Monday, May 25, 2015

I've been reading a little

I dislike how many ideas are scattered in tweets, talks, HN comments, and PowerPoint slides. I could tweet about everything but I'd just be retweeting retweets from people like [1][2][3]. So I just made a reading list. Personally I print everything out and underline with a pack of these. I rarely watch a talk or read slides anymore unless I have to. I'll add comments to each link and organize it better when I feel like it.

------------------------Top of the Pile------------------------------------------
Chapters 5 & 6 of Blackhat Python 
Bypass OpenSSL Certificate Pinning on iOS
Spidering Techniques for Content Discovery

------------------------Web Stuff------------------------------------------
PHP: a fractal of bad design

------------------------Classics and Old Matasano Stuff------------------------------------------

------------------------Fuzzing Stuff------------------------------------------

------------------------Native/CTF Stuff------------------------------------------
Great NULL Dereference Bug Writeup from Justin Schuh
Markus from RPI has skills*

------------------------Heap/Kernel Stuff------------------------------------------

------------------------Trail of Bits Stuff------------------------------------------

------------------------Apple Stuff------------------------------------------

------------------------Crypto Stuff------------------------------------------

------------------------Close to Metal Stuff------------------------------------------

Monday, June 30, 2014

OpenToAll CTF team

Edit: I made a subreddit you can visit for more information.

tl;dr I made a CTF team anyone can join that wants to play with others remotely.

One of the things you're guaranteed to be asked when you go to a security conference is, "Do you play CTFs?" If the answer is no, you feel like a chump. You can get good at CTFs on your own (I haven't yet), but it'll be easier and more fun to get over the learning curve if you join us.

If you're new to CTF or just suck like I do, have a look at this (and maybe this (read up to the networking chapter), then this too). Be sure to have an Ubuntu and a Windows VM as well.

Lastly, if you're already good at CTFs and would like to be a humanitarian and help some unskilled but passionate people, please do so.

Friday, April 18, 2014

Hopelessly Ambitious Summer Plans

print all the things
just printing stuff
Edit: READ THIS RIGHT NOW I don't need to read books, I need to read write-ups! So my reading goals are crossed out. Too bad there are almost no CTFs in the summer but archived ones and wargames are almost just as good.

Every summer I vastly overestimate how much I'll be able to get done in my free time. I only hope to do as much of this as possible. EPUBs are so much better than PDFs because you can highlight them. Also, I'm gonna try to order the books I read by prioritizing the ones I can move through the quickest and see how that works (the first 13 are all really short or simple or I just need to reread through). This is a must read as far as reading goes.

Matasano Crypto Challenges
Microsoft Bluehat Challenges
The Eudyptula Challenge
        Marcin's Burp Plugin
        Marcin's Blackhat Talk
        Corelan Exploit Writing Tutorials
Play All CTFs and Read Writeups
Pimp out Vim
        Matasano Log
        Jarmoc's Website
        Filippo's Website
        Old Rohlf Blog
        Neal is cool
        Mark Dowd was, in fact, sent back through time to kill the mother of the person who will grow up to challenge SkyNet.

  2 WAHH
  3 JavaScript: The Good Parts
  4 The Browser Hacker's Handbook
  5 Programming Ruby 1.9 & 2.0
  6 SQL Injection Attacks and Defense
  7 The Tangled Web
  8 Android Hacker's Handbook
  9 iOS Hacker's Handbook
 10 Practical Reverse Engineering
 11 Metasploit: The Penetration Tester's Guide
 12 A Bug Hunter's Diary
 13 Cryptography Engineering
 14 Internetworking with TCP/IP Vol. II
 15 Unix Network Programming, Volume 1
 16 Threat Modeling
 17 Computation Structures
 18 Secure Coding in C and C++
 19 Assembly Language and Computer Architecture Using C++ and Java(TM)
 20 Pro Git
 21 Windows Internals, Part 1
 22 Windows Internals, Part 2
 23 An Introduction to Mathematical Cryptography

Tuesday, September 10, 2013

Post First Meeting

Edit: My email is "kevin" [dot] "hock" [at] "" and have a look at the best reading list ever

I'll be at NYSEC next week and you're welcome to join me (you might want to go next month) but here is the stuff I said I'd make a post about during the meeting. Make sure to watch my favorite security person from 37 to 43 if you haven't already. At the end of the meeting someone gave me their laptop and that works on the projector so I can show everyone how to use Olly and IDA myself next meeting (in two weeks). WebGoat might be a pain to install so DO THIS before the next meeting. If everyone could have Windows in a VM though that would probably be a good idea in the future. Preferably XP but 7 is fine too.

There are two main things I want as a result of this club:
1. Good CTF team
2. People to get jobs in the security industry

This is the first CTF we're going to do this semester that is made specifically for beginners. CTFs are waaaaaaay more important than the rest of this blog post and are the quickest way to learn things. I wish I knew about CTFs way sooner instead of just reading a bunch of books. Here and here are great posts about CTFs.

Another two hands-on things are Matasano Crypto Challenges and Microsoft Bluehat Challenges that I wish I had years ago.

Going along with the rest of this post, I'll give all the resources you need to pass the interviews I've gone on in the past.

Important for interviews:

Practical Development using C#/Java/Python/Ruby or any other major language

SBU has you covered for the most part but of course, the more code on your GitHub the better.
Grey Hat Python 
Matasano Crypto Challenges
I used to dislike coding but now that I have Kinesis Advantage, Vim and experience I really like it.

Binary Reverse Engineering
Practical Malware Analysis
More Sotirov

Exploit Research and Development
Buffer Overflow, Heap Overflow, Format String, ROP: there's not too much more they can ask about, but there's so much more stuff to know beyond what you'll get asked in interviews, and for defense contractors this is the main thing you should focus on.

Web Application Security
WebGoat

Kinda important for interviews:
Source Code Review

Cryptographic Analysis
Know private key vs. public key etc. type stuff. Feistel networks are good to grok and stuff but not really needed for interviews.
Matasano Crypto Challenges
The one crypto book he recommends

MAKE SURE TO watch my favorite security person from 37 to 43 if you haven't already.