Re: Security experts in Mauritius

From: Loganaden Velvindron <logan_at_afrinic.net>
Date: Sun, 1 Nov 2015 11:49:43 +0400

On 11/1/15 11:23 AM, S Moonesamy wrote:
> Hi Logan,
>
> I read http://logan.hackers.mu/2015/10/security-experts-in-mru I
> noticed the following:
> http://www.elandsys.com/~sm/crestconsulting-mu-compromised.png How
> come nobody else reported that?

Mauritians are still deeply rooted in the culture of secrecy, and
avoiding talking about problems that impact them.
>
> I agree that most people view security as an "add-on". From your blog
> article:
>
> "After doing a short presentation, on Heartbleed, we gave ample time to
> participants to come up with a working code, and a reasonable
> explanation. Heartbleed is fairly old: it happened in 2014.
>
> 2 months later, and we still didn't receive a single submission."
>
> Isn't it too much to expect a LUGM member to write an "exploit"?

The Heartbleed exploit wasn't that hard to write. You could copy bits
from various sources on the internet. The key point was understanding
the exploit you are copying, by analysing, and building a mental picture
of Heartbleed. We validated the contest by asking you questions.

>
> 'There are many self-proclaimed "Hackers" and "Security experts"
> in Mauritius. However, none of them are able to understand Heartbleed
> in a detailed manner.'
>
> Are you referring to me? :-) I leave it to you to determine whether I
> would be able to understand Heartbleed in a detailed manner.

Let's look at numbers. How many CVEs originate from Mauritius?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1224
https://www.freebsd.org/security/advisories/FreeBSD-SA-13:12.ifioctl.asc

What are the security experts of Mauritius doing?

>
> "We need security experts who can understand the small details of
> security
> flaws and come up with reasonable counter-measures to protect our
> CyberInfrastructure. This requires a LOT of mental effort & time
> investment."
>
> I agree with you that security requires a lot of effort and time. As
> you mentioned, the person would need to understand the small details.
>
> "However, I get the impression that most students are more interested
> in Computer Security as a fashion trend. Few want to do the hard
> mental work."
>
> In my opinion, you may be asking too much of undergraduate students.
> It requires much more than hard work; the person would need to have
> someone with expertise in the security area to guide him/her.
>
Hence, why we did a 1-hour presentation on Heartbleed using diagrams. We
explained the TLS stack, going back to TCP/IP basics.

HSC students are now learning computer science and they have a chapter
on Security for TLS. How much of that material are they really
understanding?

When I was 16 years old, we were doing that kind of stuff for fun. It
wasn't in the syllabus, but heck, we did it for the thrill as we were
curious.

> Regards,
> S. Moonesamy
>
Received on Sun Nov 01 2015 - 07:39:36 PST
