[Owasp-leaders] Bring balance: force verification in scanning tools

johanna curiel curiel johanna.curiel at owasp.org
Mon May 23 17:50:00 UTC 2016


>>You ask which tools were created by hackers? All of them. None of them.
Take your pick.
Actually the list is empty to me,  since all the open source tools hacking
tools I know are built by 'security pro's' so far
Except malware. Exploit-kits are for sell in the onion and you have to pay
for it.


>>This is a pointless conversation as eventually you will be talking about
how you could suffocate someone by cramming bandages down their throat.

>>You can use anything for evil.
Yes but there are tools build with a purpose in mind. Like ZAP, was built
to hack
A screwdriver was not build to kill neither bandages.

The question and subject of this email was to add a verification to ZAP.
Simon responded that he will not and gave his reasons.
Some people went into discussing why that's not a good idea.

Thats is the answer what I was looking for, whether you find it a pointless
conversation.



On Mon, May 23, 2016 at 1:36 PM, Tony Turner <tony.turner at owasp.org> wrote:

> You can use anything for evil. This is a pointless conversation as
> eventually you will be talking about how you could suffocate someone by
> cramming bandages down their throat.
>
> You ask which tools were created by hackers? All of them. None of them.
> Take your pick. Theres a very fine line between a hacker and a security
> pro. Its just a word. My point is it doesnt matter. Look at
> http://www.l0phtcrack.com/ - Today its a security tool, but it was not
> always considered as such.
>
> On Mon, May 23, 2016 at 12:51 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> >>Don't put too much faith in any infosec stat.
>> Would we agree at least that data breaches are rising and not decreasing?
>>
>> My question was an ethical one:
>> *Do creators of hacking tools feel any remorse regarding their tools
>> being misused? *
>> *Do they feel they should take some responsibility by making the misused
>> more difficult?*
>>
>> The answer is sound and clear.
>>
>> Comparing hacking tools to screw drivers or unsafe cars is like comparing
>> apple with oranges.
>> Google and LinkedIn are used for hacking , but google was not built to
>> hack, ZAP was.
>>
>> Now you better compare that to guns . Guns
>> <http://science.howstuffworks.com/innovation/inventions/who-invented-the-first-gun.htm>
>> were built to kill.
>> Do gun producers feel any remorse about their creations? How they are
>> used or misused?
>> We can say guns defend us but they are also to blame of murders worldwide.
>>
>> Unsafe cars are called back to return and producers get sued if people
>> get killed because of them.
>>
>> http://www.bankrate.com/finance/auto/the-8-most-infamous-car-recalls-in-history-1.aspx
>>
>> >>Hackers use tools developed for Security Pros. Security Pros use tools
>> developed for hackers
>>
>> @Tony, could you provide me a list of tools developed by hackers?
>> So far the list <http://pastebin.com/raw/GPSHF04A> Phineas provided had
>> all offensive security tools built by 'Security Pro's'😝.
>> And his nice video contained a nice display using offensive security
>> tools only.
>>
>> *>>In the end I feel that this discussing is a bit like the dilemma
>> that Alfred Nobel had in regards to dynamite. Perhaps we as OWASP can
>> find another way in help/promote security to become more mainstream. I
>> am hopeful that with this discussion we can find this way forward.*
>>
>> YES. @Steven, to me, you could be more right.
>> We keep on thinking like we are,  focusing on the same old, nothing will
>> change and hackers will keep on using offensive 'security' tools to
>> compromise systems.
>>
>> You might all want to read this research and the Washington post article
>> and think a little more regarding the core of the discussion.
>>
>> *In this paper I'll evaluate how some of the most popular security tools
>> are intended to be used, how they have or may be used in sinister ways, and
>> how the risks associated with them may be mitigated (If I am able to
>> determine that in my research). *
>>
>>
>> https://sever.wustl.edu/degreeprograms/cyber-security-management/SiteAssets/DENTON%20FINAL%20PAPER%20Security%20Tools%20v5%207-27-15.pdf
>>
>>
>> https://www.washingtonpost.com/postlive/the-ethics-of-hacking-101/2014/10/07/39529518-4014-11e4-b0ea-8141703bbf6f_story.html
>>
>>
>> P.S: ZAP is an awesome tool, whether is used for evil or good. But lets
>> not deny it,  that is being used for evil too.
>>
>>
>>
>>
>>
>>
>>
>>
>> On Mon, May 23, 2016 at 11:11 AM, Timothy D. Morgan <tim.morgan at owasp.org
>> > wrote:
>>
>>>
>>> > The stats regarding data breaches are uprise. Why? Now more than ever,
>>> > there are more data breaches and for what the data and stats tells me
>>> is
>>> > what ever is happening, we don't do enough or we do the wrong things to
>>> > help appsec security.
>>>
>>> Don't put too much faith in any infosec stat.  When you look hard at how
>>> the
>>> data is collected, you quickly realize it is the tip of the tip of the
>>> tip of
>>> an iceberg.  There's huge room for bias in the collection.  It's easy to
>>> ask
>>> for more data, but getting *good* data of the *kind we want* is usually
>>> impossible.  After all, those that have the most knowledge of breaches
>>> are the
>>> intruders, not the defenders, and they usually aren't very forthcoming.
>>>
>>> tim
>>>
>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> WAFEC Project Leader
> STING Game Project Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>



-- 
Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160523/8d31c6fd/attachment.html>


More information about the OWASP-Leaders mailing list