Slashdot Mirror


Security Gatherings for the Little Guys

NeedaFirewall writes: "With all of the recent vulnerability announcements and increased concern about terrorism, a lot of folks are starting to take security and privacy more seriously, both at the network and node levels. Large companies can afford to send their IT people to detailed technical security conferences offered by the likes of SANS, Blackhat, and others. Some of these cost thousands of dollars for a single seminar, class, or other event. Small companies and individual programmers, network admins, etc (like me!) often can't afford these. Where can they go to learn more about security? Are there quality security conferences, seminars, trade shows, and the like out there that the little guys can afford? Particularly broad-scope gatherings that can teach these 'security newbies' the basics and alert them to the most pertinent threats?"

54 of 187 comments

  1. rubi-con by buridan · · Score: 3, Informative

    i did rubi-con last year, it was quite interesting in a wide variety of ways http://www.rubi-con.org . check it out

    1. Re:rubi-con by Eol1 · · Score: 2, Informative

      wh00t ... Did Rubi-Con also last year and planning to go again this year. Damn good (and even informative <grin>) convention. Reasonably priced also (read: cheap).

      --
      De Oppresso Liber
    2. Re:rubi-con by noweb4u · · Score: 2, Informative

      I know two of the organizers personally. They're planning to make it even better this year, with better speakers, more organization, and less random vandalism. I understand they are also going to have a commons area this time, other than the heavily smoke filled network room.
      The price is up $10 this year, but it's going to be well worth it. That and forno already said he'd be a speaker again next year (just not a keynote ;-) ).
      I'd suggest if you live in the midwest, especially Michigan, this is the place to go. :-)

    3. Re:rubi-con by camusflage · · Score: 2

      If you're anywhere in the midwest, rubi-con is highly recommended. I went this year for the first time, and enjoyed it tremendously. Sure, you run into a lot of the kiddie types, but there were some very useful sessions to me as a developer, and even more for me as a general security wonk.

      --
      The truth about Scientology, Xenu, and you: Operation Clambake
  2. Just sneak into the conference by Anonymous Coward · · Score: 5, Funny

    And if you're caught, pretend that you were testing their security procedures.

  3. h2k2 might help by e-gold · · Score: 5, Informative

    http://www.h2k2.net/ is about to happen in NYC. I wish I could afford to go (time and money probably don't permit). Listening at places like that can help in strange ways in the future...
    JMR

    Speaking ONLY for myself, as always.

    --
    Try e-gold - (contact me). I'm NOT e-
  4. DefCon by pexatus · · Score: 5, Informative

    DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998). Most of the companies that send people to Black Hat tell them to stay for DefCon as well.

    If you're that concerned about getting info from Black Hat, talk to one of the people at DefCon who went and ask if you can photocopy his or her notes. They're the best thing you get for your $1000 Black Hat registration anyway.

    1. Re:DefCon by megabeck42 · · Score: 3, Informative

      $75 this year, but they're paying the speakers, so it should have a better set of talks.

      --
      fnord.
    2. Re:DefCon by FuegoFuerte · · Score: 2, Informative

      DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998).

      A few things about Defcon... it's not at the same time as BlackHat, it's just following (which may be what you meant... just hard to tell). This year it's August 2-4. As someone else already mentioned, it's $75. It was going to be $100 but too many people complained or something (conjecture). The price increase was for two reasons: One, so speakers could be paid *iff* they have a good speech. Therefore, speakers who suck won't get paid. So, if they know they suck and won't get paid, they're not as likely to try speaking. Second, the price increase is an attempt to discourage script kiddies and other imbeciles (such as many on /. who are probably reading this now, though not all) from coming to the con and pissing people off.

      More Information: The Defcon Page

      Also, check out this year's speakers and this year's slogans.

      Oh.... one other thing... DC, if you didn't already know, is held at the Alexis Park in Vegas.

    3. Re:DefCon by Zeinfeld · · Score: 2
      $75 this year, but they're paying the speakers, so it should have a better set of talks.

      How much can they afford to pay the speakers if the conference is $75?

      I arrived at the WWW2002 conference this year to find that they charge speakers the conference fee! Fortunately I was giving a tutorial and got a free admission but some of the speakers I invited for my panels were somewhat put out.

      I suspect that at that price the speakers are not getting much more than a cheap air fare.

