I'm a security auditor and researcher, Ask Me Anything!

Paula on November 26, 2018

My name is Paula, I've been here for a while now, but I haven't done this "ask me anything" thing yet, and felt like doing it now. I'm 22 years ol...
 

I see your bio, and I have to admit that we have the same interests. I do information security training for a few investigative journalists but it does not earn me any money, so I have to do SW development (mainly in Kotlin) for a living.
My question is: do you earn enough (in the infosec field) to focus only on those issues? Or do you have some other job?
Also I understand the importance of anonymity in some cases, but do you think that TAILS is really the way to go? IMHO it has an extremely high threat model; I would rather suggest a solution like this one.
Thanks for what you do though, you focus on the right issues and we need more people in this field!

 

Hello Ondrej, thank you for your answer!

I'm happy to meet other DEV users interested in security. Regarding your question, yes, I manage to earn enough for a living working exclusively in security. I'm currently switching the company I work for, but yes, I do.

I think Tails is interesting in some cases, such as outside home, when you don't have your laptop available at the moment or something, like a lifesaver. The option you suggest is better for a home setup, of course! And thanks for sharing, btw, the repository is interesting.

Thank you!

 

I would highly recommend going through Shawn's other repositories and articles - they are very interesting, especially if you are interested in Tor. It is *BSD focused though, but you can do almost the same things on Linux.

 

Ah, I forgot my second question - if you use Debian, do you use the Testing (Unstable) version? If yes, do you patch your kernel with grsecurity patches? I have tried it in the past but it was a nightmare in terms of maintenance and some binaries did not even work.
Don't you think that CentOS (which has SELinux by default) would be safer if you don't use kernel hardening patches? Thanks!

 

Hi Paula! Thanks for doing this and willing to share your knowledge. ¡Muchas gracias!

I was curious about your recommendations on personal privacy. Specifically, your personal workflow in which you ensure your own privacy?

  • How do you have your tails set up?
  • Daily drivers for web browsing? brave vs firefox/iceweasel vs opera or do you just use tor?
  • Trusty VPN service(s)?
  • Preferred chat apps: signal, keybase, etc?
  • Password management? 1password or perhaps a physical key for passwords?

Or anything in general you're willing to share to ensure or enhance privacy?

 

Hey! Thank you!

How do you have your tails set up?
With extra memory that can be accessed from one time to another using a passphrase... but everything else as default, for now!

Daily drivers for web browsing? brave vs firefox/iceweasel vs opera or do you just use tor?
Firefox with DuckDuckGo, HTTPS Everywhere, Privacy Badger, Mailvelope and MetaMask. Sometimes I use Tor, too.

Trusty VPN service(s)?
I aim to build my own using an RPi!

Preferred chat apps: signal, keybase, etc?
I have Signal but what I use the most (with family and friends) is actually Telegram.

Password management? 1password or perhaps a physical key for passwords?
I actually have a memory methodology to remember them all, but in case I forget, I store some of them using KeePassX. I'd like to have a physical key, tho. I have something similar, too, for a couple of passwords, but that's a secret ;) no, it's not a post-it, don't you worry.

Oh well! You should take a look at Security in a Box, it's pretty useful for daily privacy management. Also the EFF privacy area could be interesting!

 

Cool! Awesome reply, thank you for sharing 🙏🏽🎉!

That 🍓🥧vpn project sounds like a lot of fun. I'll definitely be on the look out for your post sharing that experience 😉

 

How have your thoughts on security changed in the past ~3-4 years, since you were a teenager?

 

Quite a lot. I used to think of security as movies pictured it, and never imagined the kind of work (like, seriously, not Hollywood-like depicted) that was behind our daily life security. I also realized the importance it has in every technology area.

 

Hi, Paula.
I'm very interested in what you specialize in with passion: security, journalism and community formation.
Your challenge to organize a Python girls club sounds great to me.

I have a question:

  • In order to improve yourself, what kind of daily or habitual routines do you have? For example, getting RSS feeds of some news. I want to use it as a reference when studying security, especially designing a secure architecture/network for myself.

I'd appreciate it if you gave me your answer in your free time : )

 

Hi Heddi,
I would recommend following sec people on Twitter, registering for a Bug Bounty program and reading about the public disclosures described on the Bug Bounty site (HackerOne is the most famous in my opinion).
And last but not least, practice some CTFs/Capture The Flag to enhance your knowledge about security in general.
YouTube and other services can teach you a lot as well.

 

Hi Rémi.
I really appreciate your specific and useful advice.
Yes, I'll register on HackerOne and also practice CTF trainings!!
Although I don't know how to make the best use of them yet, I have taken Twitter/YouTube as useful tools in order to improve myself on both studying tech and reading/listening to English.
Merci beaucoup : )

 

Hello! Thank you for your kind words. I'm very used to checking news in different Telegram groups and channels about security, both Spanish and international. I also like to read over eff.org news and blog, as I think they do great work regarding digital rights. I have to keep a schedule in order to remember all my stuff, but I have it on paper, as using the computer makes me go faster (read faster, answer faster, act faster) and in order to organize myself, it is okay to go slower and force myself to think twice; this works the same in security. I'm studying a Linux Foundation course about networking, and I keep paper notes, too. I'd check on edX and other university open education websites to help yourself organize your aimed specialization; that's where I'm taking the Linux Foundation certificate. I'm kind of a chaos in the rest of my life, but I hope to have answered your question, in a general way!

 

Hello. Thank you for your careful reply. Yes, you have answered my question.
Using paper is so impressive and interesting! The idea "it is okay to go slower" to "organize myself" didn't exist in my mind. I'll try to make the habit to "think twice" mine also : )
Also, I'll check news and blogs such as Telegram's/eff.org's, courses such as the Linux Foundation's and education websites such as edX's.
Muchas gracias.
Welp, a chaos is a part of my life, too. Haha.

