Marcin Wielgoszewski interview me for his TSSCI Blog. He asked me about my start in security, how to be a good analyst, and concerns for the future. Thanks to Marcin for asking solid questions.
Tampilkan postingan dengan label interviews. Tampilkan semua postingan
Tampilkan postingan dengan label interviews. Tampilkan semua postingan
Kamis, 26 Juli 2007
Sabtu, 04 Februari 2006
BSDTalk Podcast Posted
Will Backman from BSDTalk posted a new podcast (.mp3, 16 MB) featuring his interview with me. In the first half of the podcast Will explains ways to obtain BSD. The second half of the podcast is the interview. We talked about my ShmooCon presentation, my blog, book reviews, how I use FreeBSD, and the upcoming PortRequest project implemented by the good people at NYCBUG.
orr:/data/media/audio$ mpg123 -a /dev/dsp0.0 bsdtalk013.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Title : bsdtalk013 - Interview with Ri Artist: Will Backman
Album : Year : 2006
Comment: Genre : Speech
Playing MPEG stream from bsdtalk013.mp3 ...
Junk at the beginning 49443303
MPEG 1.0 layer III, 96 kbit/s, 44100 Hz mono
[23:12] Decoding of bsdtalk013.mp3 finished.
Jumat, 20 Januari 2006
Bejtlich Interview on PaulDotCom
Paul Asadoorian and Larry Pesce from PaulDotCom interviewed me yesterday. The podcast is available as a 30 MB .mp3. Thanks to Paul and Larry for taking the time to speak with me.
Selasa, 30 Agustus 2005
Interview with Def Con CTF Winning Team Member Vika Felmetsger
Earlier this month I congratulated the Def Con Capture The Flag winners from Giovanni Vigna's team. One of the contestants, Vika Felmetsger, was kind enough to answer questions about her experience and the role she played on team Shellphish. I thought I would publish Vika's thoughts in the hopes that she could provide an example of how one becomes a serious security practitioner.
Richard (R): What is your experience with security, and what are your interests?
Vika (V): I am starting my second year as a computer science Ph. D. student at UCSB, where I work as a research assistant in the Reliable Software Group (RSG).
Everybody in the group works on various computer security areas and my current focus is web application security. Even though now security is a part of my everyday life, I am still pretty new to this area.
As an undergraduate student at UCSB I learned some security basics, however, my real introduction to practical security, and hacking in particular, was last fall when I took "Network Security and Intrusion Detection," which is a class taught by my graduate advisor Prof. Giovanni Vigna.
In this class I learned various techniques that can be used to break the security of computer systems, how to detect attacks, and how to protect a system against possible attacks.
Most importantly, as a part of the classwork, every student was able to apply the learned techniques to write actual exploits to attack various vulnerabilities in real programs within a testbed network.
Also, during the class, I participated in two Capture The Flag (CTF) exercises (which are organized every year by Prof. Vigna) where, together with other students in the class, I could practice attacking other systems as well as defending my team's system. As a result, after that class, I had the background necessary to further develop my hacking skills on my own as well as be able to work on various security problems.
Later I was very lucky to be involved in setting up the UCSB International CTF which was organized by Prof. Vigna on June 10th, 2005. This provided me with a valuable experience being on the organizers' side and helped me to improve my system administration, networking, and network traffic analysis skills.
R: How did you join team Shellphish?
V: Hmmm, I did not really join the team ... Everybody in the RSG is a member of the Shellphish team :-).
R: Did you have a specific role on the team? If yes, can you describe it?
V: During the DefCon CTF I was a "human IDS." I was analyzing (using scripts and manually) network traffic in real time looking for attacks on our system. This helped the team to discover many successful attacks on our system, find out which particular vulnerabilities were exploited, patch the system, and even reuse some of the attacks against the other teams.
[Note: Against sophisticated intruders, only human analysts can prevail.]
R: What was it like to compete at Def Con? Did it meet your expectations?
V: I was dreaming about competing at DefCon the whole year and it certainly met my best expectations! :-) I don't have enough words to describe the feeling that I had sitting 3 days straight in front of the computer when I was absolutely consumed by the game. That is something everybody should experience for him/herself ;-).
I was very lucky to be a part of such an amazing team, to work together with the people whom I highly respect and from whom I have so many things to learn. What can be better?
When we came to DefCon this year, we did not care that much about winning, we simply wanted to enjoy ourselves doing the things that everybody in the team is fascinated with. And, it certainly worked out perfectly!
R: Do you plan to compete next year?
V: Of course.
R: What advice could you give to those who might like to compete, or have skills like yours?
V: Well, I am probably not the best person to give advices right now because I am still have a long way to go myself, but if you ask ;-) ...
Knowing theory is not enough, you need to practice everything that you read about hacking or security (I don't mean attacking real systems, of course ;-).
There are many ways to do it, for example, install known vulnerable software on your own machine and write an exploit for it.
Also, even if you don't think that you have enough skills to actually compete at Defcon, sign up for the quals anyway and try it for yourself.
From my own experience, I can say that I learned many practical things from this year quals, not to mention that it was incredibly fun :-). Also, what I am planning on working now is to improve my scripting skills which are very important when competing in real time.
Thanks to Vika for responding to my questions.
If you like these sorts of interviews, let me know. I plan to incorporate these sorts of stories into the TaoSecurity Podcast, when I get time to launch it.
Richard (R): What is your experience with security, and what are your interests?
Vika (V): I am starting my second year as a computer science Ph. D. student at UCSB, where I work as a research assistant in the Reliable Software Group (RSG).
Everybody in the group works on various computer security areas and my current focus is web application security. Even though now security is a part of my everyday life, I am still pretty new to this area.
