Slashdot Mirror


Security Gatherings for the Little Guys

NeedaFirewall writes: "With all of the recent vulnerability announcements and increased concern about terrorism, a lot of folks are starting to take security and privacy more seriously, both at the network and node levels. Large companies can afford to send their IT people to detailed technical security conferences offered by the likes of SANS, Blackhat, and others. Some of these cost thousands of dollars for a single seminar, class, or other event. Small companies and individual programmers, network admins, etc (like me!) often can't afford these. Where can they go to learn more about security? Are there quality security conferences, seminars, trade shows, and the like out there that the little guys can afford? Particularly broad-scope gatherings that can teach these 'security newbies' the basics and alert them to the most pertinent threats?"

20 of 187 comments

  1. rubi-con by buridan · · Score: 3, Informative

    I did Rubi-Con last year; it was quite interesting in a wide variety of ways: http://www.rubi-con.org . Check it out.

    1. Re:rubi-con by Eol1 · · Score: 2, Informative

      wh00t ... Did Rubi-Con also last year and planning to go again this year. Damn good (and even informative <grin>) convention. Reasonably priced also (read: cheap).

      --
      De Oppresso Liber
    2. Re:rubi-con by noweb4u · · Score: 2, Informative

      I know two of the organizers personally. They're planning to make it even better this year, with better speakers, more organization, and less random vandalism. I understand they are also going to have a commons area this time, other than the heavily smoke filled network room.
      The price is up $10 this year, but it's going to be well worth it. That and forno already said he'd be a speaker again next year (just not a keynote ;-) ).
      I'd suggest if you live in the midwest, especially Michigan, this is the place to go. :-)

  2. h2k2 might help by e-gold · · Score: 5, Informative

    http://www.h2k2.net/ is about to happen in NYC. I wish I could afford to go (time and money probably don't permit). Listening at places like that can help in strange ways in the future...
    JMR

    Speaking ONLY for myself, as always.

    --
    Try e-gold - (contact me). I'm NOT e-
  3. DefCon by pexatus · · Score: 5, Informative

    DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998). Most of the companies that send people to Black Hat tell them to stay for DefCon as well.

    If you're that concerned about getting info from Black Hat, talk to one of the people at DefCon who went and ask if you can photocopy his or her notes. They're the best thing you get for your $1000 Black Hat registration anyway.

    1. Re:DefCon by megabeck42 · · Score: 3, Informative

      $75 this year, but they're paying the speakers, so it should have a better set of talks.

      --
      fnord.
    2. Re:DefCon by FuegoFuerte · · Score: 2, Informative

      DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998).

      A few things about Defcon... it's not at the same time as BlackHat, it's just following (which may be what you meant... just hard to tell). This year it's August 2-4. As someone else already mentioned, it's $75. It was going to be $100 but too many people complained or something (conjecture). The price increase was for two reasons: One, so speakers could be paid *iff* they give a good speech. Therefore, speakers who suck won't get paid. So, if they know they suck and won't get paid, they're not as likely to try speaking. Second, the price increase is an attempt to discourage script kiddies and other imbeciles (such as many on /. who are probably reading this now, though not all) from coming to the con and pissing people off.

      More Information: The Defcon Page

      Also, check out this year's speakers and this year's slogans.

      Oh.... one other thing... DC, if you didn't already know, is held at the Alexis Park in Vegas.

  4. There's always RTFL (read the friggin' literature) by Skyshadow · · Score: 5, Informative

    When I did sysadmin work, I kept up on security threats by reading the literature available: CERT notices, security reports from vendor sites and posted to newsgroups, the cracker pubs to keep up on attack methods, etc.

    Computer (esp. network) security isn't really something that can be learned in a class. It's more of an ongoing awareness of what the threat of the week is. If history has shown us anything, it's that any useful networked system has flaws and can be broken into. As such, it's important to always keep on the forefront of what the enemy is up to.

    Irritatingly time-consuming? You bet. A pain in the ass to keep up with? Oh yeah. The only effective way to keep systems and networks secure? Unfortunately.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  5. 2600 by nixchick · · Score: 1, Informative

    Why not attend a 2600 meeting? They take place all over the world and are free for anyone to attend. Despite what you may think, some intelligent life is often present at the meetings.

    They take place on the first Friday of every month and there is a list of them all here.

  6. Try community colleges? by interstellar_donkey · · Score: 3, Informative

    In my neck of the woods (Phoenix metro area), I often hear ads on the local NPR station for networking and security seminars at the local community college.

    These are typically touted as free or very inexpensive. Not being a security guy I can't really comment on how good they are, but it probably couldn't hurt to check one out.

    My guess would be many small community colleges offer something like this.

    --
    The Internet is generally stupid
  7. About SANS by lamj · · Score: 3, Informative

    I work with SANS so I know more about SANS than other organizations.

    SANS offers courses online, so you would save on travelling fees. And yes, I would agree that travelling is expensive. I am going to a SANS conference next month and the hotels + travel + food is going to cost $2000+, and it's coming out of my own pocket.

    Aside from that, SANS also has a volunteer program through which you can go to a conference for free (will be $500 in October), but they require you to do all the setup and monitoring for them (hard work, trust me). And you will still have to pay for your lodging and food.

    In the end, just like anything else, there's really no free lunch. But if you are determined enough to learn, you will pay out of your own pocket to go. (like me)

    1. Re:About SANS by _Sprocket_ · · Score: 3, Informative

      I would like to add a few supportive words for SANS.

      The courses tend to be top notch. But that is just part of SANS' value. SANS conferences also feature a series of night courses and informal Birds of a Feather (BOF) meetings (complete with snacks and refreshments). The BOFs cover a whole slew of subjects and if you wish to add to a subject (whether you are an expert or simply curious), you are welcome to sign up and form one and room / snacks are provided for you. These add incredible value to attending a SANS conference.

      SANS also does a lot of other interesting things. They have a top-notch certification program (which has generated some interesting documents available to the public). And they are offering more and more of their certification tracks via online training programs as well as starting a localized mentor program to work with the online component.

  8. Re:There's always RTFL (read the friggin' literatu by einhverfr · · Score: 2, Informative

    One important link is the NSA Infrastructure security page. Sure, they focus mostly on Windows, but the literature is good and many of the ideas are pertinent to other environments.

    --

    LedgerSMB: Open source Accounting/ERP
  9. Re:There's always RTFL (read the friggin' literatu by Demerara · · Score: 3, Informative

    I'm in Guyana, South America so the cost of the conferences with airfares etc is way outside the budget.

    I agree that the literature is a good starting point - the reading room at SANS is a mighty fine resource.
    When I'm ready (read "can do no more without expert help") I'll look into courses/conferences.

    --
    Backward compatibility is over-rated
  10. Defcon MIGHT be a good bet by sterno · · Score: 4, Informative

    I've gone the last two years and though the price is quite good, from year to year the quality can vary a lot. Two years ago it was really quite good. A decent number of interesting speakers, got to hang out a bit with Bennett Haselton, the guy who runs peacefire.org. Overall had a good time.

    The last year though the topics really didn't seem to be quite as good and there were endless mindless pranks going on. I'm all for clever interesting pranks, but this was dumb stuff like smashing hotel lights, etc. I mean, the prank highlight was dry ice in the pool. Neat effect, but hardly breaking new ground :)

    The only problem with Defcon is that it tends to attract a certain anti-establishment sophomoric crowd (because unlike most similar cons, they can afford to get in :). While certainly there's something inherently anti-establishment about a hacker convention in the first place, that energy can be channeled into mindless destruction or it can be channeled into creative/constructive efforts. Seems that this varies from year to year :)

    It's sorta well suited to vegas. You put down your money and take somewhat of a gamble on what you are going to get. I'd suggest checking the website for the speaker list and see if they have things that interest you. If it looks good, then go for it, give or take airfare and hotel it's a bargain.

    --
    This sig has been temporarily disconnected or is no longer in service
  11. USENIX Security is affordable for the lil' guys... by fubob · · Score: 2, Informative

    I'm surprised USENIX Security was not mentioned. After all, it's very affordable for the "little guys" if you are a student. And where else can you meet security researchers like Whitfield Diffie, one of the inventors of public key cryptography? Several of the papers from the symposium have already been mentioned on slashdot. The deadline for discounted registration is this Wednesday. See http://www.usenix.org/sec02/ to register.
  12. Low budget, but a lot of personal commitment by 2Bits · · Score: 5, Informative

    I personally don't have the budget to attend any of these expensive conferences either. And my company, although with an annual revenue of $5B, would not pay for that, as I'm in the consulting division, and the manager does not believe that the cost would justify any benefits to the company (weird logic, I know, but I can't fire the manager, can I?).

    So, my low budget solution is the following:

    - Lurk around in the newsgroups like alt.computer.security, alt.hacker, alt.security.pgp, alt.sources.crypto, comp.lang.java.security, comp.os.linux.security, etc, just a bunch of security newsgroups.
    - Subscribe to security related mailing lists, like Bruce Schneier's Cryptogram.
    - Buy and read a lot of security related books
    - Download and play around with free and/or commercial (if available) software
    - Visit security related web sites frequently, e.g. linuxsecurity.com, rootprompt.org (they do have some security related articles), ... and a bunch of security related commercial companies to see what they are doing; sometimes they have white papers that are quite good.

    Sure, sometimes I wish I could attend some of the training sessions at the conference, that'd have saved me a lot of time.

    And this requires a lot of personal commitment, and a lot of time. But I've learned a lot, thanks to a lot of people who are willing to share their tricks of trade and their knowledge.

    Note that this also takes up a lot of my time at work, but the manager is not clued enough to know that, just like she does not know that a lot of people would spend time at work doing what she tries to disapprove of (like spending time learning new tools/programming languages/etc). Cost-effectiveness-wise and employee-satisfaction-wise, it is better to spend $5K to send an employee to a conference/seminar/training. Unfortunately, most managers and executives can't figure that out, although they would throw at you all these buzzwords like ROI, CBA (cost benefit analysis), and other crap.

  13. Re:Basics by PotatoMan · · Score: 4, Informative

    My self-education went like this:

    1) "Computer Networks" by Andrew S. Tanenbaum

    This will teach you what's really going on.

    2) "Firewalls and Internet Security" by Cheswick and Bellovin.

    The BEST book on firewalls. Online version at
    http://www.wilyhacker.com

    3) "Hacking Exposed" by McClure, Scambray and Kurtz.

    Not as systematic as the others, but this one has the specifics that let you see what the other books were talking about.

    4) Run a GNU/Linux system and start watching logs, etc. I'm on a dial-up and get hit several times per week. Follow up and see if you can figure out what they're doing; hopefully they don't get in!

    5) Keep abreast with CERT, SANS, BUGTRAQ, etc.

    6) There is no Royal Road to NetSec; you'll just have to dig in and learn it the hard way.
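
    Step 4 above (watch the logs on your own box, then follow up on what the hits are doing) is the one item in this list that turns into working code. The following is an added example, not code from the original post or from any of the books it names: it parses constructed sshd lines in the classic syslog format, counts failed logins per source IP inside a sliding time window, and then checks whether any of the IPs that hammered the box later got an "Accepted password", which is exactly the "hopefully they don't get in" follow-up. The log lines, hostnames and addresses are made up (RFC 5737 documentation ranges); the threshold and window are assumptions you would tune for your own machine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog + OpenSSH format). Not from any real host.
SAMPLE_AUTH_LOG = """\
Jul  9 03:14:02 dialup sshd[2113]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul  9 03:14:05 dialup sshd[2113]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jul  9 03:14:09 dialup sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jul  9 03:14:12 dialup sshd[2113]: Failed password for invalid user oracle from 203.0.113.7 port 40131 ssh2
Jul  9 03:14:15 dialup sshd[2113]: Failed password for root from 203.0.113.7 port 40133 ssh2
Jul  9 03:14:19 dialup sshd[2113]: Failed password for root from 203.0.113.7 port 40135 ssh2
Jul  9 03:14:40 dialup sshd[2140]: Accepted password for root from 203.0.113.7 port 40140 ssh2
Jul  9 08:02:11 dialup sshd[2301]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Jul  9 08:02:30 dialup sshd[2301]: Accepted password for alice from 198.51.100.4 port 51002 ssh2
Jul  9 11:45:00 dialup sshd[2402]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
"""

# Matches the two sshd password outcomes we care about; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2002):
    """Return (timestamp, result, user, ip) for an sshd password line, else None.

    Classic syslog has no year, so the caller supplies one (assumed 2002 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padded day field ("Jul  9")
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(log_text, threshold=5, window_seconds=300):
    """Flag source IPs with >= threshold failures inside any window_seconds span,
    and report any successful login from such an IP after its first failure."""
    failures = defaultdict(list)   # ip -> sorted failure timestamps
    successes = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes[ip].append((ts, user))

    suspects = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[ip] = best

    breaches = []
    for ip in suspects:
        first_failure = failures[ip][0]
        for ts, user in successes.get(ip, []):
            if ts >= first_failure:
                breaches.append((ip, user, ts.strftime("%b %d %H:%M:%S")))
    return {"suspects": suspects, "breaches": breaches}


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for ip, count in report["suspects"].items():
        print(f"brute force from {ip}: {count} failures in window")
    for ip, user, when in report["breaches"]:
        print(f"POSSIBLE COMPROMISE: {ip} logged in as {user} at {when}")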

  14. Cheapest.. by nolife · · Score: 2, Informative

    This may have been mentioned already...

    Subscribe to mailing lists like Bugtraq and NT Bugtraq, and any others for the OS or application-specific products you are supporting. Not bleeding edge, but not worth ignoring either.

    --
    Bad boys rape our young girls but Violet gives willingly.
  15. How About Books? by Squeamish+Ossifrage · · Score: 4, Informative

    You asked about conferences, but it seems like what you're really looking for is education in general. Especially as a "newbie," conferences aren't going to be your best bet anyway: They tend to cover what's new and particular topics of interest, but can't and don't provide general background knowledge.

    You can get a lot of good books for the price of a conference admission, and that's probably a better way to get started, anyhow. Here are a few recommendations from my bookshelf:

    • Building Secure Software, Viega & McGraw, $55 at Amazon
    • Network Intrusion Detection, Northcutt, McLachlan & Novak, $32
    • UNIX System Administration Handbook, Nemeth et al. $68
    • Secrets and Lies, Schneier $21
    • Hacking Exposed, McClure, Scambray & Kurtz $35