Brutkey

da_667
@da_667@infosec.exchange

Y'all, I'm starting to worry for this intern we got.

This dude claims to have worked at akamai for three years, but can't generate a pcap for a directory traversal proof of concept that is as basic as can be.

I'm doing my best to keep an open mind, because there was a time when we were all noobs, but I have some concerns.


da_667
@da_667@infosec.exchange

Now, I'm not doing this to be a bully, but I'm going to just note that this fella stated he was knowledgeable about Snort, Suricata, Regular expressions, Vulnerability Management, Wireshark, and tcpdump.

I wanna remind you that I gave him a quick tutorial blog post on how to generate pcaps from a proof of concept exploit, and that his resume says he is competent in this skillset.

https://community.emergingthreats.net/t/come-sail-the-cves-part-2-turning-data-into-rules/2751

My boy took four hours to tell me that his pcap was empty and had nothing in it. So I ask 'em, what is the command you're using?

He copies it to me. The -i option is reserved for the interface you want to sniff packets on. I have not a single clue why, but his -i switch was an IP address.

da_667
@da_667@infosec.exchange

I demo using ip -br a to briefly list the network interfaces in one's VM, and show how to figure out which is which, according to the IP address next to it and by process of elimination. He generates a pcap.

Then he generates rules. Plural. For a directory traversal attack. Both rules trigger alerts, but neither rule actually detects the directory traversal attack. I even gave him the regex string we typically use for catching directory traversal attempts, because it's kind of complex, but it's extremely effective.

pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R";

In layman's terms this reads: "IMMEDIATELY after the previous content match (^, /R flag), look for one to two period characters, at least one forward (/) or backslash (\), in either plain format OR url-encoded, and find this entire pattern at least twice."

Nowhere in either rule was the regex I gave him, with a hint that he should definitely use it. No, he focused on the curl user-agent, and the fact that python3's http.server module throws a 501 error and doesn't support POST requests, when I told him, straight up, we do not care what the server responds with, we just wanna see what the exploit looks like being thrown at a server.
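The pcre from the post, exercised against a few constructed request lines so the "relative to the previous content match" part is visible. This is an added example, not code from the thread or from any Suricata rule: the pattern body is copied from the post and reused unchanged under Python's re module, the /R modifier is emulated by searching for the preceding content string and matching on the remainder, and the anchor strings "/cgi-bin/" and "file=" plus every sample request are assumptions made up for the demonstration.

```python
import re

# Pattern body copied from the post above. Python's re accepts the same \xhh
# escapes and bounded quantifiers as PCRE, so it is reused unchanged here.
# \x26 is '&', \x2e is '.', \x2f is '/', \x5c is '\'. The [^\x26]*? prefix
# lazily skips characters but never crosses into the next query parameter.
TRAVERSAL_RE = re.compile(
    r"^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)


def traversal_after(payload: str, content: str) -> bool:
    """Emulate Suricata's /R (relative) modifier.

    In a rule, content:"<content>" matches first and a pcre carrying /R is
    evaluated starting immediately after that match, which is what the leading
    ^ in the pattern anchors to. Here we locate the content string ourselves
    and run the regex on the remainder of the payload.
    """
    idx = payload.find(content)
    if idx == -1:
        return False  # content match failed, so the rule would never reach the pcre
    remainder = payload[idx + len(content):]
    return TRAVERSAL_RE.match(remainder) is not None


# Constructed sample request lines (not from any real capture). The preceding
# content match is assumed to be the path prefix "/cgi-bin/" of a hypothetical
# script, or the parameter name "file=" for the query-string case.
SAMPLES = [
    # plain dot-dot-slash, several levels deep
    ("GET /cgi-bin/../../../../etc/passwd HTTP/1.1", "/cgi-bin/", True),
    # fully url-encoded dots and slashes
    ("GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1", "/cgi-bin/", True),
    # encoded backslashes (Windows-style separators)
    ("GET /cgi-bin/..%5c..%5cwindows%5cwin.ini HTTP/1.1", "/cgi-bin/", True),
    # mixed plain and encoded dots inside one unit
    ("GET /cgi-bin/.%2E/%2e./x HTTP/1.1", "/cgi-bin/", True),
    # benign: a dot is never followed by a separator
    ("GET /cgi-bin/index.html?a=b HTTP/1.1", "/cgi-bin/", False),
    # a single ../ does not satisfy the {2,} repetition
    ("GET /cgi-bin/../index.html HTTP/1.1", "/cgi-bin/", False),
    # traversal sits past an '&', which the prefix class refuses to cross
    ("GET /cgi-bin/view?q=1&file=../../etc/passwd HTTP/1.1", "/cgi-bin/", False),
    # same request, but anchored on the parameter name instead
    ("GET /cgi-bin/view?q=1&file=../../etc/passwd HTTP/1.1", "file=", True),
]


def run_samples() -> list:
    """Return (payload, content, expected, observed) for every sample."""
    return [(p, c, exp, traversal_after(p, c)) for p, c, exp in SAMPLES]


if __name__ == "__main__":
    for payload, content, expected, observed in run_samples():
        flag = "OK " if observed == expected else "BAD"
        print(f"{flag} after {content!r:12} -> {observed!s:5} {payload}")
```

The last two samples are the point of the /R flag: the same request is a miss when the rule's content match lands on the path prefix, because the pattern's prefix class stops at the '&', and a hit when the content match lands on the parameter that actually carries the traversal. Writing the content match so it sits right before the attacker-controlled field is what makes this regex precise rather than noisy.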

darf :BlobhajMlem:
@darfplatypus@infosec.exchange

@da_667@infosec.exchange why is someone with 3 years of experience an intern?

Viss
@Viss@mastodon.social

@da_667@infosec.exchange i tried to do the mentor thing. i gave up after fourteen tries.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@Viss@mastodon.social I had a classmate last year who graduated with two degrees and couldn't understand why repeatedly double-clicking the msi for autopsy failed to launch the executable it installed. Another who couldn't comment out code in Python by the end of the semester yet somehow still passed the class. I suppose the only bright side is that the employment market starts to look a little less cutthroat once you figure out that this is much of the competition @da_667@infosec.exchange

da_667
@da_667@infosec.exchange

@Viss@mastodon.social this is a paid internship. I'm not even really mentoring him per se, he just keeps asking for assignments from everyone like this is supposed to be homework or something. I'm just doing my best to be nice, and try to guide him along.

Viss
@Viss@mastodon.social

@da_667@infosec.exchange it's plausible this guy is gonna pad his resume with this shit, call himself an expert, then bail out to another shop and try to get a mid-level job and gpt-up his resume

da_667
@da_667@infosec.exchange

@Viss@mastodon.social reminder that everyone we gave our take-home test to, all from prestigious universities -- UCLA, Mitre, I think we even had a NYU candidate who claimed he made a CTF challenge for CSAW. They all used AI to answer the questions.

Viss
@Viss@mastodon.social

@da_667@infosec.exchange that should have been a canary to shitcan applicants

da_667
@da_667@infosec.exchange

@Viss@mastodon.social So I do wanna address this, because yes, you're absolutely right. For the first three candidates, me and another one of my co-workers, whom I respect very much, both began comparing their answers to chatgpt and copilot AI output.

We both noticed that, aside from changing a few things around, and changing the order of some output, it was very close to the AI's output. And for the first two rounds of resumes (that is, three resumes were considered a single round), we flat-out rejected candidates who we knew from analysis were just using AI.

da_667
@da_667@infosec.exchange

@Viss@mastodon.social But then the hiring process was dragging on and the choice was "Warm body in the intern's seat, or nobody at all," and we chose to settle with someone being in the chair.

da_667
@da_667@infosec.exchange

@Viss@mastodon.social in retrospect, if I had any notion that he was padding his resume so heavily, I would've settled for nothing, and yet, here we are.

John Timaeus
@johntimaeus@infosec.exchange

@da_667@infosec.exchange @Viss@mastodon.social

Trying not to sound like the grumpy curmudgeon that I am, but the best informed, most trainable segment is 40-something.

I just had a class of 20-30ish year olds that knocked it out of the park. But they were heavily pre-selected for smart and experienced. They were the exception.

It seems most under 35ish can't find a file without search, or read and parse an error message. And 45+ can't learn unless they're already well into the discipline.

Viss
@Viss@mastodon.social

@johntimaeus@infosec.exchange @da_667@infosec.exchange i have literally said for like fifteen years that security is not a starter career. and it's nice that folks are finally realizing that to be effective in security you have to take existing knowledge of stuff and "then abuse what you already know"