
I'm a paid hacker, AMA


Original post by AcseI
Title is only slightly clickbait. I graduated from a Cyber Security and Forensic Computing degree, and am currently working as a Cyber Security Researcher. In short clients give us stuff (hardware, software, etc.) and we check it for security flaws by trying to break it.

AMA

I was gonna pay for a very special thing....
Reply 21
Original post by AcseI

Bug hunting - Identifying bugs in software, which can lead to vulnerabilities




I don't think bug hunting is all that effective, is it?

I mean look at Sony. Literally ALL of its consoles have got hacked. They've now put up a "bug bounty" programme, where if you find a bug and tell it to them they will pay you, and pay depends on how critical the bugs are. Last time I viewed the list of submitted bugs there were quite a lot which people had found, and some big bounties awarded, up to around 40k IIRC... so it seems there were some critical bugs that its own bug hunting team missed.
Original post by ANM775
I don't think bug hunting is all that effective, is it?

I mean look at Sony. Literally ALL of its consoles have got hacked. They've now put up a "bug bounty" programme, where if you find a bug and tell it to them they will pay you, and pay depends on how critical the bugs are. Last time I viewed the list of submitted bugs there were quite a lot which people had found, and some big bounties awarded, up to around 40k IIRC... so it seems there were some critical bugs that its own bug hunting team missed.

Well, simply put, software is complicated. When you have potentially hundreds of people, writing thousands of lines of code, as part of different systems and everything has to work together, you inevitably get problems. A lot of bugs don't tend to follow "common sense" either, and sometimes no amount of testing is going to find all the bugs. It's difficult to really gauge how effective bug hunting is though, because you'll never get inside numbers on how many bugs have been squashed in the course of daily work.

Bug bounty programs are becoming more common, whether it's in partnership with services like HackerOne, or independently provided by the vendor. There are thousands of people who engage with them specifically looking for bugs, and that can be thousands of eyes and tooling that a company otherwise wouldn't have had access to. Many people write their own custom tooling, have their own processes, etc. and it results in a huge array of approaches rather than just an internal team doing the same thing they always do. These programs aren't a replacement for internal testing, but reward people for finding bugs.

Ultimately no system is bug free. For every bug found and submitted, there's probably dozens that go unfixed. But not all bugs are created equally. Writing exploits for modern systems is a somewhat difficult process given all the protection mechanisms in place. And of course not all bugs are exploitable. Bug bounty programs are therefore a good way to get people focused on the high impact bugs, and payouts often reflect that. Of course not everyone is getting 40K per submission, and it's not at all uncommon to see smaller payouts in the 2 or 3 figure range. But every bug fixed is one less for an attacker to use. It's all about reducing attack surfaces as much as possible.
Is this actually true?

Original post by DiddyDec
Is this actually true?


The general premise is correct, yes. Using "correct horse battery staple" specifically as a password would be an awful idea nowadays as a result of the comic, but you're generally much better picking some random words over the substitution approach.

Of course it's more complicated than that when you dig into it, and it's rarely a simple matter of "X days to guess a password". But as approaches go, the second is better than the first.
Bump, let's do some more Q&A
Reply 26
What university did you go to?
What are the main differences between a Computer Science degree and a degree in Cyber Security & Forensic Computing?
Original post by AcseI
Title is only slightly clickbait. I graduated from a Cyber Security and Forensic Computing degree, and am currently working as a Cyber Security Researcher. In short clients give us stuff (hardware, software, etc.) and we check it for security flaws by trying to break it.

AMA


What’s the most shockingly bad security flaw you’ve come across and what were the potential implications if the problem was not resolved?
How much do you get paid
Original post by hajima
What university did you go to?
What are the main differences between a Computer Science degree and a degree in Cyber Security & Forensic Computing?

I'd rather not provide my university, as understandably I want to keep personal information out of the public domain. Feel free to PM me if you want to have a discussion about uni though.

The primary difference is really depth and breadth. I didn't take CompSci, and each CompSci degree is a bit different so I can't give a fair comparison. But for me the primary difference is the emphasis on Cyber and Forensic topics that would not be present in CompSci. Given degree content is fairly fluid, this isn't a hard and fast comparison. But some of the things I covered that probably won't be covered in CompSci (or you might get one optional module at best) include:

Reverse Engineering

Binary Exploitation

Forensic Investigations

Cryptography

The business side of things (so GDPR and other laws, risk assessments, cyber response, etc.)

I had the option to do a placement with the police, and naturally my placement year was Cyber oriented too


Additionally, some CompSci degrees focus heavily on programming, whereas Cyber emphasises well-rounded knowledge that can be applied in a Cyber context. We had additional modules on networking for example, that weren't present in my uni's regular CompSci degree. We had the option to take more traditional CompSci modules though, such as advanced programming or data structures.
Original post by boulderingislife
What’s the most shockingly bad security flaw you’ve come across and what were the potential implications if the problem was not resolved?


I don't think this is really something I can answer in any great detail. Generically speaking you'll hear about a lot of different stuff on the news. But when it comes to stuff I've personally encountered there's obviously a very limited subset of details I can provide. Plus I only started my grad job recently, so in a professional context I don't have much experience anyway.

The most generic thing I can say is that I found a payment portal (the sort of thing where you put your card details in before submitting an order) that allowed me to set the prices of products myself. So quite trivially I could say "nope this £99 product actually costs £1" and that's what I'd get charged. I think the implications speak for themselves there.

On a broader level, I found out that the Thames Barrier (I think, it was a long time ago) was accessible over the Internet. This is also one of my favourite videos that covers the sort of everyday "shockingly bad" security issues someone might come across. Hopefully this sort of answers your question.
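The payment portal flaw described in the answer above comes down to a server trusting a price sent by the client. As an added example (not part of the original post and not the portal's code), this constructed Python sketch puts that pattern beside a handler that prices from a server-side catalogue; the field names, SKUs, catalogue and quantity limit are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only trusted source of prices.
CATALOGUE = {"SKU-1001": Decimal("99.00"), "SKU-1002": Decimal("14.50")}


def charge_trusting_client(form):
    """Flawed pattern: the amount charged is whatever the request says."""
    return Decimal(form["price"]) * int(form["qty"])


def price_differs(sent, unit):
    """True when the client-sent price is not the catalogue price."""
    try:
        return Decimal(sent) != unit
    except InvalidOperation:
        return True  # an unparseable price field is treated as tampering


def charge_server_priced(form):
    """Hardened pattern: the price comes from the catalogue. Any price in
    the request is only compared against it so tampering can be logged."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:  # assumed per-order limit
        raise ValueError("quantity out of range")
    unit = CATALOGUE[sku]
    tampered = "price" in form and price_differs(form["price"], unit)
    return unit * qty, tampered


if __name__ == "__main__":
    # Constructed request in which the price field was edited client-side.
    edited = {"sku": "SKU-1001", "qty": "1", "price": "1.00"}
    print("trusting handler charges:", charge_trusting_client(edited))
    print("server-priced handler:", charge_server_priced(edited))
```

The tamper flag gives the operations side something to alert on, since an honest client never sends a price that disagrees with the catalogue.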
Original post by Ahmed.S1
How much do you get paid

I answered this one in an earlier post.
I'm going to cheat and ask myself a question.

Q: What's the most misunderstood cyber security technology?
A: VPNs. Advertising companies have made the average user think that a VPN is some sort of necessity in the modern age, and that it'll protect them from all the bad guys. Neither of these is true, and VPNs do not do what the vast majority of people think they do.
Original post by AcseI
I'm going to cheat and ask myself a question.

Q: What's the most misunderstood cyber security technology?
A: VPNs. Advertising companies have made the average user think that a VPN is some sort of necessity in the modern age, and that it'll protect them from all the bad guys. Neither of these is true, and VPNs do not do what the vast majority of people think they do.

Can you tell more about this... this thing is making me more worried...
Original post by maniali123
Can you tell more about this... this thing is making me more worried...

More worried in what sense? What do you want to know?
Original post by AcseI
Title is only slightly clickbait. I graduated from a Cyber Security and Forensic Computing degree, and am currently working as a Cyber Security Researcher. In short clients give us stuff (hardware, software, etc.) and we check it for security flaws by trying to break it.

AMA

Which uni did you do your degree at?
Original post by geek_kid
Which uni did you do your degree at?

I'm not going to share the uni I attended publicly. You are free to PM me if that's a discussion you want to have.
Ahhh you're a white hat hacker
Original post by Nialler x
Ahhh you're a white hat hacker

Correct, although the various hat colours have got a little out of control.
Original post by AcseI
Correct, although the various hat colours have got a little out of control.

I studied ICT for GCSE so I know the hat colours. How do you mean??
