[SATLUG] Security Issues
typedeaf at yahoo.com
Tue Jun 17 23:03:51 CDT 2014
The word 'Security' is about as vague as the word 'Programming'. Security, even in the context of IT, can mean things from strength of cryptography algorithms, to least privilege access controls on a firewall, to input validation in software applications, to patching policies for 0-days.
I looked at the SAHA website and from a brief glance, despite what they claim 'not' to be, they appear to be... well mostly the things they claim not to be. Their content appears to focus on mainly how to exploit things through commonly known vulnerabilities. There is no discussion of preventative measures, nor is there a deep dive in to the mechanics of the exploit or the vulnerability. One of their presentations actually ended with the words, 'Booya!' and reference to it being 'like Christmas' when their exploit worked on said target.
That being said, that is all I am seeing in this thread as well. You showing people how to potentially exploit advanced Google search features to reveal private information on perhaps poorly configured web sites, but you have said nothing as to what to do to prevent it. That is in no way different than posting 0-day exploit script. 'I don't promote or condone...', really? Most people would call posting an exploit to a mailing list, 'promoting it'.
Discussing the advantages of RBAC that SELinux offers, would be a healthy Linux security topic. Weighing the differences between SELinux and PAX/GRSec would be another healthy topic. The downfall of various cryptographic algorithms and their impact on Linux and its most common services. How to code defensive PHP-based websites ie. input validation, data scrubbing, etc. How distros like Linux custom patch binaries, like Bash, to protect against common/known exploits eg. suexec. All of these are healthy Linux security topics that would be appropriate for discussion in this venue, but how to exploit something 'for fun and profit' is not.
I am all to familiar with the 'Security Demonstrations' that show how to take the equivalent of a Metasploitable image and ..exploit the heck out of it. To what end? Generally it was done to either win street cred, or someone was pushing scare tactics to sell their security services/product. If you go back to the (in)famous 'Smashing the Stack' paper, sure it included lots of pre-fabbed shellcode and and kiddie-scripts, but at its core it was hugely informative in explaining the memory mapping of a running process, the sections of the object code, the ways different program sections were used (eg. heap, stack, txt, bss, etc.), how the standard C library is too trusting, and ultimately how all those things could be used to exploit software by injecting the return address into the call stack. It was a brilliant paper that was informative, educational and eye opening. My point is, there is a huge difference in the way the information was presented. If you
arm a person with a weapon and all they can do is choose where to aim it, what can they do other than destruction? Instead, you can arm a person with knowledge, and it will be up to them as to how they use it
More information about the SATLUG