Ask HN: Can you get into security research self taught?

14 points by the_only_law ↗ HN
The word “research” tends to evoke ideas of long, expensive academic careers you have to put in until you can be considered qualified for industrial R&D type roles. But security research seems to be orthogonal to many fields that tend to focus less on credentialism and more on proven past ability. It’s not uncommon software devs, other security roles, etc. to be able to break into to their respective fields self taught so is it possible for security research roles?

If so, how difficult is it to self teach this sort of stuff and how long would someone with a cursory understanding of exploits, security, etc. to be “ready” for a industrial role in this field. I get that’s a very open question, with widely varied answers based on individuals, but for comparison, it doesn’t seem to take software developers that show existing aptitude for the field very long to have the potential for productivity in a industrial setting. Hell there are entire industries around pumping out new programmers in 6mo-1y, and while they may not all be top of the line, if good at all, getting your foot into the door seems to be the biggest step into separating those who are and getting them into the right track.

23 comments

[ 2.4 ms ] story [ 46.3 ms ] thread
Depending on your auto-didact capabilities, you can start this process by studying with the various on-line paid courses, there may be some free ones as well. Someone already in security can further advise you the degree of specialisation or granularity for you to pursue. The field is both wide and deep. You can sub-study in Windows, Linux, Unix,IOS - in addition there are sub areas, like data base makers, like Oracle and others. Once you have selected the area you want to specialize in you need to study in depth, following reference trees etc. The paid courses offer certification via tests with their fees. Deciding the particular special area, the next stage is to seek employment at your certificate level(you may have a number of certs). Companies also specialise in areas, so inspect the field. Bear in mind, you will need to acquire system expertise on the system you specialise on = buy a typical system as a practice field, you may have several systems. There are many openings, so recruiters will present you with choices = you apply. If your self study is well done, you will get interviewed to plumb your abilities, and you may get offers. Do not neglect the government, NSA and military, there are many valuable roles you can fill. The famed hackers you have read about are often self taught trial-and-error people, who by perseverance and intelligence have become narrowly specialised at hacking. In many respects a lot of the low hanging fruit has been gathered - that said modern systems are bewilderingly complex and there seem to be a huge number of hidden bugs being found daily. Some are sold to companies by their bug bounty programs, which you may have read about. Some are sold to bad actors who keep them quiet and selectively employ them by national actors. Their value goes down once they are exposed and get exploited for gain - the so called 'zero-day' - when it suddenly gets used for mal use widely and the OS makers try to examine the bug and deploy a patch to kill the exploit as fast as they can. Patch negligence extends the life of an exploit - obviously patched systems are immune. Sorry, to repeat what many may already know. Good luck,
In the 90s I was a "hacker". I hacked systems, phreaked, and stuff like that. I wanted to be a security researcher. When I got older and that industry evolved, I realized it wasn't something I wanted to be a part of, and that the majority of people there are bureaucrats. Security cert, no assembly or even C knowledge. A checklist and set of acronyms, plus access to metasploit and tools like that - it was 180-degrees from what I wanted.

Long story very short: if you like systems that much, get out of the security industry and become an engineer in an area that excites you.

There are exceptions (1337 low-level programming hacker in the security industry) but they're rare enough that you and I aren't likely to be one.

If you don't mind my asking, how did you get started in your journey to become a 1337 h4x0|2 during the 90s? BBSs? Usenet? How easy or difficult was it to find learning material, resources, and open PBX systems to phreak? Were you ever familiar with groups like Cult of the Dead Cow?
I got started with BBS' and later Phrack. I used to check out books at the library a lot, on Unix / programming / anything else technical. I used to think cDc was very cool. One grows up and the groups become lame, and the knowledge turns out to be pretty low-level (you can learn a lot more in engineering school than Phrack).

I phreaked more last year than I ever did as a kid since I got back into telephony, set up phones, and started scanning.

I was fascinated into malware reverse engineering a while ago, found that all those techniques such as process hallowing and process doppelgänger to be very smart tricks.

