Wednesday, November 7, 2007

MadSec 0.75 - 7pm, Thursday, Nov 15

Next meeting is on Nov 15th, at 7pm.
The place is Angelic Brewpub at 322 W Johnson St



MadSec 1.5 report

I hope that we were loud and visible enough.

In any case - hereby we proclaim MadSec 1.5 a success. Quick summary of findings follows:

* Telecommuting is awesome

* It's hard to hire people who know both Windows and Unix well

* If you hire Java developers from San Diego, you might have to re-hire midway through the Wisconsin winter. In town, most Java people are sucked into TDS, American Family or Epic.

* Giving people local admin on Windows is bad, and it's nearly impossible to enforce group policies

* THC Hydra works well, but has issues. Medusa is better.

* PIX fixup is anything but a FIX-up.

* AJAX is super nice, but it is a client-side tool: the user base of a reasonably successful product will include at least a few individuals with the interest and skill set to poke around in the JavaScript. Obfuscation does not help; weak session security will be broken.

* Apparently, I missed a DR drill call. I did not have my work phone (not on call, although I usually carry it anyway), my personal one is broken, and I did not yet update the contact database because I just got it. I swear!

* Data leakage prevention is a hard problem. Tablus has a neat product, but there is no technological silver bullet solution.

* AV just plain sucks. Bit9 has an awesome product which whitelists the software allowed to run on a machine, with the option to block, ask or log/alert on use of non-compliant apps. It is displacing AV, and I hope it spreads like fire.

* Do not store passwords online: store a salted hash of the password, using a random salt, one per user. There is no need to encrypt the salt.

* Fortify has a tool that does source code analysis. Talking to programmers about poor coding practices works very well when supported by examples from their own code.

* PHPIDS was reported to be very useful

Let me know if I missed anything.
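The password-storage finding above, as an added example that is not from the meeting itself: each user gets a fresh random salt, the salt is stored in the clear next to the hash, and the password is never kept. PBKDF2-HMAC-SHA256, the iteration count, the record layout and the sample users are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune for your hardware
SALT_BYTES = 16       # assumed salt length


def hash_password(password: str) -> dict:
    """Build the record stored for one user: salt and hash, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    # The salt is kept unencrypted beside the hash; it only has to be unique.
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def build_demo_db() -> dict:
    """Constructed sample: two users who happen to pick the same password."""
    shared = "correct horse battery staple"
    return {user: hash_password(shared) for user in ("alice", "bob")}


if __name__ == "__main__":
    db = build_demo_db()
    for user, record in db.items():
        print(user, record["salt"], record["hash"][:16] + "...")
    print("alice login ok:", verify_password("correct horse battery staple", db["alice"]))
    print("wrong password:", verify_password("hunter2", db["alice"]))
```

Because the salts differ, the two stored hashes differ even though the passwords match, so one precomputed table or one cracked hash does not carry over to the other account.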

Sunday, November 4, 2007

MadSec 1.5 - Wed, Nov 7th

Next meeting is on Nov 7th, at 7pm.
The place is Angelic Brewpub at 322 W Johnson St

