EH-Net
May 16, 2012, 04:44:50 PM *
  Show Posts
31  Ethical Hacking Discussions and Related Certifications / Programming / Re: Hey guyz am new here so i wana bcome a good hacker and wht are the basic i need 2 learn in progr on: March 02, 2009, 04:05:51 AM
Hey guyz that 4 the rply, plz can sum1 give the compiler link 4 java c++ and cobol thanx and bookz

Here you go
32  Ethical Hacking Discussions and Related Certifications / Malware / Re: Skype Valentine spam lure on: March 02, 2009, 03:53:04 AM
hands without brains of no use,
they have money we have brains , we melt for money thats what make them on a step high, or they would just mend wht they have and keep on mending and look at each others face's :P

hmmm - I read this twice.  is it some sort of zen poem?
I tried to summarise and got this:

-------------
Hands without brains
No use is money, need brains
we have all the brains

we melt for money.
that's what makes them a step high
just mend what they have

Keep on mending.
Look at each others Faces!
-------------


nope, sorry I still don't get it.  ???
33  Resources / News from the Outside World / Re: National Cyber Range - Mil Red Team/Blue Team project on: March 02, 2009, 03:45:25 AM
why not contact your local defcon group (there's pretty much one in every major city) and organise a CTF night every month or something?  most guys I know would jump at the opportunity if you mention "LAN gaming night", surely a bunch of security-type guys would jump at a CTF night.

going to suggest it in any case at the next meeting I go to.
34  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Titles & Names on: February 27, 2009, 08:36:17 AM
we've all probably had similar issues.

for me, it's made some really awkward social situations - sometimes you just can't win.

if you make a judgement on how much you think the other person knows about technology and dumbify your job description down, it gets awkward. however recently I've been trying to leverage the sexual innuendo that comes with "penetration tester" in order to spice up the conversation a bit.  the awkwardness always comes later when they ask the inevitable "so how hard is it to hack a computer?" and you can't deliver an acceptable answer without getting into sleep inducing technical detail...  :-(

I usually therefore stick with:
"so what do you do?"
"computer stuff... hey, nice weather we're having!"


guess it would be similar to us having a conversation with a specialist in an unrelated field:
"I'm a brain surgeon specialising in neuro-psychosis induced loboto-discombobulation therapy"
35  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: any tutorials that arent out dated? on: February 26, 2009, 06:09:20 AM
some questions that will help us point you in the right direction:

> do you understand computer networking?
> do you know how to program (in what languages)
> are you comfortable with unix/linux operating systems
> do you understand databases and SQL?
> can you read assembly language

"hacking" has many different aspects - do you want to reverse engineer applications, write tools, penetration test for a job? 
36  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: First Pen Test on: February 26, 2009, 04:35:10 AM
I found that useful Don,  I'm not a penetration tester yet but my day job is as an analyst/programmer and there is a component of documentation that needs to happen in addition to doing the fun technical stuff.  Currently I spend much more time designing and coding than I do documenting, but I'd imagine that perhaps for pen-testers the documentation and "other" components would be a higher proportion.  I'm concerned about this because I would (as I guess most people would) prefer to spend time doing the fun technical stuff.   The only place that I can think of where the percentage of research and actually "doing stuff" would be greater than the peripheral stuff would be in a government cyber-security squad or as part of a mercenary cracking group.   Perhaps blackwater-esque cyber security companies might start springing up around the place if they haven't already.

Anyway, just thoughts.
37  Columns / Editor-In-Chief / Re: [Article]-DIY Career in Ethical Hacking: The R-Rated Version on: February 26, 2009, 04:03:28 AM
nice - I found the first one very inspirational - I'm looking forward to hearing this one
38  Ethical Hacking Discussions and Related Certifications / Programming / Re: Hey guyz am new here so i wana bcome a good hacker and wht are the basic i need 2 learn in progr on: February 25, 2009, 08:34:58 AM
not to mention the fact that it teaches sloppy programming habits (although I've not used vb.net)
39  Ethical Hacking Discussions and Related Certifications / Malware / Re: Skype Valentine spam lure on: February 25, 2009, 08:33:13 AM
last I heard, rumour had it that NSA agents can break RSA, walk on water and intercept forum posts before people hit the "post" bu
40  Ethical Hacking Discussions and Related Certifications / Programming / Re: Hey guyz am new here so i wana bcome a good hacker and wht are the basic i need 2 learn in progr on: February 25, 2009, 06:35:36 AM
if your subject line is accurate and you want to "learn to be a good hacker" stay away from VB as your first language.

learn python or perl and definitely learn to at least read C/C++
41  Ethical Hacking Discussions and Related Certifications / Other / Producing technical documentation for personal use on: February 24, 2009, 10:01:53 AM
Hi all,

I just wanted to stimulate some discussion on Documentation in general.
Specifically documentation that is not going to be presented to a client at the end of a paid session, just personal and highly technical notes.

