Make Tools, Not War.
There is this computer insecurity related YouTube channel that I subscribe to and they live stream almost every day. The beginning of every live stream is devoted to answering questions from the chat. Normally the questions asked fall roughly into the following categories:
1. I quit my 6-figure a year job 1 year ago to do bug bounties full time and haven’t found a bug ever in my whole entire life. I don’t know how to find bugs. Where can I learn how to find bugs?
2. I copied and pasted some random payload from X, formerly Twitter, and it’s not working. Why?
3. I don’t know much about computers but I just heard about Penetration Testing and/or Web Application Testing because a video showed up in my YouTube recommendations. I fell down the rabbit hole and watched a bunch. I love Penetration Testing and/or Web Application Testing. How do I get a job as a Penetration Tester and/or Web Application Tester with no experience or training?
On this particular day a question was asked that was totally different from all of the questions asked before it. I know this is the case because a few days later the YouTube channel released a tier-list video on the subject of the question. Unfortunately, they didn't credit the question as the inspiration for the video.
The question asked about projects that would be good to show prospective employers. The host’s response was something along the lines of this: he thought projects were fine, and he listed a few that he deemed acceptable. He also added a caveat that he believed that working on projects that do something that an undisputed “Best of Breed” tool does should be avoided, as it is a waste of time. Please keep in mind that I am paraphrasing. “Best of Breed” and "waste of time" are the words I chose to help summarize what was said.
I agree with 95% of this.
I disagree with the idea that working on projects that mimic “Best of Breed” tools should be avoided or that it is a waste of time. It's not.
A lot of success in computer insecurity, whether defensive or offensive, comes down to methodology, tooling, and workflow. You should never be afraid to examine any of these, either jointly or severally. Make your own tools. Further, make your own tools that help you both improve upon and manage your methodology and workflow. Don’t become obsessed with making the next Metasploit or Nmap, but absolutely do make your own tools when and where it makes sense. It’s a great way to learn and to put those all-too-valuable programming skills to use.
Most importantly, you do it because you never know how things will end up.
DISCLAIMER Everything discussed herein is done so within the context of Boot2Roots, Crackmes, CTFs, and various other types of Cyber Security/Information Security/Programming challenges and competitions, Cyber Security/Information Security/Programming education, the Cyber Security/Information Security/Programming industry, and the Cyber Security/Information Security/Programming education industry. DO NOT "ATTACK" ANY SYSTEM(S) WITHOUT FIRST OBTAINING PROPER AUTHORIZATION. The Unsecured Nerd cannot and, most importantly, is genuinely not interested in helping you hack your personal enemies, family, friends, significant other, your government, governments that oppose your government, random remote targets that you managed to locate on the internet, and/or really anything at all. If reading something on this site causes you to wonder how it can be applied to hack any of those aforementioned things it’s best that you keep wondering. Stay safe.