      I do charge for appearing at some conferences but DefCon is not the sort of place I would expect a large honorarium from.

      Last year there was a fringe meeting held just before the RSA conference called CodeCon. The hook there was you had to have written code to speak. It was a reasonably good setup, only the venue was Jammie Z's nightclub which meant an ID check at the door (which kept out some of the cipherpunks) and there was no good place to network during talks.

      Next year I plan to skip the RSA talks, and do CodeCon and the RSA floor show.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  5. There's always RTFL (read the friggin' literature) by Skyshadow · · Score: 5, Informative
    When I did sysadmin work, I kept up on security threats by reading the literature available. CERT notices, security reports from vendor sites and posted to newsgroups, read the cracker pubs to keep up on attack methods, etc.

    Computer (esp. network) security isn't really something that can be learned in a class. It's more of an ongoing awareness of what the threat of the week is. If history has shown us anything, it's that any useful networked system has flaws and can be broken into. As such, it's important to always keep on the forefront of what the enemy is up to.

    Irritatingly time-consuming? You bet. A pain in the ass to keep up with? Oh yeah. The only effective way to keep systems and networks secure? Unfortunately.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  6. Small budget security training by totallygeek · · Score: 3, Interesting
    This is interesting. Where I work they gave me a $7,500 security training budget for myself. I was faced with just the opposite problem -- where to go for decent training, and not just a "hang out" conference. I feel that I stay up to date via newsgroups, websites and tech journals.

    To answer your question, how about asking a nearby college or computer company? I hit up SCO once about security (many, many years ago), and was invited to one of their "internal" security classes for under $500.

    1. Re:Small budget security training by Telastyn · · Score: 5, Interesting

      I'd also recommend spending some of the cash on a programming course if you've not taken one. Generally something in C would be best as it's one of the most common (and low-level and broken) languages. Understanding the bugs that can lead to exploits can help a lot in understanding exploits themselves.

      Intro Cisco courses are also a great help in the same vein as the first bit of the course goes over networking details if you're mainly a systems admin, and aren't up to snuff on the details of networking.

    2. Re:Small budget security training by Zeinfeld · · Score: 2
      Where I work they gave me a $7,500 security training budget for myself. I was faced with just the opposite problem -- where to go for decent training, and not just a "hang out" conference.

      Hey, go on a geek cruise! For $2000 you get a cabin for 2 and 7 days training!

      I thought this was an incredible boondoggle until I looked at how much you would pay for a hotel for a 5 day course.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  7. Check out your local 2600 chapter by Anonymous Coward · · Score: 2, Insightful
    I know, I know... these aren't the most professional organizations. However, you can often get a feel for what the current kiddies are up to. :)

    Or try your local Windows/NT and Unix/Linux user groups. Security is a frequent theme of these groups' meetings.

  8. defcon - not just for the l33t by maestro^ · · Score: 3, Interesting

    defcon is becoming more 'mainstream' every year and is a good conference on the cheap. for $75 you get many tracks from newbie to uberhax0r. it's also a good excuse to get out of the office and spend a weekend in vegas.

  9. Try community colleges? by interstellar_donkey · · Score: 3, Informative

    In my neck of the woods (Phoenix metro area), I often hear ads on the local NPR station for networking and security seminars at the local community college.

    These are typically touted as free or very inexpensive. Not being a security guy I can't really comment on how good they are, but it probably couldn't hurt to check one out.

    My guess would be many small community colleges offer something like this.

    --
    The Internet is generally stupid
    1. Re:Try community colleges? by interstellar_donkey · · Score: 2

      They have been for Mesa, if I remember correctly, and I've heard them on KJZZ, typically in mid-afternoons/evenings.

      --
      The Internet is generally stupid
  10. Find your local Infosec groups! by Garin · · Score: 4, Insightful

    The key to learning more about security and making connections is to get involved with your local scene (or generate one, if necessary).

    Find your local ISSA chapter (issa.org), and in Canada there is the CIPS Security Interest Group (through cips.ca). Also, talk to your local VARs and express an interest in security products. Usually they'll invite you to free morning seminars pushing security products.

    The point of going to these meetings is to find peers. Once you know a few people, swap email addresses and war stories, that kind of thing, you'll get a base.

