Alec Muffett @AlecMuffett
@breenemachine @alexstamos 1/ Well, I've been doing this stuff for 30 years and still learn every day/week; that said, the generalities are several thousand years old and after a while you will see the same issues coming up in new clothes. But you can read around the topic in your own time. […]
@breenemachine @alexstamos 2/ Maybe half of the people I have worked with in infosec have been CS students. There is no barrier to entry. I have worked with chemists, physicists (me = astronomer), med students, linguists, performing arts students, English lit majors, and some have no college degree.
@breenemachine @alexstamos 3/ There are 2x main paths to learning: 1 is to seek formal education - cyber-this, ethical-hacking-that - and it's fine. You'll learn, but if you only learn "security stuff" then you'll be a pentester, and I love pentesters but lord, we have enough already.
@breenemachine @alexstamos 4/ The other path is the "starts as a dishwasher, becomes a great chef" route; that's what I did. Am not saying it's the best, but I was already computer literate (thank you UCL Phys/Astro) & immersed myself for a few years, starting with a job as a systems programmer ("devops"?)
@breenemachine @alexstamos 5/ If we're following food analogies: all the "cyber and policy" lectures will turn you into a food critic; all the "ethical hacking" stuff will either leave you flipping burgers or producing sublime pastries in small batches. You can get a job with these skills, no problem. BUT:
@breenemachine @alexstamos 6/ Neither of these paths to learning will turn you into a chef who can cut code, nor into a restaurateur who can get 3 Michelin stars across 10 restaurants and turn a profit. In the tech world, these are Software Engineer & Enterprise Architect, or similar job titles.
@breenemachine @alexstamos 7/ We need more people who can write code-that-does-not-suck, and we need more people who can deploy-systems-that-scale-and-do-not-fall-over. Security is a quality which cuts across all of these, in 4 dimensions of "stack". Most people think there are only 1 or 2 dimensions.
@breenemachine @alexstamos 8/ Here's 2 slides that I keynoted at Infosec Italia in the early 2000s; it's not perfect but the goal is to say your traffic should be secure end-to-end, your stack secure from cpu-firmware to webserver, your systems integration must not leak...
@breenemachine @alexstamos 9/ …and your code quality has to be up to specification. Come to that, you need a specification, first. Which one of these was the "cybersecurity" you wanted to learn? Answer: all of them. And there's no better way to learn than immersion & "doing".
@breenemachine @alexstamos 10/ So I wish you well, and I certainly encourage you to inhale every reputable-sounding book you can lay your hands on, get a bunch of raspberry pis and set them up in a network, browse /r/netsec on reddit, learn 3x programming languages in the next 2 years, invent your own…
@breenemachine @alexstamos 11/ and sure, hit up the courses: go find coursera, do Dan Boneh's crypto course, try MIT classes, too. Teach yourself a bit of everything. Be bold. Make mistakes. Embarrassing ones. And tell people what you learned, and share what you know and listen lots.
@breenemachine @alexstamos 12/ But above all: go do shit. Daily. Break things, ideally your own things. Try your hands eventually at "capture the flag" competitions, but don't think that just because you've won them that you're "good", it just means that you've got the right skillset. And, importantly…
@breenemachine @alexstamos 13/ the bit that all the red-team bullshitters miss out upon: for each thing that you break, you should MAKE something, too. Don't be a destroyer - they're boring. Create tools, help people. Every project ever has started as 1 line of code. Make more of them. Share them.
@breenemachine @alexstamos 14/ Then: 30 years later you'll bump into someone who will buy you a drink (or possibly: hire you) because they were using your code when they were 13 years old. That's literally what my eventual boss at @fb_engineering told me in my screening interview.
@breenemachine @alexstamos @fb_engineering 15/ One last thing: I said that "winning CTFs does not make you 'good'" - that's true. A good security person is measured either as being the world's expert at something really narrow, or (more commonly) carrying around in their head a huge set of diverse & complementary perspectives
@breenemachine @alexstamos @fb_engineering 16/16 if you wanna be "good", be ready to turn your hand to anything, learn, sponge up the learnings, and replay them in circumstances where they will add benefit to those around you. Hence "generalist". Do all the weird shit, it comes up more often than you'd think.

Best.