Education


xsk
December 4th, 2011, 08:17
If you're someone who already has a reasonable grasp of reverse engineering and malware analysis, I need your help. I need you to help train more people like yourself.

More likely than not you're "self-taught". Except, when you were teaching yourself you were probably actually relying in large part on the help of others. They freely posted zines, articles, and blog entries. They answered questions in forums, email lists, and in person. Eventually, once you were confident enough to believe you would be right more often than wrong, you might have tried to pay it forward and share your knowledge back to others.

If so, you're the type of person who is needed. We need people who want to make an impact by more rapidly helping educate those who want to learn. We all know that things like certifications and most college curriculums set a fairly low bar for the expectation of what people should know for security. Certainly in the area of reverse engineering there is almost nothing. Paid training classes can be good, but the cost can prevent people from getting all the training they really need.

I believe what's needed are many more people teaching trainings in person. This brings down costs, provides a well-structured learning environment with instant feedback, and results in the education of many more people. If you're a person who already knows the material, becoming an instructor should be an easy step to take. All you need are class materials, and a venue. Finding venues is up to the instructors, but now there is a place that lesson plans and class materials can be stored:

www.OpenSecurityTraining.info

This site is meant to act as a repository for class materials that have been used in computer security classes at least a day long. The material must be released under an open license to allow the most possible instructors to utilize and adapt the material. It can then be used by new instructors as-is, or piecemeal to enhance or speed the creation of other classes. I didn't want to widely promote the site until we had enough seed content, and now I think we're there, with 8 classes, covering 15 days of training, as well as 8 days worth of videos.

But we need more content, and more instructors. If you have classes which you have taught in the past, or currently teach, and you would like others to use the material, please consider contributing it. And if you're one of the people who already knows a great deal of the material currently posted there, please start thinking about how you could take the material and start teaching others in person, at your job, at conferences, or elsewhere. For more about why you should contribute, and why you should teach, please read this page: www.OpenSecurityTraining.info/Why.html

Thanks

Xeno Kovah

Aimless
December 4th, 2011, 08:53
Personally speaking only Xeno, I think there is a condescending tone in your post... and the one taken by whoever wrote your request on the website. Your website seems so... full of itself. Somehow, it seems.... cocky!

There is hardly any mention of what benefits the people who will read these materials we prepare will get. Real benefits. Just some points about altruism and benefits of education and all that.

Instead, it's simply how great the site can be with the help.

And yes, I *HAVE* gone through the 'why.html' on your website.

In spite.

Sorry, my personal opinion only. Not that of this board. And no skin off your nose.

Have Phun

xsk
December 4th, 2011, 09:05
Quote:
[Originally Posted by Aimless;91490]There is hardly any mention of what benefits the people who will read these materials we prepare will get. Real benefits. Just some points about altruism and benefits of education and all that.


Since the site is targeting potential instructors specifically, I believe that they already experience the benefits of knowing the material, and therefore they know how students would benefit by learning the same knowledge.

Xeno

Woodmann
December 4th, 2011, 22:26
Howdy,

While the effort is a noble one, your perseverance will be tested.

The good Dr. S tried this and was somewhat successful, BUT,
for you, without the credentials, will have a tough road ahead.

I think you will be more successful if people knew from where
the training materials are coming from.

For example, who are you and why should I be interested in your work?
What impact have any of your teachers had in regards to RE?
Will I be able to put what I have learned on a resume and reference
your site? Will it be credible?

I'm not trying to kill your ideas, on the contrary, I am a big advocate
of such things. I would love to see you succeed in this endeavor.

You have much work to do grasshopper.

Woodmann

xsk
December 6th, 2011, 07:36
Quote:
[Originally Posted by Woodmann;91494]Howdy,

I think you will be more successful if people knew from where
the training materials are coming from.

For example, who are you and why should I be interested in your work?


All the existing instructors have listed their real names, so anyone interested in such things is free to use google. But I don't really think that's an important metric. If you were going to be making in-person training in RE, rootkits, or exploits anyway, and we're giving you free and open source material, and you look at it, decide it's accurate, and therefore can incorporate it into your training, why do you care who I or any of the other instructors are? If you have training which you gave a few years ago, but aren't giving anymore (one can look at past blackhat training pages for plenty of examples), then why not make it available for future trainers?

People interested in the topic area routinely read tons of information from people they don't know the skill level of, why should this be any different? Furthermore, I've put up 8 days worth of videos from my own classes, so when the slides don't stand on their own, one can simply skip to the video at that area and have me explain specifically what I was trying to convey. To me none of this hinges on reputation. I'm well aware that people will pay more attention based on reputation, but this is merely the phase where I try to make people aware of the site, to find like-minded people who want to increase their educational impact. I have about 16 more days worth of class material from my place of work which I'm trying to get released. And as much as I think the material speaks for itself right now, a year from now I think it will be overwhelming.

Quote:
[Originally Posted by Woodmann;91494]What impact have any of your teachers had in regards to RE?
Will I be able to put what I have learned on a resume and reference
your site? Will it be credible?
Woodmann


It's not conveyed graphically on the site, since it would be detrimental to accepting other people's contributions, but at least for the training I'm involved with, there is a clear prerequisite path for a couple different specialties. They look something like this:

Deep systems security:
Intro x86 -> Intermediate x86 -> Life of Binaries -> Rootkits -> (Future: Advanced x86 "Real Mode edition" (BIOS/SMM/MBR) -> Advanced x86 "VT-x edition" -> Intro to TPM -> Advanced x86 "TXT edition"). The VT-x and TPM classes are already under development, and the real mode and TXT classes probably won't start development until the summer at the earliest.

Malware analysis:
Intro x86 -> Life of Binaries -> Intro RE -> Intermediate x86 -> Rootkits. (Future: Static Malware Analysis -> Dynamic Malware Analysis -> Malicious document analysis -> Memory analysis). The Static Malware Analysis class is already under development, and the memory analysis class is being expanded from 1 to 2 days. Classes like SANS 610 already cover things like dynamic analysis and document analysis, so we wanted to focus specifically where we thought the largest gaps were.

Exploits:
Intro Exploits -> (Future: Exploits 2 -> Intro RE -> Exploits 3). Exploits 2 is under development and will add things like fuzzing and bypassing exploit mitigations. Exploits 3 will probably focus on kernel exploits.

So again, I think a year from now the material will be overwhelming, with or without the help of others. But I would prefer it to be with people's help.

But the reason I pointed out the order of class viewing both now and into the future is because I think if someone were to for instance watch the videos for all the classes I've already posted videos for, twice, I think they would be able to blow some people away on an interview. And they would also be able to get to the truth about interviewee skills. But I don't think saying "I read X off site Y!" has ever convinced anyone of anything on a resume or in an interview.

I once interviewed a person who claimed 5 years of reverse engineering experience, and listed himself as an "OS expert" on his resume. First question: Explain to me in as much detail as possible, how does a debugger work? He knew that you find the location where you want to set a breakpoint, and you click there, and you have the option to either set a hardware or software breakpoint. I asked what the difference between the two was. He didn't know. Someone who has taken the Intermediate x86 class knows how debuggers put in the interrupt vector 3 one byte opcode (0xCC) form directly overwriting a byte in the instruction stream, but will often try to hide this from you from within the interface if you try to look for it. They also know how hardware breakpoints are set up in the debug registers DR0-DR7 (sans DR4&5), and how they can invoke interrupt vector 1 on execute, write, read-write, and port IO. They would know overall how interrupts are utilized by an OS, and how segmentation is used to calculate the linear address from the logical address (far pointer) which is what is actually in the interrupt descriptor table entry (and how it might not always be pointing where you think it is, if you don't understand segmentation). But to be clear, the x86 classes are meant to be OS-agnostic, so we don't get into the details of how any one OS exposes an API for debuggers to hear about such interrupts, though had the interviewee known anything about that it would be good. I know this is old-hat to most of you, but in interviews I always look for the difference between tool-users and tool-understanders. (The "OS expert" also didn't know what the CR3 register or page tables were, despite this being the OS-agnostic basis for virtual memory. Again, had he the knowledge from a class like Intermediate x86, he would understand how things work, instead of just how things were presented to him.)
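
The software and hardware breakpoint mechanics described in the post above, as an added example that is not part of the original thread or of the class material. It is a toy model: a byte buffer stands in for debuggee memory, and the names `dbg`, `bp_set`, `dbg_view` and `dr7_decode` are hypothetical. The DR7 field positions follow the documented x86 layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INT3   0xCC   /* one-byte opcode that raises interrupt vector 3 */
#define MAX_BP 8

struct sw_bp { size_t off; uint8_t saved; };

/* Toy debugger state: "debuggee memory" is just a buffer in this model. */
struct dbg {
    uint8_t *mem;
    size_t len;
    struct sw_bp bp[MAX_BP];
    int nbp;
};

/* Software breakpoint: overwrite one byte of the instruction stream. */
int bp_set(struct dbg *d, size_t off) {
    if (off >= d->len || d->nbp == MAX_BP) return -1;
    for (int i = 0; i < d->nbp; i++)
        if (d->bp[i].off == off) return 0;       /* already set */
    d->bp[d->nbp].off = off;
    d->bp[d->nbp].saved = d->mem[off];           /* needed to resume and to hide */
    d->nbp++;
    d->mem[off] = INT3;
    return 0;
}

/* Memory as the debugger's interface shows it: patched bytes swapped back. */
int dbg_view(const struct dbg *d, size_t off, uint8_t *out, size_t n) {
    if (off > d->len || n > d->len - off) return -1;
    memcpy(out, d->mem + off, n);
    for (int i = 0; i < d->nbp; i++)
        if (d->bp[i].off >= off && d->bp[i].off - off < n)
            out[d->bp[i].off - off] = d->bp[i].saved;
    return 0;
}

/* Hardware breakpoint n (0..3) as described by DR7.
 * HW_IO (port I/O) is only defined when CR4.DE is set. */
enum hw_type { HW_EXEC = 0, HW_WRITE = 1, HW_IO = 2, HW_RW = 3 };
struct hw_bp { int enabled; enum hw_type type; int len; };

struct hw_bp dr7_decode(uint32_t dr7, int n) {
    /* LEN encoding; 10b means 8 bytes only on CPUs that support it */
    static const int len_bytes[4] = { 1, 2, 8, 4 };
    struct hw_bp b = { 0, HW_EXEC, 0 };
    if (n < 0 || n > 3) return b;
    b.enabled = ((dr7 >> (2 * n)) & 3) != 0;                 /* Ln or Gn bit */
    b.type    = (enum hw_type)((dr7 >> (16 + 4 * n)) & 3);   /* R/Wn field  */
    b.len     = len_bytes[(dr7 >> (18 + 4 * n)) & 3];        /* LENn field  */
    return b;
}

int main(void) {
    /* Constructed sample: push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret */
    uint8_t code[] = { 0x55, 0x48, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3 };
    uint8_t view[sizeof code];
    struct dbg d = { 0 };
    d.mem = code; d.len = sizeof code;

    bp_set(&d, 4);                       /* break on the xor */
    dbg_view(&d, 0, view, sizeof view);
    printf("raw  byte 4: %02X\nview byte 4: %02X\n", code[4], view[4]);

    /* Constructed DR7: L0 set, R/W0 = write, LEN0 = 4 bytes */
    uint32_t dr7 = 0x1u | (1u << 16) | (3u << 18);
    struct hw_bp b = dr7_decode(dr7, 0);
    printf("DR0: enabled=%d type=%d len=%d\n", b.enabled, b.type, b.len);
    return 0;
}
```

The raw buffer holds 0xCC at the breakpoint while the view returns the saved byte, which is why a debuggee that reads or checksums its own code sees something different from what the debugger displays.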

Aimless
December 6th, 2011, 08:32
Yet, you seemed to have missed the point Woodmann and I are trying to make.

You have made a good case for the website. Rest assured there is no 'let's-dissuade-him-from-doing-this' motive here. I appreciate what you are going to do. It is commendable.

But Fravia and Woodmann's website are good because they have quality AND quantity. I do not see you making that distinction. You seem to assume that thousands of papers equate bigger educational quotient. From your replies to Woody's posts, I assume that you're just looking for 'CRITICAL MASS'. That zeitgeist that bumps one from moderate fame, to the rarefied stratosphere.

You want to become a "go-to for RCE" site based solely on the quantity. Though, you'll be old enough to know sheer volume never helped anyone. The motives remain suspect.

Still, understand you WILL get what you want. You will be overwhelmed. But in a different way. When you have no QUALITY, just quantity and contributions from all and sundry, then your website, in a year like you put it, will resemble a vast-reaching ocean. Yet one that's just two inches deep. Pretty soon, you'll have 30 presentations on how a debugger works. Or 100 presentations on what is Ring-0. Comprehend?

And while newbies *could* be overwhelmed into thinking "Golly!" at the amount of material, the serious ones will not, because there is no CREDIBLE source that they can depend upon. Thirty tuts on cracking winzip in different ways. That's what you'll be getting soon. But I repeat myself.

So the message is do not be discouraged. But make sure you *also* give importance to Quality. I've not found that anywhere on your website. Not in enough detail. Many reverse engineers, some of them VERY popular, have tried, and then fizzled out. Content and Source. Very important. See if you can achieve it.

And one way to quality is to have known RCE people (their NICKS, not real names) telling or instructing them. Videos, presentations, calls, whatever.

Finally, your biggest adversity, the challenge of your life, will be in persisting when your site does not do what it's meant to do. Or when you don't get hits. Will you stay strong and persist? Or will you sulk and put it all on the 'MTV generation' attitude? And believe me, quality will play a big role here.

Till you decide to get quality, I remain suspect you'll remain "another brick in the wall"

But, STILL wish you all the best. I hope you do well in your endeavors.

Godspeed.

Have Phun,

Woodmann
December 6th, 2011, 20:10
Howdy,

I absolutely meant no malice. I am certainly no expert in anything BUT,
I know of people who are/were very famous and tried to make a go of
the exact same thing you are trying to do.

One that I endorsed was by Zero. He had the correct path and vision but
for some reason it disappeared with no explanation.

He was the one that came the closest to achieving what you desire.

We are not trying to dissuade you in the least.
The world needs such a "thing" that you want.

+f and I have sat a few times to discuss its possibility.
(enjoying beers of course :cool:)

You can ask of me anything to help you.
I really want to see you succeed at this. It is important that it be done.

NOW, stop being defensive and relax. You will do this and realize
your dream. Understand?

Woodmann

xsk
December 6th, 2011, 21:05
Quote:
[Originally Posted by Aimless;91499] But Fravia and Woodmann's website are good because they have quality AND quantity. I do not see you making that distinction. You seem to assume that thousands of papers equate bigger educational quotient. From your replies to Woody's posts, I assume that you're just looking for 'CRITICAL MASS'. That zeitgeist that bumps one from moderate fame, to the rarefied stratosphere.


I know of very few good engineers who are looking for fame. Like most of them, I'm looking for efficiency. Efficiency in education. I'll return to that later. But I'll take in stride your attempts to grapple with (and impugn) my motives, because I know I'm just some lurker come forth.

Quote:
[Originally Posted by Aimless;91499] Still, understand you WILL get what you want. You will be overwhelmed. But in a different way. When you have no QUALITY, just quantity and contributions from all and sundry, then your website, in a year like you put it, will resemble a vast-reaching ocean. Yet one that's just two inches deep. Pretty soon, you'll have 30 presentations on how a debugger works. Or 100 presentations on what is Ring-0. Comprehend?


I can't quite decide whether you're misinterpreting a key element of the desired training, you're vastly over-estimating the generosity of your fellow man, or both. To reiterate, the site is meant to house training which is presented before a live studio audience, for classes lasting one or more full business days (but in my experience, with breaks and so forth, that only ends up translating to about 6 hours of continuous speaking.) I originally wanted to set the floor as 2 days of content, but to start with I wanted to be open to the possibility that there might be good one day presentations that could build on each other. Given the nature of the content I am purveying, and seeking, I speculate I will have exactly the opposite problem to what you describe. Because, you see, training is big business in security. ISC^2, SANS, conferences, and many other private companies offer paid security training. As such, most anyone who is going to develop training is only going to do so in response to the prospect of mad cash, and they're going to keep the training to themselves. I began doing training because it's easy extra money at my company and directly helped my project by building and allowing me to pick from a larger talent pool. But where I differ from some other trainers is that I have a primary job which I like and which pays well enough, and therefore I don't want training to be my primary income source, and I don't mind giving my training away and letting others benefit or even profit from it. (The other way I seem to differ from others is that I seem to be a lot more aware of my mortality, and it's hard to craft a compelling narrative for why what we do in security might eventually help transhumans escape the heat death of the universe...But maybe more efficiency will help.)

ANYWAY, the question is, do you really think there are 30 one-or-more day presentations on how a debugger works? Or 100 one day talks on ring 0? If you're right, then I'm right that we need more efficiency. Because while it's fine. This is a problem they have in academia, which is why they came up with opencourseware, which you will note is listed on my front page as one of the primary motivators for the site (much more so than khan academy, because we already have things like securitytube which are the equivalent of khan.) I've been watching and waiting for some decent amount of computer security class material to show up through OpenCourseWare since its inception, but it's never happened. I think you will find that given all the hype around "Cyber" these days, academic institutions have more reason than ever to try to keep their security classes to themselves to try and use them as a differentiator to get people into their programs. So, having given up on seeing anything coming out of opencourseware, and seeing the pitiful offerings of many colleges in security, let alone RE, I decided it was time to "Make my OWN <opencourseware>...with BLACKJACK! And HOOKERS!" (-Bender) Said site could hold my own material which I was already making for my own project's benefit, as well as anyone else's material.

Let's see...back to the point. Ah yes. So I agree that there can be many different people who've been forced to reinvent some training for the basics. Preventing that from happening any *further* would be a win in my book. But what about the non-basics? Can you point me to the 30 groups in the world who are currently giving training on how to make a minimal VT-x hypervisor in a couple days rather than a couple weeks of reading the manuals? The only one I've ever seen that was close was Invisible Things Lab's training, which they don't seem to be offering anymore (publicly). How about you point me to where I can go find a class on how to send the right command blobs to memory mapped IO to talk to the TPM to perform key generation conducive to performing remote attestation of PCR state? No really, it's only a little rhetorical, I would actually like to know too. So when I said I think the material will overwhelmingly speak for itself in a year, it's because there will be high end material available, for free, which as far as I know isn't available anywhere currently. And when we say we want all comers on the low end (so long as they meet the length guideline), it's because I want people to have a place where it can be made clear that no further time need be wasted making training which already exists, and which is explicitly free to use.

Quote:
[Originally Posted by Aimless;91499]So the message is do not be discouraged. But make sure you *also* give importance to Quality. I've not found that anywhere on your website. Not in enough detail.


At the risk of sounding pedantic, when you are teaching a class, you do not read the textbook to the students. Similarly when you are teaching x86, you do not read the manual to people. Rather, you pull out the elements you think are most important, and will get them the furthest the fastest. You then reference more in-depth material for them to read later. And they will absorb it easier by having had the places and means where the knowledge can be used explained to them ahead of time. That's the kind of thing which can never fully be captured in training, and which usually just comes out in the audio track of trainings as asides and anecdotes. Knowing that I wouldn't be able to capture all of the side-bar discussion which goes on is one of the reasons I'm pushing to get videos released from all my and my colleagues' classes. This way future instructors can better understand the originator's intent if it isn't fully written down explicitly (I know when I start making a class I try to write everything down explicitly, but by the end of content generation I tend to get lazier and rely more on the voice track.)

So I'll just point out again that you're evaluating the materials out of the context in which they're meant to be used. It's not an article archive, we've already got those and we don't need another. It's an archive of in-person instruction material, which as far as I know we don't have. And with any presentation material, rarely can (or should) you get through a single slide per minute for instance.

Quote:
[Originally Posted by Aimless;91499] And one way to quality is to have known RCE people (their NICKS, not real names) telling or instructing them. Videos, presentations, calls, whatever.

I'm not going to care whether people use their nicks or their names as long as they share.

But since this is the one concrete suggestion you offered on the quality front, let's run with this concrete brainstorm, shall we? One of the other fields I had thought to potentially add to the class pages is "Where this has been taught:". I opted against this for now for two reasons. First, I currently only have buy-in from other people at my place of work. As such, all the training would just say it was taught at my work. If every training says it's from the same place, that might lead people to think it's an us-only affair, and dissuade contribution. (It was for this same reason that I waited to announce the site until I had materials from my colleagues instead of just me, so that it didn't look like a self-aggrandizing me-only affair. I guess I failed on that objective eh Aimless? :P) The second reason I didn't put that is because we developed all of the class materials on our own time (that's how you get the extra money), and it's specifically because of this that I was able to get the materials publicly released "easier" (and it was by no means easy getting the videos released for instance.) If we put our training as having been specifically for our company, then I feel like they're going to make it go through some extra bureaucracy as if they are being asked to officially endorse the site. At a minimum they will make us then add some sort of disclaimer to go with it. So this wasn't an issue I was particularly interested in raising, BUT humble reader, if you think there is clear value in having this field, I could perhaps be convinced to go down the route of adding it once I have material delivered at an organization other than our own, to alleviate my first concern.

The value of the field of course is that if a training has been delivered in many different venues (and perhaps it needs a modifier to also say how many times the given class has been taught in the given venue, so many venues and many days), then a potential instructor who wants to utilize the material can use that in making his decision of whether to even open this one of the theoretical 100 presentations on what ring 0 is. And again, a reminder that the site is first and foremost for instructors, so ultimately there is some assumption of them being familiar with their desired area of instruction, so the final determination of usefulness of the curricula is going to be made based on the content itself and how it conforms to what they had wanted to teach about anyway. Which is why I envision instructors picking and choosing the best-prepared material from multiple presentations where multiple presentations exist.

Quote:
[Originally Posted by Aimless;91499]Finally, your biggest adversity, the challenge of your life, will be in persisting when your site does not do what it's meant to do. Or when you don't get hits. Will you stay strong and persist?


Since it's clearly not meant to do what you think it is, I don't anticipate a problem. But thanks for your kind attempt to delude me into believing that my biggest adversity is not my mortality and the heat death of the universe.

Xeno

P.s. I want you to visualize a concrete-brain storm

xsk
December 6th, 2011, 21:21
Quote:
[Originally Posted by Woodmann;91502]
One that I endorsed was by Zero. He had the correct path and vision but
for some reason it disappeared with no explanation.


Can I get a link so I can look it up on the wayback machine? (assuming it's no longer live)

Quote:
[Originally Posted by Woodmann;91502]
We are not trying to dissuade you in the least.
The world needs such a "thing" that you want.


I get that you're not trying to dissuade me. And I'm not being defensive, I'm just elaborating on my reasoning and motivations. The first post was a common post that I put in a number of locations to get awareness and to get conversations started. I could have posted much more, as you're seeing now, but it would be met with a resounding tl;dr! But since the conversation here got off on the wrong foot, I feel it's necessary to provide more complete justifications.

Xeno

blabberer
December 7th, 2011, 00:18
Quote:

Can I get a link so I can look it up on the wayback machine? (assuming it's no longer live)


sorry to be frank but i skipped reading your post #8 way too verbose

Zero aka Dr Thorsten Schneider had an awesome site the erstwhile anticrack.de that had a course REA I that i can say was very good while it existed
some great reputations that probably lurk here honed their skills in there he also hosted the erstwhile Crackmes.de which afaik till recently was playground to most of the sorcerers out there either by name or by nick

Aimless
December 7th, 2011, 03:24
Best of Luck then.

No more from me on this thread.

Have Phun

evlncrn8
December 8th, 2011, 03:49
bit too long so i tl;dr ed some parts...
your focus is quite strange, plenty of focus on malware, rootkits etc.. which will attract the script kiddies (is that your target audience?)... and there's a bit of running before you can walk too

Elenil
December 8th, 2011, 10:45
what exactly is new what you post xeno ? gmer your favorite tool there so many of that tools

Indy
December 9th, 2011, 05:18
xsk
So you aver(AV) ?

CrackZ
December 14th, 2011, 12:09
xsk; I for one will wish you a resounding 'all the best' with your endeavour and I'm sure in a year or so you'll know yourself whether it's been as successful as you are clearly hoping (you certainly seem enthusiastic which will help).

The guys here are giving you some good advice, albeit delivered with a healthy dose of experience based cynicism ;-). Unfortunately a lot of us are scarred by memories of 'pie in the sky' concepts/ideas that never materialised, I hope you have a lot of free time to make this work.

Regards, and once again, good luck.

CrackZ.

Darkelf
December 14th, 2011, 19:17
Quote:
[Originally Posted by xsk;91504]Can I get a link so I can look it up on the wayback machine? (assuming it's no longer live)


Not everything has vanished. Actually it was a bit overhauled lately. There is a complete training package which you can find here:
http://www.binary-auditing.com/

It seems that something is going on with crackmes.de also.

Regards
darkelf

Maximus
December 20th, 2011, 09:57
...before or later, things will get surely back. I wildly guess it is only matter of time.