Building a Cohesive

Undergrad Security Club

or, how to navigate the intimidating field of security and train a bunch of freshmen to make a great team

​

get these slides: ___klatz.co/cyphercon4

​

Who is the queen of cyber?

whoami: ian klatzco https://klatz.co/

• ece senior @ UIUC (please hire me)
• fierce kindness
• I like building organizations
• DDRIllini (dance games)
• SIGPwny (security club)

i made this >

Other interests

• Fuzzing / symbolic exec - github.com/grimm-co/killerbeez
• Compilers (LLVM)
• Programming languages
• Copyright
• Usability / Safe systems
• Voting machines / election security
• Polish pop music - klatz.co/cyphercon4
• Going to Japan 3mo (hit me up with suggestions)

SIGPwny

^ special interest group:

^ pwning

​

​

SIGPwny

^ special interest group:

^ pwning

​

​

made the logo last night when i asked thank youuuuu

Daniel

UIUC

Michael Bailey

Supporting Professors

Joshua Mason

Kirill Levchenko

Getting new people into security is hard.

PROBLEM

Getting new people into security is hard.

Learning technical things is hard!

PROBLEM

Getting new people into security is hard...

• The subject is challenging
• Life is busy; distractions aplenty
• It’s a newer field; resources are scarce
• Hard to make new ones

ROADMAP

Security training = Hard

​

PROBLEM

MOTIVATION

QUESTION

ANSWER

… but also important!

• Jobs (talent gap)
• Concepts are useful
• Threat modeling, password managers, avoiding scams
• It’s cool!

ROADMAP

Security training = Hard

But important!

​

PROBLEM

MOTIVATION

QUESTION

ANSWER

CTF - capture the flag

Solve puzzles, get points

Points!

CHALLENGES

FLAG

Points!

CHALLENGES

PWNY〜

FLAG

But... this is still really hard.

SIGPwny

^ special interest group:

^ pwning

​

​

SIGPwny does not compare to top uni CTF clubs.

• RPISEC and PPP place at the top of leaderboards
• Enough people for two teams!
• Cool research/training output
• ForAllSecure, Modern Binary Exploitation
• We had cool projects by individuals, but not as a team.
• Conference talks, a couple CVEs

“I want SIGPwny to be good.”

How can we make SIGPwny better?

ROADMAP

PROBLEM

MOTIVATION

QUESTION

ANSWER

Security training = Hard

But important!

How can we get better at it?

​

​

SIGPwny meetings are the core of our club.

SIGPwny meetings weren’t good. Why?

• Long, uninformative, hot.
• Unfun and HARD.
• Dwindling attendance.

We need to make it easier to learn.

​

​

​

We need to make it easier to learn.

​

We need to get better at teaching.

ROADMAP

PROBLEM

MOTIVATION

QUESTION

ANSWER

Security training = Hard

But important!

How can we get better at it?

Get better at teaching.

​

Teaching is easy right?

Actually….

teaching is hard.

​

​

Actually….

teaching is hard.

​

​

Why wait until senior year?

• I had to learn about security:
• I didn’t start until college.
• No defined structure for young’uns contributing.

Meetings should be:

• Kind.
• Approachable.
• Drop-in.
• Interesting.
• Somewhere you learn.

How can we get better at teaching security?

• How can we keep them coming back?
• How do we make this less work?
• How do we measure our success?

PWNY〜

Questions

A typical week for SIGPwny

Monday:

Decide topic

A typical week for SIGPwny

Monday:

Decide topic

Tues-Weds:

Prepare Meeting

Breakdown of Challenges

medium

hard

you taught

a meeting!

Attendance

easy

easy

easy

A typical week for SIGPwny

Monday:

Decide topic

Tues-Weds:

Prepare Meeting

Thursday:

Teach it

A typical week for SIGPwny

Monday:

Decide topic

Tues-Weds:

Prepare Meeting

Thursday:

Teach it

Weekend:

They solve it

A typical week for SIGPwny

Monday:

Decide topic

Tues-Weds:

Prepare Meeting

Thursday:

Teach it

Weekend:

They solve it

before 7PM ON THURSDAY:

DO EVERYTHING

Meeting happens

Let’s walk through one.

Meeting features

• Attendance Flags
• 15/45 minute meeting format
• 24/7 CTF w/ Feedback
• Documentation & Canning meetings

How can we get better at teaching security?

• How can we keep them coming back?
• How do we make this less work?
• How do we measure our success?

PWNY〜

Questions

Attendance Flags

DEMO

(backup,

in case of no internet)

Newcomers instantly see the point.

