Security Workshops: Difference between revisions
No edit summary |
No edit summary |
||
(39 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
In light of the orwellian nightmare we've built ourselves into, now is a good time for the CSClub to pick up the slack it usually picks and teach people how to be safe out there. |
In light of the orwellian nightmare we've built ourselves into, now is a good time for the CSClub to pick up the slack it usually picks and teach people how to be safe out there. |
||
=Topics |
=Topics= |
||
⚫ | |||
⚫ | |||
⚫ | |||
This information is fuzzy and subject to change. Do not trust it. |
This information is fuzzy and subject to change. Do not trust it. |
||
Line 13: | Line 8: | ||
sharvey, m4, and nguenthe are adminning this term's series |
sharvey, m4, and nguenthe are adminning this term's series |
||
Though the topics are diverse, the ones we will favour actually running are seminars that are short, to the point, and give a specific skill(set). |
|||
⚫ | |||
⚫ | |||
Note: might be worth organizing this better by theme -sharvey |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
* ?????? on ''Storytime: Snowden Roundup'' (sharvey might be able to get some people from CrySP to discuss this; perhaps a panel followed by a Q&A?) |
|||
⚫ | |||
* ?????? on ''Storytime: [http://en.wikipedia.org/wiki/Weev Weev]'' |
|||
⚫ | |||
* ?????? on ''Storytime: Kevin Mitnick'' |
|||
⚫ | |||
* ?????? on ''Time Machines'' (Google-hacking, pleaserobme.com, etc) |
|||
* ?????? on ''Security Proofs: How Many Joules does the NSA Have?'' |
|||
* ?????? on ''Full Disk Encryption'' (zablache maybe) |
|||
* ?????? on ''SSH'' |
|||
⚫ | |||
* yd2dong on ''Tunnelling, Mix Networks, and VPNs'' -- he's done original research on this area, would discuss censorship techniques (for example, DPI filters), how to defeat them, and significant additional hurdles for anti-censorship compared to simply protecting against eavesdropping. (live demos of blocking from China) |
|||
* ?????? on ''Your Wifi Network is Insecure'' (cover: aircrack-ng and reaver. maybe nmap and metasploit) |
|||
* [mailto:silver@callysto.com Sean Howard] on ''How your ISP owns you'' (UW grad, ex Watsfic president, currently working for sentex.ca, knows details of Bell's network infrastructure and where the chokepoints are) |
|||
* [http://cybersecurityinstitute.ca/ The Canadian Cybersecurity Institute] on ''Social Exploits'' (this person is via Sean Howard. Seems legit.) |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
* v2buterin on ''Bitcoin and Bitmessage'' (maybe? pretty please?) |
|||
* IST Security: |
* IST Security: |
||
** [mailto:pmatlock@uwaterloo.ca Patrick Matlock] on some combination or subset of oauth, identity, data privacy ([https://uwaterloo.ca/secretariat/policies-procedures-guidelines/policy-8 Policy 8]), and web pentesting |
** [mailto:pmatlock@uwaterloo.ca Patrick Matlock] on some combination or subset of oauth, identity, data privacy ([https://uwaterloo.ca/secretariat/policies-procedures-guidelines/policy-8 Policy 8]), and web pentesting |
||
*** csrf |
|||
*** script injections |
|||
*** .... |
|||
** [mailto:tlabach@uwaterloo.ca Terry Labach] on [http://ist.uwaterloo.ca/~tlabach/safer/ safer web browsing] |
** [mailto:tlabach@uwaterloo.ca Terry Labach] on [http://ist.uwaterloo.ca/~tlabach/safer/ safer web browsing] |
||
** [mailto:cpbell@uwaterloo.ca Colin Bell]? |
** [mailto:cpbell@uwaterloo.ca Colin Bell]? |
||
* Sapphyre? |
|||
* Hatguy! |
|||
* ?????? on ''Passwords'' (touch on [http://xkcd.com/936/ security proofs], hashapass/pwdhash, alternatives to passwords (biometrics, one time pads, challenge-response, ssh keys), NOT SHARING YOUR DAMN PASSWORDS ACROSS SITES (cite: the ps3 attack, the [linkedin attack], the [http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/ rockyou attack] ([http://www.tomshardware.com/news/imperva-rockyou-most-common-passwords,9486.html super] [http://reusablesec.blogspot.ca/2010/01/more-analysis-of-rockyou-password-list.html interesting] [http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php analysis], myspace's hack, FaithWriters, purerave.com's attempt at better security that made it worse, the ....) and how to use jacktheripper/[http://hashcat.net/hashcat/ hashcat]) |
|||
* ?????? on ''Browser Fingerprinting'' |
|||
* ?????? on ''Filesystem Forensics and the Dangers of Log-Structured Data Storage'' (live demo!) (zablache maybe) |
