This writing on computer security is a piece of advice that I wish someone had told me. I started taking security seriously near the end of my first year at college. This advice should be helpful to anyone who has spent at least one month learning about computer security and wishes to pursue it seriously.
I got interested in computer security while I was in school. I think a lot of people fail to see the reason of why that's better than getting interested at college. While at college your efforts might be driven by a prospect of job or a need to secure a professor's recommendation, your efforts in school are almost always driven by pure curiosity. And a distorted drive is almost always a receipe for disaster[1].
While in school, I used to solve challenges on the website hackthissite. It was easy to solve the initial challenges on hackthissite because they were very specific, so I didn't have to read/code a lot before I could even understand what the challenge was all about. In school, I would spend most of my time just solving such challenges.
However, I had an open mind for learning in college. I had beforehand decided that I'd explore other things in college - things like robotics, machine learning etc. As I entered college I had already lost touch with computers; for two years I was just preparing for the college entrance. So starting again with computers in college was starting on things that were not related to security or what I had previously done in school - which was mostly web development, apart from some C and Java programming on toy problems like prime factoring. It was only after a gap period of almost a year, that I started again with computer security.
By the time I was in 10th standard, I already knew about XSS, SQL Injection and remote code execution. But that's where I went wrong. I thought knowing their names and a little about them was equivalent to knowing them. It was only in college where I started attempting harder challenges (for eg by Plaid Parliament of Pwning) that I realised I was wrong. For almost all hard challenges, I could easily figure out the kind of the challenge (eg: SQL Injection or XSS), but had trouble making any further progress. It was an important lesson that just learning names didn't do any good. In fact quite the opposite - it gave me a false feeling of knowing things[2].
In college I realised an important thing about security. Before college I had never thought that security required a creative component. In school I thought all that was needed was to learn a lot about a lot of different things. But what I failed to see was that all this learning also helped increase my creativity - since I was then able to see fresh connections between things[3]. It's hard for someone to be good at security and not be creative.
Another thing that I realised, was the importance of zero-days[4]. If I ever decide to pursue computer security I would just try to find zero-days. I take a lot of pleasure in breaking things. And if you are looking forward to do something challenging, I would suggest go find zero-days. But don't just directly start with it. First learn a lot about computer security. The best way to do that is to solve a lot of challenges on wargame sites[5]. I'd personally suggest backdoor as you can easily ask it's admins for hints[6]. Once you have solved a large number of challenges, team up with someone you like and start playing together in different capture the flag events[7].
If I had to pick a goal in this field I would aim to either get inside Google's Project Zero team or join a team that's working on tools to accelerate the process of finding zero-days - this also includes research groups. By accelerating I mean reducing the time to find, verify and exploit zero-days. Tools that enable this can be seen as similar to how programming languages enable you to write code faster. If our brains could handle all the details, we could just write code in machine language. One might argue that such tools already exist and might refer to gdb as an example. But if such tools are efficient why are we seeing a rise in the development of new interactive and visual tools[8]. That can't be a coincidence.
The other part of security that I haven't talked about yet is defensive security[9] - things like end to end encryption[10] and sandboxes[11] are great example of it. If someone asked me to give just one great example of defensive security, I'd say it's the Touch ID feature in Apple devices. Apart from being extremely secure[12], it's also highly effective[13].
Though defensive security seems interesting, working on it only makes sense once you have practiced a good amount of offensive security. I am not saying that defensive security is less important. It's not. What I am saying is that you'll be way better at building defences if you already know where someone could possibly hit you. And there is no better way to know this than to try hitting other systems yourself.
This is the reason, that I only wrote about offensive security in the first half. It was not a conscious decision to do so. I didn't decide beforehand that I would just write about the offensive part of security - it just somehow turned out to be. I guess this is because somewhere subconsciously I knew that talking about offensive security will leave no topic related to security untouched. And since offensive security is boring without defensive security, I think the former automatically leads to the thought/need of the latter.
After having done a lot of offensive security, if I was to pursue defensive security seriously, I'd aim to either join the team behind Google Chrome's Sandbox or join a team within an important company that is working on securing its systems and software. Google, Stripe and Facebook are examples of companies in this sense. But if I wanted to learn super-fast and was willing to take a big risk, I'd join an early-stage startup or a research group working on some technology that could be widely applied. A great example of such a technology is the ability of a software program to change itself when an intrusion(illegal access) gets detected[14].
When it comes to computer security, no one can say that they're an expert in defensive security and an absolute noob in offensive. It just doesn't make sense.
So if you plan to pursue computer security, my advice to you is "first offend then defend".
[1] The question of drive matters a lot more than the paragraph makes one realise. When I see the word drive, my mind always thinks of at least Elon Musk. It's hard to image a company as good as Tesla without it's founder having a drive for its mission. It's harder to image that a company like SpaceX even exists with a core mission to make humans an interplanetary species without its founder truly believing in that mission. When it comes to drive, I guess Musk beats everyone else. Distorted drive is also the reason so many startups fail.
