that it is being used for evil too.
>
> On Mon, May 23, 2016 at 11:11 AM, Timothy D. Morgan <tim.morgan at owasp.org>
> wrote:
>
>>
>> > The stats regarding data breaches are on the rise. Why? Now more than ever,
>> > there are more data breaches, and what the data and stats tell me is that
>> > whatever is happening, we don't do enough or we do the wrong things to
>> > help appsec security.
>>
>> Don't put too much faith in any infosec stat.  When you look hard at how the
>> data is collected, you quickly realize it is the tip of the tip of the tip of
>> an iceberg.  There's huge room for bias in the collection.  It's easy to ask
>> for more data, but getting *good* data of the *kind we want* is usually
>> impossible.  After all, those that have the most knowledge of breaches are the
>> intruders, not the defenders, and they usually aren't very forthcoming.
>>
>> tim
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>

-- 
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
WAFEC Project Leader
STING Game Project Leader
tony.turner at owasp.org
https://www.owasp.org/index.php/Orlando