Then not long after I realized that I probably would not learn much unless I bag enough positive engineering experience under me. A few years of Windows system programming is pretty much needed.

Yeah this makes me apprehensive. Every time I see windows system API (particularly userland stuff) I kinda get sick, as the docs seem to be in a bad state and nothing feels consistent.
Yeah I figured unless you do sys programming (operating system/driver development) as job it's really confusing where to start because there is no clear route to the mountain top.

What I find a bit more useful is to find malware analysis and especially articles that examine the _methods_ malwares use with simple examples (e.g. Process Hollowing is used by some malware, but if you are to read the source code for that, good luck, it's a lot easier to read a blog that explain what it is and how to do it in a naive way). But even those are not easy for a layman so I figured I' still far from the doorway.

Don't forget that unlike normal engineering, in the security world, malware, anticheat, cheats, DRM, etc all love to use the most obsecure, undocumented private APIs, memory writing, all sorts of bizarre and unnecessary calls that would get you physically attacked in a code review.
How does anyone even approach these kinds of things? I mean I don't even know how to approach the much more legit business of say Windows Driver Development or Kernel programming which I'm pretty sure can lead to a fruitful malware re career. I mean there are definitely books out there such as "Windows System Programming" but it looks like a huge leap from your average programming job and even from the average Computer Science undergraduate education.

I'm getting into a Graduate Diploma of Computer Science in my late 30s so it's more as a hobby than a career. While the department is out of top 200 of global ranking, I did get A+ on Comp Arch and am going into Advanced Programming which is based on C++. From the few malware reports that I read and can understand a bit, malwares in general don't deal with sophiscated algorithms,unlike in the business of Database Engine development. I only have a shallow deeling but they seem to care a lot more about hidden entries, side-channel attacks or even upstream attacks (Solarwind). And there are a LOT of vectors to approach.

This further confused me so I figured it's better for me to concerntrate on the fundementals a.k.a. general programming (problem solving in general but not really focused on leetcode style questions), computer architecture and assembly language, compiler theory and operating system. How the operating system load and execute code and how does virtual memory and processes work, these kind of things.

It feels very much like a detective job in which one needs to reverse engineer the motives and etc. In the meantime, although the detectives are not suppose to commit crimes (positive engineering a malware), he/she must learn all those tricks to fight the criminals.

How often do you do this for fun? My coworker and I both got into this type of thing from game cheating when we were small children. I remember having a CEF (Cheat Engine forums) account way back in the single digit age group, angrily trying to figure out why I got banned for not hacking and just listening to music.
yeah I remember doing this when I was young, but for now, actually, I can't think of anything that I have particular need for RE. Maybe that's the reason?

BTW kudos for whatever you achieved :D

Were blue boxes dead by the '90s or did they still work?

Anything that you picked up in particular from engineering school that was more rigorous than what you could glean from Phrack or txt files?

I would've thought phreaking was a dead art after the move to digital phone systems and VOIP. Any way for someone interested in 21st century phreaking to get started?

Long answer:

I never used a blue box (I was not that advanced as a teenager). I made and used less-cool boxes (red, beige) in the 90s. Blue boxes theoretically still work in some countries, but not the US (even the last 1AESS was removed a few years ago, and that was a digital switch.)

There are (or very recently were) MF trunks with in-band signalling to overseas locations that could be boxed... but the owners of the trunk(s) knew that risk and so used a very non-standard method of signalling that would be hard to figure out. I'm talking about this year, even.

The cool thing about phreaking now (just scanning, really) is that the traditional (POTS) phone system is dying. So it's like exploring ancient architecture. There's a ton of stuff out there to find. Just get an account with a provider like voip.ms (much cheaper than AT&T or other traditional POTS), install Asterisk and hook up a retro phone to it, and dial around randomly.

About school: One can learn to program or hack (even well, if they have the knack) from text files. I went to engineering school about 1.5 decades after the "hacking" career and it's a completely different approach to knowledge.

