jwcrux's comments

jwcrux | 7 years ago | on: Gophish: An open source phishing toolkit

When I first launched Gophish a few years ago, I sent an email to a reporter I'm a fan of basically saying "Hey, I made this thing, I think your readers would benefit from it".

Their response was lightheartedly asking me if I really just sent them an email about a phishing simulation toolkit and expected them to click the links in the email :D

jwcrux | 7 years ago | on: Gophish: An open source phishing toolkit

You're absolutely right, and I highly recommend Duo Insight! While I developed Gophish, I also work at Duo so I'm happy to discuss the differences between the two. :)

While my experience with Gophish was one of the things that brought me to Duo, Insight is not based on Gophish at all. I had the privilege of working with the team of engineers who built Insight and they are amazingly talented. It's a really high-quality product from an incredible team.

You hit the nail on the head as to why someone may prefer Insight to Gophish. Gophish, while being easy to set up, still requires _some_ setup and hosting. With Insight, everything is managed for you. This has significant time savings and infrastructure savings.

The downside to this is flexibility, which is what Gophish offers. Insight offers a good few pre-built templates while Gophish lets you create your own. You control everything and have the ability to tailor phishing campaigns exactly how you want them. Gophish was also built from the ground-up to be driven by an API, and has other features that may be useful in more red-team scenarios (such as credential capture).

The other benefit to Gophish that you mentioned is that, since you control the infrastructure, you control all of the data end-to-end.

So while they're in a similar space, they're pretty different products with different strengths and weaknesses. If you're just starting to look into running a phishing simulation, I'd lean towards giving Insight a shot since it's super quick and easy to get a campaign out the door. Once you need more flexibility and power, Gophish is an easy transition. :)

jwcrux | 7 years ago | on: Gophish: An open source phishing toolkit

I think I can still do a better job of pointing people who hit the repo first back to the website for more information. Right now, it’s linked, but it could be more clear.

I’ll take that as an opportunity for improvement. Thanks so much for taking the time to type out that feedback!

jwcrux | 7 years ago | on: Gophish: An open source phishing toolkit

Thank you for the feedback! It’s really appreciated.

Just out of curiosity, does the copy on the main website [0] give a better indication or does that still not make for a clear description?

I ask because, while the repo was linked in this case, the main website is where most people land.

[0] https://getgophish.com

jwcrux | 7 years ago | on: Gophish: An open source phishing toolkit

Thank you so much!

I view Gophish as a way to volunteer and give back to the larger security community. I love engaging with the Gophish community and seeing people use the software to measure their own exposure to phishing.

That said, there aren't any plans to monetize Gophish. It will always stay free and open-source so that anyone can use it. :)

As far as support, I try and respond to every issue as fast as possible. It's a best effort, but I managed to pass 1k closed issues recently, which I was pretty proud of! And I'm fortunate that there are so many amazing people in the Gophish community who are willing to jump into issues, help out, and bounce great ideas around.

jwcrux | 7 years ago | on: Gophish: An open source phishing toolkit

Hi everyone!

What a happy surprise to see my project on HN :)

My name is Jordan, I've been developing Gophish [0] for a few years now. The goal of the project is to let companies of all sizes perform high-quality phishing simulation regardless of their security budget.

Happy to answer any and all questions!

[0] https://getgophish.com/

jwcrux | 7 years ago | on: Request TV shows or movies

Or have a link at the top of search results for something like "not finding what you want?" or similar so that suggestions can be provided at the time of searching instead of having to context switch to a different help page.

jwcrux | 8 years ago | on: Security Keys

I hope they do. Wouldn't that be incredible? Having _native_ U2F/UAF built right into the browser.

The hard part is that there's another more subtle chicken and egg problem when it comes to software implementations and consumer HSM. Google/Apple/Microsoft will likely only really push forward native implementations when there is enough market share for consumer hardware having HSMs built in to make it worth it with feasible fallback options.

jwcrux | 8 years ago | on: Security Keys

U2F/UAF/Webauthn are a really interesting chicken/egg problem.

Right now, not too many providers support these auth protocols, even though they are more secure than current 2fa alternatives and provide a better user experience. They aren't widely supported because that costs development time and many of their customers don't have security keys.