    I've used these groups to meet colleagues, put together CISSP study groups, discuss issues, and share job opportunities and the like. Once you get a critical mass of people, it becomes very useful and interesting. It's not the same as a conference, but it is far better than working in a vacuum.

    --
    In any field, find the strangest thing and then explore it. -John Archibald Wheeler
  11. Do Research Here. (the url...not slashdot :) by Gorbie · · Score: 2

    http://www.securityfocus.com/

  12. ISSA by splume · · Score: 2, Insightful

    Join your local ISSA group. Yes, the local chapters may vary, but on the whole I have found that it is worthwhile. In the Denver chapter we had some great speakers this past year. Plus, you get a couple of hours away from the office every lunch to network with others in your same position.

    --

    Who is John Galt?
  13. About SANS by lamj · · Score: 3, Informative

    I work with SANS so I know more about SANS than other organizations.

    SANS offers courses online so you would save on travelling fees. And yes, I would agree on the fact that travelling is expensive. I am going to a SANS conference next month and the hotels + travel + food is going to cost $2000+ and it's coming out of my own pocket.

    Aside from that, SANS also has a volunteer program where you can go to a conference for free (will be $500 in October) but they require you to do all the setup and monitoring for them (hard work, trust me). But you will still have to pay for your lodging and food.

    In the end, just like anything else, there's really no free lunch. But if you are determined enough to learn, you will pay out of your own pocket to go. (like me)

    1. Re:About SANS by _Sprocket_ · · Score: 3, Informative

      I would like to add a few supportive words for SANS.

      The courses tend to be top notch. But that is just part of SANS' value. SANS conferences also feature a series of night courses and informal Birds of a Feather (BOF) meetings (complete with snacks and refreshments). The BOFs cover a whole slew of subjects and if you wish to add to a subject (whether you are an expert or simply curious), you are welcome to sign up and form one and room / snacks are provided for you. These add incredible value to attending a SANS conference.

      SANS also does a lot of other interesting things. They have a top-notch certification program (which has generated some interesting documents available to the public). And they are offering more and more of their certification tracks via online training programs as well as starting a localized mentor program to work with the online component.

    2. Re:About SANS by Flower · · Score: 2
      Could we back that up with something more than "it sucked?" The only SANS event I've been able to attend was a securing IIS course in Chicago and I personally got a lot out of it. The course was supposed to end at five but was still going strong when I left at 5:45. According to the instructor, some of the other seminars lasted until 8 pm.

      Yes, a good part of the class could have been seen as an overview for an experienced webmin and one guy did seem unimpressed by what was offered (he left iirc), however, at the time I wasn't experienced. I came back to work with some good, practical knowledge and didn't have to spend an hour here and an hour there reading web pages offered by google. IMNSHO, best $300 bucks I've gotten the company to spend on me. Oh all right, second best. Best was the $150 bucks to attend a seminar by Radia Perlman.

      Did I mention this course was just after 9-11 and SANS really worked their collective butts off to get him to Chicago? Dedicated, experienced instructors; decent course material; and good delivery of content. If work would pay for the travel expenses I'd gladly volunteer to help run the conference and wedge in a track.

      So what did you find lacking when you attended?

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  14. Re:There's always RTFL (read the friggin' literatu by einhverfr · · Score: 2, Informative

    One important link is NSA Infrastructure security page. Sure they focus here mostly on Windows, but the literature is good and many of the ideas are pertinent to other environments.

    --

    LedgerSMB: Open source Accounting/ERP
  15. Small Company Security Classes. by jellomizer · · Score: 2

    Well I work for a small company TIM Computer Systems Inc. and we do offer security training for Unix/Linux systems every once in a while. Other than going to those big guys that cost a huge amount of dollars, try smaller companies in your area. Just open the Yellow Pages and call a bunch of computer companies up and ask them if they do computer security training. You may be surprised at the skills you can learn from these small companies.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  16. seminars are overrated... by Lord_Slepnir · · Score: 2, Funny

    why go to expensive seminars when you have such a great resource right here at your fingertips

  17. Re:Easy way... by Junta · · Score: 3, Funny

    Step 2: post systems IP address to slashdot and say 'hack this'...... you should at least quickly see all the scripts that are all the fad right now.....

