[SATLUG] Security Issues

Garrett Heaton gbear14275 at gmail.com
Wed Jun 18 09:21:23 CDT 2014


Chad,

That is true, "security" is very undefined these days. And you are correct
in that the presentations are slanted towards an audience who laughs at
those sorts of things. You are free to critique if you like but you'll be
missing the forest for the trees. SAHA has all types and kinds as its
membership: professional penetration testers, licensed forensic analysts,
college kids in information security programs and people off the street
just interested. Some of the presentations are much better than others.
San Antonio actually has a number of experts in the field who present at
conferences like Defcon (https://www.defcon.org/), blackhat (
https://www.blackhat.com/), ShmooCon (http://www.shmoocon.org/) and BSides
(http://en.wikipedia.org/wiki/B_Sides_(Security_Conference)) and sometimes
SAHA gets to prescreen those presentations (which don't get posted to the
site). It's also home to the 24AF (http://www.24af.af.mil/) and NSA Texas (
http://en.wikipedia.org/wiki/Texas_Cryptologic_Center) as well as all of
the contractors and other associated community surrounding those
organizations.

As far as the group agenda at SAHA? Talk, Pizza, Present, Network. It's
your choice to come if you like, and we would welcome you raising the bar
with a discussion along the lines you outlined, but it is also not required.
There are many starving minds and they seek anything they can get. Most
meetings have between 20 and 30 people attend and we are always short on
content, so it would be fantastic if you would be able to come and present.

-Garrett




On Tue, Jun 17, 2014 at 11:03 PM, Chad Wilson <typedeaf at yahoo.com> wrote:

> The word 'Security' is about as vague as the word 'Programming'. Security,
> even in the context of IT, can mean things from strength of cryptography
> algorithms, to least privilege access controls on a firewall, to input
> validation in software applications, to patching policies for 0-days.
> I looked at the SAHA website and from a brief glance, despite what they
> claim 'not' to be, they appear to be... well, mostly the things they claim
> not to be. Their content appears to focus mainly on how to exploit things
> through commonly known vulnerabilities. There is no discussion of
> preventative measures, nor is there a deep dive into the mechanics of the
> exploit or the vulnerability. One of their presentations actually ended
> with the words 'Booya!' and a reference to it being 'like Christmas' when
> their exploit worked on said target.
> That being said, that is all I am seeing in this thread as well. You are
> showing people how to potentially exploit advanced Google search features
> to reveal private information on perhaps poorly configured web sites, but
> you have said nothing as to what to do to prevent it. That is in no way
> different than posting a 0-day exploit script. 'I don't promote or
> condone...', really? Most people would call posting an exploit to a mailing
> list 'promoting it'.
> Discussing the advantages of RBAC that SELinux offers would be a healthy
> Linux security topic. Weighing the differences between SELinux and
> PAX/GRSec would be another healthy topic. The downfall of various
> cryptographic algorithms and their impact on Linux and its most common
> services. How to code defensive PHP-based websites, i.e. input validation,
> data scrubbing, etc. How distros like Linux custom patch binaries, like
> Bash, to protect against common/known exploits, e.g. suexec. All of these
> are healthy Linux security topics that would be appropriate for discussion
> in this venue, but how to exploit something 'for fun and profit' is not.
> I am all too familiar with the 'Security Demonstrations' that show how to
> take the equivalent of a Metasploitable image and... exploit the heck out
> of it. To what end? Generally it was done to either win street cred, or
> someone was pushing scare tactics to sell their security services/product.
> If you go back to the (in)famous 'Smashing the Stack' paper, sure it
> included lots of pre-fabbed shellcode and kiddie-scripts, but at its
> core it was hugely informative in explaining the memory mapping of a
> running process, the sections of the object code, the ways different
> program sections were used (e.g. heap, stack, txt, bss, etc.), how the
> standard C library is too trusting, and ultimately how all those things
> could be used to exploit software by injecting the return address into the
> call stack. It was a brilliant paper that was informative, educational and
> eye-opening. My point is, there is a huge difference in the way the
> information was presented. If you arm a person with a weapon and all they
> can do is choose where to aim it, what can they do other than destruction?
> Instead, you can arm a person with knowledge, and it will be up to them as
> to how they use it.
>
> Chad Wilson
>
