___                 _             _
  /   \/\/\   __ _  __| | /\  /\__ _| |_ _ __
 / /\ /    \ / _` |/ _` |/ /_/ / _` | __| '__|
/ /_// /\/\ \ (_| | (_| / __  / (_| | |_| |
/___,'\/    \/\__,_|\__,_\/ /_/ \__,_|\__|_|

On SDF

# Why Cyber Security 'Expert' Johnny can't code

## DATE: 07-14-2024

This past weekend and Friday were interesting to say the least.  The ironic part
was, sometime around Thursday I watched Laurie Wired state the obvious on her
YouTube channel.

https://www.youtube.com/watch?v=bJk_NThPbyE
Cybersecurity Security "Experts" Suck at Coding. Here is why.

This is worth a good fifteen minutes to watch, other than the sheer eye candy
and smartly thought out points of someone who gets it.

I think, probably, the key takeaways are there are a lot of people getting into
'cybersecurity' as researchers (I'm not sure if that is the best term; analysts
or forensic analysts would be better) that really can't read code.  They may
know, "Oh, that looks like BASE64, best go to CyberChef" or something like that,
but it's the extent of what they know.  Rarely, if ever, do I find people in the
field that actually have a degree, serious experience or, in some cases, got
popped at 15 for selling credit card data on some Tor site.  If they do have a
degree, it's going to be from Phoenix or Governors.  The point is, they can't
code.  No amount of time trying for a certificate is going to fix that issue.

Coding requires a mathematical mind.  Basic Trig, Calc and Algebra help a
person understand why statements, functions and calls are the way that they are.
If you have a grasp of algebra, you can learn to code.  Most cybersecurity people
can't do math - any math.  That's the central core issue of why cybersecurity
Johnny can't code.

I forget who, and how they put it - but someone said "Holding a sword doesn't
make you a samurai".  Swords or guns, there is no difference - in the hands of
even the most inexperienced person, they can hurt or kill - but they can't do it
with some level of proficiency.

Back in the day, when I got my first degree, we didn't have CompSci yet at the
college (now university) that I attended; we had Business Information Systems -
that was it.  So, I got a B.S. in Accounting with a secondary in B.I.S. and a
third degree in, no crap, Military Science (yes, it's real).  My best scores
were in Biology/Chemistry, I sucked at Physics (but took it) and I learned a lot
about my deficiencies in math because I came from a rural school district, but
tested high on the SAT (enough to get into a good school).  I grew up
programming, my first computer book was called "Computer Monsters" and I coded
that out on a Tandy TRS-80 in BASIC.  I loved it.  I mentioned this before.

Security was second nature, because if you read anything that I wrote before
here on SDF, I was in a Combat Unit at 17 years of age (but not deployed with my
unit due to my age - you have to be 18 to go across the wire).  So, I loved that
stuff, both coding and doing cool shit.  I got into networking for a local ISP,
became a lead tech and the rest is history.

I was nearly arrested in the late 90's for finding a government firewall bug,
however, I got cleared by the special agents in charge who, after looking at the
facts, simply said "This is stupid, fix the bug" to the person at the same
agency that tried to have me arrested (I was 26 years of age).  A year later, the
same agency asked me to come back to work.  You can't make this up.

That said, after that I hung up my hat for a few years and worked in kinetic
security (read physical), had a badge, gun and a suit.  I got to travel to some
cool places, met a lot of well known musicians and really enjoyed it.  I also met
a lot of scum bags, junkies and other surly types you don't get to meet - most of
whom had money.  My clients were usually women, a few most of you know, one who
is now famous, was only a few feet tall when I met her.  Sometime in the early
2000's, I found a database issue, which led to fraud.  My boss was happy, cut
me a check and let me go that day.  He gave me a good letter, but reminded me
that what I figured out wasn't good for my vital signs (read breathing), so I
left the kinetic security industry and went back into IT.

Other than being a physical trainer, I don't do much in kinetics anymore.  After
a few years, I went to work in defense and aerospace as an ISSE, then onward.
The rest is history.

So yeah, Laurie is right.  Real right.

Friday and this past weekend sucked.  We had some bad stuff go down - real bad -
newsworthy bad, and during a few hours of the suck, I realized I was, outside
of one real awesome cat who knows his stuff (and ironically one of the few that
paid attention in one of those online courses), the only person that knew what I
was looking at (code wise).  I was like "this is bad".  After a lot of hemming
and hawing, the 'experts' called in some actual folks that knew what I was
looking at and said, "Nope, this isn't B.S., this is bad."

The reason they needed 'experts' to come in to look is because, like the video
says, most cybersecurity experts can't code.

## A Possible Fix

There is a way to fix this issue; it's super simple, but not easy.  For starters,
getting an A+ never hurt anyone; if I could recommend a cert, it's a good one.
You may not be working tech support, but if you don't know hardware,
that's the one.

So;

1) Take a basic algebra class for adults - where, ironically doesn't matter,
but take one.

2) Take a class on C - I know that sounds stupid, but it teaches the basics of
most stuff we see in the field.

3) Take a basic network course that isn't cert oriented.  Cert oriented classes
teach you to pass, not learn, a subject.

The above caveat applies to HAM radio.  It takes time to learn HAM.  Anyone can
get the license, it's just a cert.  What is harder is to learn the math behind
making an antenna (J's, bi's, etc.), power and how to code radios (freqs, bands
and offsets).

And last but not least, a person should know some basic scripting;

A) BASH

B) PowerShell

As a cherry on top, I'd suggest some Forensics.  There are some good teachers
out there.  Most of whom can be had for a small fee, live and interactive, with
a training group like Antisyphon.

If one focuses on just those things (I'm sure some of the guys/girls reading
this could add more), it would put them far ahead of anyone that has a cert that
starts with C (or offered by a company that starts with C).

While it takes a lot to say "I suck at this, I need to learn this - I don't
want others to know I don't know this", drop the ego, and just do it.  People,
real people, depend on good people doing better for themselves.  It's OK to be
incorrect, just adjust, move on.

So, why am I writing this gopher article (also going on gemini) on SDF?  I
spent my weekend installing a 9Front box, screwing with drivers, formatting USB
flash drives (which, ironically, 9 likes FAT16 for some reason - and because
nsport's git is broken on github - just push it to shithub.us already) and
coding my Rio (with a background because, I'm vain in some ways I guess).
Having to code some C functions to make the wifi not suck made me think of
Laurie's video.  She's young enough to be my kid, but in some way, she's wise
about the issue (though, as with anyone on YouTube, she has detractors).

She's also not the only person discussing the issue.

I'm preaching to the choir here.  Most of the SDF folks could code circles
around me - but that's not the point.  The deal is, you have to keep going at
it, reading mans and just try to wrap your head around stuff you don't know.

Make it, break it and learn it - do it over.  Do it for the love of the game.
And honestly, if you don't have a love for this stuff, move on and find
something else.

America can't fix its 'cyber security' problem by creating more certs, or
making preachers out of drunkards (an old Southern term for putting square pegs
in round holes); it needs to address the core issues of its entire educational
system.

Basics.  The Trivium and Quadrivium.  The Greeks understood it, somehow, we
forgot it.

The issue here is simple - do the work, it's not easy, but it's what makes
everything make sense.

If you can't code, you don't understand why your ports are getting hammered,
why Rob in accounting clicked on a link (and now the entire SQL database is
getting ported to some country you can't spell - while the same dropper is doing
writes on the tables/sectors you don't want the writing on - usually with
encryption that you don't understand) or why the IP you found in the PowerShell
script was not actually what you thought it was originally (protip - reverse the
octets by order, not literally, and AbuseIP will give you a more 'interesting'
report).
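The octet trick above, as an added example (not code from the post): a small Python helper that pulls every dotted quad out of a script and gives the octet-order reversal next to the literal string reversal, which is the wrong reading and usually isn't even a valid address.  The PowerShell-style sample line is constructed and uses a documentation address and a LAN gateway, both written backwards.

```python
"""Decode an IPv4 address whose octets were written in reverse order.

Added example, not from the original post: reverse the octet *order*
("1.0.168.192" -> "192.168.0.1"), not the string ("291.861.0.1" is not
an address), and pull every dotted quad out of a script to check both.
"""
import ipaddress
import re

DOTTED_QUAD = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")


def reverse_octets(ip: str) -> str:
    """Reverse the order of the four octets, leaving each octet intact."""
    return ".".join(reversed(ip.split(".")))


def reverse_literally(ip: str) -> str:
    """Reverse the string character by character (the wrong way)."""
    return ip[::-1]


def parse_ipv4(candidate: str):
    """Return an IPv4Address if the string parses as one, else None."""
    try:
        return ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return None


def decode_script_ips(script_text: str) -> list:
    """For each dotted quad found: the as-written address, its octet-reversed
    reading, whether each is private, and whether a literal reversal parses."""
    findings = []
    for as_written in DOTTED_QUAD.findall(script_text):
        reordered = reverse_octets(as_written)
        written_ip, reordered_ip = parse_ipv4(as_written), parse_ipv4(reordered)
        findings.append({
            "as_written": as_written,
            "octets_reversed": reordered,
            "written_is_private": written_ip is not None and written_ip.is_private,
            "reversed_is_private": reordered_ip is not None and reordered_ip.is_private,
            "literal_reversal_parses": parse_ipv4(reverse_literally(as_written)) is not None,
        })
    return findings


# Constructed PowerShell-style line (no real malware): a documentation address
# (203.0.113.10) and a LAN gateway (192.168.0.1), both written octet-reversed.
SAMPLE_SCRIPT = '$h = "10.113.0.203"; $g = "1.0.168.192"; Invoke-WebRequest "http://$h/"'
```

Feed the octet-reversed reading, not the literal one, to whatever reputation lookup you use; the private flag on the reversed form is a quick hint that the reversed reading is the intended one.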

There is an interesting document out there on the web called 'Why Special Agent
Johnny can't encrypt' that was written by some federal agency a while ago - it
dovetails nicely into what we are discussing here.  With some searching, you
can find it.

This is a good read and it sheds light on why things are the way that they are.

And lastly, instead of Leads assigning more busy work (usually it's their work
they assign to people), they should insist on training during down time -
period.  You don't know what you don't know.  Also, if you aren't reading CVEs
or BurpingComputer once a day (or something like it), you are wrong - it's basic
OSINT (another topic) you can do on your own so you at least know your IOCs and
why 'Bad things happen'.

### References

REF: https://arxiv.org/pdf/1510.08555 - Why Johnny Still, Still Can't Encrypt:
Evaluating the Usability of a Modern PGP Client