[Owasp-leaders] Bring balance: force verification in scanning tools

Mario Robles OWASP mario.robles at owasp.org
Wed Feb 1 14:38:10 UTC 2017


Interesting stuff related to the guy mentioned in this thread:

Reports claim Spanish police have arrested hacker Phineas Fisher <http://go.theregister.com/i/cfh/http://www.theregister.co.uk/2017/02/01/spanish_cop_cuff_phineas_fisher_suspect/>
But someone using his email says otherwise

From theregister.co.uk
Spanish cops investigating an attack on a Catalan police union last May have arrested three suspects, including a hacker alleged to be behind high-profile attacks against spyware-for-cops firms Hacking Team and Gamma International. Phineas Fisher claimed responsibility for the hack and subsequent leak of sensitive information …


> On May 23, 2016, at 10:51, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> 
> >>Don't put too much faith in any infosec stat.
> Would we agree at least that data breaches are rising and not decreasing?
> 
> My question was an ethical one:
> Do creators of hacking tools feel any remorse regarding their tools being misused?
> Do they feel they should take some responsibility by making the misuse more difficult?
> 
> The answer is sound and clear.
> 
> Comparing hacking tools to screwdrivers or unsafe cars is like comparing apples with oranges.
> Google and LinkedIn are used for hacking, but Google was not built to hack; ZAP was.
> 
> Now you'd better compare that to guns. Guns <http://science.howstuffworks.com/innovation/inventions/who-invented-the-first-gun.htm> were built to kill.
> Do gun producers feel any remorse about their creations? How they are used or misused?
> We can say guns defend us, but they are also to blame for murders worldwide.
> 
> Unsafe cars are recalled and producers get sued if people get killed because of them.
> http://www.bankrate.com/finance/auto/the-8-most-infamous-car-recalls-in-history-1.aspx
> 
> >>Hackers use tools developed for Security Pros. Security Pros use tools developed for hackers
> 
> @Tony, could you provide me with a list of tools developed by hackers?
> So far the list <http://pastebin.com/raw/GPSHF04A> Phineas provided had only offensive security tools built by 'Security Pros' 😝.
> And his nice video contained a nice display using offensive security tools only.
> 
> >>In the end I feel that this discussion is a bit like the dilemma that Alfred Nobel had in regards to dynamite. Perhaps we as OWASP can find another way to help/promote security to become more mainstream. I am hopeful that with this discussion we can find this way forward.
> 
> YES. @Steven, to me, you couldn't be more right.
> If we keep on thinking like we are, focusing on the same old things, nothing will change and hackers will keep on using offensive 'security' tools to compromise systems.
> 
> You might all want to read this research and the Washington Post article and think a little more about the core of the discussion.
> 
> In this paper I'll evaluate how some of the most popular security tools are intended to be used, how they have or may be used in sinister ways, and how the risks associated with them may be mitigated (If I am able to determine that in my research).
> https://sever.wustl.edu/degreeprograms/cyber-security-management/SiteAssets/DENTON%20FINAL%20PAPER%20Security%20Tools%20v5%207-27-15.pdf
> https://www.washingtonpost.com/postlive/the-ethics-of-hacking-101/2014/10/07/39529518-4014-11e4-b0ea-8141703bbf6f_story.html
> 
> P.S.: ZAP is an awesome tool, whether it is used for evil or good. But let's not deny it: it is being used for evil too.
> 
> On Mon, May 23, 2016 at 11:11 AM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:
> 
> > The stats regarding data breaches are on the rise. Why? Now more than ever,
> > there are more data breaches, and from what the data and stats tell me,
> > whatever is happening, we don't do enough or we do the wrong things to
> > help appsec security.
> 
> Don't put too much faith in any infosec stat.  When you look hard at how the
> data is collected, you quickly realize it is the tip of the tip of the tip of
> an iceberg.  There's huge room for bias in the collection.  It's easy to ask
> for more data, but getting *good* data of the *kind we want* is usually
> impossible.  After all, those that have the most knowledge of breaches are the
> intruders, not the defenders, and they usually aren't very forthcoming.
> 
> tim
> 
> --
> Johanna Curiel
> OWASP Volunteer