29 replies to this topic

[orion]

I've been thinking of going into the computer security feild and i was wondering what you lot think. I've heard people saying that programmers are write better code and that it is getting alot harder to find bufferover flows and format string etc, and that black hats are losing the war. The only thing left would be bruteforceing remote connection to gain entry.
I would like to hear what you people belive if black hats are losing and if the security feild is worth getting into and its not going to die in five years.

Have a good day.

[gloomer]

I've been thinking of going into the computer security feild and i was wondering what you lot think.

WOW. There was JUST a topic about this Please read for further info

Well.. people are finally realizing the importance of security. Basically, black hats have helped force the programmers to program better.

But as long as there are computers, there will be vulnerabilities. As long as there are average joes and clueless users, there will be issues.

People are finally starting to get that using "12345" as a password, just doesn't cut it anymore.

The security field will never stop. No need to worry.

[n3xg3n]

Sure, buffer overflows are being cut off on the language level and the operating system level, and people are writing more secure, but people will screw up, admins won't patch, and programmers will include logic errors that allow hackers to bypass the security...

[Multi-Mode]

I think it takes longer then five years to get into the "field", I don't think security will ever be a dead field. Talent is in demand if you got talent you're set but there’s a growing abundance of people in the "security field" who lack it or worse lack any motivation to develop any. Not only are you going to need talent but your going to need to prove it. Everyone in their mother wants to be a l33t hacker or get into the security "field". (Myself included but it takes a little time and a lot of work)

You need a foundation in the basics before you start specializing in shit. Your going to have plenty of nay sayers. Go get your ccsp and start looking at the requirements for the cissp once your there you should have an opinion of your own....

But wtf do I know, I do some fun shit at work but I’m not sitting behind an ids yet. All's I'm saying is it takes a lot of dedication, as in ongoing life dedication that you might want to consider before committing yourself to security. Keep in mind that all the shit in your head is probably always going to be right on the cusp of being obsolete.

[baby-Hackribs]

Hit the breaks. Hacking is all about the challenge... have faith. Where there's a will, there's a way. couldn't be more true. I mean seriously, people will always screwup, code will always be borked, hacking is about creativity allot of the time. So all in all, hackers aren't dieing; with new frontiers bring new flaws and mistakes, and technology is always changing. No, hackers are not dieing.

No way will the security field die... ever, it may diminish significantly within the next 80+ years but it will never go away. I mean, think about it if you're company manages a website for advertisement purposes and promotional purposes and all that cal, why would you risk security.... if your a level-headed company anyway.

....
One can only hope skiddies will.

Edited by baby-Hackribs, 21 June 2007 - 08:27 PM.

[gloomer]

Skiddies exist because people refuse to patch software. And then they blame it on "hackers"

If you don't patch your software, the obvious is bound to happen...

[Ohm]

It's an arms race, just like any other arms race in human history. Programmers make mistakes, blackhats exploit the mistakes, programmers make new mistakes or blackhats come up with new techniques (holy shit crazy hacks like ret into libc) and the cycle continues. It'll never end, as long as code is accessible to the blackhats, they'll find a way to break it.

But in any arms race, there are points where someone is winning. Now, the programmers seem to be winning. This is not 1998, simple buffer overflows don't cut it anymore. Not only are they much more rare (due to some programmer enlightenment, compiler warnings and better functions), but there are protections (W^X or NX, canaries, etc) put in place. On the other hand, with the prevalence of ignorant PHP programmers (no shortage of those), there are new and different vulnerabilities to exploit. You don't need buffer overflows when you have SQL injection and such.

No one will ever win. The blackhats will never go away (especially now that there are cyber-armies in china and such), and the programmers will never be completely safe. There will be lulls where one is clearly "winning" in some corner of the computer world, but there will always be something interesting going on.

[n3xg3n]

On the other hand, with the prevalence of ignorant PHP programmers (no shortage of those), there are new and different vulnerabilities to exploit. You don't need buffer overflows when you have SQL injection and such.

No kidding, I'm writing a short piece on RFIs, and the concept is so simple that I am amazed that Buffer Overflows are more of an "issue" to the programming population... The problem could be fixed overnight if PHP set it so that Remote File Inclusion is disabled by default

[stacksmasher]

If you like security, It is a great profession. My family will never go hungry and I make more money then all of my friends for hacking and cracking, lets face it information security is a "cool job" and you can go anywhere in the world and work.

Edited by stacksmasher, 21 June 2007 - 09:43 PM.

[DamienAK]

Since this is kind of related to my thread I started earlier I feel obligated to respond. You can't get into "security" if you don't already know about "security". It's not like a regular job where, let's say C# is a hot skill right now, you go out and you learn C# and you get a job developing some database front-end for a local real-estate firm. If you truly want to be successful in the security field you have to become an expert at it. The guys that are making the big bucks doing Pen Tests and being security consultants also happen to be the guys that are out there finding vulnerabilities, starting consulting companies, writing books, writing software, etc. Take for example the whole buffer overflow thing. So programmers are finally catching on, but guess what, Mudge wrote a paper on buffer overflows in 1995 (one of the first on the subject I believe, way before Aleph One). So it took about 10 years for people to smarten up, and before buffer overflows there was an array of other vulnerabilities, and even if they fix every single buffer overflow new methods will be developed. My point is that if you want to be in security you can't be the guy who reads about buffer overflows in Hacking Exposed in 2007, you have to be the guy who first reports on them in 1995. You have to be the guy who looks at a new technology and says "Hmm, I wonder what happens if I do this to this where this is supposed to go". If you're the guy who is sitting around reading books trying to get a job in the security field you are competing with the guy who wrote the book and the guy who helped him research the book, and the guys they hang out with and share their research before the masses find out.

