TLDR; Wanna hack for fun? Have studies to complete? Need a job in infosec? Come to OUSPG to make cunning plans!
OUSPG presents, in the spirit of the Google Summer of Code:
Young,Old, Enthusiastic, Tweaker, Pro, Wanna-be or interested in the Information Security or Hacking stuff?- Still looking for something small or big to do during summer?
- Have a pet project? Need a topic? Need a project? Need a team? B.Sc/M.Sc/PhD thesis to write?
- Student, Worker, Affiliate, Alumni?
- Want to learn new stuff, new tools or create an impact crater on the tech and security landscape?
- Contribute to interesting open source projects out there?
- Or just get a few good pointers for your project/thesis from people that have been in the field for over 10 years?
If any (or none) of the above matches you, come and talk to us about it. See below for the time and place of our next OUSPG Open (doors) session.
If you want to come masked or anonymous you are most welcome, no need to reserve in advance.
If you want to impress your cousin you may make a pull request against this file to this repo and reserve your slot. :)
If still lost but curious, join #ouspg @ IRCnet.
- What we learned from (insanely) repo-centric workflow
OUSPG Open 2016 is now closed. We would like to thank contributors, participants, and anyone who was mentioned in this journal. (We hope we didn't forget anyone!) Encounters and interactions were one of the best things for us this summer!
As of 2016-08-3, it has been almost 3 months since we started. Since that a lot has happened. honeypots project was completed, with smaller image size than the closest alternative, urlhandlers took a leap in research and awareness. libfuzzerfication simplified fuzzing, and TryTLS has already started making impact to the security of programming languages.
OUSPG Open Minimum Viable Gala closed our summer. Click the image to watch the slides, summarizing the results.
- In this session, we celebrated and reflected what got done. We gave awards
in different categories.
We would like to thank the external our judges:
- Tomi Tuominen (T2 & F-Secure) - we named your award as
scene impact award,
- Winner: TryTLS
- David Chartier (Synopsys) - we named your award as marketing award,
- Winner: URL Handlers
- Kostya Serebryany & Abhishek Arya (Google) - we named your
award as Google award (OUSPG Open was funded with Google Grant)
- Winner: LibFuzzerfication
- Also, @nkapu and @mikessu received individual awards.
- Tomi Tuominen (T2 & F-Secure) - we named your award as
scene impact award,
- Food & Sauna @ CWi home in the evening
- Jani Tuovila (@replicant2020) from Bittium
- Anna-Maija Juuso from Oulu University visited us afterwards to hear how the summer went.
This Tuesday, we enjoyed the company of five different companies in Oulu. As we went on, we tried to hijack people from previous company to the next with some success.
- Synopsys
- Antti Kiiveri introduced Synopsys in general and Teemu Vaskivuo (@tevas) presented AbuseSA. We learned that Synopsys has a number of openings today, and more are coming up for different topics.
- Matti Kamunen talked about Defensics, and finally
- Sampo Niittyviita entertained us with his bachelor thesis. presentation dealing with ISTQB testing. We found familiar ground reflecting Sampo's work trough security audits.
- Checked out the new Kielo premises and met
with one of their residents, Radai.
- Jarkko Ruottinen explained the idea of Kielo, Christian Wieser from Radai showecased fancy drones, used for everything else except photography.
- F-Secure
- Sami Hyvönen presented F-Secure in general and Samu Sarivaara presented Rapid Detection service. We were glad to see F-Secure has grown in Oulu, and is eager to grow some more. They are also hiring!
- We also met Atte Kettunen (@attekett) first time with his new hat on (he moved from OUSPG to F-Secure)
- Prove - last but not least! We were
inspired by CEO, Antti Niittyviita.
- Prove indeed is a very successful company, probably due to all the hard work with the feet on the ground.
- Antti recommended Simon Senek's TEDx-talk How great leaders inspire action.
- He shared with us Prove's ups and downs. It Proved to be very good session, as we discovered the truth
-
It was a busy day. We had two tracks.
-
TryTLS shootout -sprint started already at 09:00 with internal QA-work.
