If you're new, it's the same advice as any other field. Find a way to stand out. Build a portfolio, have great grades, come from a good university program, ping contacts from your alumni network, do bug bounties, find and fix issues in open-source, etc.
It looks like you made the best of a frustrating situation and, at the very least, have an excellent piece for your portfolio.
With the rise in number of new security engineers all competing for few "security research" jobs (security research/hacking is the "I want to be a game developer" of security), you start getting into these convoluted hiring processes. Unlike standard software engineering, there aren't even remotely enough positions to accommodate everyone, so the bar can get absurdly high.
Honestly, if the team is asking CTF questions, they clearly want hires with previous CTF experience and should just do targeted hiring from the top teams at different conferences.
At least send people a free t-shirt if they complete the challenge.
I took Seacord's virtual class (CMU SEI? Can't remember) on Secure C coding a few years back and own, love, and regularly use the The CERT C Secure Coding Standard.
I learned from K&R, but highly recommend Seacord's books if you're looking for how to write secure C and a more modern take on some of the trickier parts of C.
Thanks! I wish there was a service I could pay for where I could ask lawyers vague security-research related questions like this. Right now I wouldn't even know where to begin looking for a lawyer that would be an authority on this type of stuff. If I found that person, I'm also not sure I could afford their time.
I agree, but I don't have a consulting-firm/reputation/team of lawyers etc. to hide behind. Reporting flaws to companies related to embedded is often still scary today.
The point of this is that hey, this isn't actually that hard if you're willing to put in the time. If you're moderately talented, you can probably learn it too!
As opposed to the standard exploit write-up/security conference circuit thing, where a lot of the details are kept secret and it seems like the entire point is to make other people think you're cool instead of teaching something. :)
1. I believe Harman had a previous device hacked back around 2014 due to a weak shadow hash. My guess was that they learned their lesson and made the password more complex. An easy way to test would be to diff the latest shadow file in the updated Subaru images (assuming they exist) -- if it changed, you may be right, if not, I'd still wager it is strong enough.
I don't like the idea of a backdoor like that available, but it is what it is.
2. The QNX6 hashing mechanism, to the best of my knowledge, isn't fully understood. Upstream changes to JTR seem to indicate that it has some form of bug in it or isn't fully reverse-engineered. That, along with having to spend presumably a large amount of time learning about contributing to hashcat & gpu programming, made this seem like a potential dead end without massive time investment.
So, is it possible it is crackable? Almost certainly, but I'm one guy doing this and you have to spend your time carefully in these ventures.
My guess is that yes, absolutely, but very few people know about it / a Doctor or nurse was blamed.
Medical system security does not seem very good. When I was operating in the area a while back, one comment I kept seeing was similar to yours. "Yes, the security is bad, but the good these devices do outweighs the bad."
I agree with that, but my follow-up has always been, why can't these devices continue to help patients, but in a secure way? The manufacturers really don't want to spend the money to try and have some form of a security posture?
Rhetorical question. At the end of the day, my pessimistic view is that nothing will happen until some firm finally proves that there has been a high profile attack, there is an ensuing media firestorm, and the regulation process starts happening.
Just read the r7800 had the best range for an all-in-one unit. Not sure if it's true, but it has been an amazing router. I picked one up for myself -- they are 130$ refurbished on Amazon every now and then.
To answer your question: I have no idea. Would be neat if a much cheaper model had the horsepower though.
Parents live in a smaller town with two awful ISP selections. They had a bunch of WiFi devices on an ISP router and the connection quality and latency was just terrible when more than one device was in use and any bandwidth intensive services were being used. (Low quality Netflix is intensive on small-town monopoly internet.)
I purchased them a Netgear R7800 and installed hnyman's LEDE build [1] to enable SQM. Night and day difference in latency response. No more staring at a white screen for 3 seconds per URL click.
The build has been stable for several months. I wouldn't recommend this for non-technical users or anyone not willing to spend time troubleshooting, but it has been a great improvement. I couldn't find any other device capable of doing this without running x86 hardware or something else silly.
A few other people mention it, but yes, this is only going to work on slower connections on current SOHO hardware. I think the R7800 can do software SQM at up to 150mbps or so. Plus, if you have a gigabit symmetric connection, hopefully you aren't having bufferbloat issues.
Just wish a popular manufacturer would release an easy-to-use router with SQM so I could install it for non-technical users and forget. Ubiquiti is somewhat close to that, but I believe their prosumer hardware (USG) is running a slow processor at the moment and doesn't even support SQM without installing custom kernels.
Well done to the author. I always found working on more obscure systems to be a lot more entertaining as a hobby and I'd definitely recommend it -- you'll almost never run into the issue of another researcher coming out with something first. Most security researchers seem to shy away from embedded VR due to an unjustified fear of obscure assembly languages and hardware (or perhaps they just realize there's no money in it...), but isn't nearly as hard as anyone thinks.
I expect to see drastically more work into IoT devices once tooling and knowledge sharing gets better. A lot of the articles right now begin and end with binwalk. Great tool but that's just the start.
The only hard part of embedded work is that it's really, really difficult to collaborate with anyone as VR is always filled with incredible drama and the talent pool of individuals willing to work on this (for free) with the prerequisite knowledge is almost non-existent.
Good luck. And thanks for not coming out with another media campaign first and interesting research second.
I don't think anyone with experience hacking kindles believed it was a permanent solution. Unfortunately, most of the technical expertise in that area is fleeting.
I'd recommend an older Kindle if you want to get root easier. 5th generation Paperwhite and older models should be cheap and have various exploits.
Probably would recommend a Kobo or something else though. Kindles are awesome pieces of hardware but they do try to keep them secure. Not the best choice for an open platform.