 

I know that cyber security is a massive field that takes years to master. Do you have any suggestions of things people can do today to boost application/website/server security?

 

Hi Jack,
I am a security engineer as well.
I would recommend starting by reading the OWASP Top Ten and figuring out if your app, service, etc... follows the very basic rules described there.
I see very often that developers don't know/care enough about security and release really insecure pieces of software that could be way more challenging for "BlackHat Hackers", so remove all the "basic" flaws that you can encounter.

 
 

If you mean to start studying, I would go reading a lot, learning programming, playing capture the flags, joining sec communities and going to events...

But if you mean as another kind of specialist (such as a dev or something), it depends on your role. If you are in charge of a project and are resourceful, I would hire an actual professional, an auditor, to perform the required tests. There are many automated tools that can give you a general idea of your security status, but for real protection, a professional is needed. If you are a developer, your responsibility is to produce clean, understandable code, and to acknowledge the latest vulnerabilities in the tools you choose to use. Most of the security issues in web apps are due to irresponsible use of versions. There's an interesting Katacoda course about security in containers that could be used in such a situation.

Hope to have cleared your mind about this topic!

 

Hey Paula. Say I have a fair amount of high-level programming experience, moderate experience with C, a moderate understanding of how an OS works in general, and can pull off a simple ROP attack. I wanna be one of those people that discover Spectre/Meltdown/SSL Heartbleed/Dirty COW. Where would you suggest starting?

 

Hi Pavel,
The Meltdown/Spectre vulnerabilities are pretty hard-to-find vulnerabilities.
If you really want to find one of that kind one day, I should say, start with a PhD in cybersecurity targeted at hardware and then get to work in a security lab.
Cheers

 
 

As you already have a solid programming base and general understanding, I would suggest you focus your efforts on joining online communities to stay updated. Some people think security is kind of a lone-wolf job; nothing further from reality. Keeping the right news, communities and tech-pals around you is important. I'm mostly in Spanish communities, but there are tons around the world.

I would experiment, too. Either trying online capture the flags, or building your own laboratories. Take a close look at the OWASP wiki.

I think you are aiming to be a zero-day hunter. For that, I think reading and learning about older vulnerabilities could guide you into what kind of vulnerabilities appear in new versions of different applications and OS. Good luck with it!

 

Hi Paula,

That is interesting.

I would love to understand what kind of audience you are presenting security topics to?
And how can you find conferences to present at?
I am looking to present some information about security at some conferences but I find them (conferences) hard to find in France and Europe.

Cheers

 

I have had many types of audiences, from kids to professionals. I mostly present at events where I can find security students, security auditors and other security-related professionals, where I usually have to show a demo or something technical of medium or high level. If I have to explain stuff to another kind of audience, such as kids, I tend to explain the importance of security, rather than technical information.

I check from time to time (usually I wait 2 months or so) on the internet, looking for open calls for papers. Summer is a nice time to look for C4Ps, because some of them are pointing to September-October, and these dates, November and such, are nice for upcoming 2019 events. I tend to think of interesting topics, regarding security research, open source projects, experiments and such, and create abstracts of the highlights. Always about topics I enjoy.

I hope to have helped you.

 

Hi Paula! I love your security and digital privacy posts on this site. Thanks for sharing your knowledge and passion.

I've found that talking to people (particularly in the US) about digital rights, they have a hard time connecting the individual impacts ("but I don't care who knows my internet history!") with the broader societal impacts (censorship, election influencing, automated discrimination, etc.). Do you have any tips on how to convince people that they should care about digital rights not only for themselves but also for the future of society? Thanks!

 

Hey, thanks for your nice words. I have to face those kinds of comments a lot, due to my interests. I usually start by saying the same thing Edward Snowden once said: "saying you don't care about privacy because you have nothing to hide is the same as saying you don't care about freedom of speech because you don't have anything to say". It's a matter of empathy, to be responsible for others' rights. Not everyone who needs privacy is a criminal; there are activists, journalists, and other kinds of users that are in need of privacy and digital rights to get a better situation and to help others. The Internet should be open to work; if we don't care about other countries' censorship, we are actually censoring ourselves too, as we will be unaware of their situation from the outside. As users we have both rights and responsibilities, as any human being in a society/community does. I think the US is very committed to neighborhoods, or that's what we think from the outside. It doesn't make any sense to be like that in real life, but individualist on the internet.

I hope to have given you some consistent arguments for those kinds of situations :)

 

That's very helpful, thanks for the thoughtful reply! I really like the rights & responsibilities angle and I'm definitely going to try that next time :)

 

What are your OSINT tools/feeds of choice?

Are you currently hunting/researching a specific observable?

 

Hi Beatriz,

If I can share my experience on that as well, I would say that on Android security, I am using nmap, Burp, apktool and shell commands (grep, strings, etc...).
And I think that for mobile security Frida is very interesting and useful, as well as gdb. For security, mastering a debugger is really interesting.

Cheers

 

Oh hey! I recently attended an OSINT workshop and these are some of the tools I discovered:

Also Python scripts! Shodan is a nice tool, too.
I'm currently into other things right now, but it surely is an interesting area. Hope you find those useful!

 

What has been the most challenging topic to learn the last couple of years in security?

 

Hey! Sorry I missed this one! This is a very difficult question, but I think the most challenging thing to learn has been distributed ledger security. It requires knowledge of so many things and it seems like a pretty new topic (compared to other security related stuff) so, yep. On the other hand, I have found difficulties in many topics so far, but it is precisely that challenging environment that I find interesting. Thank you for your question!