Doing bad things for the wrong reason


johanna curiel curiel

May 19, 2016, 6:38:00 PM
to zaproxy...@googlegroups.com, OWASP ZAP Evangelists Group
Hello everyone

I got some bad and good news

A known hacker has released a video hacking a real police department....using ZAP!

Look, on one side the tool is so good hackers like this guy are using it

On the other hand he is using ZAP for the wrong reasons and showing how he actually hacked the police department...

I'm seriously concerned about this.


--
Johanna Curiel 
OWASP Volunteer

johanna curiel curiel

May 19, 2016, 7:46:43 PM
to zaproxy...@googlegroups.com, OWASP ZAP Evangelists Group
Hi Colm

I don't think it is about ZAP, it is more about OWASP.

S is for security and this guy is encouraging others to use ZAP for 'hacking back'

like he said:

"The point of this video is, naturally, to show others how to “hack back,” which follows Phineas Fisher's previous comments of encouraging others to follow suit.

“That's the plan,” the hacker told Motherboard in an email. “Like subverso says in the lyrics of the song at the end of the video, ‘el que comparte lo que aprende, es peligroso.’”

We are talking about the same hacker that hacked HackingTeam...

I was just discussing with other members that OWASP needs to set a balance between Breakers and defender projects

The best project, and to be honest with you, the one that really has some level of quality, is ZAP. Defenders...? None.

I think it is time that people who come with new projects should do it focusing on defending and not breaking. There needs to be a balance.

Otherwise we can better call OWASP OWAIP = I for Insecurity... ;-P helping hackers instead of promoting security.

Cheers

Johanna

On Thu, May 19, 2016 at 7:35 PM, Colm O'Flaherty <colm.p.o...@gmail.com> wrote:

In fairness, this chaval didn't even use the active scanners in ZAP. He tried a few evaluation expressions manually to find the injection point. He could have achieved the same effect with the developer tools in the browser, in fact. There is not much to worry about from a reputational point of view for ZAP, in my opinion.

This video should be on the curriculum in computer security courses. There are so many lessons to be learned from it, it's insane.

C.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Zack Syn

May 20, 2016, 5:54:08 AM
to johanna curiel curiel, zaproxy...@googlegroups.com, OWASP ZAP Evangelists Group
A tool is a tool :D

I use RDP and Microsoft tools to hack into Windows. For the good reasons obviously ;)

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Evangelists Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-evangel...@googlegroups.com.

johanna curiel curiel

May 20, 2016, 8:49:49 AM
to Stephen de Vries, zaproxy...@googlegroups.com, OWASP ZAP Evangelists Group
Hi Stephen

Is OWASP application security? If so, are we not supposed to help application security?
Seeing the video with extensive 10 minutes of use of ZAP with background music 'f*ck the police', and hacking and leaking the data of police officers, putting their privacy and safety at risk, does not feel nice.

Hey, Mossos is well known for police abuse so this is clearly hacktivism. 

Please, let's think this through. This is the first time an OWASP tool gets such a promotion for the bad reasons. A hacker of this caliber goes and publicly says he wants others to hack back. The same hacker that recently was behind the HackingTeam.

Kali Linux and 'Offensive Security' focus on 'offensive', but when OWASP says it is about application security and all we have is such poor defender projects, then I'm sorry, the S should change to I for Insecurity ;-P

Having only torches won't help fix the cars. We need to think how to fix the design and that does not happen only with torches.

We need to incentivize security by design. OWASP is focusing too much on promoting 'how to hack' instead of 'how to fix broken apps'.

Regards

Johanna



On Fri, May 20, 2016 at 6:09 AM, Stephen de Vries <step...@gmail.com> wrote:

Obligatory car analogy:

Imagine a pitch dark car park and a thief uses a torch to find the cars that have been designed without windows and doors and with the keys in the ignition.  Is the problem with the torch? or with the thief? or with the vehicle manufacturer who builds cars without windows and doors?

Stealing cars, whether they have windows or doors, is illegal, so clearly the thief shoulders the bulk of the responsibility.
But those who built the cars without even basic security measures should share some of the blame here.  

Where does that leave the torch?  The torch was never used to break into anything, it was only used to find the cars that were already broken through bad design.

In fact, it would probably be better if we had more torches so that the whole car park was illuminated and everyone could see which cars were broken by design.





psiinon

May 20, 2016, 8:58:07 AM
to OWASP ZAP Developer Group, step...@gmail.com, zaproxy-e...@googlegroups.com
The video also showed other tools like Kali, Iceweasel (a Firefox fork) and sqlmap.
Don't know about the other tools, but I'd be surprised if anyone here at Mozilla got too upset about this.
That doesn't imply any sort of support for these actions, just a resigned acceptance that these sorts of things are going to happen and there's nothing we can really do about them.
Has anyone seen anything negative written about ZAP or any of the other tools used as a result of this video?
If so please post links.

Cheers,

Simon

psiinon

May 20, 2016, 9:42:01 AM
to OWASP ZAP Developer Group, step...@gmail.com, zaproxy-e...@googlegroups.com
We can all keep an eye on the downloads here: https://zapbot.github.io/zap-mgmt-scripts/downloads.html

And no, I've no idea why the number of downloads spiked on the 28th April :/ If anyone knows then please say...

On Friday, 20 May 2016 14:37:54 UTC+1, Cash Williams wrote:
A hammer is a hammer. It could be used by a carpenter to build a nice strong and secure home, or a teenager to bust out windows in an attempt to break in to the same home. Can't blame the hammer.

I actually think this is a good thing for ZAP. I'd bet a lot of people in the industry who had never heard of it before are looking into it right now. Would be interesting to see if the number of downloads jumps up due to this.

Another important thing to keep in mind: ZAP isn't a script kiddie tool. The person using it has to have a good understanding of the results it outputs. If someone understands how to use ZAP to its fullest power, then they know how to do the same thing manually.

On Fri, May 20, 2016 at 8:17 AM Colm O'Flaherty <colm.p.o...@gmail.com> wrote:
ZAP does help application security. I'm honestly surprised that you don't seem to think that. I use ZAP in an offensive way pretty much every day to help increase application security where I work.  We also need "fixers", but without first knowing what needs to be fixed, those "fixers" are not going to be very productive.

If you think OWASP needs more defender/fixer projects, then the obvious way to go (to me at least) is to go do something about it. Telling people "it shouldn't be this way" doesn't help anyone, not least of all those people who have put in lots of work to make ZAP great at its job. Any tool in the wrong hands is dangerous, but I don't recall anyone urging the designers/manufacturers of torches (from the previous example) to instead focus on designing brighter cities and houses. It's a different competency, and the wrong audience for the message, in my opinion.

C





