About Awgh


Please direct comments to:  awgh at awgh.org

This blog will be used for technical notes, howto’s, and little tidbits of information I accumulate or discover in my work.

me-related links

I spoke at DefCon 13.

I also spoke at DefCon 15 and CCCamp 07.  There is painful video where I say uhm way too often here.  The one at CCCamp was either much smoother, or I was more drunk.  When that video comes out, the truth will out.

The code I was talking about is on SourceForge.

work

I like my job.

I get to examine all kinds of complicated systems and find flaws.  Then I write up a list of these flaws and give it to the people who designed and built the system.  Then, and this is the kicker, they THANK ME FOR IT.  And here I’ve been going through life criticizing everything for free, and with precious little appreciation I might add!

I’ve also spent a lot of time doing software development.  In other incarnations, I’ve worked…

for a security consulting company,  IOActive

for The MathWorks

for a security testing startup, Imperfect Networks, which was later purchased by Spirent

and shorter stints at IBM on Lotus Domino, at an avionics company called Astronautics, and a bunch of other places I won’t bore you with

school

I liked school.  I’ve got a BS and an MS from WPI.  I also learned how to stay awake for three days and still be able to function well enough to write code.  The secret is avoiding caffeine as much as possible, full spectrum lights, protein powder and OJ.  This turns out to be a skill that actually comes in handy in some industries, although I’m not pointing any fingers…

My master’s thesis was funded by DARPA.  That was a really good time.  I caught up on sleep after the undergrad death march part.

dog

I have a dog.  His name is Lex.  I don’t know what breed he is.  All I know is that his dad could jump a 5-foot solid wood fence, get it on with Lex’s mom, and jump the fence again before anyone got a look at him.

5 comments

[stupid] February 3, 2009 at 9:45 am

Hi, I came across your blog through some links and stuff and I was wondering... if I am interested in learning a programming language for “Security” reasons, where should I start? Assuming that I do not have any experience with programming whatsoever. Thanks

awgh February 3, 2009 at 6:05 pm

I don’t think one language will give you what you need. You’ll need to know x86 assembler to reverse binaries and develop exploits. Pay special attention to the stack and memory layout. Intel provides free books (including free shipping!) or PDFs for their architecture specification. Get those. Really, right now.

Experiment with disassemblers: especially IDA Pro and OllyDbg for Windows and gdb for everything else.

You’ll also need to understand Java and C/++ in order to actually audit code. I would also recommend learning either Perl or Python for writing quick attack scripts. If you’re interested in web security, you will also need to know Javascript and understand SQL.

Sounds like a lot, but these are minimal requirements. Once you have learned one language, the others are easier to learn. I would recommend learning assembly and Java first, and then move from assembly to C and from Java to C++ and Python. Your mileage _will_ vary. Don’t get too bogged down in all the details yet, just learn how to write a few sample programs in each language and try to get a sense of what they do and how they differ.

Remember – Working in security isn’t about knowing everything, it’s about knowing where to look anything up. Make lists of useful references as you find them. Don’t try to memorize too much, just remember where you can find that information later.

Also, the most important thing: Cheat. Cheat at everything. Lie to the computer all the time and see what you can get away with. Most of the language APIs are dirty lies, and most documentation is trying to convince you the program works correctly, even if it doesn’t. The only truth, such as it is, is in the compiled binary.

chrisu October 15, 2009 at 1:33 pm

WOW, what you just wrote is very inspiring. It gives me motivation… I have been learning programming for a few months now (OS-Dev, embedded-assembler, C, C++, Pascal, BASIC, JAVA, PHP…basic-SQL.) How long will it take until I can find exploits by myself? (I did the basic buffer overflow.. format string vulns…)
Do you have any advice on what to learn next to get to that level?

Thanks
chrisu

admin October 15, 2009 at 1:49 pm

As a matter of fact, I do.

Go through gera’s exercises in order http://community.corest.com/~gera/InsecureProgramming/

Once you understand those, you’ll be just about as good as anyone I’ve met.

chrisu October 15, 2009 at 3:25 pm

Thanks, that’s a great resource. I’ll try them :) I think it will take some time….
