The Path to Hacker Mastery

[ziggy_567]

Oh and could you please tell me a bit about the life of a pen-tester,

The pay(when you start out) (and as you gain experience)

 Every pen-tester's dream (like to get employed in _______________ company(please fill the dash))

And also working hours

I imagine there isn't really a "typical" road to becoming a pentester. But mine was fairly windy....

I got my Bachelor's in Sociology/Anthropology. I got out of school and within a few years realized I couldn't find a job that paid enough to cover my bills. So, I went back to school to get my Master's in Information Systems. Upon graduation I joined a Fortune 500 company in FL on their Security Operations desk. I was very fortunate in that the head of the Computer Science department at my school had close contacts at this company, so they recruited heavily from our school. I spent two years working on the security desk configuring IPSEC tunnels and changing passwords while learning how to monitor a network for anomalous behavior. It was while I was here that I soaked up as much of the basics as I could - Linux commands and operation, OSI, basic networking concepts, etc. etc.

After a couple years, I decided to move back to my home state for family reasons. I had also begun to want to do something different at that time and was really interested in finding a Unix/Linux Systems Administrator position. So, I found a small, privately held telecommunications company that was looking for a linux admin and got the job. This was a very lucky break as this company didn't have anyone with a security background and they EXPECTED everyone to go to training twice a year. I racked up most of the certifications you see in my signature there. I worked for them for almost 3 years and actually got to start doing a little pentesting at the end of my tenure there.

The company I work for now is a small, boutique security consulting firm. We do a little of everything, but I would say PCI is our 'bread and butter." Because we're small, everyone does everything. In other words, if a Web App assessment comes up and I'm the engineer on deck, I do a web app assessment even though its not really my strength. Most of what I do, though, is external and internal penetration tests. Web app assessments are probably the third most common module I do. But, we also do interview driven assessments, console audits, password policy assessments, etc. etc.

It's an incredibly fun job for the most part. There are definitely parts that aren't nearly as exciting (documentation), but the thrill of the hunt is the best part, because at the end of the day when you can show a client the impact that a risk poses, you can see that light bulb come on where they realize that they really need to fix the problem. When I was in operations, it didn't matter how hard I pushed, my manager never really got how important it was to mitigate risk. That can be very frustrating.

As far as pay goes, that will depend largely on your situation. If you're an independent consultant, your pay is determined by how well you can market yourself. Typically, I think that security folk in IT tend to be paid a little over the median income of IT fields and I think the highly technical roles like penetration tester tend to be on the high end of the security pay scale. So, you are generally compensated well, but I don't know if anyone is raking in millions of dollars from pentesting alone. Go check out salary surveys  on the web. I know Information Week just released theirs this month. You can find them in other places too, though.

Anyway, good luck with your studies/development. You've found a good place in Ethical Hacker. Stick around and ask questions, but more importantly, look around for all the nuggets that are here already.

[unicityd]

I think the Security+ is a fine way to start.  It won't get you a job but it will help you to learn the basic concepts and terms.

Purchase “Operating System Concepts, Seventh Edition” (Why is this more than 3 times cheaper than its successor?

Older editions drops in price because schools use the newest edition for their texts.

(Should I read the other Cisco books on routers and stuff now)
5)   Start gaining knowledge of specific OS. Preferably Linux, Windows server, XP, 7)

If you're already through the CCNA books, I'd suggest focusing on Linux/Windows before doing more Cisco.

Which programming language

Python.

before you said to learn web-app stuff too

You can leave the web app stuff until after you've gotten the IT basics down and started learning about hacking/pen-testing specifically.  Since it's not your particular interest, learn about pen-testing systems/networks first then web apps.

The pay(when you start out) (and as you gain experience)

The pay is going to vary a lot by company and location as well as experience/skill.  Location matters a lot both for job availability and for the value of your dollar.  Your money will go a lot farther in Boise than San Francisco or New York, but there are definitely more security jobs in SF/NY.  I'm not advocating for or against living in any of those places btw, they are just examples.