​

Attendance data!

Attendance Data

Attendance data!

Exams

Attendance data!

Peak attendance

CTF Event w/ Northrop Engineers

Meeting features

• Attendance Flags
• 15/45 minute meeting format
• 24/7 CTF w/ Feedback
• Documentation & Canning meetings

15m / 45m meeting format

Fight boring meetings.

Security (Tech):

Learning by doing

15m talking.

45m doing.

How can we get better at teaching security?

• How can we keep them coming back?
• How do we make this less work?
• How do we measure our success?

PWNY〜

Questions

Walking around and being friendly goes a long way.

Who is the queen of cyber?

twitter.com/

swiftonsecurity

​

We run a CTF each year called… what?

​

(short break)

hint

what comes up when you search twitter for "uiuctf" and that account?

We learned:

• Giving them the parts
• Being ready to help
• Pushing them towards the solution

Give them a foothold.

Once they had that, they can do the rest.

Meeting features

• Attendance Flags
• 15/45 minute meeting format
• 24/7 CTF w/ Feedback
• Documentation & Canning meetings

24-7 CTF with live feedback

Bring the CTF to them.

24/7?

24/7?

( gamer slack )

• people already use it
• forked CTFd and added webhooks
• github.com/sigpwny/ctfd

James

Making CTF friendlier is great.

Meeting features

• Attendance Flags
• 15/45 minute meeting format
• 24/7 CTF w/ Feedback
• Documentation & Canning meetings

How can we get better at teaching security?

• How can we keep them coming back?
• How do we make this less work?
• How do we measure our success?

PWNY〜

Questions

Documentation

building institutional knowledge and saving organizer effort

“Canning” meetings

Packaging them to save future effort

Remade meetings every year

What’s in a meeting?

• Slides Still takes work….
• Challenges
• Email blurb

Research credit for freshmen/sophomores

Doing CTF work…. for class credit???

Research credit for freshmen/sophomores

Doing CTF work…. for class credit???

“Defined structure” for young’uns

(boxing)

(boxing)

Example Canned Meeting

sigpwny.com

Please use them!

Disclaimer

• We re-use a lot of existing content.
• We attribute it as best we can.
• The value we add is:
• Slides
• 15m presentation
• 45m walking around and helping

Meeting features

• Attendance Flags
• 15/45 minute meeting format
• 24/7 CTF w/ Feedback
• Documentation & Canning meetings

✔️

How can we get better at teaching security?

• How can we keep them coming back?
• How do we make this less work?
• How do we measure our success?

PWNY〜

Questions

Attendance

VishBK, 15

Jesse, 13

Thomas, 12

​

​

​

Thursday 7pm

People staying after!

Attendance data!

Jesse

18 people / meeting average

A less than successful moment....

We got hacked.

organizational failure

How?

• Kali VM on the public internet
• User: root
• Pass: toor

Things that give me dopamine

six hours later

Getting new people into security is hard.

ORIGINAL PROBLEM

We need to teach better,

at meetings.

ORIGINAL ANSWER

Meeting features

• Attendance Flags
• 15/45 minute meeting format
• 24/7 CTF w/ Feedback
• Documentation & Canning meetings

How can we get better at teaching security?

• How can we keep them coming back?
• How do we make this less work?
• How do we measure our success?

PWNY〜

Questions

Experienced/talented students?

• Pentesting Group
• Bug Bounty Group

Pentesting group

• The pentesting / red-team-y side of security is alluring
• Students interested in it, can practice that.

Bug Bounty group

• Let’s take the senior members
• Do real projects, together
• Find some bugs in things!

Neither of these are very far yet.

• They’re trying to do hard things.
• They require committed, interested members.
• But, we’re getting there.

How you can help

• Come give talks! (we can offer a bed w/ local hackers)
• Donate money for subsidizing conference trips, server hardware, binja licenses, hackable hardware, …
• Use our meetings! Join our mailing list!
• Hire us!
• Follow @ twitter.com/sigpwny

Fall Recruiting CTF

like the earlier Northrop one

Fall Recruiting CTF

• “hackathon with actual hacking”
• We need engineers
• We need money for food and prizes

Key Takeaways

• Up the social aspect of activities
• Flipped classrooms are the way to go, period
• Do as little work as possible

at the end of the day, SIGPwny’s about more than teaching 200 freshmen how to install linux.

it’s about forming a friendly, compassionate group that wants to see each other each week and learn things together.

the “leet” follows.

Hire me! https://klatz.co/ @ian5v

• Seattle
• March 2020
• I dig healthy teams

That’s all! Thanks for coming.