As an undergraduate student at UCSB I learned some security basics, however, my real introduction to practical security, and hacking in particular, was last fall when I took "Network Security and Intrusion Detection," which is a class taught by my graduate advisor Prof. Giovanni Vigna.
In this class I learned various techniques that can be used to break the security of computer systems, how to detect attacks, and how to protect a system against possible attacks.
Most importantly, as a part of the classwork, every student was able to apply the learned techniques to write actual exploits to attack various vulnerabilities in real programs within a testbed network.
Also, during the class, I participated in two Capture The Flag (CTF) exercises (which are organized every year by Prof. Vigna) where, together with other students in the class, I could practice attacking other systems as well as defending my team's system. As a result, after that class, I had the background necessary to further develop my hacking skills on my own as well as be able to work on various security problems.
Later I was very lucky to be involved in setting up the UCSB International CTF which was organized by Prof. Vigna on June 10th, 2005. This provided me with a valuable experience being on the organizers' side and helped me to improve my system administration, networking, and network traffic analysis skills.
R: How did you join team Shellphish?
V: Hmmm, I did not really join the team ... Everybody in the RSG is a member of the Shellphish team :-).
R: Did you have a specific role on the team? If yes, can you describe it?
V: During the DefCon CTF I was a "human IDS." I was analyzing (using scripts and manually) network traffic in real time looking for attacks on our system. This helped the team to discover many successful attacks on our system, find out which particular vulnerabilities were exploited, patch the system, and even reuse some of the attacks against the other teams.
[Note: Against sophisticated intruders, only human analysts can prevail.]
R: What was it like to compete at Def Con? Did it meet your expectations?
V: I was dreaming about competing at DefCon the whole year and it certainly met my best expectations! :-) I don't have enough words to describe the feeling that I had sitting 3 days straight in front of the computer when I was absolutely consumed by the game. That is something everybody should experience for him/herself ;-).
I was very lucky to be a part of such an amazing team, to work together with the people whom I highly respect and from whom I have so many things to learn. What can be better?
When we came to DefCon this year, we did not care that much about winning, we simply wanted to enjoy ourselves doing the things that everybody in the team is fascinated with. And, it certainly worked out perfectly!
R: Do you plan to compete next year?
V: Of course.
R: What advice could you give to those who might like to compete, or have skills like yours?
V: Well, I am probably not the best person to give advices right now because I am still have a long way to go myself, but if you ask ;-) ...
Knowing theory is not enough, you need to practice everything that you read about hacking or security (I don't mean attacking real systems, of course ;-).
There are many ways to do it, for example, install known vulnerable software on your own machine and write an exploit for it.
Also, even if you don't think that you have enough skills to actually compete at Defcon, sign up for the quals anyway and try it for yourself.
From my own experience, I can say that I learned many practical things from this year quals, not to mention that it was incredibly fun :-). Also, what I am planning on working now is to improve my scripting skills which are very important when competing in real time.
Thanks to Vika for responding to my questions.
If you like these sorts of interviews, let me know. I plan to incorporate these sorts of stories into the TaoSecurity Podcast, when I get time to launch it.
Senin, 08 Agustus 2005
Short Interview with Giovanni Vigna
I used a congratulatory email to Giovanni Vigna to ask about his team's recent Capture the Flag win. Here is the short interview.
Bejtlich (B): What sorts of skills were required to win Capture the Flag?
Vigna (V): The skills required are many, from network analysis (looking at the traffic and figuring out what the hell is going on) to code auditing (both source and binary).
B: Did you practice?
V: We didn't really practice, but I organize an international inter-university CTF competition every year, as part of my grad class on network security. Therefore, we had (maybe) more experience in that sense.
B: How did this year's contest compare to those of the past run by the Ghetto Hackers?
V: The contest was somewhat different than the one run by the Ghetto Hackers. The new things I like the most where the SLA (service level agreement, or something like that) and the "breakthroughs".
The SLA represented how much your services were up during the contest. Your final score was weighted by that. Pretty cool idea. The Ghetto Hackers had something similar, but it didn't take into account the whole duration of the game.
The breakthrough were sort of advisories that you could submit to the organizer when you found new vulnerabilities, so that you could get credit for being the first to find a specific flaw.
Finding flaws is a big part of the game and previously when you found a flaw you had a small window of advantage, because the exploit was very soon copied by others.
By using breakthroughs it was possible to give credit (and points) to the people who actually did the hard work.
B: What can you say about your team members?
They are mostly UCSB grad students and they are definitely the best people I have ever worked with... so I would say I got lucky!
Bejtlich (B): What sorts of skills were required to win Capture the Flag?
Vigna (V): The skills required are many, from network analysis (looking at the traffic and figuring out what the hell is going on) to code auditing (both source and binary).
B: Did you practice?
V: We didn't really practice, but I organize an international inter-university CTF competition every year, as part of my grad class on network security. Therefore, we had (maybe) more experience in that sense.
B: How did this year's contest compare to those of the past run by the Ghetto Hackers?
V: The contest was somewhat different than the one run by the Ghetto Hackers. The new things I like the most where the SLA (service level agreement, or something like that) and the "breakthroughs".
The SLA represented how much your services were up during the contest. Your final score was weighted by that. Pretty cool idea. The Ghetto Hackers had something similar, but it didn't take into account the whole duration of the game.
The breakthrough were sort of advisories that you could submit to the organizer when you found new vulnerabilities, so that you could get credit for being the first to find a specific flaw.
Finding flaws is a big part of the game and previously when you found a flaw you had a small window of advantage, because the exploit was very soon copied by others.
By using breakthroughs it was possible to give credit (and points) to the people who actually did the hard work.
B: What can you say about your team members?
They are mostly UCSB grad students and they are definitely the best people I have ever worked with... so I would say I got lucky!
Langganan:
Postingan (Atom)