If you're willing to start your own company, the pay is potentially higher but with more risk (i.e. your business could fail).  To get to the higher salaries ($100k) within a company, you'll probably have to get into a role where you are supervising other people.  And, depending on where you are the senior roles may not pay that much. 

You don't have to be a manager, but you will be a "Senior" whatever and have to provide supervision to junior staff on technical matters.  You need to be the guy that other people go to when they have questions.   

[Novice hacker]

@ziggy

          Thanks for that account into your pen-tester life. It helped me to get a better idea of what a pen-tester does.   

It's an incredibly fun job for the most part.

I don't know if anyone is raking in millions of dollars from pentesting alone.

Does anybody know if this is even possible?

Anyway, good luck with your studies/development. You've found a good place in Ethical Hacker. Stick around and ask questions, but more importantly, look around for all the nuggets that are here already.

Thanks a lot for your wishes and help   

@unicityd

Python.

I really wanted to hear that 

To get to the higher salaries ($100k) within a company, you'll probably have to get into a role where you are supervising other people.  And, depending on where you are the senior roles may not pay that much. 

I'l let that remain a goal along the path but my ultimate interest will always be hacking   


Thanks a great deal for answering my other questions with patience too.     


Do you know any resources for network mapping?

Thanks, I'm going to jump into my plan soon


" A journey of a thousand miles begins with a single step"

[Novice hacker]

Oh yeah, when you said I have to learn about databases, do you mean knowing SQL commands is enough?

And is ok to be able to read shellcode or should I be skilled enough to write it too?

Thanks again

[unicityd]

Knowing basic SQL is the bare minimum; it would help if you had some familiarity with MySQL or MS-SQL. 

You don't really read shellcode.  Shellcode is just the hex representation of actual executable code.  When you make shellcode, you write it in assembly, build (assemble) it, and then do some by-hand modification to remove null bytes.  It's a very low priority; Just worry about the other stuff for now.

[Novice hacker]

Thanks for the info unicityd,

Do you think learning Microsoft Access is of any use? (I have an old book and was wondering whether I should take a look at that.

Oh and going back through your replies, does TCP/IP first edition talk about how network traffic goes from a local network to another?

Thanks again,

Oh and does anybody know if "anybody is raking in millions of dollars in pen-testing?"
                             

[ajohnson]

For example, you could set obtaining your CCNA as your first short-term goal,

Ok, but I did some research of my own and CCNA cert is not even mentioned here:
http://infiltrated.net/TechnicalSecurityRoadmap.html#   (I still plan on getting it, I just would like your opinion on this)

That's probably because it's not a security certification (although there is a security specialization you can add on and earn a CCNA: Security -- that list is still a WIP and may not contain everything at this time). Remember, you can't effectively secure/attack something you don't understand, so you need to build a foundation first.

Your short-term priority should be learning the basics and getting your foot in the door somewhere so you can start accumulating real-world experience. You don't want to end up with an impressive amount of knowledge and credentials but not have any demonstrable evidence of ever applying it. The CCNA is practically required for any entry-level networking administration position, and it is a logical starting place. However, as others have said, you may benefit from developing a stronger foundation in Windows/*nix first. Systems run on the network, so understanding how they work will make you a more effective network administrator/engineer.

Edit:

Oh and does anybody know if "anybody is raking in millions of dollars in pen-testing?"                           

You're asking about annually? Maybe if you were the owner of a successful company.

Otherwise, it's definitely possible to become a millionaire on a six-figure salary if you're smart with your money.

[MaXe]

So I heard you like hacking..   (Read through the entire thread at work today)

The reason why you need to learn how systems function, is also because you need to know what happens when you run an exploit. Sometimes, you have to reboot the server, and if you're testing in a production environment and your scope says you should avoid crashing services or entire servers for that sake, then you should make sure which exploits could DoS or crash servers or services. (And thereby avoid crashing them. It also serves the purpose, of being able to identify why the vulnerability exists, in case of configuration errors, and how to resolve it. Running a "canned exploit" as mentioned earlier, is the easiest part.)

