Hacking/Security Meetup


(James) #21

Sounds great. :slight_smile: I’m a developer too, so happy to pitch in with that. My Twitter is @OtisBoxcar if you want to do some bikeshedding.


#22

Do you use Reddit at all? https://www.reddit.com/r/brum/ is where some of the talk is happening but happy to continue it in here

What stuff do you develop? I’ve done legacy stuff mainly because it’s less faff whether it be ColdFusion or Classic ASP (with dots of PHP around the place).

How far into OSCP are you and how long did you go for? I’m really looking for a career in it but only really picked up the challenge back in December when I had a go at the SANS hack challenge and won most creative entry :slight_smile:


(James) #23

I use Reddit a fair amount, yeah. I’ll post in that thread for added visibility.

I work mainly in Ruby on Rails, with some reluctant front end stuff in JS.

I’m about 2 months into a three month stretch. I’ve dabbled with infosec for years, on and off, but the OSCP course is definitely the most I’ve progressed in a short amount of time. The lab setup is incredible.

What was your entry about?


(David Davidson) #24

Just going to register interest here as well (seeing as the chats are now across two platforms :slight_smile:).

Bit of a long shot, but if we find a space (I was thinking perhaps collaborate with the people at Fizzpop), would people be interested in a hands-on embedded/IoT/hardware reverse engineering series of workshops?
The general idea is, I’d be bringing a bunch of routers, switches, and other embedded crap, and people can bring along their own stuff, and over the course of it we reverse engineer them, extract firmware and such, find bugs in them, and generally have fun and share knowledge/learn things.


(James) #25

would people be interested in a hands-on embedded/IoT/hardware reverse engineering series of workshops

Sign me up.


(Andy Wootton) #26

Then the policy is clearly wrong.


#27

Great stuff. I reckon a meetup in a pub or somewhere just to have a chat and get to know each other a bit more first and then see where it takes us.

Sound good? Should we have our own site going forward?


#28

So what are your Reddit usernames? Mine is festivalgeek.

Oh yeah - my SANS entry: http://janusz.co.uk/sans/2015/solution/

I’m a legacy full stack developer… because I work for the NHS. I won the SANS NetWars continuous as part of it. Excellent resource.


(Stuart Langridge) #29

That sounds really interesting!


(Andy Wootton) #30

Is it also slightly illegal?


#31

No. At worst, it voids warranty.

Finding bugs is huge business. Maybe if we could use the group as a platform for bug hunting, it could start to fund ‘stuff’.


(David Davidson) #32

Nothing illegal about reverse engineering stuff you own in the UK as far as I am aware. Warranty goes out the window, and you might be violating some end-user licence agreement, but that is stuff that I tend to ignore anyway.

Some vendors do get a little bit tetchy and lawsuit-happy over it from time to time; the worst I have had are vague threats that never amounted to anything, and the odd bit of slander/namecalling from certain parties who took unkindly to bugs being disclosed.


#33

Proper bug disclosure is good for your credibility but if the company do not recognise it then you’re free to publicly disclose it.


(James) #34

I’m rdogwood on Reddit, I think I replied to you both in the thread. If you lot want to kick things off with a casual pub meetup, I’m game. :thumbsup:


(Andy Wootton) #35

You are right, of course. I’m confusing US software law with UK attempts to break into a system, so, as long as the firmware didn’t give access to a back-end system you don’t own, you’d be OK.


(David Davidson) #36

US software law is a disaster :frowning:, pretty much any reverse engineering could run afoul of the DMCA or some other absurd copyright law.

Usually, if I come across something that “talks to” some back-end API when reversing things (and it happens often enough), I make note of it and leave it well alone.
If I happen to be made aware that said API is in-scope for a “bug bounty” program, I might go explore it at some point, but usually it is best to err on the side of caution to avoid unwanted interactions with law enforcement or lawyers :slight_smile:


#37

So how about a meetup in July?


(Daniel Hollands) #38

From experience, the best thing to do here is to specifically choose a date, and tell people what it is, rather than just some vague idea of July. If people want to come, they’ll make whatever arrangements they need to get to it.

Alternatively, you could use something like http://doodle.com/ to let people choose from a selection of dates - just make sure that specific dates are involved.


(James) #39

July sounds good to me! Any day, really. Shall we decide on something arbitrary like the first Saturday?


#40

Sounds good to me!