___                 _             _
   /   \/\/\   __ _  __| | /\  /\__ _| |_ _ __
  / /\ /    \ / _` |/ _` |/ /_/ / _` | __| '__|
 / /_// /\/\ \ (_| | (_| / __  / (_| | |_| |
/___,'\/    \/\__,_|\__,_\/ /_/ \__,_|\__|_|

On SDF

DATE: 07-14-2024

This past weekend and Friday were interesting, to say the least.  The ironic part was, sometime around Thursday I watched Laurie Wired state the obvious on her YouTube channel.

https://www.youtube.com/watch?v=bJk_NThPbyE
Cybersecurity Security "Experts" Suck at Coding. Here is why.

This is worth a good fifteen minutes to watch, other than the sheer eye candy, for the smartly thought-out points of someone who gets it.

I think, probably, the key takeaways are that there are a lot of people getting into 'cybersecurity' as researchers (I'm not sure if that is the best term; analysts or forensic analysts 
would be better) that really can't read code.  They may know, "Oh, that looks like BASE64, best go to CyberChef" or something like that, but that's the extent of what they know.  Rarely, 
if ever, do I find people in the field that actually have a degree, serious experience or, in some cases, got popped at 15 for selling credit card data on some Tor site.  If they do 
have a degree, it's going to be from Phoenix or Governors.  The point is, they can't code.  No amount of time trying for a certificate is going to fix that issue.

Coding requires a mathematical mind.  Basic trig, calc and algebra help a person understand why statements, functions and calls are the way that they are.  If you have a grasp of 
algebra, you can learn to code.  Most cybersecurity people can't do math - any math.  That's the core issue of why cybersecurity Johnny can't code. 

I forget who, and how they put it - but someone said "Holding a sword doesn't make you a samurai".  Swords or guns, there is no difference - in the hands of even the most inexperienced 
person, they can hurt or kill - but they can't do it with any level of proficiency.  

Back in the day, when I got my first degree, we didn't have CompSci yet at the college (now university) that I attended; we had 
Business Information Systems - that was it.  So, I got a B.S. in Accounting with a secondary in B.I.S. and a third degree in, no 
crap, Military Science (yes, it's real).  My best scores were in Biology/Chemistry, I sucked at Physics (but took it) and I 
learned a lot about my deficiencies in math because I came from a rural school district, but tested high on the SAT (enough to 
get into a good school).  I grew up programming; my first computer book was called "Computer Monsters" and I coded that out on a 
Tandy TRS-80 in BASIC.  I loved it.  

Security was second nature, because if you read anything that I wrote before here on SDF, I was in a Combat Unit at 17 years of 
age (but not deployed with my unit due to my age - you have to be 18 to go across the wire).  So, I loved that stuff, both 
coding and doing cool shit.  I got into networking for a local ISP, became a Lead tech and the rest is history.

I was nearly arrested in the late 90's for finding a government firewall bug; however, I got cleared by the special agents in 
charge, who simply said after looking at the facts - "This is stupid, fix the bug" - to the person that tried to have me arrested, 
from the same agency, at 26 years of age.  A year later, the same agency asked me to come back to work.  You can't make this up. 

Stated, after that I hung up my hat for a few years and worked in kinetic security (read: physical); had a badge, gun and a suit.  
I traveled to some cool places, met a lot of well-known musicians and really enjoyed it.  I met a lot of scumbags, junkies and other 
surly types you don't get to meet - most of whom had money.  My clients were usually women, a few most of you know; one who is 
now famous was only a few feet tall when I met her.  Sometime in the early 2000's, I found a database issue, which led to 
fraud.  My boss was happy, cut me a check and let me go that day.  He gave me a good letter, but reminded me that what I figured 
out wasn't good for my vital signs (read: breathing), so I left the kinetic security industry and went back into IT.

Other than being a physical trainer, I don't do much in kinetics anymore.  After a few years, I went to work in defense and 
aerospace as an ISSE.  The rest is history.

So yeah, Laurie is right.  Real right.

Friday and this past weekend sucked.  We had some bad stuff go down - real bad - newsworthy bad, and during a few hours of the 
suck, I realized I was, outside of one real awesome cat who knows his stuff (and ironically one of the few that paid attention 
in one of those online courses), the only person that knew what I was looking at (code-wise).  I was like "this is bad".  After 
a lot of hemming and hawing, the 'experts' called in some actual folks that knew what I was looking at and said, "Nope, this 
isn't B.S., this is bad."  

The reason they needed 'experts' to come in to look is because, like the video says, most cybersecurity experts can't code.

There is a way to fix this issue; it's super simple, but not easy.  For starters, getting an A+ never hurt anyone.  If I could 
recommend a cert, it's a good one - you may not be working tech support, but if you don't know hardware, that's the one.

So:

1) Take a basic algebra class for adults - where, ironically, doesn't matter, but take one.
2) Take a class on C - I know that sounds stupid, but it teaches the basics of most stuff we see in the field.
3) Take a basic network course that isn't cert oriented.  Cert oriented classes teach you to pass, not learn, a subject.

The above caveat applies to HAM radio.  It takes time to learn HAM.  Anyone can get the license; it's just a cert.  What is 
harder is to learn the math behind making an antenna (J's, bi's, etc.), power, and how to code radios (freqs, bands and offsets).

And last but not least, a person should know some basic scripting:

A) BASH
B) PowerShell

As a cherry on top, I'd suggest some Forensics.  There are some good teachers out there, most of whom can be had for a small 
fee, live and interactive, with a training group like Antisyphon.

If one focuses on just those things (I'm sure some of the guys/girls reading this could add more), it would put them far ahead of 
anyone that has a cert that starts with C (or offered by a company that starts with C).

While it takes a lot to say "I suck at this, I need to learn this - I don't want others to know I don't know this", drop the ego 
and just do it.  People, real people, depend on good people doing better for themselves.  It's OK to be incorrect; just adjust, 
move on.

So, why am I writing this gopher article (also going on gemini) on SDF?  I spent my weekend installing a 9Front box, screwing 
with drivers, formatting USB flash drives (which, ironically, 9 likes FAT16 for some reason - and because nsport's git is broken 
on GitHub - just push it to shithub.us already - resolution is broke on GitHub) and coding my Rio (with a 
background because I'm vain in some ways, I guess).  Having to code some C functions to make the wifi not suck made me think of 
Laurie's video.  She's young enough to be my kid, but in some way, she's wise about the issue.

I'm preaching to the choir here.  Most of the SDF folks could code circles around me - but that's not the point.  The deal is, 
you have to keep going at it, reading man pages and just trying to wrap your head around stuff you don't know.

Make it, break it and learn it - do it over.  Do it for the love of the game.  And honestly, if you don't have a love for this 
stuff, move on and find something else.

America can't fix its 'cyber security' problem by creating more certs, or making preachers out of drunkards (an old Southern 
term for putting square pegs in round holes); it needs to address the core issues of its entire educational system. 

Basics.  The Trivium and Quadrivium.  The Greeks understood it, somehow, we forgot it.

The issue here is simple - do the work, it's not easy, but it's what makes everything make sense.

If you can't code, you don't understand why your ports are getting hammered, why Bob in accounting clicked on a link (and now 
the entire SQL database is getting ported to some country you can't spell - while the same dropper is doing writes on the 
tables/sectors you don't want the writing on - usually with encryption that you don't understand), or why the IP you found in the 
PowerShell script was not actually what you thought it was originally (protip - reverse the octets by order, not literally, and 
AbuseIPDB will give you a more 'interesting' report).
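The protip above is the kind of thing an analyst who can read code catches and one who can't misses: a script that stores "10.2.0.192" and reverses the array at run time is really talking to 192.0.2.10.  As an added example (not from this post, and not from any tool it mentions), here is a small Python triage helper that assumes the obfuscation is exactly that, a plain reversal of the four octets.  The PowerShell snippet it parses is constructed for illustration and uses RFC 5737 documentation addresses, not real hosts; the function names are my own.

```python
"""Triage helper: pull IPv4 literals out of a script and show the
reversed-octet candidate beside each one, so the analyst knows which
address is actually worth looking up.  Added example, not from the post;
the sample script below is constructed."""
import ipaddress
import re

# Constructed sample: the literals look like harmless internal 10.x
# addresses, but the script reverses the octet order before using them.
SAMPLE_PS1 = r'''
$parts = "10.2.0.192".Split(".")
[array]::Reverse($parts)
$server = $parts -join "."
Invoke-WebRequest "http://$server/update"
$fallback = "10.113.0.203"
'''

# Dotted-quad candidates.  Version strings such as "5.1.0.0" will also
# match, so the output is a list to review, not a verdict.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Evidence that the script itself reverses an array; if present, the
# reversed candidate is the one that matters.
REVERSE_HINT_RE = re.compile(r"\[array\]::Reverse", re.IGNORECASE)


def reverse_octets(addr: str) -> str:
    """Reverse the order of the four octets: 1.2.3.4 -> 4.3.2.1."""
    return ".".join(reversed(addr.split(".")))


def is_valid_ipv4(text: str) -> bool:
    """Reject regex hits such as 999.1.1.1 that are not real addresses."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def triage(script_text: str) -> list:
    """One record per unique valid IPv4 literal in the script.

    Each record carries the literal as written, its reversed-octet
    candidate, and whether each form is globally routable (private,
    loopback and documentation ranges are not), plus whether the script
    shows array-reversal logic.
    """
    reverses = REVERSE_HINT_RE.search(script_text) is not None
    seen = set()
    records = []
    for literal in IPV4_RE.findall(script_text):
        if literal in seen or not is_valid_ipv4(literal):
            continue
        seen.add(literal)
        candidate = reverse_octets(literal)
        records.append({
            "as_written": literal,
            "as_written_routable": ipaddress.IPv4Address(literal).is_global,
            "reversed": candidate,
            "reversed_routable": ipaddress.IPv4Address(candidate).is_global,
            "script_reverses_octets": reverses,
        })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_PS1):
        print(f"{rec['as_written']:>16}  ->  {rec['reversed']:<16}"
              f"  routable as written: {rec['as_written_routable']}"
              f"  reversed: {rec['reversed_routable']}"
              f"  script reverses arrays: {rec['script_reverses_octets']}")
```

Run it and both literals come back flagged: written as 10.x they would be waved off as internal, but the reversed forms are the addresses to put into a reputation lookup.  On real samples, expect version strings and other dotted numbers in the list; the point is that the reader decides, and can only decide if they can follow what the script does with the string.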

There is an interesting document out there on the web called 'Why Special Agent Johnny Can't Encrypt' that was written by some 
federal agency a while ago - it dovetails nicely into what we are discussing here.  With some searching, you can find it.  
This is a good read and it sheds light on why things are the way that they are.

And lastly, instead of Leads assigning more busy work (usually it's their own work they assign to people), they should insist on 
training during down time - period.  You don't know what you don't know.  Also, if you aren't reading CVEs or BleepingComputer 
once a day (or something like it), you are wrong - it's basic OSINT (another topic) you can do on your own so you at least know 
your IOCs and why 'Bad things happen'.

Cheers.