Ten years sounds absolutely possible, because I began as the lowest factor around 12 years ago, where I only knew basic HTML, minimal hardware information, and how to fix common (easy) problems, and a few other things. I didn't have anyone to guide me most of the time, and when I did, it was mostly people I found out wouldn't last as mentors for a very long time. (But they became good friends.)

When I began my education as SysAdmin back in 2007, and learned all the basics I had tried to skip or avoid, it actually gave me a much better understanding of everything, filling in points that made me able to learn even better and more. (And yes I had to learn about the OSI model too, and outdated modem technology as well, but I had an awesome teacher who encouraged me and still does, to learn and improve.)

So the last ~5 years or so I've been "serious", and with people showing you the way, which books to read, which websites to check out, certifications, jobs, and much more, I'm sure you'll be fine and if you worked on it most of your time, you could probably do it in 5 years All it takes, is dedication and the ability to find information on your own as well.

I should say however, that even though I have had time for parties and girlfriends in periods, using a few hours a day, to learn more about hacking or talk about hacking with likeminded individuals like us, is not unusual as this is what we love.  


To answer your question about a pentesters dream, it's in fact more simple than you may think. As you're probably aware of, hacking is a huge area, and there's many areas to specialize in. Some wants to do social engineering, others malware research, others forensics, web apps, etc., but sometimes, they're not doing what they really want to do, they're doing what they're able to do, because it brings profit to the company and thereby, also gives the pentester a job, but the pentesters' dream is, to work with their area of expertise first and foremost. At least, if they are truly great hackers. (Some people value money higher than knowledge unfortunately, this is why pentest jobs exists though, so it's both good, and bad.)  

My 2 cents for the day, I'm sure someone disagrees with my point of view xD  

[Novice hacker]

@ajohnson

Thanks a lot for replying

you can add on and earn a CCNA: Security

I think it would be safer to start finishing with the CCNA and then progress onto security later, but thanks for the recommendation.

Your short-term priority should be learning the basics and getting your foot in the door somewhere

I'm currently trying to do this.....Do you think my ABSOLUTE FIRST STEP should be to read A+ material? (Assume I have no knowledge other than HTML and basic C,C++...? Thanks please be sure to mention the FIRST STEP.

you can start accumulating real-world experience.

After I have some knowledge in some thing, I plan to practically apply that and when I actually get to hacking I will build a hacking lab, though I might need some help on that.

Systems run on the network, so understanding how they work will make you a more effective network administrator/engineer.

Its OK if I study networking and then concentrate on individual OS, right? Or is that a must?

Otherwise, it's definitely possible to become a millionaire on a six-figure salary if you're smart with your money.

I really think that pen-testers don't get paid as much as they should....

And I think that a six dollar sum comes only with 10 years in pen-testing......

What if I become really good at it but my starting salary is still like only 50,000, right? Is it possible to land a six dollar starting salary?

@MaXe

So I heard you like hacking..   (Read through the entire thread at work today)

Yes! Thanks for taking the time to do that It was very kind of you   

The reason why you need to learn how systems function, is also because you need to know what happens when you run an exploit. Sometimes, you have to reboot the server, and if you're testing in a production environment and your scope says you should avoid crashing services or entire servers for that sake, then you should make sure which exploits could DoS or crash servers or services. (And thereby avoid crashing them. It also serves the purpose, of being able to identify why the vulnerability exists, in case of configuration errors, and how to resolve it. Running a "canned exploit" as mentioned earlier, is the easiest part.)

Thanks for the info mentioned above and for taking the time to type that.