-
09:00 TryTLS shootout-0.3alpha
- found fixable TryTLS issues
-
10:30 Review and head off to shootout-0.3beta
-
12:00 Aapo Audit Round II (etherpad), and shootout continues
- We had special guest stars Juhani Eronen from NCSC-FI and Mika Seppänen from Synopsys participating
- Ari Vaulo, Matti Suuronen and Laura Saukko represented Oulu University.
-
14:30 shootout II Review and head off to shootout-0.3
-
15:00 Reviewing potential vulnerability coordination cases.
-
18:30 sauna @ Boogie Software (map)
- Christian Wieser (OUSPG), Attek Kettunen (F-Secure), Sampo Niittyviita (Prove), Thomas Wahlberg (Boogie Software), Marko Haataja (Bittium), and freshly graduated Daniel Asked joined for Sauna at beautiful Boogie Software premises.
- A lovely Sauna, a lovely view
- TryTLS and Libfuzzerfication popularisation plans revisited. Going after more challenging, but more important audience education-wise, e.g. the developers instead of security pros.
- Recap from URL Handlers crew about what we learned from Assembly popularsation efforts
- Petteri Parhi from OP stopped by and talked about kaenkky.com early popularisation efforts. kaenkky.com was the "restaurant app" of Oulu in early 2000.
- The great TryTLS shootout - took official Docker images of different Linux distributions and ran TryTLS for as many languages as possible. Results are at TryTLS repository
- Inspired by other popularisation efforts, especially Kickstarter
In this Friday Helsinki -special we had a impressive 23 experts consisting of people who have influenced OUSPG and the cyber security in Finland.
- Jani Kenttälä (@evilon) coordinated a workshop about OUSPG & Oulu - past, present
and the future.
- URL handlers, HoneyPots TryTLS, and Libfuzzerfication were also introduced.
- Jarkko Saarimäki from NCSC-FI presented NCSC-FI's future plans. Finnish collaborative/networked model is going to get some steroids.
- Kauto Huopio @kautoh from NCSC-FI gave an update on NCSC-FI news followup.
- Kasper Kyllönen (@nkapu) of OUSPG and Juhani Eronen (@execgit) of NCSC-FI/OUSPG gave a rerun of their URL handlers Assembly presentation, with a more technical twist.
- Tomi Tuominen (@tomituominen) of T2 and F-Secure provided a lot of pointers and anecdotes from InfoSec scene developing in Finland, and Internationally.
- Pekka Ylitalo from Finnish Defence Forces (FDF) gave pointers troughout the session on how FDF have managed infosec/cyber over the course of past 20 years.
- Erka Koivunen from F-Secure squeezed some time to stop by while handling international press relations.
- Heikki Kortti from Synopsys reflected how OUSPG's reality-check culture has helped to shape the industry.
- Eero Kurimo / F-Secure with shared past and interest on fuzzing gave pointers throughout the day on various topics.
- Samuli Syrjänen from OP brought the perspective of a critical enterprise. Samuli talked about the strengths and weaknesses of solutions available for enterprises. Acknowledged unique aspects of NCSC-FI's services for the Finns and threw a challenge: security products are being APIfied everywhere - who is going to be the orchestrator?
- Other participants were:
- Aki Tauriainen, Ilkka Sovanto (@wraithh) / NCSC-FI,
- Simo Huopio / FDF,
- Antti Savolainen / FORMIN,
- Tomi Juntunen / F-Secure,
- Pekka Tetri / OP & Xensense,
- Toni Koivunen / Fitsec,
- Joachim Viide / OUSPG,
- Bogdan Mihaila, Lari Huttunen, and Sindri Bjarnasson / Synopsys, and
- Ari Knuuti / Cyblem.
- For this play our stages were the Square - Teamwork Area and the Frost Club at the Tellus Innovation Arena.
- Act I (12:00 - 15:00): Critical reading about Engineering, Productization,
Popularization and Social Enterprises
- All participants
- used the etherpad at http://muistio.tieke.fi/p/ouspg-reads for reservations & notes - see also the persistent notes
- picked an article to read from below or added one of your own choice
- summarized it (at least verbally) to the others
- reflected the message against whatever they were working on
- praised or criticized
- Marko's suggestions:
- Jani's suggestions
- Jukke's suggestions
- Ossi's suggestions:
- All participants
- Act II (15:00 - 17:00): Productization & Popularization news & plans
- Kasper Kyllönen (@nkapu) - URL handlers
- Mauri Miettinen (@vaulthunter) - TryTLS
- Mikko Yliniemi (@mikessu) - libfuzzerfication
- Pauli Huttunen (@WhiteEyeDoll) - SampleCloud
- For rest of the summer the world will be our stage!