[seven]

I'm sorry, it's a pet peve of mine. It's "dying" not "dieing".

[Elf]

C coders may be getting better about sanity checking and use of fixed length buffers, so sure, that one method of exploitation may be getting less attention.

However as others have pointed out, with the new "everyone's a programmer" web environment, it would seem that there are actually more holes than before. Watch any security lists and you'll be overwhelmed by the number of exploits for "Joe's Discount Guestbook" or whatever other dodgy web application someone has slapped together.


Also as per the topic, hackers die every day! It's only natural.

[Sidepocket]

I've heard people saying that programmers are write better code and that it is getting alot harder to find bufferover flows and format string etc, and that black hats are losing the war.

Yes, recently we lost 2,000 troops to the joint treaty between the NSA and Microsoft stormtroopers. The cyberwars are in a dark period were Darth Bill Hilf is force choking our captives and has sent the Script Kiddies to sabotage our Botnetz. Our only hope right now is a tiny packet named R2FU who has the plans for the current Death Star called the "iPhone".

May the code be with you.

[twirlz]

as long as there are free thinkers and people that think outside of the box there will be hackers.

[feverdream]

Since this is kind of related to my thread I started earlier I feel obligated to respond. You can't get into "security" if you don't already know about "security". It's not like a regular job where, let's say C# is a hot skill right now, you go out and you learn C# and you get a job developing some database front-end for a local real-estate firm. If you truly want to be successful in the security field you have to become an expert at it. The guys that are making the big bucks doing Pen Tests and being security consultants also happen to be the guys that are out there finding vulnerabilities, starting consulting companies, writing books, writing software, etc. Take for example the whole buffer overflow thing. So programmers are finally catching on, but guess what, Mudge wrote a paper on buffer overflows in 1995 (one of the first on the subject I believe, way before Aleph One). So it took about 10 years for people to smarten up, and before buffer overflows there was an array of other vulnerabilities, and even if they fix every single buffer overflow new methods will be developed. My point is that if you want to be in security you can't be the guy who reads about buffer overflows in Hacking Exposed in 2007, you have to be the guy who first reports on them in 1995. You have to be the guy who looks at a new technology and says "Hmm, I wonder what happens if I do this to this where this is supposed to go". If you're the guy who is sitting around reading books trying to get a job in the security field you are competing with the guy who wrote the book and the guy who helped him research the book, and the guys they hang out with and share their research before the masses find out.

Good reply.

I'm currently in the security field. In my experience, the guys I work with have done it all and know there code well from DOING it. They sit there and hack there own code as much as other peoples, attempting to exploit what they and there own peers write before it goes public just for the look on there face.. and that is just the Devs on the team, I'm not talking about the guys in Test like who are doing it as well. They are typically brains who live life secure in the knowledge that if they lose the job they have then they can simply accept an other offer somewhere else and get a small raise doing it at the expense of no longer working with long time friends, and that is what keeps them from doing it. Many of the guys I work with have also have PHD's in one of the 'hard' sciences like mathematics or physics, and view security as a challenge that is always changing and worthy of them enough that it is the one thing they have not gotten bored with doing.

[Eggy Sadow]

as long as there are free thinkers and people that think outside of the box there will be hackers.

Boxes Are Scary

[kingospam]

I don't like the terms blackhat, whitehat, greyhat, etc. People get hired to find vulnerabilities. Does that make them a blackhat? No. It proves that they are good at what they do. Other people do things are on their own. That doesn't mean they're bad at vulnerability development. It just means that they're not looking for a job in that field. Yes, there will ALWAYS be vulnerabilities. Yes, there will ALWAYS be people who want to find those vulnerabilities (whether for good, productive use (updating bugs, securing products) or for bad use (extortion, theft, etc.)). As a .NET/Java programmer and network security consultant, I see vulnerabilities naturally in the software/network I deal with. Just today I found basic issues with passwords stored in a database for a California-based company. I talked to the person in charge of the database, and he's not even worried about it. Someone without ethics would prove him wrong by exploiting the vulnerability. Someone with ethics would leave it alone.

So, in short, yes, there will always be a need for security researchers. It was my experience in C/assembly/Linux/computer security that got me hired.

[The_STDstroyer]

as long as there are free thinkers and people that think outside of the box there will be hackers.

Boxes Are Scary

What are you talking about? Why are you even here?

[Eggy Sadow]

I am here to learn becuse i am a NOOB.

Edited by Eggy Sadow, 04 September 2007 - 09:30 PM.

[Ark Rat]

Yeah, these guys are right. Everything has a backdoor, from barrooms, to programs. And it always will. Those backdoors exist to allow the programmers in if something goes bad in the program, because often there isn't a front door. Not our fault if we find the backdoor a little too enticing to pass by.....

Yeah, I'm here to learn too.