This post is directed to the people that share my interest in learning and understanding IT-security on a deeper level than most (vulnerability research, exploit development, reverse-engineering). The ones that are not interested in merely learning the tools of the trade, in order to do what any trained monkey would be able to do. Pointing and clicking, using scanners and tools made by other people, to detect and exploit vulnerabilities discovered by other people, without even necessarily having a basic understanding of the actual bugs that are being exploited. Those kinds of things have never had any appeal to me. I want to discover, I want to understand, and I never ever want to stop learning.
While the single best way to learn anything is by doing, having a knowledgeable mentor can speed up the process tremendously. He or she can guide you in the process, provide you with information and challenges chosen to take you from where you are now to where you want to be, and give you a helping hand if or when you get stuck. During my own journey, I have never had the luxury of having a mentor myself. I have, however, had the opportunity to teach and pass on some of my knowledge to willing students a few times. In those cases each student (or rather, the – usually government/defense related – clients that sent them to me) had to pay several thousands of dollars for my services. This time, I have something different in mind…
Perhaps you are currently a “web hacker”, knowing your way around things like XSS, XSRF, LFI/RFI, SQLi and command injection attacks, but want to delve into the realms of binary exploitation and reverse-engineering. Perhaps you are currently more into hardware hacking, and want to learn more about the software side of things, or perhaps you are well versed within the field of cryptography but want to have a better understanding of the software flaws that can often be used to circumvent it completely. Perhaps you are a beginner to the IT-security field, but with an ability to quickly learn and understand whatever you set your mind to.
I am searching for people with potential. Your current level of knowledge is not the most important part, rather, I want you to have the right kind of mindset to go a long way. I don’t care about whether you are a college dropout or a PhD, or if you are in fact still in school. Degrees, certifications and titles tell me absolutely nothing worth knowing. I do care about whether you have that same insatiable desire to learn and understand the world in general, and computers, networks and IT-security in particular, that has taken me to where I am today. You should have a genuine desire to learn, and a willingness to spend the time and energy it will require.
I will provide you with resources, I will give you challenges and hints about how to proceed to overcome them, adapted to your current level of knowledge. I will review your work, and give you information and suggestions on what you can do to improve even further. If or when you reach a certain level, I may even be able to provide you with some work for paying clients (if that’s of interest). If you really have potential, and live up to it, there will always be opportunities.
By now you might be wondering what the catch is, and you would be right to do so. I do not want your money, but I do want some of your time, and some of the talent you can provide. I am currently in the position of having a lot of ideas about things I would like to do, but far too little time to spend on them myself. A lot of these ideas revolve around the web, creating certain sites and services, or small applications (including mobile ones). Some of them are security related, and some of them are completely unrelated to security. Although none of them would be impossible for me to do on my own, I have slowly but surely come to the realization that it would take me a lot more time and effort to do these things than for someone that is already experienced within these fields, and time is something that I have far too little of already. In general, I have always avoided anything that has to do with developing user interfaces, so that is an area I am admittedly weak at. I do have strong opinions on how I would like them to look and work though. Although functionality always trumps beauty, aesthetics are important to me. In code, as well as in the visual side of things.
So, if you are experienced with rapid development and/or prototyping of web sites, including the backend, and/or mobile development, your chances of being chosen are definitely increased. The technologies I would prefer for these purposes are Node.js (perhaps in combination with the full “MEAN”-stack: MongoDB, Express, Angular, Node) in the backend, and probably Bootstrap in the frontend. Experience with building REST APIs, real-time web applications and customized widgets and components is a plus. I have spent some time researching various alternatives for developing the types of sites and services I would like to create, and those technology choices are what I am currently leaning towards, but feel free to come with other suggestions if you feel you have something else to bring to the table. A smaller subset of my ideas also require hardware hacking experience, and/or low level driver development, so those kinds of skills may be interesting to me as well.
As part of your training, my plan is also to let you participate in CTF competitions. I am currently competing with HackingForSoju, although we (and me in particular) have not been as active this year as we would have liked to. Last year, when we tried to be a bit more active, our team ranked between #4 and #7 in the world at ctftime.org (out of 3529 teams in total, to give you some perspective). This year we are currently at a modest 28th place (out of 4382 teams), but that’s a direct result of being so inactive (even when we have participated in a CTF, usually only a few of us have been able to play, and often only for a small part of the CTF). Personally, I have not been able to participate since Codegate (where we got 2nd place in the quals, and 6th place in the finals). My plan is to try to be a bit more active again in the future, and participate in some competitions with HackingForSoju and some with the people I’m mentoring. If I find 10 people (which is probably very optimistic, but one can always dream) with real potential, my goal would be to get you in the top 10 within a year.
If you are interested, send me a comment through the Contact-page, or send me an e-mail at je [at] clevcode [dot] org.
Anyway, if you are not already acquainted with me and my work within the IT-security field, it’s quite natural for you to want to know a bit more before considering this opportunity. As for my professional background, you can take a look at my CV. In short, I have participated in a number of challenges and competitions over the years, I have led teams of talented IT-security researchers, I have been a speaker at conferences such as BlackHat, DefCon and the RSA conference, and I have found vulnerabilities and created exploits for a number of targets (including smartphone and kernel vulnerabilities). Due to the sensitive nature of a lot of my clients, a lot of the research I have done remains confidential (including the most interesting), but there should be enough public information available to give you a pretty good idea of the kind of skills I provide. :) If you have not already done so, browsing the rest of this site is a good idea as well.
LOL you said node.js.
