[Noisebridge-discuss] what if: network forensics class

David Stainton dstainton415 at gmail.com
Sun Jun 14 19:51:05 UTC 2015


Dear Noisebridge,


Two things to say:

1. every popular TCP analyzer software needs to be rewritten to handle
TCP injection attacks properly. Here are all the TCP injection attacks
that are possible:
https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-badger-the-puppet-masters.rst#tcp-injection-attack-categories


2. I'd like to start a class/group that regularly meets in person or
online; collectively writes network forensics tools.

I'm not sure if there's enough technical interest on this subject...
but if there is then I'd like to teach about TCP protocol
analysis/anomaly detection, low level network programming, ethernet
sniffer packet capture methods, offensive packet spraying for
detecting Great Cannon MITM etc.

Those of you that know me might've noticed that in the past year I've
become completely obsessed with network protocol anomaly detection,
forensics, attack detection etc. especially when it comes to the
subject of NSA attacks on TCP mentioned in Snowden documents.

Ultimately I feel that a more healthy and balanced interaction in a
group setting would be a "working group" instead of a class... in this
case a low level network programming working group... but we could
start out as a class.


Are others interested in getting together to talk about the gory
technical details of writing "network forensics software"?
If the answer is no then I'd like to just move to Germany forever and
find actual hackers over there to work with. Your move.


Sincerely,

David Stainton


More information about the Noisebridge-discuss mailing list