Honeypots, Cybercompetitions, and Bug Bounties
Websites get hacked frequently, and most administrators cannot determine how the attacker got in. We are developing techniques to detect and prevent attacks usig deliberately vulnerable "honeypot" sites and watching the attacks on them. We use Tripwire, Dropbox, Twitter, crontab, and shell scripts to detect intrusions and rapidly exfiltrate the evidence to external servers. The evidence we gather helps us understand current real-world threats and methods. Cybercompetitions are extremely valuable to test and sharpen hacking skills, but they are typically too difficult for security beginners. We have found helpful training tools to guide and encourage students including PicoCTF, EasyCTF, and CTFtime. We now have a strong competitive hacking team, CCSF_HACKERS, competing in more than ten contest per semester. We also have an enthusiastic hacking club, including security students and coders, which is growing rapidly. Every website should offer bug bounties, or at least have a responsible discosure policy. This is easy to do, costs little or nothing, and greatly improves security. I'll explain how to do this and report the results of my own disclosure policy--students and other researchers have hacked me many times, getting into my email and Twitter accounts, rooting my servers, and adding harmless defacements to my Web sites. They all got my thanks and were placed on a Hall of Fame page. These people are heroes, helping me stay secure, not criminals or enemies.
- Not Interested