So far in my time learning about security matters, I have mostly dealt with reversing binaries. I have found that although the skills required for this are similar to the bug-hunting or impact evaluation components of my day-job, my usual method of scribbling on a piece of paper as I go along is not sufficient as I would also like to include various other bits of media and disparate bits of information: screenshots, memory addresses, text notes, occasionally flow diagrams or pseudo-code and very occasionally videos of something in progress.

What I have been trying to do is place comments on the code in my debugger of choice, however, I often use more than one tool - such as interchanging between IDAPro and OllyDbg, meaning that my comments are spread between two bits of software.   Extracting these comments with their associated memory addresses into a text file is one option, but I also want to maintain the original notes file produced by the debugger for future reversing sessions.

Being a fan of Mind-Maps in general I've found Free Mind to be very useful for producing broad overviews, but I have yet to find a method I'm completely happy with.  Perhaps each method varies depending on what you're documenting - e.g. just analysing one binary as opposed to documenting a pen test.

I'd also imagine that for penetration testing or any sort of security assessment documentation would be very important. So I'm wondering if there are any preferred methods of producing documentation - either after the fact or as you go.  I've noticed in other threads that people have kept a wiki of their notes on certain subjects - I have thought about this, but is it overkill if it will only be for your own use?

Perhaps it's just a matter of at the end of a reversing session to collate everything into an informal document and embedding everything necessary with references to other files in the same directory.

Thoughts?
42  Resources / Tools / Re: IDA Pro 5.4 Released on: February 24, 2009, 07:18:43 AM
I've also been wishing for a full license for one of these also.

do you think hex-rays would give a discount if we bought a largeish number in bulk?
43  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Better Hacking tools = Good or Bad? on: February 20, 2009, 08:42:28 AM
Chris Gates had a blog post about this last year in October:

http://carnal0wnage.blogspot.com/2008/10/thoughts-on-why-we-need-exploit-code.html

I responded there.  he raises an interesting point about proving to management or non-techies that a certain thing is vulnerable - it's ok for someone to say "I think we have a security issue we need to spend x to fix it" but it's much more effective to say "we have a security problem - here, let me demonstrate how I can break into the network and compromise your computers."

here's my response:

Quote from: NickFnord
Unfortunately this is a human problem. Comparing it to physical security; if I buy a very expensive lock for my house I'll believe it is secure and would probably have been told as much by the locksmith I bought it from. If someone then tells me that it can be easily bypassed or opened, I will require proof of the fact before I believe it. I'll require it even more because someone I respect has already told me it is secure.

An object lesson is hard to beat, and a demonstration of slipping the lock or using a bump key on it will provide the proof required as plain as day. In a way, we can compare intrusion tools and exploits to lock picks and lock bypass equipment. Do we make them illegal? No, even if there were laws restricting these tools to licensed owners (locksmiths/security professionals) it is trivial for anyone to build their own. It is infinitely more important to secure things more efficiently than it is to restrict the use of the tools to defeat the security.

Having said that however, security (whether physical or electronic) is almost always going to be a compromise between cost and probability of intrusion. Do I buy that very expensive lock for my house and accept the fact that the intruder can just break a window? Do I put bars on my windows and accept the fact that the door can effectively be kicked in? Do I revamp the door with a metal frame, only to find that the lock can be bypassed in some obscure manner anyway? ... do I hire that professional pen-tester to secure our network as best he can or do I trust our sysadmin to do his best? Do I secure my house like I do a bank vault? Do I secure my computer network like a government facility? In any case, how do I protect against an ignorant employee clicking on a flashy popup from his work computer?

Sure, not providing ready made tools and exploits may make it more difficult for the mal-intentioned to break into things, but only in a fictional utopian society would "difficult" mean the same thing as "secure".
44  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Got Root Dance? on: February 20, 2009, 08:15:44 AM
You know, it's weird - I react almost the opposite of the stereotype.  When I solve an IT related problem I completely relax, with a complete sense of peace and rightness rather than jumping about energetically.  Anyone else get this?

I think that it may have come from when playing multiplayer and console games when younger - everyone else physically moves when they're trying to drive the car around corners or get all tense during FPS games, whereas I've tried to train myself to focus on doing only the necessary movements, and staying calm to reduce adrenaline flow (usually resulting in me beating the person next to me jumping around as if in an epileptic fit). When the win comes or the problem is solved, the serotonin still makes me quite happy but without the energy provided by adrenaline.

I'd love to do an actually scientific experiment on this one day.... any neuroscientists in the house?
45  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: so yeah (srry for the Forensics repeat) on: February 20, 2009, 08:04:35 AM
I guess due to my (potentially) overinflated self opinion of my intelligence I've always avoided "x for dummies" books so it may well be very good, but from the ones I've flipped through previously they tend to either be very light on in details and/or hand-holdy (is that a word?).  if you're going to shell out cold hard cash for a book you would be better off to buy one that will take you a while to understand and/or serve as a reference text.

you'll find that if you're going through a book on computer security and you don't understand a particular concept or term you'll get overwhelmed with information the instant you type it into google.   just my opinion anyway  :-)

© 2012 The Ethical Hacker Network