    --
    XML is like violence. If it doesn't solve the problem, use more.
  18. 2600 meetings by phalse+phace · · Score: 2

    I've found some of the monthly 2600 meetings helpful. They're a good place to go to to meet new people (beats sitting in front of the computer all day), and who knows, you just might learn something useful (or useless).

  19. Re:There's always RTFL (read the friggin' literatu by Demerara · · Score: 3, Informative

    I'm in Guyana, South America so the cost of the conferences with airfares etc is way outside the budget.

    I agree that the literature is a good starting point - the reading room at SANS is a mighty fine resource.
    When I'm ready (read "can do no more without expert help") I'll look into courses/conferences.

    --
    Backward%20compatibility%20is%20over-rated
  20. Defcon MIGHT be a good bet by sterno · · Score: 4, Informative

    I've gone the last two years and though the price is quite good, from year to year the quality can vary a lot. Two years ago it was really quite good. A decent number of interesting speakers, got to hang out a bit with Bennett Haselton, the guy who runs peacefire.org. Overall had a good time.

    The last year though the topics really didn't seem to be quite as good and there were endless mindless pranks going on. I'm all for clever interesting pranks, but this was dumb stuff like smashing hotel lights, etc. I mean, the prank highlight was dry ice in the pool. Neat effect, but hardly breaking new ground :)

    That's the only problem with Defcon is that it tends to attract a certain anti-establishment sophomoric crowd (because unlike most similar cons, they can afford to get in :). While certainly there's something inherently anti-establishment about a hacker convention in the first place, that energy can be channeled into mindless destruction or it can be channeled into creative/constructive efforts. Seems that this varies from year to year :)

    It's sorta well suited to vegas. You put down your money and take somewhat of a gamble on what you are going to get. I'd suggest checking the website for the speaker list and see if they have things that interest you. If it looks good, then go for it, give or take airfare and hotel it's a bargain.

    --
    This sig has been temporarily disconnected or is no longer in service
  21. Basics by Lando · · Score: 2

    I'm assuming you are using UNIX... I consider Windows insecure and don't use it myself...

    Start out by getting and reading a copy of "Practical UNIX & Internet Security" (O'Reilly) by Simson Garfinkel and Gene Spafford.

    After that read the documentation on your tools, apache, bind, sendmail, etc and watch www.securityfocus.com

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */
    1. Re:Basics by PotatoMan · · Score: 4, Informative

      My self-education went like this:

      1) "Computer Networks" by Andrew S. Tanenbaum

      This will teach you what's really going on

      2) "Firewalls and Internet Security" by Cheswick and Bellovin.

      The BEST book on firewalls. Online version at
      http://www.wilyhacker.com

      3) "Hacking Exposed" by McClure, Scambray and Kurtz.

      Not as systematic as the others, but this one has the specifics that let you see what the other books were talking about.

      4) Run a GNU/Linux system and start watching logs, etc. I'm on a dial-up and get hit several times per week. Follow up and see if you can figure out what they're doing; hopefully they don't get in!

      5) Keep abreast with CERT, SANS, BUGTRAQ, etc.

      6) There is no Royal Road to NetSec; you'll just have to dig in and learn it the hard way.

  22. USENIX Security is affordable for the lil' guys... by fubob · · Score: 2, Informative
    I'm surprised USENIX Security was not mentioned. After all, it's very affordable for the "little guys" if you are a student. And where else can you meet security researchers like Whitfield Diffie, one of the inventors of public key cryptography? Several of the papers from the symposium have already been mentioned on slashdot: The deadline for discounted registration is this Wednesday. See http://www.usenix.org/sec02/ to register.
  23. Low budget, but a lot of personal commitment by 2Bits · · Score: 5, Informative

    I personally don't have the budget to attend any of these expensive conferences either. And my company, although with an annual revenue of $5B, would not pay for that, as I'm in the consulting division, and the manager does not believe that the cost would justify any benefits to the company (weird logic, I know, but I can't fire the manager, can I?).

    So, my low budget solution is the following:

    - Lurk around in the newsgroups like alt.computer.security, alt.hacker, alt.security.pgp, alt.sources.crypto, comp.lang.java.security, comp.os.linux.security, etc, just a bunch of security newsgroups.
    - Subscribe to security related mailing lists, like Bruce Schneier's Cryptogram.
    - Buy and read a lot of security related books
    - Download and play around with free and/or commercial (if available) software
    - Frequently visit security related web sites, e.g. linuxsecurity.com, rootprompt.org (they do have some security related articles), ... and a bunch of security related commercial companies to see what they are doing, sometimes they have white papers that are quite good.

