Wednesday, November 7, 2007

MadSec 0.75 - 7pm, Thursday, Nov 15

Next meeting is on Nov 15th, at 7pm.
The place is Angelic Brewpub at 322 W Johnson St



MadSec 1.5 report

I hope that we were loud and visible enough.

In any case, we hereby proclaim MadSec 1.5 a success. A quick summary of findings follows:

* Telecommuting is awesome

* It's hard to hire people who know both Windows and Unix well

* If you hire Java developers from San Diego, you might have to re-hire midway through the Wisconsin winter. In town, most Java people are sucked into TDS, American Family or Epic.

* Giving people local admin on Windows is bad, and once they have it, group policies are near impossible to enforce.

* THC Hydra works well, but has issues. Medusa is better.

* PIX fixup is anything but a FIX-up.

* AJAX is super nice, but it is a client-side tool: the user base of a reasonably successful product will include at least a few individuals with the interest and skill set to poke at the JavaScript. Obfuscation does not help; weak session security will be broken.

* Apparently, I missed a DR drill call. I did not have my work phone (not on call, although I usually carry it anyway), my personal one is broken, and I had not yet updated the contact database because I just got it. I swear!

* Data leakage prevention is a hard problem. Tablus has a neat product, but there is no technological silver bullet.

* AV just plain sucks. Bit9 has an awesome product which whitelists the software allowed to run on a machine, with the option to block, ask, or log/alert on use of non-compliant apps. It is displacing AV, and I hope it spreads like fire.

* Do not store passwords online. Store a salted hash of the password instead, using a random salt, one per user; there is no need to encrypt the salt.

* Fortify has a tool that does source code analysis. Talking to programmers about poor coding practices works very well when supported by examples from their own code.

* phpids was reported to be very useful.
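
As an added illustration of the password-storage point above (this is example code written for this page, not code from the MadSec post or from any product mentioned), here is a minimal Python implementation of the advice: a fresh random 16-byte salt per user, stored in the clear next to the hash, and PBKDF2-HMAC-SHA256 from the standard library as the salted, iterated hash. The iteration count, the record field names, and the sample user names and passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict

# Added example, not code from the MadSec post. It shows the advice above:
# store a random per-user salt (in the clear) plus a salted hash, never the
# password itself. PBKDF2-HMAC-SHA256 is the salted, iterated hash used here;
# the iteration count is an assumed value, tune it for your own hardware.

ITERATIONS = 200_000   # assumed; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, one per user


def make_record(password: str, iterations: int = ITERATIONS) -> Dict[str, str]:
    """Build the stored record for one user: salt (clear), hash, iterations."""
    salt = os.urandom(SALT_BYTES)  # new random salt for every user and every password change
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(iterations)}


def verify_password(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    iterations = int(record["iterations"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # hmac.compare_digest does not short-circuit on the first differing byte,
    # so the comparison does not leak how much of the hash matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_hash(password: str) -> str:
    """The anti-pattern, for comparison only: bare SHA-256 with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same password.
    users = {"alice": make_record("winter2007"), "bob": make_record("winter2007")}
    # With per-user salts the stored hashes differ even for identical passwords,
    # so a dump of the table does not reveal who shares a password.
    assert users["alice"]["hash"] != users["bob"]["hash"]
    # Without salt, identical passwords are visible as identical hashes.
    assert unsalted_hash("winter2007") == unsalted_hash("winter2007")
    assert verify_password(users["alice"], "winter2007")
    assert not verify_password(users["alice"], "Winter2007")
    print("ok")
```

The salt is not secret: its job is to make each user's hash unique so that precomputed tables and cross-user comparisons stop working, which is why it can sit unencrypted in the same row as the hash. The iteration count is stored alongside so that it can be raised later without invalidating existing records.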

Let me know if I missed anything.

Sunday, November 4, 2007

MadSec 1.5 - Wed, Nov 7th

Next meeting is on Nov 7th, at 7pm.
The place is Angelic Brewpub at 322 W Johnson St



Thursday, October 18, 2007

MadSec1 report

* by popular demand - in two weeks we will not have MadSec2. We might have MadSec0 or MadSec1.4 but not MadSec2.

* otherwise the meeting went fine. It seems that a cat5 cable and a weirdo t-shirt are not good enough identification (esp. when I sit in a corner and it's dark), as quite a few people could not find us. Also, getting a table for 2-15 people is hard at The Old Fashioned, so we are relocating to the Angelic Brewing Co.

* about 10 people showed up. We had people working in hospitals, a university, a utility, healthcare, manufacturing and internet infrastructure (like CAIDA, just cooler).

* topics (rough)
- web app testing
- content filtering
- funny travel stories
- access enablers (developers, sysadmins) vs. us (IT Security Roadblock Dpt) vs. users
- futility of technological measures to prevent information leakage
- funny car breakage stories
- password guessing
- beer is good
- java sucks, perl is horrible (Ed. no it's NOT!), Python rules
- what do we want pylint to do
- How MapReduce is cool, but Hadoop sucks
- Misc other stuff

* references, the ones I remember
- assessments: Wikto and the rest of SensePost's war chest
- wireless work: Matador Consulting
- site and mailing list covering security metrics: securitymetrics.com

More to come.

Sunday, October 7, 2007

Woot! MadSec1 on Oct 18th!


The first meeting - at the Old Fashioned, 7pm, on Oct 18th.

I should have a decent identification aid figured out by then. Note - while drinking beer is advised, it is by no means required.

Actually, I am pretty sure that two members do not drink.



Administrivia - login is no longer required in order to post comments.

Friday, October 5, 2007

[madsec] mailing list

List-Id: madsec.lfod.us
List-Subscribe: madsec+subscribe@lfod.us
List-Post: madsec@lfod.us
List-Unsubscribe: madsec+unsubscribe@lfod.us
List-Help: madsec+help@lfod.us


In essence, send something to madsec+subscribe@lfod.us to subscribe.

Thursday, October 4, 2007

Welcome to the land of beer and fried cheese curds!


What is this supposed to be?

-- An informal meetup of information security professionals in Madison, WI. Unlike other meetups, you will not be expected to pay dues, "join up", or present a zero-day exploit to attend.

Where might it meet?

-- I vote for The Old Fashioned, 23 N. Pinckney St, Madison downtown. It might be too loud, it might be just perfect.



When might it meet?

-- I have no clue yet. Weekday, 7:00PM maybe. We stay until people get tired of hanging out. Assume 3 hours.

Why would you do that?

-- Because I do not know of another place for the ITSec people to meet, trade stories, and blame auditors.

// More to come. Idea and text stolen from chisec.
// For details contact Marcin Antkiewicz at marcin*kajtek.org