Slashdot Mirror
Security Gatherings for the Little Guys
NeedaFirewall writes: "With all of the recent vulnerability announcements and increased concern about terrorism, a lot of folks are starting to take security and privacy more seriously, both at the network and node levels. Large companies can afford to send their IT people to detailed technical security conferences offered by the likes of SANS, Blackhat, and others. Some of these cost thousands of dollars for a single seminar, class, or other event. Small companies and individual programmers, network admins, etc (like me!) often can't afford these. Where can they go to learn more about security? Are there quality security conferences, seminars, trade shows, and the like out there that the little guys can afford? Particularly broad-scope gatherings that can teach these 'security newbies' the basics and alert them to the most pertinent threats?"
And if you're cought, pretend that you were testing their security procedures.
http://www.h2k2.net/ is about to happen in NYC. I wish I could afford to go (time and money probably don't permit). Listening at places like that can help in strange ways in the future...
JMR
Speaking ONLY for myself, as always.
Try e-gold - (contact me). I'm NOT e-
DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998). Most of the cmopanies that send people to Black Hat tell them to stay for DefCon as well.
If you're that concerned about getting info from Black Hat, talk to one of the people at DefCon who went and ask if you can photocopy his or her notes. They're the best thing you get for your $1000 Black Hat registration anyway.
Computer (esp. network) security isn't really something that can be learned in a class. It's more of an ongoing awareness of what the threat of the week is. If history has shown us anything, it's that any useful networked system has flaws and can be broken into. As such, it's important to always keep on the forefront of what the enemy is up to.
Irritatingly time-consuming? You bet. A pain in the ass to keep up with? Oh yeah. The only effective way to keep systems and networks secure? Unfortunately.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
The key to learning more about security and making connections is to get involved with your local scene (or generate one, if necessary).
Find your local ISSA chapter (issa.org),and in Canada there is the CIPS Security Interest Group (through cips.ca). Also, talk to your local VARs and express an interest in security products. Usually they'll invite you to free morning seminars pushing security products.
The point of going to these meetings is to find peers. Once you know a few people, swap email addresses and war stories, that kind of thing, you'll get a base.
I've used these groups to meet colleagues, put together CISSP study groups, discuss issues, and share job opportunities and the like. Once you get a critical mass of people, it becomes very useful and interesting. It's not the same as a conference, but it is far better than working in a vacuum.
In any field, find the strangest thing and then explore it. -John Archibald Wheeler
I've gone the last two years and though the price is quite good, from year to year the quality can vary a lot. Two years ago it was really quite good. A decent number of interesting speakers, got to hang out a bit with Bennett Haselton, the guy who runs peacefire.org. Overall had a good time.
:)
:). While certainly there's something inherently anti-establishment about a hacker convention in the first place, that energy can be channeled into mindless destruction or it can be channeled into creative/constructive efforts. Seems that this varies from year to year :)
The last year though the topics really didn't seem to be quite as good and there were endless mindless pranks going on. I'm all for clever interesting pranks, but this was dumb stuff like smashing hotel lights, etc. I mean, the prank hilight was dry ice in the pool. Neat effect, but hardly breaking new ground
That's the only problem with Defcon is that it tends to attract a certain anti-establishment sophmoric crowd (because unlike most similar cons, they can afford to get in
It's sorta well suited to vegas. You put down your money and take somewhat of a gamble on what you are going to get. I'd suggest checking the website for the speaker list and see if they have things that interest you. If it looks good, then go for it, give or take airfare and hotel it's a bargain.
This sig has been temporarily disconnected or is no longer in service
I'd also recommend spending some of the cash on a programming course if you've not taken one. Generally something in C would be best as it's one of the most common (and low-level and broken) languages. Understanding the bugs that can lead to exploits can help alot in understanding exploits themselves.
Intro Cisco courses are also a great help in the same vein as the first bit of the course goes over networking details if you're mainly a systems admin, and aren't up to snuff on the details of networking.
I personally don't have the budget to attend any of these expensive conferences either. And my company, although with an annual revenue of $5B, would not pay for that, as I'm in the consulting division, and the manager does not believe that the cost would justify any benefits to the company (weird logic, I know, but I can't fire the manager, can I?).
... and a bunch of security related commercial company to see what they are doing, sometimes they have white papers that are quite good.
So, my low budget solution is the following:
- Lurk around in the newsgroups like alt.computer.security, alt.hacker, alt.security.pgp, alt.sources.crypto, comp.lang.java.security, comp.os.linux.security, etc, just a bunch of security newsgroups.
- Subscribe to security related mailing lists, like Bruce Schneier's Cryptogram.
- Buy and read a lot of security related books
- Download and play around with free and/or commercial (if available) softwares
- visit frequently security related web sites, e.g. linuxsecurity.com,rootprompt.org (they do have some security related articles),
Sure, sometimes I wish I could attend some of the training sessions at the conference, that'd have saved me a lot of time.
And this requires a lot of personal commitment, and a lot of time. But I've learned a lot, thanks to a lot of people who are willing to share their tricks of trade and their knowledge.
Note that this also takes up a lot of my time at work, but the manager is not clued enough to know that, just like she does not know that a lot of people would spend time doing what she tries to disapprove at work (like spending time learning a new tools/prog.lang/etc). Cost-effective-wise and employee-satisfaction-wise, it is better to spend $5K to send an employee to a conference/seminar/training. Unfortunately, most managers and executives can't figure that out, although they would throw at you all these buzzwords like ROI, CBA (cost benefit analysis), and other craps.
My self-education went like this:
1) "Computer Networks" by Andrew S. Tannenbaum
This will teach you what's really going on
2) "Firewalls and Internet Security" by Cheswick and Bellovin.
The BEST book on firewalls. Online version at
http://www.wilyhacker.com
3) "Hacking Exposed" by McClure, Scambray and Kurtz.
Not as systematic as the others, but this one has the specifics that let you see what the other books were talking about.
4) Run a GNU/Linux system and start watching logs, etc. I'm on a dial-up and get hit several times per week. Follow up and see if you can figure out what they're doing; hopefully they don't get in!
5) Keep abreast with CERT, SANS, BUGTRAQ, etc.
6) There is no Royal Road to NetSec; you'll just have to dig in and learn it the hard way.
Well, first you must know tcp/ip very well. ORA's "Internet Core Protocols" is an excellent start and a very good book.
The "hacking unix exposed" series of books are also very good.
Forget windows. Get yourself a free unix and learn tcpdump and netfilter or ipfilter inside and out.
Talking about learning security by going to conferences is kinda ridiculous, like expecting to learn archeology by going to archeology conferences.
You asked about conferences, but it seems like what you're really looking for is education in general. Especially as a "newbie," conferences aren't going to be your best bet anyway: They tend to cover what's new and particular topics of interest, but can't and don't provide general background knowlege.
You can get a lot of good books for the price of a conference admission, and that's probably a better way to get started, anyhow. Here are a few recommendations from my bookshelf: