2010-02-07 16:50 Experiences from the First AbuseHelper Training


About a week ago, we were at FIRST Symposium, giving a hands-on class on AbuseHelper. AbuseHelper took its first steps towards the community.

The Class

We held 2 x 4h hands-on classes on AbuseHelper. The hands-on class introduced the context of automated Abuse Handling and the lessons learned from a total of 7 automata generations in CERT-EE and CERT-FI. The class also briefly covered processes, challenges, workflows, architectures, terminology, and the context of abuse fighting. The audience received process building blocks and supporting software. In the class, the audience practiced hands-on with the AbuseHelper Toolkit - a modular, scalable and robust piece of software that is designed to help organizations automate part of their Internet abuse handling process. The toolkit and documentation are available to the participants under a permissive open source license. To demonstrate the expandability of the toolkit, the authors wrote new proof-of-concept components during the class on sources suggested by the audience: Project Honeypot (implemented in 10 minutes) and MalwareURL (some time behind the curtains writing the parser, then 20 minutes explaining on the projector how to insert it into a code template).

The (Not So) Hidden Agenda

The time and money we invested in this course was considerable compared to the size of our company. Why did we provide free training for the already open-sourced AbuseHelper?

In the long run, we want to establish an AbuseHelper community. We had an opportunity to introduce AbuseHelper in practice to over 40 people from AbuseHelper's target audience. The introduction also worked as a test - can we convey AbuseHelper's benefits to people who hear about it for the first time? The ideological reason is to pull the already existing communities together by taking the next step in fighting Internet abuse. The business reason is that we are creating a market for the field we love and think we have something to give. If we succeed in establishing systematic workflows for AbuseHandling, we have an opportunity to sell

Work done on those fronts will grow AbuseHelper further, bringing benefits for the whole community and our customers. Everybody should win, so ideologically it's a no-brainer. The following years will show how it plays out commercially.

Too small a market, you say? Let's just say for now that AbuseHelper is a toolkit and the same tech bends for lots of other stuff too. :) Basically we are building our second generation collaboration platform, partially killing two birds with one stone.

Postmortem Analysis on Planning the Class


Picture: Hacking in the hotel room, writing examples for the next day's class. Jussi has his famous poker face on.

Planning the training was a bit challenging as we didn't know our audience. We identified that there could be three AbuseHelper interest groups present:

Our method of survival was to prepare to serve all of those audiences. That meant some sleepless nights prior to the training, reviewing all the material we have documented in the past couple of months. The next step was to throw in a number of people onsite, as we guessed there actually would be people from all the interest groups. So we sent Joachim, Sebastian and Jani to Hamburg.

Also the technical environment had to be considered. We had several plans to survive the challenges set by the unknown training infra. We knew that there would be Internet connectivity and a local net inside the class. But we had no idea how reliable they were. So we had the following plans:

  1. Reliable Internet connectivity - use Clarified readily installed infra for the exercises, just have local copies of big software components to make sure that people do not need to kill the Internet connectivity with large simultaneous downloads. Training documentation also in AbuseHelper collab environment.

  2. Unreliable Internet connectivity - Jani takes a local copy of AbuseHelper collab and provides the documentation and XMPP server for the class

  3. No Internet connectivity - people work with their VMware machines

What we didn't consider was:

People had a hard time connecting to our laptops in the classroom. The same issue was with Sebastian and Joachim. In retrospect, I suspect a combination of running VMware Fusion and some weirdness in the local net. Unfortunately we did not have time to debug properly. The only thing we checked was that the OS in the target laptop never saw the packets sent by the source.


Overall, we got very positive feedback on the class. We scored quite nicely on topics such as "did the class meet your expectations", "would you attend a hands-on class again" and "I would take another class from this instructor". What was slightly below the other scores was the teaching skills of the instructor. I knew at least a couple of things which we would have done better to increase the score on that:

-- jani 2010-02-07 15:02:10