|||
* ?????? on ''SSL: It's Broken'' |
|||
* ?????? on ''Storytime: Exporting "Munitions"'' |
|||
* ?????? on ''Stegonography'' (might be able to get sharvey's SO to cover this) |
|||
* ?????? on ''Digital Watermarks'' |
|||
* ?????? on ''Getting root in 5 minutes with physical access'' (cover how to boot single-user in all versions of Windows, OS X, Linux, and when that fails how to pull a drive and crack the password with l0phtcrack (Win32) or simply editing /etc/shadow (*nix). also the [https://citp.princeton.edu/research/memory/ compressed air->frozen RAM] and Firewire-DMA attacks) |
|||
* ?????? on ''What is Identity'' (maybe toss this out to WPIRG?) with info on how sites and overlords (facebook, google) identify you, and how to split your identity digitally |
|||
* ?????? on ''Physical Security'' ([http://lockwiki.com/index.php/Main_Page locks], safes, etc.) |
|||
* ?????? on ''Crypto: terms, definitions, and why software still sucks'' |
|||
* ?????? on ''Entropy and Randomness and why you shouldn't trust your router'' |
|||
* ?????? on ''Network things'' (ARP, DNS, etc.) |
|||
* ?????? on ''Side Channels'' (sharvey's SO will probably do this) |
|||
And remember kids, '''''educational-use only''''' |
|||
=Hand Outs= |
|||
TOR? ahh! |
|||
=WPIRG cross promotion= |
|||
[http://wpirg.org WPIRG] wants to cross-promote a "privacy forum" with us. They are imagining as an expert panel + QA session, during November. Probably the ideal distribution is csc events on the technical side ("how to shot pgp", "how to make tls go", "wat is passwurd") with WPIRG on the human-scale and politics side, with advertising to both of our cohorts for all events. Some ideas for expert participants: |
[http://wpirg.org WPIRG] wants to cross-promote a "privacy forum" with us. They are imagining as an expert panel + QA session, during November. Probably the ideal distribution is csc events on the technical side ("how to shot pgp", "how to make tls go", "wat is passwurd") with WPIRG on the human-scale and politics side, with advertising to both of our cohorts for all events. Some ideas for expert participants: |
||
* [https://cs.uwaterloo.ca/~iang/ Ian Goldberg] (sharvey) |
* [https://cs.uwaterloo.ca/~iang/ Ian Goldberg] (sharvey) |
||
* [http://www.michaelgeist.ca/tags/privacy Michael Geist] |
* [http://www.michaelgeist.ca/tags/privacy Michael Geist] |
||
* RiseUp.net (WPIRG has direct contacts with them) |
|||
* ???? |
|||
* Someone from WikiLeaks (we have direct contacts with them) |
|||
* [http://www.qpirgconcordia.org/?page_id=9#ats Anarchist Tech Support] (latter group seems dormant) |
|||
* Terry Labach (this sort of thing is, actually, directly within his job description) |
* Terry Labach (this sort of thing is, actually, directly within his job description) |
||
* [http://thoughtcrime.org Marlie Moxinspike] |
|||
* UofT Citizen Lab People |
|||
=Related work and Telling Evidence= |
|||
⚫ | |||
[https://ssd.eff.org/ EFF's Surveillance Self-Defense Guide] |
|||
[https://www.encrypteverything.ca/ Pirate Party's EncryptEverything] |
|||
https://citizenlab.org/ @ UofT |
|||
[http://cm.bell-labs.com/who/ken/trust.html Ken Thompson - Reflections on Trusting Trust] |
|||
http://www.jbonneau.com/publications.html |
|||
====Evidence==== |
|||
http://readwrite.com/2010/08/04/google_ceo_schmidt_people_arent_ready_for_the_tech |
|||
====IMPORTANT MEDIA==== |
|||
3 Dead Trolls in a Baggie - The Privacy Song |
|||
MC Frontalot - Secrets from the Future |
|||
[http://www.xkcd.com/538/ XKCD: Security] |
|||
[http://xkcd.com/936/ XKCD: Password Strength] |
|||
⚫ | |||
⚫ | |||
... |
Latest revision as of 14:55, 8 October 2013
In light of the orwellian nightmare we've built ourselves into, now is a good time for the CSClub to pick up the slack it usually picks and teach people how to be safe out there.
Topics
This information is fuzzy and subject to change. Do not trust it.
sharvey, m4, and nguenthe are adminning this term's series
Though the topics are diverse, the ones we will favour actually running are seminars that are short, to the point, and give a specific skill(set).
Note: might be worth organizing this better by theme -sharvey
- sharvey on Why Should You Care About Security and Privacy
- ?????? on Storytime: Snowden Roundup (sharvey might be able to get some people from CrySP to discuss this; perhaps a panel followed by a Q&A?)