- Next we take Helsinki, then we will take them all! :)
| TryTLS | libfuzzerfication | urlhandlers | honeypots | SampleCloud | |
|---|---|---|---|---|---|
| Do you use source control? | 1 | 1 | 1 | 1 | 1 |
| Can you make a build in one step? | 1 | 1 | |||
| Do you make daily builds (or CI)? | 1 | 1 | 1 | ||
| Do you have a bug database? | 1 | 1 | 1 | 1 | 1 |
| Do you fix bugs before writing new code? | |||||
| Do you have an up-to-date schedule? | 1 | 1 | 1 | 1 | 1 |
| Do you have a spec? | 1 | 1 | 1 | 1 | 1 |
| Do programmers have quiet working conditions? | 1 | 1 | 1 | 1 | 1 |
| Do you use the best tools money can buy? | 1 | 1 | 1 | 1 | 1 |
| Do you have testers? | 1 | 1 | 1 | 1 | 1 |
| Do new candidates write code during their interview? | |||||
| Do you do hallway usability testing? | 1 | 1 | 1 | 1 | 1 |
| Total score | 10 | 8 | 9 | 10 | 8 |
- A really casual, free-for-all hangout in the comfy office of OUSPG
- Organized by the summer trainees themselves, old OUSPG beards begone :)
The two teams will give a little progress update on their work (TryTLS and LibFuzzerification if you haven't seen the previous episodes)Free discussion on topic "Repo And You: How To Manage Your Life In 9000 Easy Steps"But Nobody Came
-
This time was a Etherpad-based thesis reviews at the Nest, enjoying the Fatboys. This is a quiet zone, with sun shining through the windows in the ceiling, so reading and cheering was quiet and commenting took place in Etherpad, Slack or IRC. Naturally, you were also able to participate virtually. We had a 15 minutes debrief break after each sprint.
- (12:00 - 13:00) Review of Aleksi Klasila's trytls B.Sc. thesis draft on etherpad, see persistent notes [8 reviewers]
- (13:15 - 14:15) Review of Ossi Herrala's secudep B.Sc. thesis draft on etherpad, see persistent notes [11 reviewers]
- (14:30 - 15:15) Review of Ilkka Sovanto's pahuus M.Sc. thesis draft on etherpad, see persistent notes [11 reviewers]
- (15:30 - 16:30) Review of Pekka Tetri's secmalady Ph.D. research plan on etherpad, see persistent notes [8 reviewers]
-
Thank you to all reviewers, local and remote!
- Strangely attracted to the Frost Club at the the Tellus Innovation Arena.
- TryTLS team starts with hands-on training to easily test whether your favourite library checks certificates properly. TryTLS stubs were started:
- How to write TryTLS Stubs training given
by Mauri Miettinen (@vaulthunter)
stubs/php-file-get-contents- Marko Laakso (@ikisusi) & Kasper Kyllönen (@nkapu)- Coogle Cloud Platform App Engine URL Fetch Service - Christian Wieser (@chwieser) of OUSPG
- clojure-http-kit - Aki Helin (@aoh) of Solita
- idiokit - Ville Kalliokoski and Timo Mattila of Synopsys AbuseSA team
- python requests - Jani Kenttälä of OUSPG
- bash-openssl-sclient - Aleksi Klasila (@) of OUSPG TryTLS team
- rust-rustls - Ossi Herrala of Synopsys
- we learned that a stub can be (barely) written by someone outside the TryTLS team in 2.5 hours :)
- libfuzzerfication follows up
with hands-on training on easy libfuzzer testing.
- Howto write libfuzzerfication stubs by Mikko Yliniemi (@mikessu)
mysamplelib- a demonstration stub against simple artificial target by Marko Laakso (@ikisusi)- we learned that a stub takes a bit over 2.5 hours to write if the target's build is not already familiar
- Jani Tuovila (@replicant2020) from Bittium and Antero Metso dropped in as well, unfortunately without their laptops this time.
