Do you want to get into code review or improve your code review skills?
Make sure you check out my upcoming live trainings: "Web Security Code Review Training"!
I saw a guy reporting a vulnerability today.
No logo.
No website.
No drama.
He just emailed a write-up.
Providing all the details needed to reproduce and fix the issue.
Like a psychopath.
The world needs an old-school CTF...
So far the challenges are:
- Read this 5.25" floppy
- Read this 3.5" floppy
- Burn a CD
- Crimp your own ethernet cable
- Deploy a Peg DHCP server
- Connect to this token ring network
Anything else?
Unpopular opinion:
No one will work as a "pentester" in a few years.
People will perform pentests as part of their job as a security engineer, appsec engineer or redteamer.
It has already started.
Too many people fall into the traps of gamification or certification, focusing on the wrong objectives.
Your goal should be to learn, not to be at the top of the leaderboard or merely to pass an exam.
Blackhat swag as seen by people outside of infosec:
"This person is definitely a badass hacker".
Blackhat swag as seen by people in infosec:
"This person is most likely not doing any hacking".
Hackers: 25 years later.
Zero Cool manages a team of pre-sales engineers solving APT.
Acid Burn and Lord Nikon are both CISOs.
Cereal Killer works for the government.
Joey Pardella is trying to cover up a security breach.
They are all #infosec thought leaders on twitter.
If you're looking for a job, try to blog regularly about CVEs (ones you didn't find):
📚 You will learn so much
✍️ You will have something to show for it
🆓 It is completely free (unlike certifications🤔)
🎲 It removes the randomness out of your study/content (finding the bug)
Metasploit: $0
Exploiting known unpatched vulnerabilities: $0
Leveraging public security research: $0
Deploying 0-dayz to compromise random phones using public USB power charging stations: $3000000
Someone who is good at the economy help me budget this my APT group is dying.
For people being surprised to see so many security tools in the twitch leak...
This is what a modern security team looks like.
Less buying off-the-shelf tools, more building tools based on your actual needs.
🛠🧰💰
Do you want to find new vulnerabilities?
1. Look at the patch for a recent CVE (for example: CVE-2021-43350)
2. Write a @semgrep rule for them (tune your rule using the CVE you picked)
3. Scan a lot of code repositories with this rule.
4. Manually confirm the matches.
When people subscribe to @PentesterLab, they give me two things... Their $ and their time, I can't refund the latter and that's why I try to provide a lot of value...
Unpopular opinion:
A lot of people stick to CTF instead of Bug Bounty or Vulnerability Research because it is a lot more comfortable.
Not easier, more comfortable, you know there is something to be found.
I remember trying to learn Linux by printing pages and pages of Mandrake/RedHat manuals and trying to read them...
THAT DID NOT WORK.
What worked?
Using Linux as my daily driver for months. It was hard, it was annoying, it was frustrating but this was the way.
Not that it matters but since I saw another tweet on this:
I have 0 CVE, 0 certification.
People judging others on CVE or certs are at best lazy, at worst downright stupid...
This one seems very relevant to security/hacking:
"It doesn’t matter if you’re a beginner or an expert as long as you’re on the path.
If a beginner is on the path, all they need is time.
If an expert is off the path, they won’t be an expert for long."
– @JamesClear
One of the cheapest and most efficient ways to improve your infosec skills is to read code.
Literally, linux+vim+git on a raspberry pi with a 12” display is enough...
Read the code of opensource projects, tools you use, diff from advisories.
You don’t even need a browser!
"Do you need to learn to write code to get a job in infosec?"
Absolutely not! You need to learn to write code because that is one of the coolest things you can do with a computer.
I make a living teaching how to hack JWT, I will even run a workshop at Defcon on hacking JWT.
If you are a developer and your application uses JWT spend 5 minutes and watch this video!
Level up your #AppSec skills with our new video on JSON Web Tokens (JWT)!
Join us as we share six practical tips to enhance your security practices. Arm yourself with these insights today! Watch, learn, apply! 🔒🎥💡
@j2k3k
1. Take screenshot of desktop.
2. Use screenshot as screensaver/lock screen.
3. Leave laptop "unlocked" in public places.
4. Wait for outrage or LinkedIn thoughtleadership
If people were spending as much time learning to code as they are spending debating whether or not you need to code to work in infosec, they would be pretty decent programmers...