Profile picture
Alec Muffett @AlecMuffett
, 17 tweets, 12 min read Read on Twitter
@breenemachine @alexstamos 1/ Well, I've been doing this stuff to 30 years and still learn every day/week; that said, the generalities are several thousand years old and after a while you will see the same issues coming up in new clothes. But you can read around the topic in your own time. […]
@breenemachine @alexstamos 2/ Maybe half of the people I have worked with in infosec have been CS students. There is no barrier to entry. I have worked with chemists, physicists (me = astronomer), med students, linguists, performing arts students, english lit majors, and some have have no college degree.
@breenemachine @alexstamos 3/ There are 2x main paths to learning: 1 is to seek formal education - cyber-this, ethical-hacking-that - and it's fine. You'll learn, but if you only learn "security stuff" then you'll be a pentester, and I love pentesters but lord, we have enough already.
@breenemachine @alexstamos 4/ The other path is the "starts as a dishwasher, becomes a great chef" route; that's what I did. Am not saying it's the best, but I was already computer literate (thank you UCL Phys/Astro) & immersed myself for a few years, starting with a job as a systems programmer ("devops"?)
@breenemachine @alexstamos 5/ If we're following food analogies: all the "cyber and policy" lectures will turn you into a food critic; all the "ethical hacking" stuff will either leave you flipping burgers or producing sublime pastries in small batches. You can get a job with these skills, no problem. BUT:
@breenemachine @alexstamos 6/ Neither of these paths to learning will turn you into a chef who can cut code, nor into a restauranteur who can get 3 Michelin stars across 10 restaurants and turn a profit. In the tech world, these are Software Engineer & Enterprise Architect, or similar job titles.
@breenemachine @alexstamos 7/ We need more people who can write code-that-does-not-suck, and we need more people who can deploy-systems-that-scale-and-do-not-fall-over. Security is a quality which cuts across all of these, in 4 dimensions of "stack". Most people think there are only 1 or 2 dimensions.
@breenemachine @alexstamos 8/ Here's 2 slides that I keynoted at Infosec Italia in the early 2000s; it's not perfect but the goal is to say your traffic should be secure end-to-end, your stack secure from cpu-firmware to webserver, your systems integration must not leak...
@breenemachine @alexstamos 9/ …and your code quality has to be up to specification. Come to that, you need a specification, first. Which one of these was the "cybersecurity" you wanted to learn? Answer: all of them. And there's no better way to learn than immersion & "doing".
@breenemachine @alexstamos 10/ So I wish you well, and I certainly encourage you to inhale every reputable-sounding book you can lay your hands on, get a bunch of raspberry pis and set them up in a network, browse /r/netsec on reddit, learn 3x programming languages in the next 2 years, invent your own…
@breenemachine @alexstamos 11/ and sure, hit up the courses: go find coursera, do Dan Boneh's crypto course, try MIT classes, too. Teach yourself a bit of everything. Be bold. Make mistakes. Embarrassing ones. And tell people what you learned, and share what you know and listen lots.
@breenemachine @alexstamos 12/ But above all: go do shit. Daily. Break things, ideally your own things. Try your hands eventually at "capture the flag" competitions, but don't think that just because you've won them that you're "good", it just means that you've got the right skillset. And, importantly…
@breenemachine @alexstamos 13/ the bit that all the red-team bullshitters miss out upon: for each thing that you break, you should MAKE something, too. Don't be a destroyer - they're boring. Create tools, help people. Every project ever has started as 1 line of code. Make more of them. Share them.
@breenemachine @alexstamos 14/ Then: 30 years later you'll bump into someone who will buy you a drink (or possibly: hire you) because they were using your code when they were 13 years old. That's literally what my eventual boss at @fb_engineering told me in my screening interview.
@breenemachine @alexstamos @fb_engineering 15/ One last thing: I said that "winning CTFs does not make you 'good'" -that's true. A good security person measured either as being the world's expert at something really narrow, or (more commonly) carrying around in their head a huge set of diverse & complementary perspectives
@breenemachine @alexstamos @fb_engineering 16/16 if you wanna be "good", be ready to turn your hand to anything, learn, sponge up the learnings, and replay them in circumstances where they will add benefit to those around you. Hence "generalist". Do all the weird shit, it comes up more often than you'd think.

Best.
@breenemachine @alexstamos @fb_engineering @threadreaderapp unroll, please
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Alec Muffett
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @AlecMuffett see all

Profile picture
justsecurity.org/62114/give-gho…
1/ Applying this idea to WhatsApp, it would mean that—upon receiving a court order—the company would be required to convert a 1-on-1 conversation into a group chat, with the government as the third member of the chat. But that’s not all.
2/ In WhatsApp’s UX, users can verify the security of a conversation by comparing “security codes” within the app. So for the ghost to work, there would have to be a way of forcing both users’ clients to lie to them by showing a falsified security code, ...
Read 39 tweets
Profile picture
THREAD: QUESTION FOR ALL SECURITY PEOPLE — in this day and age, would you buy a single-vendor IT security solution which advertised itself as "the gold standard" for data security protection?