I don't know EXACTLY what you meant but I've got a good idea, and it really helps in learning something when you know WHY you're learning it

you could probably do it in 5 years  All it takes, is dedication and the ability to find information on your own as well.

Thanks for the encouragement   

You're explanation of the pen-tester's dream was also very satisfying. I plan to work in whatever I specialize in   

Oh and do you know if learning Microsoft Access is of any use?


Thanks   
As for the 'dream company' do you have any ideas? (I was thinking Microsoft ......?)

 

[ajohnson]

You're asking for some perfect predefined path when one doesn't really exist. If you ask a dozen people how they got into penetration testing, you'll probably get a dozen different stories. I can throw out A+ > Network+ > Linux+ > Security+ > CCNA (which is a fairly standard novice path), but that doesn't mean it's going to be right for you. Just pick a topic and dive in. You'll find that the topics you study tend to be cyclical, and regardless of which topic you start with, you'll end up on another one sooner or later. It's not like you learn everything about Cisco, then go learn everything about Windows, then move on to Linux, the programming, etc. Personally, I study multiple topics simultaneously so I get a little variety. Maybe try starting with A+ and a beginning Python book.

Also, start general and get more specific over time. Don't worry about MS Access; learn about databases in general. That way, you'll have a starting point regardless of what kind of database you encounter. To answer your question more directly, no, MS Access isn't going to be very useful knowledge. You're going to want to focus on real DBMSes (Oracle, MS SQL, MySQL, PostreSQL, etc.)

The dollar amounts are going to vary greatly around the country. $50k is feasible for a junior pentesting position, but you're not going to start off with that in general IT.

Regarding pen testing jobs, you're probably going to want to find a company that specializes in it. However, large organizations may have a niche team that provides the same type of experience.

[Tazziewan]

Would it be advisable to start out as a junior system administrator and work my way up to network security / pen testing role?

[unicityd]

And I think that a six dollar sum comes only with 10 years in pen-testing......Sad

What if I become really good at it but my starting salary is still like only 50,000, right? Is it possible to land a six dollar starting salary?

With no experience, you just can't give a company the value they need to justify paying you a six figure salary.  By the time benefits, hiring costs, training, etc. are factored in, the company is spending twice as much on you as they actually pay you in salary.  If you want to make $100k a year, you need to be able to justify the company spending that money.

A typical first IT job is probably close to $40k (depending on location).  The people who make over $100k are mostly top technical people, managers, and consultants.  You're not going to fill any of these roles fresh out of school or self-taught with a couple of certs.

[MaXe]

@ajohnson

Your short-term priority should be learning the basics and getting your foot in the door somewhere

I'm currently trying to do this.....Do you think my ABSOLUTE FIRST STEP should be to read A+ material? (Assume I have no knowledge other than HTML and basic C,C++...? Thanks please be sure to
mention the FIRST STEP.

I know a few hackers who began with A+ and Security+ material, they turned out to be great.

you can start accumulating real-world experience.

After I have some knowledge in some thing, I plan to practically apply that and when I actually get to hacking I will build a hacking lab, though I might need some help on that.

There's a book by Thomas Wilhelm on that. (Publisher: Syngress, they publish a lot of good books on hacking.)

Systems run on the network, so understanding how they work will make you a more effective network administrator/engineer.

Its OK if I study networking and then concentrate on individual OS, right? Or is that a must?

You can learn networking first and then Operating Systems, or the way other way around if you desire so. Learning how TCP/IP functions first is a good idea, as learning about Operating Systems in depth, can be a bit boring. (Paging & Memory Handling algorithms, Filesystems, Program structure (not as deep as reverse engineering though, just what I'd call an "overview" of e.g., PE (EXE) and ELF formats. Just so you know what it means.) There's a lot more, you'll read about it when you need to 

Otherwise, it's definitely possible to become a millionaire on a six-figure salary if you're smart with your money.

I really think that pen-testers don't get paid as much as they should....

