If people actually care about this topic, and want to see someone doing a genuinely good job, check out LiveOverflow. Some other posters here will make fun of his dubstep intro music, green on black terminal text intro with the Rabbit, but he admitted in his first QA it was tongue in cheek.
I have taken more traditional infosec coursework for $DAYJOB. I must say this stuff, the more novice stuff beneath and the more advanced stuff above my head, is well structured (even if informal), entertaining, and inspiring. I definitely want to give back to the community like him with solid content and a very unassuming attitude. This is exactly the kind of teacher we need in this space!
(This is not to say F Security is assuming or crappy, I just wanted to talk up someone who really is teaching how to hack the way I think it ought to be done!)
I have also recently started building https://liveoverflow.com, which might have a better structure than a YouTube channel or subreddit.
Also some people may have actually seen a video of mine, because my most popular video so far is the DirtyCow video which got referenced by news sites and on the dirtycow github repository.
I am so glad one of my highest grossing comments is talking you up, sir!!! How do I donate to you, by the way? I have been meaning to.
Your Angular stuff is my personal favorite, as I have not even done a sufficient amount of web hacking.
I happened to bring up your videos at a recent, very expensive infosec cert course and no one had heard of you. The instructor did take refs to the guy you cite for the Angular XSS bypasses, as he was European and knew that guy, and I sent him your stuff too. Super happy to talk you up!
As you wish. I will be more vocal on your subreddit.
More stuff with radare, please! Hopper seems cool, as does Binary Ninja, but I see us like scientists, and I don't like IDA and their ilk with their price tag. Not because I cannot afford it, but how do we as IT professionals not take reproducible research seriously!?
Also, keep up with your slick GDB fu. I watched your Boston Key Party vids last night and they are an education, let me tell you.
So what's the business of this company and its CEO? Other than trying to collect subscribers to his blog.
Also really confusing name considering there's the Finnish security company called F-Secure who also have a technical blog:
https://labsblog.f-secure.com/
If you think I am trying to collect subscribers, I have removed the "Subscribe to us" text from the post. F stands for my name and I liked the domain.
There is no business of this company. All I do is learn stuff, try to come up with good articles and post them. I plan to convert it into a proper company once my studies are over. I am just a student at the moment.
"All I do is learn stuff" sounding phrase dot com would be more in line with your stated objectives.
Currently, the name & logo look like something a company would use and are potentially easily confused with other companies using similar names, as mentioned in other comments.
Just to be clear, it is obvious you put a lot of work into this, thanks for sharing. Keep it up!
I find it deeply disappointing that this totally skips some very important parts, namely attitude, motivation and ethics. (Except for so-called "Ethical Hacking". On the other hand, what should one expect from the blog of a security company?)
I recommend the all-time classic "How To Become A Hacker" by Eric S. Raymond:
Except all this has in common with the original post is the word 'hack'. Actually what you've posted is quite clearly against what the original post is about.
> There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.
I suspect this is a cultural thing. Here in Germany, most journalists and writers use the term "hacker" for both the constructive and destructive parts. For example, the Chaos Communication Congress is described by media as a "hacker congress" even though it has a wide scope where presentations about breaking into systems are just a minor part of it.
Oh, for sure. Hacker, I think, has a much broader meaning than JUST security. I don't think security should be excluded from it, though, as the How to Become a Hacker article promotes.
Apologies if you find it disappointing. The people who daily ask me questions about hacking are mostly interested in "Getting a swag from Google" part and I was a little bit inclined to give resources to such people. It is by no means a thorough guide covering everything. It's just a start for people wanting to learn some stuff. I found these resources to be quite good.
I just read How To Become A Hacker the other day and I highly recommend it. Not only is it a good read, but the resources for continued reading mentioned in the text are very good content.
Just read the linked post in full and that's an awfully reductive comment on the experiences he describes there. I suggest taking a more intellectually honest look at that writing (not to defend any of his other writing or views, which I haven't read).
I think we're all pretty sure ESR is not in fact a god, and that nothing could have occurred with ESR or his magic flute to have demonstrated to him that he was. Rather, the story is more broadly illustrative of a pretty extreme narcissism and --- challenging --- variant of self-awareness. For a more down to earth example, consider how many of us would non-ironically write the following passage:
I’m wondering about this because my wife Cathy asked me a simple question last night, and I realized I didn’t have an answer to it. “Are you” she asked “the most famous programmer in the world?”
This was a question which I had, believe it or not, never thought about before. But it’s a reasonable one to ask, given recent evidence – notably, the unexpected success of my Patreon page. This is relevant because Patreon is mainly an arts-funding site – it’s clearly not designed for or by techies.
It goes on in this vein. Here, by the way, is a link to his Patreon page:
Apparently we value "the code that makes our digital world work" a bit less than we value the person who fries our french fries at McDonald's. If that sounds mean, well, it is, but it was also Eric Raymond who put forward the idea that his Patreon page may indicate that he's among the most famous programmers in the world.
For a nerdier take on ESR's merits, hunt down Terry Lambert's take on fetchmail. (You should know who Terry Lambert is, if you don't already).
Not to mention that ESR was, at some point, a multi-millionaire. Pretty sure he still is, in which case that Patreon page of his would be nothing but a con.
As a junior security employee, I am still trying to figure out where to take my career. I have thought about various different paths: pentesting, development (JS, C, python, exploit...), reverse-engineering, web-app hacking, network-engineering, and I cannot for the life of me decide where to focus my studies. I have reservations about pentesting because, for example, I think a lot of it is unskilled work (e.g., pressing scan on nessus, clicking exploit on Burp) or work which will be automated in the near future. So for those who are more experienced than me, or for those who can share some insight on security careers, what tech careers would you choose and what would you study if you were starting right now?
> I have reservations about pentesting because, for example, I think a lot of it is unskilled work (e.g., pressing scan on nessus, clicking exploit on Burp) or work which will be automated in the near future
My job title is "Penetration tester" but I don't fall into that category. That's why I often refer to it as doing "application security analysis/audits". My current job is to do black/white box testing of single applications, and not of huge organisations where you just phish some employees. I have not worked for other companies, but as far as I can tell, many "penetration testing jobs" are actually what I do.
It's fun, challenging and very technical. And obviously no scanners are used; I have never in my career used nessus or any other click2exploit tool.
Unrelated: It's not cool to put up all the logos of companies just because you found some low-sev bug there, not even mentioning that the name is kinda similar to the known security corp F-Secure...
I thought it would be a good motivation for others. Also, I did receive a book, "Intro to Algorithms", by the MIT Press Director on urgent delivery. So I think it's okay to show other people what exactly they can achieve by going through the stuff I posted.
His subreddit:
https://reddit.com/r/liveoverflow
His YouTube channel:
https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w