Would you give that claim any credence whatsoever?
The infosec world has a long-established term for such glib claims: "Snake Oil" - this terminology goes back to the 1990s or earlier, for vendors who were selling sub-par cryptography as "military-grade" or other supposed but meaningless description interhack.net/people/cmcurti…
Particularly telling for "Snake Oil" are the words and phrases that are used to describe the security solution, process, or tool, its development, mechanism, or vendor:

* "Trust Us, We Know What We're Doing"
* "Unbreakability"
* "Military Grade"

interhack.net/people/cmcurti…
Read 27 tweets
Profile picture
@NCSC Hey Mat; your categorisation has issues at the very first hurdle - understandable considering that it comes from a perspective of attribution. In the private sector it's rarely about how godlike the attackers are, it's about how long they persist before if they get bored.
@NCSC It's a concrete example of the old joke about "I don't have to outrun the bear, I just have to outrun you" - the private sector is not and should not be collectively responsible for each other's security. As such we strive amongst ourselves to be secure sufficient to our needs.
@NCSC Of course one of the benefits of a "elitism based approach" to qualifying hacking risk is that it sediments GCHQ as role as arbiter of how bad threats are; NCSC becomes a bit like the IOC, vetting the state of the hacker "athletic" field...
Read 7 tweets

Related threads

Profile picture
Well, here is some made-up stuff... Let's look at these numbers, shall we? #Loopyhype
4000 vehicles/hour means 0.9s separation between them. It takes 15s to brake to a stop from 155mph, assuming the system can decelerate at 0.5g (you'll get whiplash much faster than that).
Assuming the same acceleration, it will take vehicles 500m to get up to speed and 500m to slow down again.

So for each access shaft, you'll need 1000m of parallel tunnel to get vehicles on and off the primary tunnel. And 0.9s separation doesn't leave much space for error.
Read 11 tweets
Profile picture
I try to escape my bubble as much as a I can. My old face book page is 99% my old life. So I go back there every once in a while just to see what the nut jobs are up to. But this last time was a stark reminder to never go back.

A short story of the times: 👇
I have this old "friend." We met in the 90's. We were ravers. We broke into warehouses, danced + took drugs. We rebelled against the "man". We were culture warriors at a time when the culture war meant more freedoms for all.

Now she's a lawyer and has become the establishment.
She has a law degree from Georgetown University. She was a clerk at the Supreme Court. She left a high paying Big Law job to become a federal public defender, because she has the luxury of choosing whatever career she wants.

She owns a home, has a dog, and is single.
Read 18 tweets
Profile picture
Day 11 of the Bates v Post Office group litigation at the High Court Rolls Building. It's the last day of evidence for Post Office witnesses and the only day court sits this week. A lot of info has gone up on postofficetrial.com over the weekend. Enjoy. #postofficetrial
Live tweets start at 10.30am from court 26 of the Rolls Building.
Nine minutes to go before Day 11 of #postofficetrial gets underway. Very few members of the public in court today, none of the regular claimants (except Alan Bates). A full complement of claimants lawyers but no one at all from the Post Office - visitors or lawyers.
Read 144 tweets
Profile picture
One year ago today I played THE best game of hide and seek with the police. A thread⤵️
Okay guys buckle up and grab some snacks because this is gonna be a long story consisting of an underage party, some teens, and a mattress.
So where do I begin? Well a little background first.
•I was 18 years old when this took place.
•It was the summer after senior year.
•I was not typically labeled as a regular partygoer and only occasionally drank, but didn’t like smoking.
Read 28 tweets
Profile picture
A) I've been warning about the dangers of TMZ with respect to what they cover, don't cover, and how they frame "news". Now they're trying to mess with my friend @LisaLampanelli and just like my support of @iamsambee, I'm not going to allow TMZ to do to Lisa what they did to me.
B) Last weekend Lisa did a gig in San Jose and dealt with a heckler which is typical. The guy kept interrupting her act and when she confronted him and said he was getting thrown out (with a refund) he tried to give her $100 to shut up. So this jerk is at her show, ruining it..
C) For people who paid good money to see Lisa and then has the audacity to tell her to shut up. So Lisa, doing what she does best, goes off on him. It's something she always does with hecklers. Someone sent a tape of it to TMZ and this is how they framed it: "Nuclear Meltdown"
Read 18 tweets
Profile picture
*hops on bandwagon to talk about this as someone who turned tweets into a career* Okay so first read all of this advice. Got it? Good. Now let's talk a sec about roads to success & how you don't have to follow what anyone else is doing.
I'm 41 years old. I have the kind of career path that makes career counselors sit down & take a drink. And stare at my resume & ask me quietly, plaintively if I ever bothered to think about long term goals or if I just spun the dial & leaped. (Door #2 is the answer mostly)
I've always been a writer. But writing doesn't pay the bills at first unless lightning strikes & I don't believe in starving. Also I have kids & a husbeast so you know...responsibilities. So I built the giant platform & then I started trying to publish. It works better that way
Read 5 tweets

Trending hashtags

#AccidentsWillHappen #soon #AnOpenSecret #KevinSpacey #HappyLaborDay #WomensChristmas #getoffmylawn #weinsteinscandal #RecordStoreDay #DNA #TheList #NTS2 #KevinSpcaey #worldbuilding #RTC18 #amquerying #PeakTV #TRS80CoCo #HarveyWeinstein #InternationalMigrantsDay #ElvisCostello #FakeNews #StephonClark #LostHighway #TheBeatles

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!