And I think that a six dollar sum comes only with 10 years in pen-testing......

What if I become really good at it but my starting salary is still like only 50,000, right? Is it possible to land a six dollar starting salary?

PenTesters often get higher salary than rest of the IT-world, hence the reason many sysadmins, even those that has absolutely no desire for infosec, moves into "infosec" with a CISSP or CEH and gets 10k extra a year or so.

Generally I'd say, a penetration tester's pay / salary, is pretty decent. Starting out as a junior, at some companies at least, pays good enough to have an acceptable living where you can eat properly. Plus you get to work with hacking, other hackers, and possibly get free training and perhaps even certs, that's pretty good.

Remember that money isn't everything. It should be second to hacking, if you want to be a true hacker that is.  (Some of the best hackers in the world, have normal jobs outside IT and their salaries are not that good, but they hack because they love it. But go for corporate hacking, because you will probably have a lot more fun if you want to work with it daily.)

No matter how "good" you are, you have to be able to justify what you're worth, by knowledge but also in many cases proven experience. If you can't prove your knowledge besides saying you're really good, the company won't be able to know whether it is true or not. (If you on the other hand, have written several tools, advisories / pocs (0days), and much more, they can at least have some sort of picture even if you have no experience.)

The more you learn, the bigger the picture will be, and sometimes it can be overwhelming to know (and don't make this disencourage you), that you will never stop learning  There is always something new to learn, something to research, and this is what gives me that happy feeling inside, that we have not yet discovered all the vulnerabilities in every single program or operating system, and that we haven't explained every mathemetical flaw there are in the implementation of several protocols.

@MaXe

So I heard you like hacking..   (Read through the entire thread at work today)

Yes! Thanks for taking the time to do that It was very kind of you   

The reason why you need to learn how systems function, is also because you need to know what happens when you run an exploit. Sometimes, you have to reboot the server, and if you're testing in a production environment and your scope says you should avoid crashing services or entire servers for that sake, then you should make sure which exploits could DoS or crash servers or services. (And thereby avoid crashing them. It also serves the purpose, of being able to identify why the vulnerability exists, in case of configuration errors, and how to resolve it. Running a "canned exploit" as mentioned earlier, is the easiest part.)

Thanks for the info mentioned above and for taking the time to type that.

I don't know EXACTLY what you meant but I've got a good idea, and it really helps in learning something when you know WHY you're learning it

you could probably do it in 5 years  All it takes, is dedication and the ability to find information on your own as well.

Thanks for the encouragement   

You're explanation of the pen-tester's dream was also very satisfying. I plan to work in whatever I specialize in   

Oh and do you know if learning Microsoft Access is of any use?


Thanks   
As for the 'dream company' do you have any ideas? (I was thinking Microsoft ......?)

 

Even though you plan to work in whatever you specialize in, be prepared to work in what you're capable of working with for starters and some time. This experience gives you more knowledge, but also proven experience on your CV / resumé, plus you will meet other great hackers most likely, and perhaps change specialization. (You never know.)

Learning Microsoft Access, I would say no, you should rather learn MySQL and / or MSSQL. MS Access isn't that widely used in web apps, I think I've seen it once where it was definitely not easy to exploit, but it's nice to know about. If you know SQL which generally is quite easy (of course 'easy' is relative), but then you pretty much just need to know the difference between MySQL, MSSQL, and use the cheatsheets you can find online for both, but also the others like MS Access. (Yes there's cheatsheets to help you inject, not tools, but knowledge you can use.)

The way I learned SQL during my education, was with this query: SELECT piece FROM cake WHERE size < mouth;

All the words in big letters are SQL "commands", the semi-colon needs to be there in almost all, if not all SQL queries at the end, and the words in small letters, are entries in a database, meaning there's at least "4 variables" in this query.

SQL is defined into databases, tables, and columns. The database is where you store all the data for a specific application, such as this "cake factory app" (or whatever you want to call it). The word after "FROM", in this case 'cake', is the >table name<.

