A Security Curriculum


Curriculum

I skimmed through beginners.re, the famously gigantic reverse engineering text, and noticed a lot of it was similar to the CMU course 15-213. His advice in the book was to write small programs then translate them to assembly, which is pretty much all the exercises in the course book for 15-213. Overflowing and ROP (return-oriented programming) labs are also included, so we should just start with 15-213. This material is also a prereq for Brown's Software Exploitation course.

We can explore the PortSwigger academy (free), pwn.college (free) and read through some papers from Brown's grad course and MIT's CPU hacking course learning about flipping bits in memory without even accessing them. There's also a lot of reverse engineering resources we can play around with.

Since we have full access I'm going to try Tanja Lange's Post Quantum Crypto course. The first part goes through all the main contenders for a future crypto standard; the second part is various methods for cryptanalysis. Almost all computer security type courses make you take some kind of crypto, so we may as well learn the future of crypto. We have this book to help us, which has no formal prereqs.

Typical industry tracks

  • SOC threat analyst

SOC means Security Operations Center. This is somebody working in shifts for a 24/7 (usually remotely) enterprise tier threat response contractor who is paid to analyze system logs (almost always Windows OS logs) and network traffic to spot problems. You primarily extract and filter data, mainly with in-house tools or using things like OSquery, and do 'threat intelligence'. To get into this, find some kind of learning path for SOC Level 1 and 2, but these almost always cost money. This one is the cheapest I could find, or you could simply use their syllabus to look up everything yourself like OSquery, Wireshark, MITRE etc. To find these companies search for security operations center jobs or try Sophos. I imagine these kinds of outfits exist so companies can satisfy some kind of insurance compliance or lawsuit protection from any breaches or leaked data.

  • Security consultant

Someone charging 7-20k+ per week for an application security assessment. This kind of person can do the 'full stack' of security review, from source code review/dependencies to cloud deployment to how developers handle the keys for signing into the source repository. With large security consulting outfits the typical engagement is 2-3 consultants for 2 weeks, where there are juniors competent in running security procedures like penetration testing, and the principal consultant oversees them and presents all the reports the juniors produced, justifying the money spent. On large contracts they will have reverse engineers and all kinds of other specialists charging insanely high hourly rates. The major outfits are Leviathan Security, IOActive, Bishop Fox, NCC Group, CrowdStrike, or search for security consultant jobs.

  • Freelance

Security researchers who win pwn2own competitions, reverse engineer, chase bug bounties and sell exploits sometimes on APT or Advanced Persistent Threat marketplaces. These guys often get contracted by the above companies to be specialists or they run their own companies. They sometimes build entire target models to simulate attacks or use formal verification methods on program control flow graphs to expose logical flaws and other techniques we'll see. Look at all the shady stuff here there seems to be nonstop nation state tier malware in the wild.

How bad it all is

If you haven't seen it, watch the CS19 lecture on security.

Immediately npm breaches are brought up; npm is the JavaScript package manager. If you've ever installed some Node.js software to run it locally you will have noticed there are hundreds of dependencies being automatically installed. If you missed the attack description, the stream dependency was attacked to specifically target some Bitcoin wallet software in hopes that the wallet developers themselves would include it in their builds, and they did. All the attacker had to do was find some unmaintained but popular dependency and take over the entire project. Many browser plugins have had this happen too, either sold to adtech or malware writers, or they helpfully take over the abandoned project.

@9:00 we're getting into the nightmare scenario where VSCode, the IDE most developers use, is now compromised. The point is some dependency nobody pays attention to got turned into malicious code and found its way into almost every critical program on earth.

@19:50 the seemingly benign software you find in the wild like adding colors to your terminal or javascript console is actually filled with malware of course but you probably knew that already. Famously this was almost all the flashlight/torch apps on app store before they cracked down.

@28:14 he's reminding us again the most dangerous software is the software you least expect to be dangerous. @35:27 every basic shell copy program in every OS will bring in fopen() and then you're screwed, it has access to the entire filesystem.

'The internet, operating systems, all programming languages, these things were built to be maximal insecure'.

He talks about SELinux, also known as MAC or mandatory access controls, like AppArmor. MAC is something enterprise security people love because it's knob tweaking, but state can become so complex in modern systems that you cannot guarantee your policy doesn't allow illicit states without some kind of logical assistant to model everything and run tests on. Whenever you search for AppArmor or SELinux the number one recommendation or most-searched-for query is how to turn it off because it's interfering in someone's work, and in the real world that's what everyone does.

Open source sabotage

This talk is from 2014 but very relevant still. Since he is involved in FreeBSD project he thinks about it from an open source sabotaging viewpoint.

@5:10 is very interesting. It reminds me of back in the day when there were many people writing 'security Android ROMs' or those in-memory operating systems you loaded up with a boot live DVD/USB or advanced security OSs like Subgraph OS. They all disappeared and abandoned their projects and he imagines in the talk how legit developers are purposely bribed to do so being put on some nice salary at a 'friends of NSA' company. Reminder this is just a thought experiment what he would do if tasked to sabotage he's not accusing anyone of anything.

@12:28 this is what we came for how modern open source projects are derailed or infiltrated. @16:40 some mobile browser versions won't even let you use self-signed certs anymore even after clicking all the 'omg but are you aware of the risks!' buttons. @25:45 is great, wait for some security problem and then 'find a helpful patch' and claim you reviewed it but oops missed something. The deceptive defaults I have been burned by many times.

The absolute state of the security industry

Egor Homakov, a security researcher, once wrote this post (now deleted): Why it sucks to be a Security Researcher. He is completely blackpilled and tells us how nobody cares or wants to fix the problems. If you raise the alarm you are often threatened or dismissed. He wrote multiple warnings to the Rails github repository only for them to hand wave the problem away as 'impractical' and 'would never happen', so he started his security career by hacking the repository. They still denied the problem so he opened an issue 999 years in the future.

Surveillance

Now cancelled former Tor developer and 'Wikileaks associate' Jacob Appelbaum quietly got a PhD from two of the world's premier crypto experts, DJ Bernstein and Tanja Lange, at TU/e in the Netherlands. I don't know or care about any of the details of his fall from being the darling of the hacktivist scene; all I care is he did write a thesis/dissertation that was overseen by advisors I respect, so we may as well read it. The pdf is here or direct link here.

Skimming the intro, this is more of a political manifesto instead of a thesis; I'm surprised the school didn't demand he remove a lot of cringe here. In the section he calls bad mathematics he shames on cruise control others who take fed cash, yet seems completely unaware he once worked for the Tor Project, which is funded by US federal agencies like the DoD. If you follow DJ Bernstein then you know he amusingly rants on the IETF crypto working group mailing list whenever some stooge proposes yet another badly designed or patent trolled elliptic curve scheme, so that to me is the definition of 'bad mathematics': trying to sneak in broken by design protocols. In 1.2 Thinking about the future, some of the claims derived from the questionable sources he lists are so wild even Wikipedia jannies wouldn't have green lighted this so I skipped, but the theme as far as I can tell is crypto still works if it's designed/used correctly. Everything else he is trying to say in way too many words can be summed up by this video.

Section 2, Background on network protocols: skimming this quickly, OpenVPN is demonized as being the target of NSA weakening, but OpenVPN code is so ridiculously bad and convoluted that they probably didn't really have to do anything nefarious to it except promote its use.

Section 3, Background on cryptography: if you look at Tanja Lange's crypto course page she recommends this free online book for general background, so we can refer to it as we very lightly read this section. From the hash functions chapter: a hash function h maps bit-strings of arbitrary but finite length to strings of fixed length, so the domain of the function (inputs) maps to a range (outputs) many-to-one. Since the domain is larger than the range, collisions are possible, where 2 distinct inputs have the same output. Now you know how password hashing works: the hashes map to a plain text input, but the Appelbaum thesis notes these password hash functions are designed to be extremely slow by purposely running inefficient calculations that require large amounts of contiguous memory, so you can't easily brute force the hash by bombing it with millions of strings to guess passwords.
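Both properties from this paragraph, as an added example that is not from the thesis or the course book: a hash truncated to 16 bits makes the many-to-one mapping visible because collisions are cheap to find, and the standard library's scrypt shows a deliberately slow, memory-hard password hash. The function names, the cost parameters and the sample password are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import time

def tiny_hash(data: bytes) -> bytes:
    """SHA-256 truncated to 16 bits: a toy range of only 65,536 outputs."""
    return hashlib.sha256(data).digest()[:2]

def find_collision():
    """Hash distinct inputs until two of them share an output."""
    seen, counter = {}, 0
    while True:
        msg = b"msg-%d" % counter
        digest = tiny_hash(msg)
        if digest in seen:
            return seen[digest], msg, counter + 1
        seen[digest] = msg
        counter += 1

# scrypt needs roughly 128 * n * r bytes of memory per guess: 4 MiB here.
# Constructed demo values; real deployments use higher costs.
SCRYPT = dict(n=2**12, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def hash_password(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def seconds_per_guess(fn) -> float:
    start = time.perf_counter()
    fn()
    return time.perf_counter() - start

if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"collision after {tries} inputs: {a!r} {b!r} -> {tiny_hash(a).hex()}")
    salt, stored = hash_password("correct horse")  # constructed sample password
    fast = seconds_per_guess(lambda: hashlib.sha256(b"correct horse").digest())
    slow = seconds_per_guess(lambda: hash_password("correct horse", salt))
    print(f"one sha256 guess: {fast * 1e6:.1f} us, one scrypt guess: {slow * 1e3:.1f} ms")
```

With a 16-bit range a collision is guaranteed within 65,537 distinct inputs and usually appears after a few hundred, which is why real hash outputs are 256 bits or more.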

From the block ciphers chapter, a block cipher seems to be a function that accepts as input an n-bit vector of plaintext and a key vector, then a product transformation occurs to create ciphertext that is the same size as the input. If the input exceeds the size of the n-bit block then it's partitioned into same-size blocks which are encrypted separately using a mode of operation; one old example is ECB or electronic-codebook mode. A symmetric key is shared via some Diffie-Hellman like public key system we can learn later. The term 'nonce bit' is called IV or initialization vector in older books. Djb's ChaCha20 high speed crypto and Poly1305 MAC is mentioned and detailed here using C like pseudocode if interested. Skimming the rest, there's an interesting comment about NIKE or non-interactive key exchange that has a deniability property where finding encrypted content that decrypts with someone else's key is not definitive proof of any communication between each other.
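Why ECB counts as an old mode, as an added example that is not from the book or the thesis: identical plaintext blocks encrypt to identical ciphertext blocks, while a mode that chains in an IV hides the repetition. The block cipher here is a toy 4-round Feistel network built on HMAC-SHA256 (an assumption made so the example needs only the standard library), CBC is brought in as the IV-based comparison, and the sample records are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes (n = 128 bits)

def _f(key, rnd, half):  # round function: keyed PRF over one 8-byte half
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 4-round Feistel cipher on one 16-byte block (not for real use)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("pad the input to a multiple of 16 bytes first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):  # every block encrypted independently
    return b"".join(encrypt_block(key, b) for b in split_blocks(plaintext))

def cbc_encrypt(key, iv, plaintext):  # each block XORed with the previous one
    out, prev = [], iv
    for b in split_blocks(plaintext):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample: three identical 16-byte records, then a different one.
SAMPLE = b"AMOUNT=000100.00" * 3 + b"ACCOUNT=12345678"
if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    print("ECB:", repeated_blocks(ecb_encrypt(key, SAMPLE)),
          "CBC:", repeated_blocks(cbc_encrypt(key, iv, SAMPLE)))
```

Counting repeated ciphertext blocks this way is also a quick check for ECB use when reviewing captured data: a nonzero count on structured input is a strong hint.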

Chapter 4: you probably already know most of this if you read the Snowden leaks and 2017 Wikileaks CIA files, and there's a bunch of material here on glowie PSYOPS strategies all laid out in chronological order. Appelbaum goes totally off the rails here, back into political manifesto territory. A lot of content here is straight up ranting but the later content going through all known shady nation state malware and explaining how it works is worth reading. Even though a lot of these exploit 'products' in the leaked ANT catalog are from 10 years ago, I doubt much has changed, especially what data they were after.

Chapter 5 GNU naming system has a good crash course on how DNS works. The NSA shenanigans here running some global monitoring bot network to hide their DNS queries is interesting. GNS is a GNUnet app which I like way more than all the blockchain nonsense going on right now requiring massive amounts of mining. Note to self look into GNUnet more.

Chapter 6, WireGuard tweak: it only works for some future quantum adversary, meaning if traffic is vacuumed up and held to be broken years later then this tweak works; otherwise, for an active quantum adversary, you have to redesign the entire WireGuard protocol. That's if quantum computers aren't a total scam; every company involved always makes suspect promises of massive amounts of qubits then nothing happens.

Chapter 7, Vula, has code to read here and is developed anonymously, obviously because of Appelbaum's pariah status. I'll have to come back here after we get familiar with post quantum crypto; an automatic LAN encrypting scheme is a pretty awesome idea.

Chapter 8 REUNION is a PAKE for real life key encrypted key exchange, a kind of Assange tier tradecraft meeting protocol for short message exchanging like contact info.

Prelims

-15-213 Introduction to Computer Systems

  • All the (optional to watch) recorded lectures/recitation are on Panopto or search YouTube
  • The book labs are here

There is a problem with the book: for the global version, the publisher paid someone to screw with the practice problems, and many of the solutions in the book are wrong. The only decent pdf you can find is the global version too; I don't think they have a US electronic version. I bought the global version for I think $20 and the actual chapter contents are identical; it's only many of the early exercises I find that were bungled. You can use library genesis to get an OCR'd copy but they are all gigantic in size; see this upload where the Chinese uploader describes all the versions available. However, does it really matter? If there's a practice problem translating C to assembly we can always generate the unoptimized assembly with the compiler and verify it ourselves, or easily figure out any hex to binary solution.

TODO