For example I remember picking up a tech manual for a radio at the age of about 20 and seeing a bunch of 'cos' and 'sin', knowing they were trig functions and related to radio, but not understanding what they were actually getting at with their description. It was just "deep and probably irrelevant" in my mind. Now I can understand (to some extent) those kind of things.

Engineering school provides a lower-level understanding of the world, just as assembly language provides a lower-level understanding of the machine

Would that retro phone be dial-tone or pulse? Any models you'd recommend if I wanted to scan fast?
I have both. Pulse gets old fast though. Western Electric 2500 series is my favorite dtmf phone. To scan fast I set up custom extensions in Asterisk that let me program in a prefix (npa-nxx), then after that I just press 'x-yyyy' where 'yyyy' is the last four of the number.
>Security cert, no assembly or even C knowledge.

Work at a security company. Everyone I know with "research" in their title is legitimately great.

That being said there are different types of security researchers. It seems like you were focused on vulnerability research/exploit development/offensive stuff. There's also malware analysis, intelligence, and detection research.

Just like exploit development, malware analysis requires reverse engineering skills. However, Intelligence analysts and people doing detection research often have incredibly deep and broad skillsets that don't involve knowing assembly or C, yet they are still doing amazing work. Some of them are also reverse engineers, but depending on the role its not the standard by which I would judge competence.

I've seen orgs that hire mostly bureaucrats, but if a person has genuine passion for security they can find a fun and challenging place to work.

Is there any space for Data Scientist here who knows his way around ML and AI? I see some roles that require some Data science but they are not widely prevalent.
Where have you looked? If you have domain specific experience with security it would really help but security is growing so rapidly I suspect they probably have trouble filling all of the data science/ML/AI roles without also hiring people who have focused on other areas.

I hear quite a bit about security companies/large companies with mature security programs trying to build services/products that utilize AI. FireEye/Mandiant, Rapid7, Palo Alto Networks, Microsoft, Apple, Google, Talos, would probably be good places to look.

I was looking into this role here : https://careers.microsoft.com/us/en/job/1041386/Security-Dat...

Two more questions: a) Is it possible to get domain specific experience without getting into an cyber security role? b) Did you mean to say that Companies will be open to hire non-Cyber Security folks due to the high number of vacancies? I am sorry. I did not understand what you meant.

Thanks a ton!

Yes I mean that companies may hire someone with data science skills but no security specific work experience.

In fact the job you posted says this:

"Passion to the cybersecurity is mandatory, though no previous experience or knowledge is required"

"that the majority of people there are bureaucrats"

I'm an Application Security Champion (ASC). This is very true. My job is basically filling out paperwork, scheduling meetings, and stuff like that. Of course this is only a partial role that is in addition to my regular dev duties.

Well yes, back in the old days most of us were self thaught through articles such as Phrack, or connections on IRC, and lots and lots of experimentation.

I would say today it is both easier and harder. It is harder because the body of knowledge is so much larger, it is easier because so many more materials and exercises are available.

From my perspective, and I lead a team of these security researchers, it is an advanced career path, and still requires a lot of self-motivation. That said, there are more and more definitions of what "security researcher" means, in some cases it means being able to find web vulnerabilities without using Burp, so YMMV.

I would suggest to focus on fundamental skills such as reverse engineering, code review, low-level languages such as C and assembly, interfacing at a low-level with binaries through debuggers and instrumentation etc etc. Those are all broadly applicable. Playing CTF games is a good starting point too, as is auditing open source software.

But make no mistake, it will be a challenge, and it will require tenacity on your part. Good luck !

Yes, but you need a lot of motivation, a lot of curiosity and the ability to work through lots of adversity. "Back in the day" almost all of us were self-taught, aside from those epic standouts in good CS programs doing amazing stuff.

I'm not trying to be insulting here, but you asking this here gives me the impression that you don't have that motivation. Because if you did, you would have sought this answer on your own. It wouldn't be the first time, I'm wrong, though.

Dip your toe in and see where it goes. If it's not for you, move onto something else that interests you. It's fine to explore.