This is where the columns 'piece', 'size', and 'mouth' are defined.

The database could look like this:
 ______________________
|________ cake ________|
|             piece            |
|             size              |
|________mouth________|

So it (cake) is a table with 3 columns (piece, size, mouth) in it. 

'cake' itself can't have a value assigned to it, but 'piece', 'size', and 'mouth' can.

Now, there's a lot more to databases, but this is the basics and I'm sure if you think about it for a while, it'll make sense if you didn't get it right away. (If not, think of Excel and use rows and columns as a reference instead. Same principle.)


Back on topic, the 'dream company', is not Microsoft. No offense intended toward Microsoft, but it is just not them, unless your entire world is about Microsoft and you love everything they create, then you should join their security team, but keep in mind you should aim to become a developer instead, not a penetration tester then. It's the same thing with IBM generally, and Google too. They're big in the global IT market, but they're not big when it comes to Penetration Testing.

Dream companies, are those that perform real penetration testing, hires the good hackers, and knows what they're talking about. One of them could be: Rapid7 (they're sometimes hiring, mostly developer positions), but there's a lot of companies I can't remember the names of, that I know from friends' experience are more than great. Some of them have awesome bonuses and encourages research, others have crazy parties, some almost always go to the big conferences (Black Hat LV and Defcon, but also Derbycon too), and some will let you travel around the world.

So when you have job interviews with companies in your country, ask them about the job, what they generally do, which conferences they go to if any, and of course if they're doing work for the government, or the private sector, but also whatever else is on your heart. (Just don't ask about the salary.)


What I like the most, is primarily web application security, research, sharing my knowledge, and hopefully sometime in the future, go to various conferences and one day at least Defcon. But I can't just say I only want that, I have to bend and give the company the value they expect and learn various things I may not usually consider learning, but in the end, the only result will be that I'll be smarter. 


What you should focus mostly on, is getting relevant and correct information, so when you research something, it's useful to read the same thing from several resources in some cases unless you know it's a fact from a trusted source. (Keep in mind that Wikipedia can be edited by anyone, and even though it generally is quite correct, it does contain various mistakes in some topics, so be careful trusting what you read. The best way to make sure something you read is true, is to test it locally on your own systems in a safe way, in case it is a hacking method.)


~ MaXe

[ajohnson]

Would it be advisable to start out as a junior system administrator and work my way up to network security / pen testing role?

That'd be a good choice. That'll hopefully give you an opportunity to work with a variety of different technologies. Even if you're not in a security role or have "security" in your title, take the time to understand the various security mechanisms that are present in the technologies you're working with. When you switch to an offensive position, you can use that knowledge to your advantage.

Welcome to the forums btw.

Is it possible to land a six dollar starting salary?

I think we all assumed you meant "six-figure," but if you're really looking for a $6 wage, there's probably a McDonald's hiring near you

[Novice hacker]

Wow......great responses        

Before I respond, I would like to thank all of you guys for taking the time to help me out                      

Thanks  !      

@ajohnson

Your reply was extra-informative and I realized some of the things that you said just a day before I read your reply......

Thanks for the novice path, I won't strictly adhere to it (read below)
but its useful as a guideline.

It's not like you learn everything about Cisco, then go learn everything about Windows, then move on to Linux, the programming, etc. Personally, I study multiple topics simultaneously so I get a little variety. Maybe try starting with A+ and a beginning Python book.

This was beginning to dawn on me....I couldn't prevent myself from reading other stuff on that list like kind of simultaneously...

In fact, I started following exactly what you suggested before you suggested it!! I've started reading A+ material    (PC hardware and A+ handbook by Kate Chase was the only book I could find in my town's library, so I've started reading it. Since its a bit outdated I will read some current version of A+ version after I finish it and I've also kind of downloaded a Python library of books and I've started reading one.  (A learner's guide to programming using the python language)

Regarding database management, your advice was also very helpful. As for the salary, read on.....
The pen-testing specializing companies advice was also very interesting so thanks again (once again, read on....)

