Slides for a talk at Code Camp Oct. 1, 2016 Sam Bowne City College San Francisco Twitter: @sambowne

1. Honeypots,
Cybercompetitions, and
Bug Bounties
Oct 1, 2016
Sam Bowne
City College San Francisco
All materials available at samsclass.info

2. Violent Python
• Step-by-step project
• Challenges
• No instructions
• Increasing difficulty
• ty @mqaissaunee

8. April 2014: Heartbleed

9. Vulnerable
Android
Devices

11. A Job from One Tweet

12. Exploit Development Class

13. CNIT 127: Exploit
Development

15. Buffer Overflow Vulnerability
• Input more than 1024 bytes will overflow the
buffer

16. DoS Exploit

17. Nonrepeating Pattern

18. Gnu Debugger

19. Generate Shellcode with
msfvenom

20. Construct Exploit

21. The Stack Frame
• The last word is the return value
• Must jump into the NOP sled

22. Listening Shell

23. Pwnage
Remote Code Execution

31. PHP Shell

32. Tripwire

33. Complete Report

34. Simple Violations Log

37. Vulnerability Disclosure

38. • ty @bugcrowd

39. Hacked by Anonsec

40. XSS

41. Rooted My Server

42. Rooted Twice the Same Way
• My first attempt to patch the vulnerability
failed
• With the help of a student, I got my kernel
updated after this

43. Stealing My Password
• Shoulder surfing
• http://tinyurl.com/
samspw

44. CTFs

45. How to Start
1. PicoCTF
2. EasyCTF
3. CTFTime

46. • Many levels, from very easy to very hard
• Complete walkthroughs

47. Graphical Gameboard

49. • 1 week long
• Many easy problems, but also hard ones
• Sign up to hear about other easy CTFs

50. Write-Ups

52. Find CTFs

53. Walk-Throughs!

55. Hacking Club

57. Remote Speakers
• Projector, webcam, Skype, speakers
• Two talks from professional penetration
testers

58. Student Contributions
• Cleaning up the lab to make an inviting
hangout space
• Bridging to the CCSF_Coders club
• Technical expertise from Google vuln labs
• Hacker contacts from Defcon, etc.

59. Hacking Lab
Free Fire Zone

61. Signs on Wall

62. Keylogger
• One student wrote a Python keylogger and
installed it on the lab machines

64. Internships

65. Employers
• OpenDNS
• NASA Ames
• Lawrence Berkeley Lab
• San Francisco Housing Authority
• UCSF Medical Center

66. Job Fair
• Students bring resumes at first (and only) class
meeting
• Employers describe jobs and grab applicants
on the spot
• Everyone welcome, including ex-students,
students from the Computer Science
department, students not enrolled in the
internship class

67. Administrative Resistance
• CCSF administrators cancelled the entire
program in Spring 2015
• I only saved it by appealing directly to the
Chancellor and threatening to resign
• However, the person who cancelled it is now
the Chancellor

68. Administrative Resistance
• The new curriculum review process doesn't
allow any class without lectures, textbook,
final exam, etc.
• This blocks seminar classes and Internship
classes
• The solution is to just break the rules--this is
what tenure is for

69. Guest Speakers
• At least one per class per semester
• "Careers" class consisting of visiting
industry speakers