Friday, September 28, 2012

Membership Deadline Is This Sunday, Sept 30, 2012

DEADLINE REMINDER

The deadline for Paid and Honorary Membership is this Sunday, Sept 30 for eligibility to vote in the upcoming 2012 Election.  Please see https://www.owasp.org/index.php/Membership/2012_Election for more information.

Using the link above, please check to be sure you are a current paid member. If you are not, please consider becoming a member today (https://www.owasp.org/index.php/Newmembership). Your donation will help to continue to provide vendor neutral services and to continue to develop quality tools and documentation in our open source community.

If you would like to apply for honorary membership please complete the honorary membership form before September 30, 2012.
https://docs.google.com/a/owasp.org/spreadsheet/embeddedform?formkey=dHA4dno2TlhSa0pVSUNQclZCOWROV0E6MQ 

Thursday, September 27, 2012

AppSec USA 2012: Training Promotions, Deadlines, WASPY Awards, and Open Source Showcase

OWASP Community Members -

A few updates and reminders on our upcoming global event: AppSec USA 2012 taking place on October 23-26 at the Hyatt Regency in downtown Austin, Texas!

IN THIS MESSAGE: 
Training Promotions |  Reserve your hotel room by October 1 | Register by Sept. 30 |  Conference Schedule | Waspy Awards | Open Source Showcase | Thanks to our Sponsors

TRAINING PROMOTIONS

Win a free pass to Sherif Koussa's Training: Writing Secure J2EE Code
The winner must solve a Java riddle and get the most retweets, LinkedIn comments and likes, or Facebook likes.

Several of our trainers have decided to offer a "3 for 2" deal on their training course. If your company wants to send 3 people to a training course, you can do it for the price of 2 training registrations. Put another way: buy 2 training registrations, get a third for free! If you are interested in taking advantage of this promotion, email sarah.baso@owasp.org for registration instructions and a discount code. Training classes included in this offer:
To learn more about all of our training courses, visit: http://www.appsecusa.org/schedule/trainings/


DEADLINE: RESERVE YOUR HOTEL ROOM BY OCTOBER 1
The Hyatt has extended the cut-off date for our room block at the discounted rate of $189/night to OCTOBER 1. Don't get stuck cabbing it every day; get your hotel room today. Book at the Hyatt Regency Austin under our discounted rate > https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=6604435


REGISTER BY SEPTEMBER 30th
Registration prices go up by $100 after September 30th, so sign up today for a great deal: http://www.appsecusa.org/register/


CONFERENCE SCHEDULE
We have released the schedule (still subject to change) at schedule.appsecusa.org and the mobile version at m.appsecusa.org.  You can create your own personal schedule, connect with other attendees and even import your schedule into Outlook or iCal.


Web Application Security of the Year (WASPY) Award 
Every year a group of individuals including researchers, developers, security professionals and others work to ensure the security of web applications. Some of these individuals are featured in news stories or at conferences as recognized experts. But there are many other ‘unsung heroes’ that work every day to improve web application security and yet are rarely recognized. This year OWASP will initiate the first annual Web Application Security Person of the Year  (WASPY) award. The WASPY awards are solely funded by sponsors.

We would like to thank our Platinum Sponsor Qualys and our Silver Sponsor Trustwave for their additional contributions to this award.  

It's not too late to sponsor the WASPY awards.   Please contact Kelly Santalucia kelly.santalucia@owasp.org for more information or with any questions you may have.


OPEN SOURCE SHOWCASE
Don't miss the OWASP Open Source Showcase starting on Thursday, October 25th and ending on Friday, October 26th! A handful of open source projects were selected to showcase, demo, and promote their work at the AppSec USA conference this year. The projects showcasing are:

  • OWASP Hackademic Challenges
  • Armitage
  • ThreadFix
  • Brakeman
  • ModSecurity
  • Mantra OS

The Open Source Showcase is a great opportunity to participate in live demos, and meet the Project Leaders face to face. The showcases run from 9:00am to Noon, and from 2pm to 5pm on both Thursday and Friday. Please contact projects@owasp.org for more information. 

THANKS TO OUR SPONSORS!
We are EXTREMELY thankful to our donors and sponsors:

Adobe, NTOBJECTives, Aspect Security, Checkmarx, iMPERVA, Cigital, Qualys, NetSPI, Veracode, IBM, f5, WhiteHat, Army INSCOM, Trustwave Spiderlabs, Impact Security, Denim Group, Gemalto, Gotham Digital Science, Symplified, Blueinfy, Core Security Technologies, Radware, RSA Security, Rapid7, Falling Rock, and Pwnie Express.

THANK YOU! We couldn't pull this off without your generous support!



OWASP AppSec USA 2012, Austin TX
Training: October 23-24
Talks, CTF, Showroom, & More: October 25-26
www.appsecusa.org
@appsecusa

Tuesday, September 25, 2012

OWASP Membership Deadline

Hello all,


I would like to remind everyone ONE LAST TIME of the September 30, 2012 membership deadline for eligibility to vote in the OWASP election. The members of the committee are not paid marketing people, or paid by OWASP for our efforts;  we are all volunteers, just like you. We pay membership because we want to support our local chapter, OWASP projects, and other efforts to raise awareness of critical software security issues.

OWASP needs your donation to continue to provide vendor neutral services and to continue to develop quality tools and documentation in our open source community.

For less than $1/week, you can support your local chapter and vote in the Global OWASP Election.

Become a member Today!

https://www.owasp.org/index.php/Newmembership 

If you are already a paid member, then please accept our sincere thank you for your continued support.

Honorary members can also vote in the election.  If you would like to apply for honorary membership please complete the honorary membership form before September 30, 2012.

https://docs.google.com/a/owasp.org/spreadsheet/embeddedform?formkey=dHA4dno2TlhSa0pVSUNQclZCOWROV0E6MQ 

Respectfully,

Helen Gao, CISSP
Global Membership Committee Chair
https://www.owasp.org/index.php/Global_Membership_Committee#Membership_Committee


Monday, September 17, 2012

OWASP ZAP – the Firefox of web security tools

The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications.

My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it. Future posts on the ZAP blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP.

Some of the ideals that have driven ZAP are listed below and will be expanded upon in the rest of this post:
  • help users develop and apply application security skills
  • build a competitive, open source, and community oriented platform
  • provide an extensible platform for testing
  • designed to be easy to use
  • raise the bar for other security tools

Helping users learn about Application Security
Unlike many security tools ZAP is designed to be used by people new to application security as well as security professionals.
My background is in development, and I started playing around with the Paros Proxy (from which I forked ZAP) as a way to learn about security tools. Helping people to learn about application security has been, and will remain, an essential goal for ZAP.
The open nature of ZAP is key here – users can delve into the code to see how it works. Anyone who thinks they can make an improvement has the opportunity to implement those changes, feed them back and be credited for them. Developers can work on ZAP to help them learn about security, and security people can work on ZAP to help them learn about coding.

An Open Source, Community based project
Like all OWASP projects, ZAP is open source and completely free to use. This means that there is no ‘pro’ version, so there is no incentive for us to hold back features for the ‘paid-for’ version. ZAP is also a community based project, which is an important distinction when compared with some other tools.
There are many security tools that are open source but are still tightly controlled by one individual or company. While a user can see how these products work it is often difficult to change them or influence their direction.
Anyone can get involved with the ZAP development – once someone has shown that they can produce good quality code and conform to ZAP guidelines then they can get commit access!
There are plenty of opportunities for non coders to get involved too – testing, documentation, training videos, translating – all contributions are welcomed and credited.

An Extensible platform for testing web applications
In addition to improving the core feature set for ZAP, we are working to ensure that as much of ZAP functionality is implemented as extensions or addons, which can easily be added to existing ZAP releases. This means that new features can be added dynamically without having to wait for full ZAP releases, and also means that we can accommodate features that will only appeal to a small subset of our users.
The ZAP community is very supportive of people who want to learn about coding or security, and we have just benefited from 3 students producing excellent enhancements to ZAP as part of the Google Summer of Code.

Ease of use as a design goal
We realize that developers and functional testers will probably spend a relatively small amount of time using security tools, so we want ZAP to be as intuitive as possible.
But we try to maintain a balance between making things as simple as possible while at the same time not over simplifying them.
While there is no ‘big red button’ in ZAP which will solve all of your security problems, ZAP provides a set of automated tools which will help individuals assess the security of applications.
ZAP also provides a set of manual tools which can be used by people with more knowledge, which is one of the reasons it has been so enthusiastically adopted by professional pentesters. Inexperienced users can start off using the automated tools and gradually use more and more of the manual features as they improve their knowledge of application security.

Raising the bar for security tools
Another way ZAP can help application security in general is by raising the bar for other security tools, commercial or otherwise. Other products are free to reuse our source code (with acknowledgement;) and also free to copy or be ‘inspired’ by features that are implemented in ZAP.
In fact we welcome such reuse as it will provide the following benefits:
  • improve other tools, which increases user choice
  • broaden the availability of effective security tools
  • allow feature parity across tools, which will drive innovation and competition

Conclusion
In conclusion, ZAP is a free, open-source, community developed tool aimed at making the online world more secure. Anyone can get involved developing the core engine, or by creating addons which have full access to the core functionality. And that will probably sound vaguely familiar, as it's very close to the philosophy behind Mozilla Firefox.
It's why I’m working for Mozilla as a security automation engineer, and the justification for this blog’s title :)
If you have any interest in application security then you should download ZAP and try it out. And if you would like to learn more, or help to make ZAP better then please get in touch with me.

Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Automation Engineer

Thursday, September 13, 2012

OWASP Candidate Interviews Posted and New Election Timeline Information

The OWASP election is rapidly approaching!  The candidate interviews have been posted. Please scroll to the bottom of  https://www.owasp.org/index.php/Membership/2012_Election and listen to the candidate interviews. 

Honorary Membership: Has been reopened and extended until Sept 30 EOD. Please see the 2012 Election page (https://www.owasp.org/index.php/Membership/2012_Election) to find out if you are eligible. If you are qualified, you MUST complete the Honorary Membership Form.

Paid Membership: The deadline has been extended to Sept 30 EOD. OWASP paid Individual Members, paid Corporate Members and Honorary Members registered as of September 30 will have one (1) vote per seat. There are 3 seats up for the election. You can check whether you are a paid member of OWASP using our Member Look Up.

Your vote counts!  If you are not a paid member, we encourage you to join OWASP today https://www.owasp.org/index.php/Membership_Map

Tuesday, September 11, 2012

AppSec USA 2012: Training, Conference Schedule, and More


The OWASP AppSec USA 2012 team has exciting updates for the October 23-26, 2012 event taking place at the Hyatt Regency in downtown Austin, Texas!

IN THIS MESSAGE:

Training | Conference Schedule Released | Reserve your hotel room by Sept. 23 | 5K for Charity | Movie Sneak Preview: Reboot | Register | Thanks to our Sponsors

TRAINING

Ready to learn the art of SQL injection? Got it. Advanced Threat Modeling? You're covered. Taking OWASP WTE (OWASP Live CD) to the next level? Learn from its maintainer! Hardening your .NET or J2EE code? Be instructed by masters of the craft Erez Metula (author of "Managed Code Rootkits") and Sherif Koussa (lead developer on WebGoat5.0 and lead instructor at Secure Code Gurus).  We even have training for CISOs looking for info on setting up, managing and improving their global information security organization using mature OWASP projects and tools.

Learn more about our 1-day and 2-day classes> http://www.appsecusa.org/schedule/trainings/

OWASP AppSec USA 2012 is also offering a FREE Pass ($375 value) to a half-day pre-Conference Developer Training – for developers new to Application Security and the OWASP Community >  http://owasp.blogspot.com/2012/09/free-half-day-developer-training-at.html


CONFERENCE SCHEDULE RELEASED

We have released the schedule (still subject to change) at schedule.appsecusa.org and the mobile version at m.appsecusa.org.  You can create your own personal schedule, connect with other attendees and even import your schedule into Outlook or iCal.

BOOK YOUR HOTEL ROOM BEFORE IT IS TOO LATE!
Don't get stuck cabbing it every day; get your hotel room today. Our special discount rate of $189/night is ending on Sept 23 and the conference hotel is filling up. Book at the Hyatt Regency Austin under our discounted rate > https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=6604435


5K FOR CHARITY
The AppSec USA 2012 5K race will be held prior to conference sessions on Friday. The $50 fee includes race support and a limited edition Nike Dri-Fit t-shirt. All proceeds will be donated to the OWASP Projects Reboot initiative (https://www.owasp.org/index.php/Projects_Reboot_2012).

If you’ve already registered for AppSec and would like to attend, simply LOG IN HERE and add it to your agenda. If you have not already registered for AppSec, you should REGISTER TODAY to reserve your pass.


MOVIE SNEAK PREVIEW: REBOOT
We are very excited to announce a special sneak preview of the new film “Reboot” at OWASP AppSec USA 2012! Set within a dystopian world that is a collision between technology and humanity, “Reboot” touches upon many of the current social and political concerns that arise from becoming more and more intertwined with the virtual.

In contemporary Los Angeles, a young female hacker (Stat) awakens from unconsciousness to find an iPhone glued to her hand and a mysterious countdown ticking away on the display. Suffering from head trauma, and with little recollection of who she is or what is happening, Stat races against time to figure out what the code means, and what unknown event the pending zero-hour will bring.

Only 300 passes are available for this special screening at AppSec and it has already been added as an OPTIONAL AGENDA ITEM for our attendees. If you’ve already registered for AppSec and would like to attend, simply LOG IN HERE and add it to your agenda. If you have not already registered for AppSec, you should REGISTER TODAY to reserve your pass.


REGISTER
Register early and save money. Register a large group and save even more. And if you're a student, the savings are huge. So sign up today for a great deal, and please spread the word to students in computation, information protection, forensics, and law. We need more people to secure the world's systems. Registration is open and prices go up by another $50 on September 30th!

http://www.appsecusa.org/register/


THANKS TO OUR SPONSORS
We are EXTREMELY thankful to our donors and sponsors:

Adobe, NTOBJECTives, Aspect Security, Checkmarx, iMPERVA, Cigital, Qualys, NetSPI, Veracode, IBM, f5, WhiteHat, Trustwave Spiderlabs, Impact Security, Denim Group, Gemalto, Gotham Digital Science, Symplified, Blueinfy, Core Security Technologies, Radware, RSA Security, Rapid7, Falling Rock, and Pwnie Express.


THANK YOU! We couldn't pull this off without your generous support!


Thanks all.

OWASP AppSec USA 2012, Austin TX
Training: October 23-24
Talks, CTF, Showroom, & More: October 25-26
www.appsecusa.org
@appsecusa

Free half-day developer training at AppSec USA


For a Limited Time Only
FREE Pass ($375 value) to pre-Conference OWASP AppSec USA 2012 Training
Offer for Developers New to Application Security and the OWASP Community

What: FREE half-day training

Course Title: Web Application Secure Defensive Coding Boot Camp 


Instructors: Jim Manico & Eoin Keary

Jim Manico is an OWASP volunteer who leads the OWASP Cheat Sheet Series and produces the OWASP Podcast Series. Jim is also the VP of Security Architecture at WhiteHat Security. Jim provides secure coding and developer awareness training for WhiteHat Security using his 8+ years of experience delivering developer-training courses for SANS, Aspect Security and others. He brings 16 years of database-driven Web software development and analysis experience to WhiteHat and OWASP.

Eoin Keary is the CTO and founder of BCC Risk Advisory Ltd. (bccriskadvisory.com), an Irish company that specialises in secure application development, advisory, penetration testing, Mobile & Cloud security and training.
He is also an international board member and vice chair of OWASP, The Open Web Application Security Project (owasp.org). During his time in OWASP he has led the OWASP Testing and Security Code Review Guides and also contributed to OWASP SAMM, ASVS and the OWASP Cheat Sheet Series. Eoin has led global security engagements for some of the world’s largest financial services and consumer products companies. He is a well known technical leader in industry in the area of software security and penetration testing.

When: Morning or Afternoon session:
  • Tuesday, October 23, 2012; 8:00 AM to 12:00 PM
  • Tuesday, October 23, 2012; 1:00 PM to 5:00 PM

Why: Regardless of your chosen/mandated framework for building web applications (Spring, Struts, Rails, PHP, Python, etc.), you want to make your life easier, and potentially less embarrassing. Don’t be the one who left the door open for hackers. Learn handy tips from one of the world’s leading AppSec experts.

Who is Eligible: Developers (dev managers welcome, assign people from your team to attend). Bring yourself, no materials required.
Where: Austin Hyatt Regency Downtown; 208 Barton Springs Road, Austin TX

Register here:

Disclaimer: First come, first served, there is limited capacity. Offer is for developers new to application security and the OWASP Community. Register by October 8, 2012.

Don’t miss this opportunity because OWASP AppSec USA is hosted in Austin this year! In addition, register for AppSec USA 2012 www.appsecusa.org (more training on Wednesday, October 24; full conference Thursday-Friday, October 25-26).

Monday, September 3, 2012

OWASP 1-Liner

by @johnwilander

OWASP 1-Liner is a deliberately vulnerable Java- and JavaScript-based chat application where users communicate via so-called one-liners. A one-liner is a short text message sent into cyberspace, open to read for anyone accessing the system. The app is intended for demos and training in application security.
IMPORTANT:
  • OWASP 1-Liner contains several serious security holes intended for demonstrations and application security training. Do not trust it with any kind of sensitive information such as usernames or passwords you use for regular sites and systems.
  • OWASP 1-Liner is an official OWASP project, originally released at OWASP AppSec Research 2012 in Athens.

Contents

  A. License and Attribution
  B. Quick Start
  C. Purpose
  D. Project Structure
  E. Build and Deploy
  F. Contributors

A. Licence and Attribution

If you use the OWASP 1-Liner you should attribute its original author John Wilander and the OWASP Foundation. Thank you!

OWASP 1-Liner is released under the Creative Commons Attribution-ShareAlike 3.0 Unported license. Full details can be found in the LICENSE_CC3.txt file in this project.
Other licensed software bundled in:
  • Ext JS 4 from Sencha which is under the GNU General Public License (GPLv3), please see LICENSE_GPL3.txt.
  • jQuery and the jQuery Cookie plugin which are under the MIT license, please see LICENSE_MIT.txt.
  • jQuery encoder by Chris Schmidt. Please see LICENSE_JQUERY_ENCODER.txt.
  • OWASP AntiSamy which is licensed under BSD 2. The project refers to the template which is available in LICENSE_BSD_2.txt.
  • One slightly modified file from BeEF, namely hook.js with a setTimeout call to beef_init(). BeEF is licensed under the Apache License, version 2.0. Please see LICENSE_APACHE_2.0.txt.
  • Several Java libraries and of course Java itself. All of these dependencies are found in the build.gradle file and their respective licenses can be found at each project's site.

B. Quick Start

OWASP 1-Liner is deployed on your own machine. This is the quickest way to get going:
  • Clone https://github.com/johnwilander/owasp-1-liner (this repo if you're on GitHub right now) using Git
  • Enter '127.0.0.1 local.1-liner.org' and '127.0.0.1 attackr.se' in your hosts file
  • Make sure you have Gradle installed
  • Go to the root folder of your cloned OWASP 1-Liner in a shell
  • Execute 'gradle jettyRun'
  • Surf to https://local.1-liner.org:8444
  • Check out the OWASP_1-Liner_Demos.txt file for demo inspiration

C. Purpose

The purpose of the OWASP 1-Liner Project is to provide the application security community with a modern (at least as per 2012 :) Java- and JavaScript-based web application suited for both demonstrations and training.

D. Project Structure

OWASP 1-Liner is built up of two implementations:
  • OWASP 1-Liner Vulnerable – the deliberately insecure version of the app
  • OWASP 1-Liner Securish – a more secure version of the same app

E. Build and Deploy

OWASP 1-Liner is a Gradle application. You download the source, build, and deploy on your own machine. The intention is to allow for live coding and patching. The suggested IDE is Jetbrains' IntelliJ.

Clone the Repository

Go to https://github.com/johnwilander/owasp-1-liner and clone the repo to your local machine using Git.

Install Gradle

On Mac OS X

If you're on Mac OS X and use Homebrew you can just run 'brew install gradle' in a shell.

On Windows 7

  1. Go to http://www.gradle.org/, download and unzip Gradle
  2. Add the environment variable 'GRADLE_HOME' and then add 'GRADLE_HOME\bin' to the Path variable

On Linux

  1. Go to http://www.gradle.org/, download and unzip Gradle
  2. Edit the PATH in the environment file, e.g. $ sudo nano /etc/environment
  3. Add the following to the environment file:
    • PATH = "... :$GRADLE_HOME/bin"
    • GRADLE_HOME="gradle_directory".
  4. Reload environment variables: $ source /etc/environment
  5. Add symbolic links to the /usr/bin folder: $ sudo ln -sf /gradle_directory/bin/* /usr/bin/.

Configuring local domain names

You have to access the apps through proper URLs (not IP numbers or "localhost") so you need to set up fake domain names in your hosts file.

On Mac OS X

  1. Open /etc/hosts as root in an editor, e.g sudo emacs /etc/hosts
  2. Add these lines:
    • 127.0.0.1 local.1-liner.org
    • 127.0.0.1 attackr.se

On Windows 7

  1. Run an editor (e.g. Notepad) as administrator
  2. Open C:\Windows\System32\drivers\etc\hosts in the editor
  3. Add these lines:
    • '127.0.0.1 local.1-liner.org'
    • '127.0.0.1 attackr.se'

On Linux

  1. Open and edit as root the file /etc/hosts, e.g. $ sudo gedit /etc/hosts
  2. Add these lines:
    • '127.0.0.1 local.1-liner.org'
    • '127.0.0.1 attackr.se'

Build and run on Jetty

OWASP 1-Liner uses the Jetty plugin for Gradle to run the apps.
  • Go to the root folder of the cloned repository in a shell, for instance /opt/workspace/owasp_1-liner/
  • gradle jettyRun
Now the app should be up and ready for business on https://local.1-liner.org:8444

Dependencies

Check the build.gradle file for dependencies.

How to set up trusted SSL

On Mac OS X

Below are instructions on how to get browsers without their own trusted CA list (i.e. Chrome and Safari) to accept your application's self-signed SSL cert for https://local.1-liner.org:8444.
  1. Open a shell and cd to the app root dir (that's where you'll see the keystore file)
  2. If the supplied certificate has expired or you want to replace it for some other reason, run Java's keytool like this (the password is always '1-liner' without single-quotes):
    • keytool -delete -alias jetty -keystore keystore
    • keytool -keystore keystore -alias jetty -genkey -keyalg RSA
    • Be sure to enter local.1-liner.org as CN (stated as first and last name in the creation process).
    • Enter the password '1-liner' without single-quotes for both passwords
    • keytool -export -keystore keystore -alias jetty -file jetty-ssl.keystore.cer
  3. Open your keychain manager and select the "System" keychain
  4. Archive -> Import, select your new .cer file, enter OS X admin password
  5. Double click the newly imported cert, expand trust, mark for SSL – Always trust
  6. Reload the page in your browser and now it should be accepted

On Windows 7

  1. Click Start button and enter "certmgr.msc" in the search box.
  2. Go to 'Trusted Root Certification Authorities'
    • Right click
    • Pick "All tasks" -> Import -> Next -> Browse
    • Find the location of the OWASP 1-Liner certificate in the source root
    • Next -> Finish -> Yes -> OK
If the supplied certificate has expired or you want to replace it for some other reason, follow steps 1 and 2 under "On Mac OS X" in a PowerShell.
Note: we seem to have some problems running the application in IE. Bug reports are welcome.

On Linux

If the supplied certificate has expired or you want to replace it for some other reason, follow steps 1 and 2 under "On Mac OS X" in a shell.
There is no central management for SSL certificates so you have to determine the validity of the certificate on each application.
Firefox
Hit https://local.1-liner.org:8444 and then select 'I understand the risks' -> 'Add Exception' -> 'Get Certificate' -> 'Confirm security exception'.
Chromium
It does not have an SSL certificate manager, so the certificate has to be added to the NSS Shared DB using libnss3-tools, which has to be installed. Use Firefox to export the certificate to a file as PEM. Then type in a shell:
$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "Give_a_name" -i "the_extracted_certificate"
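The hosts-file and keytool steps above, automated as an added example (this is not the 1-Liner project's own script): it assumes keytool is on the PATH and takes the keystore file, the alias 'jetty' and the password '1-liner' from the README, and passes -dname so the CN is set without the interactive "first and last name" prompt where the typo would otherwise slip in.

```shell
#!/bin/sh
# Added example, not part of the OWASP 1-Liner project.
# Assumptions: keytool on the PATH; keystore file "keystore" in the app root,
# alias "jetty" and password "1-liner" as in the README; key size and
# validity are choices made here, not taken from the project.
set -eu

KEYSTORE="${KEYSTORE:-keystore}"
KEY_ALIAS="jetty"
STOREPASS="1-liner"
CN="local.1-liner.org"
CERT_OUT="jetty-ssl.keystore.cer"

# Return 0 when every name the app relies on maps to 127.0.0.1 in the given
# hosts file (default /etc/hosts). Comment lines are ignored, and the name
# must appear as a whole word so "local.1-liner.org.bak" does not count.
check_hosts() {
  hosts_file="${1:-/etc/hosts}"
  missing=0
  for name in local.1-liner.org attackr.se; do
    if ! grep -Ev '^[[:space:]]*#' "$hosts_file" \
       | grep -Eq "^[[:space:]]*127\.0\.0\.1[[:space:]]+([^#]*[[:space:]])?$name([[:space:]]|\$)"; then
      echo "missing hosts entry: 127.0.0.1 $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Replace the self-signed Jetty certificate non-interactively and export it
# for import into the OS or browser trust store, as the README describes.
regen_cert() {
  # Ignore the error when the alias is not present yet.
  keytool -delete -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" 2>/dev/null || true
  keytool -genkeypair -keystore "$KEYSTORE" -alias "$KEY_ALIAS" \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$CN" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -keystore "$KEYSTORE" -alias "$KEY_ALIAS" \
    -storepass "$STOREPASS" -file "$CERT_OUT"
  # Show the subject actually stored so a wrong CN is caught before import.
  keytool -list -v -keystore "$KEYSTORE" -alias "$KEY_ALIAS" \
    -storepass "$STOREPASS" | grep '^Owner:'
}

# Usage: sh 1liner-setup.sh check | regen   (no argument: define only)
case "${1:-}" in
  check) check_hosts || exit 1; echo "hosts entries OK" ;;
  regen) regen_cert ;;
esac
```

Run `check` before `gradle jettyRun` so a missing hosts entry is reported up front instead of as a browser error.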

F. Contributors

Original and main developer is John Wilander.
Further contributors in alphabetical order:
  • Paraskevi "Vicky" Simita