PaulDotCom mailing list archives

Tips on teaching security


From: tadaka at gmail.com (Jason Wood)
Date: Fri, 4 Sep 2009 14:34:51 -0600

Just for another point of view from an audience member...  I watched the
guys from Mandiant present "Metasploit Autopsy: Reconstructing the Crime
Scene" at Blackhat and thought they had an awesome demo.  They were
presenting their tools to show how a forensics investigator could
reconstruct a Meterpreter session that took place in RAM only.  Nothing went
to disk.  Here's the way it went.

They had a VM of XP which they were using to run PowerPoint for the
presentation.  At the beginning of the talk, they popped the XP box, loaded
up Meterpreter, ran some commands in cmd.exe, ended their session and closed
the Meterpreter process.

Then they proceeded to give the talk for the next 40 minutes using the XP
box they compromised.

At the end of the talk, they imaged RAM and dumped it to a file.  Ran their
script against the image file and extracted the entire Meterpreter session,
showed every command they ran and what they got back.

I don't remember much of what was actually said, but I definitely remember
the demo and the capability that they showed.  That presentation is one that
stands out to me for those two days.  I was also a bit impressed that the
Demo Gods didn't strike them down for attempting such a gutsy thing.


Jason

On Fri, Sep 4, 2009 at 10:09 AM, Michael Dickey <lonervamp at gmail.com> wrote:

As a presentation watcher, I think demos are worth their effort in
gold. Especially demos of your topics (OWASP 10 and Mutillidae)! Otherwise
your audience is just going to sit there watching technical concepts be
described...that only gets so far and lasts so long.

Even if you don't demo, specifically, examples of any sort are sexy.
Similar to why analogies get used so often.

On Fri, Sep 4, 2009 at 9:55 AM, Chris Teodorski <chris.teodorski at gmail.com> wrote:

So what is the general consensus on using demos in a talk, good, bad?
I'm giving a talk at the end of September on the OWASP top 10 and
Mutillidae and I'm debating demo or no demo?  If I do a demo it will
be a screencast, because I'm not willing to sacrifice my first born,
I'm kind of fond of her.






-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com

