Ask HN: Where did you learn about security/attacks?
I have noticed quite a few HN users are well versed in security and various attacks (recently mentioned is the "cleaning lady" attack by cperciva (http://news.ycombinator.com/item?id=895411)). I consider myself well versed in basic web attacks (SQL injection, CSRF, etc.), but I would love to learn more about the algorithms themselves and I'm wondering where you guys/gals learned about encryption algorithms in general and the various attacks on them. Same thing with the general security issues (like the one discovered by dfranke on hacking arc).
Are there any resources you could recommend to those (like me) who want to learn more?
5 comments
[ 223 ms ] story [ 1114 ms ] threadhttp://www.cl.cam.ac.uk/~rja14/book.html
It's unclear what exactly you want to concentrate on. Do you want to learn about encryption algorithm details and want to understand the design decisions behind them or do you just want to effectively use them? Do you want to learn about proper architecture and general principles?
edit: feel free to contact me if you have any specific questions, I'll try my best to weigh in on specific issues.
If it's not too technical, try finding some articles in phrack(.org) magazine. They usually outline the details of attacks and will let you see what vulnerabilities attackers take advantage of. If you want to stay technical, I'd look for exploits online and try to understand how they work. If you start at the defensive end, it might not be exactly clear why some counter-measures are in place and might be more dry than playing with something you can actually break.
Get a very old Linux install, disable ASLR, PaX, W^R and anything that might stand in your way and create write your first buffer overflow attack. Then try a a heap exploit. Then move on to more interesting things. Try to follow security conferences and the papers presented there. Attend security-related meet ups in your area. Idle in irc channels, etc.