[2] A false feeling of knowledge is hard to detect. Partly because you don't know "what is it that you don't know" or rather "how much do you actually know" and also because a response to the question "do I know this thing?" would be a quick yes. The quick yes is a testament to the human nature of underestimating things.
[3] For me, this realisation was similar to the realisation that rapping was not just about carefully chosen words but also about the way those words were sung. The ups, downs and the confidence reflected in those words was also important; probably more. I only realised this when I started writing raps myself. Some might argue that words matter more, that's debatable, but you get the idea here.
[4] A zero-day is a computer jargon. It's basically a bug in some popular software that allows someone to do naughty things with it; like gain access to credit card data. Such bugs are usually hard to notice when writing the software - some of these become zero-days. But someone with just the right intent might be able to discover it even when the software is only partially visible to them. Access to only the compiled version of some source code is one such example. And NSA is a prime example of someone with an intent.
[5] https://github.com/apsdehal/awesome-ctf#wargames
[6] Backdoor was my idea. I created it with my juniors in college. From the start our focus was to keep it beginner friendly, hence the chat. While learning do keep in mind that backdoor still doesn't have very hard challenges, so make sure you try a lot of other war games. The link for chat is https://chat.sdslabs.co/
[7] CTFs by Plaid parliament of pwning and DEFCON are the best ones. CTF websites: https://github.com/apsdehal/awesome-ctf#websites
[8] QIRA is a tool build by the hacker Geohot. Its important to note here that such tools being developed by hackers makes one even more suspicious of the tools that already exist. Since hackers always try to automate/eliminate redundant tasks there must be something wrong with the existing tools. Link: http://qira.me/
[9] Nemo mentioned that this advice is too biased towards offensive security, so I decided to talk about defensive security as well.
[10] WhatsApp chats are end to end encrypted by default. And Messenger also provides an option to start a secret end to end encrypted chat with anyone. It's interesting to see a lot of mainstream applications using e2e encryption. This was not the case 5 years back. The reason being that, back then there was no secure algorithm that just sort of worked. So when someone developed an algorithm for secure communication that just worked, it saw widespread adoption. This happened much for the same reason iPhone saw widespread adoption after it's launch in 2007. Until then there was no smartphone that just worked. But this is not the only reason for the widespread adoption of this e2e encryption algorithm. To be honest I think, it's partially also because Snowden exposed NSA for it's unlawful monitoring. This sort of caused a ripple effect which made people more cautious of their privacy. Suddenly the interest in encryption grew and security became a prime concern for a lot of companies.
[11] A sandbox is basically an environment where bad programs can run(like a computer virus), but they still can't access or affect important things on your computer. So by default, a program that is run inside a sandbox will have access to only a limited set of resources. For eg: it probably cannot issue a shutdown command on your computer. But this explanation is really minimal. You can read more about sandboxes here: https://en.wikipedia.org/wiki/Sandbox_(computer_security)
[12] The Chaos Computer Club, a bunch of European hackers, have bypassed the security of Touch ID. Though such a demonstration by a reputed group of hackers makes one question if they can trust the security of Touch ID anymore, the reality is quite different.
What their method really says is that "you're better off using a pass code, just to cover all the edge cases". No one is going to pour in efforts trying to recreate a high resolution fake of your fingerprint to unlock your iPhone unless it has something as important as a strategy or some credit card information. So if you are an average Ramesh at present(which you and I probably are), who is surrounded by semi trust-able people, this will not be a cause of concern for you. The benefits (extremely fast unlock with an otherwise extremely secure implementation) far outweigh the shortcoming of not covering all the edge cases.
One rare yet plausible scenario where I can think of this not being the case is when someone is determined to access your iPhone and won't let it go - say you clicked an indecent photo of someone who hates you. In this case it looks like having a strong pass code (hard to guess and brute force) will be better. He might be willing to fake your fingerprint by looking for traces of it left over by you and then using it to create a high resolution fake, but he won't be able to force you to tell your pass code. However I'd consider the odds of that ever happening to be very slim and stick to the Touch ID feature.
If you were to read more on their method, you'd realise just how unlikely it is for someone to do it without a strong motive: http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren.en
[13] See this: http://daringfireball.net/linked/2013/09/10/mogull-fingerprints
Touch ID indeed has seen widespread adoption through usability. Apple has said that nearly 90% of iPhone users now use a secure passcode because of Touch ID (compared to around 50% before Touch ID's launch).
[14] It's not very hard to detect an illegal access. An access white-list based on IP+user can cover most common cases. However it is very hard to fix the surface crack in a piece of software which led to the illegal access in the first place. It is hard for the same reason your front door cannot be made absolutely secure; there are just too many cases to cover.
Thanks to Dhaval Kapil, Nemo (Abhay Rana), Jay Bosamiya, Abhishek Das and Priyanshu Sheth for reading early versions of this piece.