    Sure, sometimes I wish I could attend some of the training sessions at the conference, that'd have saved me a lot of time.

    And this requires a lot of personal commitment, and a lot of time. But I've learned a lot, thanks to a lot of people who are willing to share their tricks of trade and their knowledge.

    Note that this also takes up a lot of my time at work, but the manager is not clued enough to know that, just like she does not know that a lot of people would spend time doing what she tries to disapprove at work (like spending time learning new tools/prog.lang/etc). Cost-effective-wise and employee-satisfaction-wise, it is better to spend $5K to send an employee to a conference/seminar/training. Unfortunately, most managers and executives can't figure that out, although they would throw at you all these buzzwords like ROI, CBA (cost benefit analysis), and other crap.

  24. Security is an illusion ... by Proudrooster · · Score: 3, Interesting

    When it comes to security, I have found that training classes and seminars are "cool" and "fun" to watch, but have very little applicability to the configuration at my local site.

    I share the same opinion of others. The best way to stay on top of security is to subscribe to Bugtraq. Other subscription lists like CERT and vendor specific lists, are always lagging behind (sometimes as much as WEEKS) since they tend NOT to announce a security issue until the vendor has a fix/patch available. Bugtraq is pretty close to zero day disclosure and is not vendor specific, thus you have to wade through the subjects to see if anything applies to your site. Additionally, BUGTRAQ is moderated which cuts down on the quantity and noise, unlike other sources which can become excessive.

    To subscribe to the list, send a message to:
    bugtraq-subscribe@securityfocus.com

    This is my security mantra, "security is an illusion".

    If you are connected to the Internet, you can be hacked. All humans make mistakes and all code is written by humans. The best you can do is manage your risk and increase your odds of not being a hackable target by staying informed and being proficient in application configuration.

    My advice is to spend your training money on the specific applications that are Internet facing e.g. (RedHat, Apache, Sendmail, DNS, POP3S, IMAPS, Oracle, MySQL, CISCO IOS), make sure you understand the security configuration and hit it hard in the class. Application Security Mis-configuration and weak passwords are probably the number one source of Internet compromises. Often times if you have your applications locked down and secure, the security exploit of the day may be a non issue.

    Good Luck!

  25. Re:There's always RTFL (read the friggin' literatu by SquadBoy · · Score: 2

    The proper link is http://nsa1.www.conxion.com/ WOW that is just plain amazing thanks!!

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  26. read some books? by wobblie · · Score: 5, Interesting

    Well, first you must know tcp/ip very well. ORA's "Internet Core Protocols" is an excellent start and a very good book.

    The "hacking unix exposed" series of books are also very good.

    Forget windows. Get yourself a free unix and learn tcpdump and netfilter or ipfilter inside and out.

    Talking about learning security by going to conferences is kinda ridiculous, like expecting to learn archeology by going to archeology conferences.

  27. Free seminars (aka. security sales pitches) by Kurt+Gray · · Score: 2

    Some security consulting firms host free 1-day seminars which combine some useful security information with blatant sales pitches for their security products. Just be cautioned that the speaker giving the talk may mix useful information with a few thinly-veiled attempts to scare you into buying their services. But pick their brains clean if you get a chance to ask questions, it's free.

  28. Cheapest.. by nolife · · Score: 2, Informative

    This may have been mentioned already...

    Subscribe to mailing lists like Bugtraq and NT Bugtraq and any other OS or application specific products you are supporting. Not bleeding edge but not worth ignoring either.

    --
    Bad boys rape our young girls but Violet gives willingly.
  29. How About Books? by Squeamish+Ossifrage · · Score: 4, Informative

    You asked about conferences, but it seems like what you're really looking for is education in general. Especially as a "newbie," conferences aren't going to be your best bet anyway: They tend to cover what's new and particular topics of interest, but can't and don't provide general background knowledge.