You are invalid.
What would be your suggestion, PHP? ;) Node.js is based on v8, the Javascript engine in Google Chrome, and even though no browser is completely secure I would say Chrome has the best track record of them all. Google also has, without any doubt, some of the best security researchers. Security is, by far, the most important factor to me when choosing a language/framework for this kind of stuff, after that comes convenience and availability of useful modules etc.
I actually used to do web development using C/C++, with my own template engine, my own database layer wrapper, and so on (many years ago, though). I simply did not trust anything that I did not create myself, and it actually turned out to be quite useful and convenient. Compared to the kind of frameworks available today, it’s still very limited though.
I would definitely not say that I trust Node.js completely (or even close to it), and I would still be more comfortable with building everything from the ground up myself, but I have to draw the line somewhere. PHP and many other languages are out of the question for me, due to not trusting the developer teams of the interpreter in question to make good security choices. Ruby has some appeal, but after the major security screwups made by the Rails team, I’d rather not go there. Python is a nice language (admittedly, much nicer than Javascript when just comparing the languages; Javascript is quite a mess). Django, the most popular Python-based web framework, is out of the question though. Again, too many major security screwups. Flask is a bit more appealing, but ultimately I don’t trust that either.
Building everything from scratch using C/C++ (something that a lot of people think would be a crazy endeavour, nowadays, and probably back when I did it as well) would still be an appealing option for me personally, but it would simply take too much time and too much work to maintain. People seem to take things like buffer overflows and other memory corruption based vulnerabilities for granted when dealing with C/C++ codebases. I don’t (when dealing with my own code). C/C++ (C in particular) does exactly what you tell it to do. No more, no less. When I code, I make damn sure that I tell it the “right things”. ;)
People make sloppy code all the time, which is a real problem. Due to exploit mitigation mechanisms getting better all the time, they get used to not having to care as much about the potential security consequences. This is a sad and dangerous development. Yes, memory corruption based exploits get harder all the time, but they will not disappear. You simply need to find better bugs. Combine information leak bugs with arbitrary memory overwrites. There’s always a way around even the best types of mitigations. Even strict seccomp()-based sandboxes can be circumvented when a kernel vulnerability in one of the allowed syscalls can be exploited. Such as the futex-vulnerability found a while ago, since futex() is one of the few syscalls allowed from things such as the strict Google Chrome sandbox.
At the moment, Node.js is one of the few alternatives that gives me a somewhat reasonable sense of basic security while still being useful for rapid development (I would still separate any really sensitive parts of a Node.js based web application to separate servers though, using simple C-based code that I have complete control over, down to the bits and bytes). I also trust Google to continue improving the security of the v8 Javascript engine, which is more than I can say for most other alternatives out there.
Cheers. ;)
So, have you already decided who you’ll be mentoring? If not, do you expect to have a decision by a given date?
-CM
Copyright © 2011-2013 Joel Eriksson. All rights reserved.
What base level of knowledge are you looking for, from someone who was born with “the hacker mentality” but has only recently been introduced to networking concepts, programming, and IT in general?
As an old, avid script kiddie, app developer/pen testing wannaB, who is re-learning everything again… here are my thoughts for you. This is only for a prototype or to get something out the door, and I by no means will state that this will help secure anything….
1) Prototype with Node.js, add web app firewalls, and lock down server, etc. On the cheap you could use something like a reverse proxy where all of the traffic would be forwarded through a WAF/firewall service provider like incapsula or cloudFlare….before hitting the nodejs server (nginx could do this), or even being L@m3 and using a nodejs hosting provider like nodejitsu to blame if your stuff gets pwnd/0wn3d or 0day attacked…
2) Build a REST API interface with NodeJS. Take a look at NodeJS express/REST APIs. Put it in a docker.io container or separate the process from the data that it is using, thus if the REST API server gets 0wn3d, you would have to use the box as a bounce pad to find the data server. Sure I know you can do it and that it can be done, but this is to get to the prototype/mvp stage… Do not run the REST API as root or have any access to the direct data; instead call a localhost process and stream the data back and forth encrypted on localhost in a separate docker.io instance on a port…. It’s similar to what Google Chrome does with its sandboxing…
Of course that’s not hard to 0wn, if you take down the nodejs server, then root kit the box, but you can make it a little more complex so that if it gets owned you have to take down the next container and so forth… this could possibly buy some time to change the passwords to the data server or other responsive type actions based on how you want to handle logging attacks and responding to guys like yourself :)
3) Use pure javascript framework like AngularJS/Go/Backbone… for web app on front end and make it directly use the REST API. If you want a mobile app, then also make it use the REST API. Do not have any random nodejs pages that process anything except through the REST API.
4) For data storage, you could start with a raw database like mysql, but then you’re going to have to keep up with patching etc etc, so it might be better to store the data into something like AWS simpleDB or an online DB storage provider that is already concerned about security (yea I know we can laugh at it), but at the same time trying to protect or develop all of your own components may complicate things as you’re trying to get to your first stage of a product/service etc.
5) Next finish your prototype / web app / mobile app or whatever cool thing you want to build…
6) After you have something working…..Then invite everyone to attack it….offer bounties, or offer free services etc.
7) Next start replacing the major components that you find vulnerable with hardened portions of the code, and start to think of everything as small containers.
Just some thoughts….
I’m interested in this offer. Currently I know the basics of RE and exploitation, but would like to learn more advanced techniques. My email is zophike1@gmail.com
Is this still valid? I am into security stuff… chupy35@gmail.com