@ unicityd

Thanks for the info.  

 It gave me a better idea of the current situation.

This is kind of further addressed down the post, so read on

@MaXe

Woah, that's the longest post I've ever seen in my life  

Thank you very very very much for posting all that info    

But, before I address it, I would like to make my position a bit more clear. You have misunderstood me.

I plan to come to the Infosec field purely because of my great interest and passion for hacking and security. I'm not doing it for the money but the reason why I posted those question was because

1) I feel that "rewards stimulate me a great deal".  

2) There will probably be pressure from my family to earn a lot when I choose an 'unconventional' field like ethical hacking. I feel as if i have to prove myself. But other than that, I joined this field ONLY because of the burning desire in my heart to learn hacking and my ULTIMATE dream is to become THE BEST or ONE OF THE BEST.....

I assure you that I am not doing it for the money alone  

On a happier mood,

I know a few hackers who began with A+ and Security+ material, they turned out to be great.

Thanks! That is very encouraging

There's a book by Thomas Wilhelm on that. (Publisher: Syngress, they publish a lot of good books on hacking.)

I read the table of contents and it looks great but there were a couple of negative reviews saying "Unfortunately, PPT should be called "Professional Pen Testing Project Management." Have you personally read the book? Would you give it the thumbs up?( because it looks good to me)

Learning how TCP/IP functions first is a good idea, as learning about Operating Systems in depth, can be a bit boring.

I went through(skimmed through ) MOS by Andrew Tannenbaum in the library today and it was kind of outdated, but I will talk more about that when I get to that step.  

Which volumes of TCP/IP should I read? (Is the I vol. enough?)

pays good enough to have an acceptable living where you can eat properly

 

And I plan to go for 'corporate hacking' because as you already stated I get to work with it DAILY    

No matter how "good" you are, you have to be able to justify what you're worth, by knowledge but also in many cases proven experience. If you can't prove your knowledge besides saying you're really good, the company won't be able to know whether it is true or not. (If you on the other hand, have written several tools, advisories / pocs (0days), and much more, they can at least have some sort of picture even if you have no experience.)

 I will try to do atleast one of these before I apply for a job......
Do you have anymore suggestions to prove my worth? (It would be very useful for me, thanks)

The more you learn, the bigger the picture will be

I like that the infosec field is a broad one too      

Oh and I will be ready for all things coming   (Regarding specialization)

And I have to thank you a ton for that mini-SQL lesson. I found that highly instructive as well as interesting to learn. (It was a great analogy, though it took me a few seconds to grasp what it meant)

Dream companies, are those that perform real penetration testing, hires the good hackers, and knows what they're talking about. One of them could be: Rapid7 (they're sometimes hiring, mostly developer positions), but there's a lot of companies I can't remember the names of, that I know from friends' experience are more than great. Some of them have awesome bonuses and encourages research, others have crazy parties, some almost always go to the big conferences (Black Hat LV and Defcon, but also Derbycon too), and some will let you travel around the world.

WOW! That's my idea of a DREAM company! What you described is almost exactly what I want to do!! PLEASE tell me if you can remember the names of those companies and if you can contact your friends for the names. They seem to fit into my interests a lot.....    (Do you work for a similar company?)

Thanks for sharing your interests, it has kind of stimulated me to be more interested in Web App Security...its ok if I learn that last right?


As for correct info, I try to get my info from two sources or so.

@ajohnson

I think we all assumed you meant "six-figure," but if you're really looking for a $6 wage, there's probably a McDonald's hiring near you

 

My bad.    

Sorry, I meant six-figure sum.

But, I think MaXe has provided some great suggestions regarding that, do you know any more? (other than publishing books and other stuff)

And once again a HUGE thanks is called for:

Thanks!