
Security Forum discussion

  • 08-04-2011 4:14pm
    #1
    Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭


    Currently the security forum is ambling along with some excellent security based challenges from several users and a few threads on various scams that have hit the unsuspecting public. There's even a sprinkling of gmail skulduggery for good measure.

    However, a recent post by 900913 which linked to a discussion from 2001 raised the question of a policy on disclosures....

    So, I'd like to invite all posters on the security forum, and hopefully a few of the lurkers, to post up what you would like to see here, and not just in terms of Disclosure: what, in all the field of security, would you like to see discussed? What type of security forum would you like to see here?

    From my point of view (and this is not the rule here, it's just an opinion): I don't ever see the security forum becoming a shining resource of vulnerability disclosures. I feel we should leave that to Full Disclosure and sites dedicated to cataloguing and managing disclosures like mitre.org etc.

    I'd like to see discussion of disclosures made on a reputable source as well as any analysis or extrapolations users might have.

    I'd like to read discussion about frameworks (like OWASP) or evaluations of pentesting platforms and methodologies.

    Discussions on various vulnerability types along the line of dlofnep's MITM essay would be great to see more of as well as any thoughts on Forensic analysis of various platforms.

    Links to resources for education and experience.

    Announcements of Events (that are primarily focussed on security), public challenges (free, if paid, check with the mods first) and upcoming talks/lectures (again free, if paid, check with a mod).

    What I would hate to see here would be:
    "see this site I ha><ored!" posts.

    Links to vulnerabilities or malicious code for the purposes of propagation rather than dissection and discussion.

    OS/webAPP wars along the lines of "X is crap and Y is cool!"... really, who cares. Just present the flaw and let the rest discuss it and make up their own minds.

    For disclosure (if it were to be allowed here) I would suggest the following rules/guidelines:

    Disclosure may only be made AFTER the owner of the vulnerable application/site has been notified and given a fair period of time to address the vulnerability.

    Disclosure should include a timeline of events (date discovered, date notified, correspondence etc. since then).

    Disclosure may include POC code but it may not be in a compiled form. Code listing ONLY please; if it's too long, attach it to the post in a plain text attachment (or a PDF if you want to be fancy).

    Disclosure should include a listing of anywhere else the disclosure has been posted (if only to avoid the "you copied that from FD you git" / "no, I posted it on FD you spa" type arguments that are bound to come up).

    Common sense should be used at all times. I prefer to place the emphasis on the word responsible when it comes to responsible disclosure.

    Posters should be aware that posting a disclosure in this forum automatically assumes that it is open for discussion, and should be prepared to have users question its validity or flat out not believe that it's real. Remember that they are discussing the disclosure, not the person disclosing it (in the same vein as attack the post, not the poster).

    I can't guarantee that every suggestion made here will be taken on board, as even if myself and Koolkid think "grand", they will still have to be passed by the boards.ie staff who may or may not be comfortable with the legal ramifications or the general direction it would nudge the forum towards.


Comments

  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I like the way the forum is going. I often glanced in here, but there wasn't much traffic.. But that seems to have picked up in the past few months. We are having legitimate discussions, community-driven challenges and going beyond basic security questions.

    I think we have a very good chance to build up a strong security community here. So long as everyone remains humble, I think we can achieve that. Many security boards often have a few posters that believe they are beyond everyone else, and any questions that might be beneath them aren't worthy of being asked. I think we need to challenge this, and make sure that everyone is able to ask a question without being chastised. Nobody is perfect, and nobody knows everything. I'm here to learn, and to share with what I know. I don't know all, and I'm always learning new things. But I'm happy we seem to have a core group of well educated posters that are willing to put the time in to help everyone.

    I was actually thinking about getting a discussion going about boards.ie's security forum hosting a security event - perhaps with some talks, and a few beers and a capture the flag event. I think if we could advertise it enough, we might get a good few willing participants. Nothing too formal - just enough to keep it serious, but also informal enough that everyone from beginner to expert feels welcome and can learn or offer something.

    Regarding disclosures - I don't think this forum is the appropriate place for them. I think that website vulnerabilities should be sent on to the web-developers of the website in question. If it's something like a mass-used CMS that has a flaw, then bugtraq and the likes could be used.

    I think a discussion on the specifics of a given vulnerability would be a very welcomed discussion however!

    Just my two cents.


  • Registered Users Posts: 367 ✭✭900913


    > I was actually thinking about getting a discussion going about boards.ie's security forum hosting a security event - perhaps with some talks, and a few beers and a capture the flag event.

    That's a great idea.

    I did post a live XSS here. It should normally never be done, but I did alert the owners and got no reply. I might get away with posting it because it was relevant to many boards_ie users. 80,000 people go to Oxegen and many are members here.

    I think posting vulnerabilities that may have a direct effect on members of this forum is acceptable. Turning the forum into an exploit database won't and shouldn't happen.

    The members and mods of this section would shred anyone who posted generic exploits/vulnerabilities that are available all over the web.

    Dissecting and discussing vulnerabilities is the best way to learn.
    I'm only here to learn, and I'm having fun too.


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    It would be nice to try and stimulate some more conversation and build an open forum of Irish security professionals. What I would find interesting is new trends, analysis of attacks, malware and exploits.

    Of course, how to encourage that is a fairly difficult question to answer... People are not going to give up valuable information on an open forum when there's no gain.


  • Registered Users Posts: 81,223 ✭✭✭✭biko


    I lurk in here and am interested in Sec tools mainly.
    As said above, I wouldn't want to see the forum turn into "how do I hack this and that?" but more about various ways to protect your computer/server/network by using various techniques and tools, both to pen test and to shield the system.

    Like this or this


  • Moderators, Music Moderators Posts: 4,725 Mod ✭✭✭✭Gonzovision


    I'd like to see some tutorials and maybe some challenges specifically set up for beginners.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    We've run loads of challenges over the last few months, you can be sure that we'll run some more soon :)


  • Closed Accounts Posts: 452 ✭✭Phractal


    I would love to have some stuff like collaborative malware analysis going on.

    I myself enjoy dissecting bits of nastyware (like ZeuS and SpyEye, which I have ripped apart) and other stuff - for example the Stuxnet decompiles.

    However I would love to work with someone who is handy at reading debugger output - it gives me headaches!

