Hacking/Security Meetup


#1

Does anyone around here do ethical hacking, penetration testing or have an interest in security?


(Daniel Hollands) #2

Hey @MrJ, welcome to the community - feel free to come and introduce yourself -> #introductions.

I don’t know of any groups myself, but if you take a look at meetup.com I’m sure you’ll find something. As for people with interests in security, I know we have a few ops people here, who I’m sure must have some knowledge.

Anything in particular you’re looking for?


#3

Cheers - tried meetup but, well, it’s pretty underused

I have a lot of ideas - but somewhere to chat, try out stuff, bug hunt etc

It’s all well and good doing stuff at home but you might learn more or help others learn. Heck, could even do some teaching for small businesses or charities.


(Daniel Hollands) #4

We’re more than happy to host these discussions here - the best thing to do is just post what’s on your mind (your ideas, what you’re trying to achieve, etc…) and people with the knowhow will happily jump in.


(Steve Jalim) #5

Malvern has a cyber security cluster which meets once a month. It’s more biz and policy types than hackers I think, but might be interesting

http://www.malvern-cybersecurity.com/


(Andy Wootton) #6

Birmingham has had 2600 conferences in recent years. ‘Ethical’ is such a nuanced word, in information risk management. I sometimes trust the crackers more than the security companies.

I found out about 2600 via Wolves LUG. You could try there.


(Andy Wootton) #7

Ah, maybe not as recent as I thought. I’ve been out of that world about 8 years. The trail seems to go cold about 6 years ago. I was involved in policy rather than tech. I got sick of being in an unfair fight.


#8

Thanks both - I definitely think there’s room for it in Birmingham

Would welcome your thoughts


(Steve Pitchford) #9

https://www.owasp.org/index.php/Birmingham ?


(James) #10

I am definitely interested in something like this, particularly if it’s focused on the hands-on/technical side, rather than policy. I managed to miss the last OWASP meeting, but as far as I’m aware, they’re pretty infrequent.

The University of Birmingham CS department has a great hacking club & CTF team that I was a part of when I was a student, but a) I don’t know how welcoming they are to non-students and b) It’s at something like 2pm on a Friday, so not much good for us 9-5ers.


#11

Nice one - definitely hands-on and technical. Currently working my way through some bug bounties so maybe a group effort would be good and any money we get could be put forward to larger events :slight_smile:

I asked the Uni and they said only students :frowning:


(James) #12

That sounds good to me. I’m in the middle of the PWK/OSCP lab, so it would be fun putting those skills to the test. I’ve only really dabbled (unsuccessfully) with bug bounties in the past.

Do you have any ideas as to what sort of frequency/location you’re looking for in a meetup?


#13

Excellent. I want to do OSCP later this year.

I reckon bug bounties in a crowd might work well.

Happy to change location when needed and have it as often as is needed.
Somewhere with free wifi :slight_smile: then learn wifi hacking and anywhere else after :wink:


(James) #14

> Excellent. I want to do OSCP later this year.

It’s really good.

> then learn wifi hacking and anywhere else after

I see the “ethical” bit has gone out the window already!


(Andy Wootton) #15

@jsrn There isn’t much point in the technical side unless you have policies to establish which of your information assets are worth protecting, compared with the cost of risk mitigation. It’s too easy to spend a lot of money on a carbon-fibre aerofoil for a clapped out Vauxhall Nova or to build a business based on selling them to other people who make bad decisions.

At the last Agile Staffordshire, we started to take a risk-based approach to messing with the basic assumptions of Lean/Agile under the threats of growing teams, multiple sites and multiple business cultures. It was educational. The greatest value of agility comes from ‘work not done’. I think the same may be true for InfoSec.


#16

:wink:

So I guess you would be up for a meet? Whereabouts are you based?

I tried the Uber bug bounty. Found one but left it to play with my kids.
Came back, someone else submitted it and got $3k!!!


(James) #17

@Woo, I agree that from the perspective of a company looking to protect its assets, the “what” and “why” should definitely come before the “how”, otherwise you’re just throwing money at fancy toys without really assessing what’s at stake or how likely the risks are.

However, I’m coming from the perspective of a hobbyist who likes the mental challenge of trying to break things, rather than someone who should be trusted with a defensive position within an actual company with actual risks to worry about, so I probably don’t think about that stuff as much as I should.

@MrJ, I would be up for it, yeah. I’m currently carless in the Selly Oak area, but I can get around easily enough with public transport. How about you?

I guess you’ve learned an important lesson about kids. If you’d just neglected them, you could buy some of that love back with $1000, and spend the rest on ironic t-shirts.


#18

@jsrn I’m down the road in Oldbury so should be good for us.

CTFs, VMs and most red team based exercises don’t care about policies. Hackers don’t. You always have to come at it with the view of a hacker. They don’t care.


(James) #19

For sure. An attacker doesn’t care what your password policy says, only that nobody paid attention to it and the router password is still “admin”. :smiley:

Do you know anybody else who’s interested?


#20

Just me and you at the moment. As creepy as that is, that might work for the first one/few.

I’m a developer by trade so can kick out a website for it. We could work through OSCP together, do bug bounties, try out VMs, Metasploitable etc