- There was a Sauna excursion from 18:00 to 20:00 @ Oulun Sauna. The Sauna was excellent, a swim in the river was relaxing, our company was enjoyable and weather was smiling at us. :)
- It was a rainy and stormy day and there as a very big screen. :)
- Back at the Frost Club (12:00 - 14:00) and Square - Teamwork Area (14:00 - 17:00) at the Tellus Innovation Arena.
- Status update presentations and brainstorming (12:00 - 14:00) at the
Frost Club - YouTube capture
- Imoh Edet and Bastien Coeuret visits to tell us about the IoT security analysis and testlab progress
- Mikko Yliniemi (@mikessu) updates us on the libfuzzerfication progress
- Mauri Miettinen (@vaulthunter) updates us on the TryTLS
- Kasper Kyllönen (@nkapu) kickstarts the URL handlers in the OUSPG context
- Hands on hacking and planning on followed at the Square - Teamwork Area (14:00 - 17:00)
- Mikko Hiltunen (Oulu Vocational College) and Christian Wieser (OUSPG) drop in and are drawn into the planning.
- This was an advanced fuzzing workshop to share experiences with exotic platforms, fuzzing engines, speed and other drugs. :)
- Location was the Ice Breaker Stage at the Tellus Innovation Arena.
- Impressive 22 fuzzing experts from OUSPG, Synopsys, NCSC-FI, F-Secure, Solita, Ericsson and Bittium participated.
- Plenty of hands on activity, people brought their laptops!
- Agenda:
- Collaborative
3090 minutes on the State of Art in fuzzing via shared Etherpad on Kapsi's infra (Everyone) - Fuzzing with Docker by Atte Kettunen (OUSPG)
- libfuzzer by libfuzzerfication team (OUSPG)
- Fuzzing beyond C by Ossi Herrala (Synopsys) (slides)
- Competitive coding to familiarize ourselves with the idea of fuzzing stubs to bring fuzzing closer to development (Everyone)
- Collaborative
- Thank you all!
- Back at the Square - Teamwork Area at the Tellus Innovation Arena.
- Latest news from and brainstorming with the
libfuzzerfication team:
- Team reduces
ouspg/libfuzzer-basedocker image size radically. - Ossi Herrala (@oherrala) conducts rocket science experiments in applying libfuzzer to Haskell.
- Pauli Huttunen (@WhiteEyeDoll) officially joins as a salaried insurgent and draws up ambitious plans to scale ("vertically") from a stub to a cloud scale fuzzing of that target.
- Plans to scale ("horizontally") from a stub to a horde of stubs for the myriad of libraries, parsers and decoders out there. We need to help developers directly to achieve this.
- Team reduces
- Frenzy of coding and scripting with the
TryTLS team:
- Team writes test (driver) stub experiments with Python and Lua.
- BadSSL is studied further and used as the initial backend for the test stubs.
- Codification of the TryTLS backend prototype proceeds.
- We did a dive into security audits with help of Katakri:
- We used Aapo audit as a case study.
- Battle hardened auditors Mikko Kenttälä (@Turmi0) and Mika Seppänen (@mseppanen) of Synopsys visited us to workshop with us and walk us through Katakri in practice.
- Aapo project team was represented by Laura Saukko, Kaarlo Määttä, Matti Suuronen and Ari Vaulo of University of Oulu and Hannu-Pekka Heinäjärvi of Futurice.
- Kasper Kyllönen (@nkapu) wraps up the honeypot push. Docker packaged Cowrie ended up small and neat compared to our few years old Kippo iteration. Work was done in 76 man hours out of 60 originally allocated, not bad at all. :)
- G-BOA (Grand bearded OUSPG Alumni) Erno Kuusela of Solita, Ari Kauppi (@kauppi) of Ericsson, Jesse Hulkko (jhulkko) and Jani Huhtala (zaux) with Kapsi hat drop in and share ideas and help all the teams and day's topics.
- Our first time at the Tellus Innovation Arena, testing out the Square - Teamwork Area, worked out well.