Customers won't buy security keys because it's an added cost that isn't supported by many websites.

The author of the post briefly mentions SoftU2F at the bottom of the post, but it's important to recognize how significant SoftU2F is to the U2F ecosystem.

We're just now starting to see consumer hardware come with HSMs built in. Apple SEP, Intel SGX, etc. are examples of this. SoftU2F _will_ be able to leverage these consumer HSMs to do secure crypto operations - see the pull request at [0] about storing keys in the SEP. This will effectively put U2F and UAF capability into the hands of your average consumer with no additional cost. Things can be just _built-in_, which is what it'll take to start seeing increased protocol adoption across browsers and service providers.

I'm stoked about the future of security keys and the associated protocols. Both external keys and HSMs built directly into consumer hardware.

[0] https://github.com/github/SoftU2F/pull/29

jwcrux | 8 years ago | on: Harvesting Cb Response Data Leaks

I believe their characterization is accurate. Not just anyone can download files from VT. You have to have access to their private API which is a premium billed (and anecdotally very expensive) service.[0]

That, to me, qualifies the term "VirusTotal and their partners" as accurate, since this is only a select group of companies who are paying VT a large sum for access to the data.

[0] https://www.virustotal.com/en/documentation/private-api/#fil...

jwcrux | 8 years ago | on: Harvesting Cb Response Data Leaks

I disagree. I think Carbon Black's disclaimer is more than sufficient:

The screenshot in Carbon Black's response clearly says that VirusTotal "makes the binaries available for download to their partners".

And here's the relevant text in the disclaimer:

> You are hereby advised (i) VirusTotal makes the metadata publicly available along with scan results from dozens of anti-virus products and (ii) VirusTotal also makes the files available to VirusTotal partners. You must determine whether to elect to enable this feature at your sole discretion.

And the warning also has this text in bold:

> If you have custom business applications with confidential business information on your network, sharing binaries with VirusTotal may not be appropriate for you.

With this being optional and off by default, I think it's on the customer to read the clear warning presented and make the call that's right for them.

jwcrux | 8 years ago | on: Pastes on Have I Been Pwned are no longer publicly listed

I run the Twitter account @dumpmon[0] that HIBP gets the data from.

This is an interesting decision and I applaud Troy for, as always, doing what's best for his users. He's a great example of the kind of person we need more of in the industry.

Unfortunately, I run into the same problem. I have no doubt people can (and probably do) use dumpmon for nefarious purposes. My take on the matter when I first made dumpmon was that this data was clearly already known to the bad guys. The goal of the Twitter bot was to give a sense of how prevalent these "mini-breaches" were, but also to give the good guys (like HIBP!) a feed they can use to help stop the problem. I've been fortunate that multiple services have been able to use the feed to respond to these types of credential dumps really quickly.

If anyone is interested in some of the stats behind dumpmon, here's a shameless plug to an article I wrote a couple of years ago on the matter: https://jordan-wright.com/blog/2015/05/26/two-years-of-at-du...

Happy to answer any questions!

[0] https://twitter.com/dumpmon

jwcrux | 8 years ago | on: Minebase: a free data mining tool for social networks

Congrats on shipping this! Personally, I wish that social networks themselves offered bulk export of public assets for academic purposes instead of having people re-invent the wheel every time.

Just a heads up, IANAL, but make sure that you're considering Twitter (and other social network) API terms of service:

> If you provide Content to third parties, including downloadable datasets of Content or an API that returns Content, you will only distribute or allow download of Tweet IDs, Direct Message IDs, and/or User IDs.

> You may, however, provide export via non-automated means (e.g., download of spreadsheets or PDF files, or use of a “save as” button) of up to 50,000 public Tweet Objects and/or User Objects per user of your Service, per day.

> Any Content provided to third parties remains subject to this Policy, and those third parties must agree to the Twitter Terms of Service, Privacy Policy, Developer Agreement, and Developer Policy before receiving such downloads.

> You may not distribute more than 1,500,000 Tweet IDs to any entity (inclusive of multiple individual users associated with a single entity) within any given 30 day period, without the express written permission of Twitter.

[0] https://dev.twitter.com/overview/terms/agreement-and-policy
