Gee is for Geek.

Hola, I’m Gareth, also known as Gee. I reside in Wellington. I’m a security enthusiast looking to get a start in security.

I've been interested in computer “security” from a very young age, starting with my mother password-protecting the family computer and making comments like: “Well, if you can get past that, sure, you can play Commander Keen.” A control break before the boot loader menu followed by starting Windows from the MS-DOS prompt fixed that. The new password on BIOS a few days later was her partner's name... was she smarter than a 7 year old? I think not. Ever since then I’ve adopted the number 8 wire approach to computers and often hack around a problem which could indeed have a reasonable fix.

In my humble opinion, computer security, especially penetration testing, is the epitome of IT, which is one of the reasons I want to get into IT security. Another is because I want to help protect and educate companies and people from having their shit owned. From my experiences a lot of people in IT, sadly including some System Administrators, believe that virus scanners and firewalls are all the protection they need and this is simply not the case (I was gonna list some examples but there are just too many to choose from). In fact it is that mindset that leads you to being owned. Another great mindset is why would “hackers” want to target "us"? It’s often not that hackers want to target a specific company; it is that they know a vulnerability and search for anyone they can find that is susceptible. Also, it's one of the few areas of IT with creative aspects. To be a penetration tester you have to be constantly thinking outside the box and being creative - well, apart from all the red tape, scoping, paperwork and meeting with clients.

Security very much feels like an old boys club. It's very hard to get information on exactly what you need to learn. It's very hard to get a start. It's very hard to breach the barrier between book learning, as such, and, well, to become a penetration tester you have to (as a potential employer of mine once said) “you sorta need to be hacking in the real world” to learn the skills you need. If you don't want to be out there - it's more OK when you are a teenager, when you can't be tried as an adult - risking your livelihood on pwning some stuff but once you are an adult the stakes are much higher and you can't afford to get caught. Getting caught and having a record doesn't actually help you get into security, it hinders you.

While actually reading books on penetration testing gives you a lot of the fundamentals, they don't actually teach you what you need to know. Often the information is quite outdated, which isn't necessarily all bad because the theory behind the exploit or how to discover the exploit is useful. But it will only carry you so far along your journey. The podcasts, if you are listening to recent ones, get around the information being out of date but I've found them to not necessarily be helpful - they are more like a bunch of security people keeping you up on news and events and having some lulz. They aren't actually teaching what you need to know to get into the security field. There are a lot of good resources from Foundstone and other projects such as WebGoat to learn web application penetration testing; they have vulnerable web applications, especially the hackme series, e.g. hackme bank, hackme shipping etc. Another thing that I've done to understand, learn and find peers and interest groups is to attend Kiwicon - NZ's own hacker conference. With a motto like 'share the knowledge' they do a good job of it. It definitely rekindles my passion for security each year and has aided greatly in social networking for finding like-minded people.

This year I'd like a start in security. I hope that working with in2security throughout this year will help me reach that goal. You can follow my progress through my blog posts.

Comments

Thanks for taking the time to write up this blog, looking forward to seeing where the journey into infosec takes you!

Welcome aboard, man!

In (some) answer to your "Security very much feels like an old boys club. It's very hard to get information on exactly what you need to learn."

So very true! My advice (as an 'honorary member' of that 'old boys club'?) ... persevere!

And if'n you want info on exactly what you should be learning? Approach one of those uber-hacker geeky dudes from either company under that 'Sponsored By' banner. Send an email ... make an appointment ... go and see 'em! Hell ... mention 'in2security'. You'll find they're actually pretty approachable (the lesser anti-social ones anyway) - and both have offices in Wellington.

Just don't feed them after midnight, okay?

Whatever happens? Always remember that they (gasp!) were once just starting out, too. Remind 'em of that!

Best 'o luck!