- Jani Kenttälä (@janike) and Marko Laakso (@ikisusi) have a initial kick off meeting with the current Aapo project team about an educational security audit. We plan to take two hackathon type sessions during the summer on auditing Aapo in open and educational fashion with help from invited external experts.
- Group planning around our summer social "startups"
libfuzzerfication
and trytls TryTLS. Fresh brains
to pick were most welcome.
- Both teams presented their plans.
- First libfuzzerfied stubs appeared.
- TryTLS received expert consultation from Ossi Herrala on SSL/TLS/X.509/DH/CA quirks.
- Competition was announced. Team with more contributors to their repo at the end of the summer wins.
- Jani Kenttälä (@janikenttala) and Joachim Viide (@jviide) (re)join OUSPG staff as hired guns for our summer of the hacking :)
- Kasper Kyllönen (@nkapu) is half-way through his first 2 weeks sprint with us. First sprint is about updating the foundations for a affiliated Kippo-honeypot community. Updated instructions will be available in a public repository.
- Ossi Herrala (@oherrala) has a counseling meeting with Christian Wieser (@chwieser) on Ossi's B.Sc. thesis on Secure Deployment in Challenging Environments. Ossi's wrap-up: "Implementation progressing. Experiments to be done. Writing almost halfway done. Draft 0 to be delivered to prof next week."
- We were around at Vectorama, thank you very much to the organizers. A great event!
- Vocational Guidance Counseling and Cunning Hacking Plans at Oulu* Showroom and Lounge
- Topi Ruokamo with a strong career interest in wellness technology visits to get some pointers.
- Antti Tennivaara and Pyry Lindberg from Rovaniemi drop by to chat about studies and game development. Guys turn out to be 8th graders with more experience from software teamwork, python and game jams than your average much older university student might have. :) We end up going through Git conflict resolving & merging with them and Ossi Herrala (@oherrala).
- Samuel Ylitalo (?) (@ixutiin) came in to talk and mentioned participating in Koodikärpät this summer. Discussion spiraled in to SDR and radio frequencies and Ossi Herrala (@oherrala) joins in and gives plenty of pointers, e.g. good work by Windytan.
- Aaro Marjala (@dessu) gets invited to visit OUSPG Open session(s) at Linnanmaa during the summer. We promote him Tarlab and Tapsa (@burner) Haapala goes archeology and donates Aaro a bit of old gear to help with home brew networking.
- Onsite Capture the (h4x0red) Flag Combo on Friday 12:00 - 00:00. See the table of results below.
- While running the CTF-Combo Mikko Yliniemi (@mikessu), Atte Kettunen (@attekett) and Pauli Huttunen (@WhiteEyeDoll) have initial kick-off meeting as the core team of the libfuzzerfication. Deep dive into technical details was observed.
- Prof. Juha Röning drops in to coordinate the work contracts for our summer enforcements.
- Mikko Hiltunen ja Juho Juopperi are intercepted in Vectorama crowd and both promise to visit us later this summer.
- Ilkka Sovanto (@Wraithh) (NCSC-FI) meets with Christian (Krisu) Wieser (OUSPG) for a walk through of writing M.Sc. thesis and books regular meetings with Christian to ensure steady progress on the writing part.
Vectorama CTF "official" for the Rasberry Pi 3 B and 32GB SD-card prize:
| Nick | Score | Placement |
|---|---|---|
| dessu | 5 | winner |
| ixutiin | 2 | runner-up |
Vectorama CTF "open" for the pros (working in the trade, Kapsi Ry or JK Ry gurus disqualified from the main prize:
| Nick | Score | Placement |
|---|---|---|
| turmio | 12 | winner |
| nkapu | 5 | runner-up |
- Pauli Huttunen (@WhiteEyeDoll) came to wonder how many clustered virtualization platforms could one person learn about, break and fix in a single summer.
- Heikki Vesa visited to network. Heikki has long running and interesting hobbies ranging from lock picking, reverse engineering to building honeypots. Linked Heikki with Tarlab and @turmio.
- Timo Lintonen and Kimmo (hash) Halonen from VTT meet to discuss opportunities for mathematician interested in security and potential thesis topic. Thanks to Kimmo for visiting and consultation!