- ?????? on Storytime: Weev
- ?????? on Storytime: Kevin Mitnick
- nguenthe on OTR -- or IanG if we can get him!
- ?????? on Time Machines (Google-hacking, pleaserobme.com, etc)
- ?????? on Security Proofs: How Many Joules does the NSA Have?
- ?????? on Full Disk Encryption (zablache maybe)
- ?????? on SSH
- Stephen Palmateer of KWLUG on Tor (vs i2p vs Freenet vs /r/darknet?)
- yd2dong on Tunnelling, Mix Networks, and VPNs -- he's done original research on this area, would discuss censorship techniques (for example, DPI filters), how to defeat them, and significant additional hurdles for anti-censorship compared to simply protecting against eavesdropping. (live demos of blocking from China)
- ?????? on Your Wifi Network is Insecure (cover: aircrack-ng and reaver. maybe nmap and metasploit)
- Sean Howard on How your ISP owns you (UW grad, ex Watsfic president, currently working for sentex.ca, knows details of Bell's network infrastructure and where the chokepoints are)
- The Canadian Cybersecurity Institute on Social Exploits (this person is via Sean Howard. Seems legit.)
- nablack and sjcglads with a security demo + open ended question session
- sjcglads on Secrets of a DDoS
- wlritchi on Reversing SBeam and pnwing ur phone
- mtrberzi on GPG, Keyservers, and You and with a keysigning party to boot
- v2buterin on Bitcoin and Bitmessage (maybe? pretty please?)
- IST Security:
- Patrick Matlock on some combination or subset of oauth, identity, data privacy (Policy 8), and web pentesting
- csrf
- script injections
- ....
- Terry Labach on safer web browsing
- Colin Bell?
- Patrick Matlock on some combination or subset of oauth, identity, data privacy (Policy 8), and web pentesting
- Sapphyre?
- Hatguy!
- ?????? on Passwords (touch on security proofs, hashapass/pwdhash, alternatives to passwords (biometrics, one time pads, challenge-response, ssh keys), NOT SHARING YOUR DAMN PASSWORDS ACROSS SITES (cite: the ps3 attack, the [linkedin attack], the rockyou attack (super interesting analysis, myspace's hack, FaithWriters, purerave.com's attempt at better security that made it worse, the ....) and how to use jacktheripper/hashcat)
- ?????? on Browser Fingerprinting
- ?????? on Filesystem Forensics and the Dangers of Log-Structured Data Storage (live demo!) (zablache maybe)
- ?????? on SSL: It's Broken
- ?????? on Storytime: Exporting "Munitions"
- ?????? on Stegonography (might be able to get sharvey's SO to cover this)
- ?????? on Digital Watermarks
- ?????? on Getting root in 5 minutes with physical access (cover how to boot single-user in all versions of Windows, OS X, Linux, and when that fails how to pull a drive and crack the password with l0phtcrack (Win32) or simply editing /etc/shadow (*nix). also the compressed air->frozen RAM and Firewire-DMA attacks)
- ?????? on What is Identity (maybe toss this out to WPIRG?) with info on how sites and overlords (facebook, google) identify you, and how to split your identity digitally
- ?????? on Physical Security (locks, safes, etc.)
- ?????? on Crypto: terms, definitions, and why software still sucks
- ?????? on Entropy and Randomness and why you shouldn't trust your router
- ?????? on Network things (ARP, DNS, etc.)
- ?????? on Side Channels (sharvey's SO will probably do this)
And remember kids, educational-use only
Hand Outs
TOR? ahh!
WPIRG cross promotion
WPIRG wants to cross-promote a "privacy forum" with us. They are imagining as an expert panel + QA session, during November. Probably the ideal distribution is csc events on the technical side ("how to shot pgp", "how to make tls go", "wat is passwurd") with WPIRG on the human-scale and politics side, with advertising to both of our cohorts for all events. Some ideas for expert participants:
- Ian Goldberg (sharvey)
- Michael Geist
- RiseUp.net (WPIRG has direct contacts with them)
- Someone from WikiLeaks (we have direct contacts with them)
- Anarchist Tech Support (latter group seems dormant)
- Terry Labach (this sort of thing is, actually, directly within his job description)
- Marlie Moxinspike
- UofT Citizen Lab People
Related work and Telling Evidence
Related Work
EFF's Surveillance Self-Defense Guide
Pirate Party's EncryptEverything
https://citizenlab.org/ @ UofT
Ken Thompson - Reflections on Trusting Trust
http://www.jbonneau.com/publications.html
Evidence
http://readwrite.com/2010/08/04/google_ceo_schmidt_people_arent_ready_for_the_tech
IMPORTANT MEDIA
3 Dead Trolls in a Baggie - The Privacy Song MC Frontalot - Secrets from the Future
XKCD: Security XKCD: Password Strength
Past by Term
Fall 2013
...