    You can get a lot of good books for the price of a conference admission, and that's probably a better way to get started, anyhow. Here are a few recommendations from my bookshelf:

    • Building Secure Software, Viega & McGraw, $55 at Amazon
    • Network Intrusion Detection, Northcutt, McLachlan & Novak, $32
    • UNIX System Administration Handbook, Nemeth et al. $68
    • Secrets and Lies, Schneier $21
    • Hacking Exposed, McClure, Scambray & Kurtz $35
  30. Best way to learn about security by uhlmann · · Score: 2, Interesting
    1. setup a box with default installation of an older distro
    2. turn on extensive logging
    3. connect to the internet
    4. wait...
    5. when cracked, do forensic analysis
    nothing can beat real life practice. it just needs time.
  31. I'm going to H2K2 by SkyLeach · · Score: 2

    Registration for that was only $50. I hope to go to blackhat later too.

    --
    My $0.02 will always be worth more than your €0.02, so :-p
  32. USENIX!!! by Crispin+Cowan · · Score: 3, Interesting
    USENIX Security Symposium: not just more affordable than SANS, it's also better. SANS is baby-food for people with more time than money: nice, competent people RTFM to you out loud.

    In contrast, USENIX is actual security technology. Take the tutorials for in-depth learning on important issues, and the technical sessions for cutting-edge practical security research. We have a paper this year on the LSM (Linux Security Modules) project.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc.
    Immunix: Security Hardened Linux Distribution
    Available for purchase

  33. SANS is worthwhile by sheldon · · Score: 2

    I attended the SANS Network Security 2001 conference last fall in San Diego. I didn't initially even want to go, but was pressed into it by management.

    I was surprised at the quality of the presentations. I attended Track 5 taught by Jason Fossen, and learned quite a bit that I had not seen before, especially with regards to configuring IIS and PKI.

    I went on to complete the GCWN certification, which was also an interesting learning experience. It's one thing to talk about these various ideas, but it's quite another to try to formulate them into a cohesive paper and communicate it to others. I've used a lot of the knowledge from the class and the research I did for my practical to help secure our new desktop images for Windows XP, something that probably wouldn't have happened if I hadn't taken that initiative.

    Very worthwhile, and worth every penny. Although I can see where an individual would have a hard time coming up with the cash, as I believe the conference, travel, lodging and so forth resulted in about a $5k reimbursement check. I think if you were in consulting this would be a valuable skill to sell yourself with and make back that $5k pretty quickly.

  34. Re:Depends on what you do... by Telastyn · · Score: 2

    Well what I was more going at was understanding what *could* be bad and what couldn't. A lot of unknowing admins let a lot of things go that are potentially very very bad (plaintext passwords, user installed software, etc) and imo knowing coding can help the admin know what can be done.

    As for inside jobs, it's actually 60% (give or take) of actual FBI cases...

  35. How about by einhverfr · · Score: 2

    www.nsa.gov/programs/kids ;)

    (OK, I admit-- I find that site somewhat disturbing)

    --

    LedgerSMB: Open source Accounting/ERP
  36. BOF at O'Reilly by PacketMaster · · Score: 2

    In a shameless plug, I'm hosting a BOF at O'Reilly's OSCon 2002 in San Diego that's geared towards the systems administrator and one of the main topics I hope to cover is security. The conference is pricey, but not as much as others I've been to. If you're coming to O'Reilly, swing by on Tuesday night.

    --

    Some people take their .sig way too seriously

  37. Software Developers, See HOWTO! by dwheeler · · Score: 3, Insightful

    If you're writing software for Linux/Unix systems, go see my book, the Secure Programming for Linux and Unix HOWTO available at http://www.dwheeler.com/secure-programs. It's freely available and redistributable (GFDL license), and it's got lots of information on how to write secure programs. There's lots of information on the Internet on how to write secure programs, but this book gives a lot of information in one place. Enjoy!

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  38. SANS on the cheap...$500 by oobeleck · · Score: 2
    I actually emailed SANS and asked if there were "scholarship" programs. Here is the text of my email and their response.