- Jani Yli-Kantola and Harri Hirvonsalo from M3S research group visit to discuss research around how people gain more control over their personal data (MyData) and to brainstorm on the TLS/SSL certificate check checking.
- Kick-off meeting of libfuzzerification with Mikko, Pauli, Atte (browserbane) Kettunen, Mauri and Aleksi.
- Jani Tuovila (@replicant2020) from Bittium visited to get an update and ask few Kippo-questions.
- Mikko Yliniemi (@mikessu) visited to prepare for the OUSPG intership starting next Monday.
- Jani Tuovila (@replicant2020) from Bittium visited to network and share experiences from Capture the Flag competitions. Jani was convinced to join our Kippo medium interaction honeypot network.
- Mauri Miettinen (@vaulthunter) and Aleksi Klasila (@OMISTAJA) come around to fill forms to prepare for their part time summer sprints on our libFuzzer and TLS themed topics.
- Ari Kauppi (@kauppi) drops in to plan AFL on QEMU for fuzzing ARM/embedded targets too clumsy to be tested in native targets. Honggfuzz was discussed. We agreed to keep "Advanced" fuzzing workshop on 28th of June to share experiences with exotic platforms, fuzzing engines, speed and other drugs.
- Timo Lintonen revisits. We did set up a meeting with Kimmo (hash) Halunen from VTT at the next OUSPG open. We have pointers to Dan Geer and his publications.
- Finnish Cyber Scene mapped - go watch the video and comment what we missed.
- Jesse Hulkko (jhulkko) from Kapsi Ry, Remod Oy & etc. visited and helped us to see what we missed in the mapping and to hash our summer ideas.
- Teemu Laurila with reverse engineering and mobile game development background visited looking for things to do during the summer.
- Scouted Tellus - perfect location for workshops.
- Joonas Kuorilehto (@joneskoo), Maria Toro and Kimmo Toro from F-Secure visit to discuss devops, fuzzing and practical co-op opportunities in Oulu area.
- Mikko Yliniemi (@mikessu) visits to plan month Master's phase internship.
- Mauri Miettinen (@vaulthunter) with game-modding & NPC Lua scripting background drops in to find side projects for the summer.
- Aleksi Klasila (@OMISTAJA) with "a bit" of coding background, e.g. couple of games visited to find "a bit" to do during the summer. :)
- Timo Lintonen - a mathematician with interest on crypto, discussing on practical implementation issues
- Janne Määttä (Synopsys) revisited - zeroing in to the scope to avoid an accidental Ph.D.
- OUSPG Open referenced at Kaleva
- Antti Järvinen (old school hacker with many hats) visited and is looking for collaborators to continue work on the his server-free p2p communication software called Classified ads. Seems perfect for crisis comms in case of the Zombie apocalypse and we agreed to link this to the Cyber Exercises.
- Engaged Pekka Tetri (@Theasolon) (OP-Pohjola Group) with his Ph.D. on Information Security: Panacea becoming a malady? Still missing a technical experiment/tool to analyze the complexity added by the add-on-security, if any. Needs help there.
- Engaged Ilkka Sovanto (@Wraithh) (NCSC-FI) on his M.Sc. thesis about a testbench of various proposals to extract evil from network events.
- Had a visit from Janne Määttä (Synopsys) about M.Sc. thesis topic. Initial discussions revolved around protocol reverse engineering and MITM-tools. We will get back to this next week.
- Engaged Ossi Herrala (@oherrala) (Synopsys) on his upcoming B.Sc. Thesis on the Secure Deployment in Challenging Environments
- Opened ouspg-open github repository to share the plans
- Opened Slack for the OUSPG and Affiliates, get your invite from OUSPG team
Short videos of happenings during OUSPG Open on summer 2016.
- Finnish Cyber Security Scene
- Open session 2016-06-07 - we need a bigger room!
- OUSPG Open - TryTLS and Libfuzzerfication teams kick off @ Tellus
- Aapo as a case study for audit ponderings
- OUSPG Open - Fuzzing Workshop at Tellus Ice Breaker Stage
- OUSPG Open - Frost Club Presentations
- How to make money with computers?