    Delivered-To: dcooley@panicdump.org
    Date: Wed, 5 Jun 2002 18:34:16 -0400
    From: Beth Corcoran
    To: dcooley@panicdump.org
    Subject: Re: Payment Options
    In-Reply-To:
    User-Agent: Internet Messaging Program (IMP) 3.0

    Quoting Don Cooley :

    > SANS folks,
    >
    > I don't know how exactly to ask this so I will just explain my situation.
    >
    > I currently work at a startup dot com.
    >
    > They have cancelled all training and let go of everyone in IT except me.
    >
    > I am the lone Windows/Solaris/BSD/Linux admin. (I am learning wireless/Cisco
    > also)
    >
    > I live in Denver. I would really LOVE to go to SANS this year.
    >
    > Do you have any scholarships for systems/security admins?
    >
    > I would also be willing to do data entry, technical reviews, (I have done one
    > for O'Reilly)
    > etc... "insert odd job" for the chance to go the SANS conference this year.
    >
    > Please let me know if there is any way I could *work off* the price of the
    > tuition.
    >
    > Thanks for your time.
    >
    > Don Cooley
    > Systems/Security Administrator
    > http://www.panicdump.org

    Hello! We do have a Volunteer program where you help the SANS staff "run" the
    conference. You are required certain things, time, labor, etc., that other
    attendees are not obligated to do. For more information, please visit
    http://www.sans.org/conference/volunteer.php. The deadline to apply for SANS
    Rocky Mountain is July 1. Please let me know if I can be of further
    assistance.

    Sincerely,
    Beth Corcoran
    Tuition Office Manager
    The SANS Institute
    tel: (540)548-0977
    fax: (540)548-0957
    beth@sans.org
    www.sans.org

    Just look for a SANS coming to a city near you and be a slave for a week.

    Hope that helps

  39. Computer Conferences are *TOO* expensive! by farrellj · · Score: 2

    I have been involved in running Science Fiction conferences (we call them "cons" for short) for about 20 years now. We have attendances between a few dozen, and a few thousand, with some going over the 5 thousand membership mark. We get some of the best people in our community to be guests of honour (GoH), and then stock panels with people both attending and from the local area. How much do we charge? Well, the going rate is around $40 for a weekend pass. That usually includes a program book, access to the hospitality suite (with either free or cheap food/drink). You can usually find crash space on someone's floor for $10 a night. And there are usually lots of open parties.

    SF Fans don't have any "sugar daddies" to pay for their memberships, as is expected by the various Computer Conferences, and thus cannot charge large fees. And we are about community, not making money.

    About the only event that has crossed the SF con with the Computer con is Andrew Hutton and his Ottawa Linux Symposium. But then again, he has attended a number of SF cons, including a few I helped run (Can-CON). More people need to learn how to run SF style cons, and run Open Source gatherings on the same format. SF fandom has a model that works, and all it takes is a few people in some of the larger population bases to put together SF style cons to get this going. And seek out your local SF con, and volunteer...it's the best way to learn how to run these things!

    ttyl
    Farrell J. McGovern
    Staff for:
    Maplecon, Pinekone, I-Con, Ad Astra, Concept, and Can-CON.

    --
    CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
    1. Re:Computer Conferences are *TOO* expensive! by Vortran · · Score: 2

      Try to get the average suit to "crash on your floor" with you and 8 other people you just met.

      Vortran out

      --
      Knowledge is like ignorance.. too much can be just as bad as not enough.
  40. Re:There's always RTFL (read the friggin' literatu by Cally · · Score: 2

    >
    >"Computer (esp. network) security isn't really something that can be
    >learned in a class. It's more of an ongoing awareness of what the
    >threat of the week is. If history has shown us anything, it's that any
    >useful networked system has flaws and can be broken into. As such,
    >it's important to always keep on the forefront of what the enemy is up
    >to.
    >
    >"Irritatingly time-consuming? You bet. A pain in the ass to keep up
    >with? Oh yeah. The only effective way to keep systems and networks
    >secure? Unfortunately."
    >

    Are you out of your mind?! Keeping up with stuff is the
    best excuse I ever found to lurk on (counts mail filters) Bugtraq,
    Incidents-l, ISN, vuln-watch, nanog, SANS newsbytes, CERT, NTBugtraq,
    sec-focus, (and even... Slashdot, 'cos you'll hear about the new IE/
    IIS hole-du-jour faster here than anywhere ;)

    Seriously, I really enjoy following the changing scene, the constant
    arms war between the kiddies and the defenders. I just wish *I* could
    find someone to pay me to do it. As it is I'm off work this week and
    spending most of my time catching up with list backlog. And loving it.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  41. Re:There's always RTFL (read the friggin' literatu by Cally · · Score: 2

    If you can't find the NANOG signup info, you don't need to read it.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe