Reddit mentions: The best computer hacking books

Wow, 24 hours and no replies?!

Fine, you know what? FUCK IT!

Alright, first off - While you can concentrate on physical, understanding the basics of the digital side of things will make you more valuable, and arguably more effective. I'll take this opportunity to point you at Metasploit and tell you to atleast spend an hour or so each week working to understand it. I'm not saying you have to know it backwards or inside-out, just get a basic understanding.

But you said you want to go down the physical path, so fuck all that bullshit I said before, ignore it if you want, I don't care. It's just a suggestion.

Do you pick locks? Why not? Come on over to /r/Lockpicking and read the stickied post at the top. Buy a lockpick set. You're just starting so you can go a little crazy, or be conservative. Get some locks (Don't pick locks you rely on!) at a store, and learn the basics of how to pick.

Your fingers will get sore. Time to put down the picks and start reading:

• Social Engineering - The Art of Human Hacking
  
• Practical LockPicking - A Physical Penetration Tester's Training Guide
  
• No Tech Hacking - A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing
  
• Unauthorised Access - Physical Penetration Testing For IT Security Teams
  
• Ninja Hacking - Unconventional Penetration Testing Tactics and Techniques
  
• Metasploit - The Pentration Tester's Guide (OPTIONAL but suggested)
  
• The Basics of Hacking And Penetration Testing - Ethical Hacking and Penetration Testing Made Easy (OPTIONAL but suggested)
  
• Keys to the Kingdom: Impressioning, Privilege Escalation, Bumping, and Other Key-Based Attacks Against Physical Locks (OPTIONAL but suggested)
  
  That reading list right there gives you over 2000 pages to read. Read. Read More.
  
  Tired of Reading? Have you been listening to the Social-Engineer.org Podcasts? 53 quality podcasts right there. Time to catch up!
  
  Tired of listening? Take a break! And by "Take a break" I mean grab your lockpicks, a lock, and start picking while you relax with a Jayson Street video. He's fun to watch, and will hopefully distract you while you try picking a lock. Also, he highlights how you don't have to be a computer-genius to be good at PenTesting. Go watch more of his videos while you pick locks - It's entertaining at least, and informative/educational at best. Now go watch Deviant Ollam's videos if you're done with Jayson Street.
  
  Sounds like a lot? It's not. You'll spend a bit of money getting started with picks, locks, and books. It's the nature of the game, no good way around it. It's time-consuming. You may have to give up playing your favourite games for a while. But the things you learn and skills you develop will pay more than that game did. By the time you're halfway through any one of those books you'll have a much better idea of what questions you want or need to ask in order to progress further and faster every day.
  
  Go to Security Cons. DerbyCon is awesome, and happens in late September, plenty of time to start saving money and making reservations. Talk to people, ask questions, and make connections. You will learn more in those 4 days than some people learn in months or years and you'll have tons of fun.
  
  If you can swing it, attend Deviant Ollam's "Physical Security Skills for Penetration Testers" class. The things you will learn in that class will make it worth every damned penny, and you'll feel like a bad-ass at the end of it.
  
  Is this what you wanted?

Let me preface this by saying I know nothing about netsec but can offer a general framework.

To make a career out of netsec you need to know the answers to three questions:

1. Who will I work for?
   
2. What will they want me to do?
   
3. How can I get them to employ me?
   
   As a starting point you might like to check out
   
   http://www.amazon.com/InfoSec-Career-Hacking-Sell-Skillz/dp/1597490113
   
   That book covers nominally what you are after but it's a touch old (2005) so things might have changed since it was published. Apparently it discusses the various job types within the industry which should give you a sense of what is possible.
   
   With this information you next want to find a list of employers you'd like to work for. Your goal is to try to build relationships with those companies: do they offer internships? What knowledge/experience are they looking for from new employees? Could you meet with someone to talk about the industry? Etc.
   
   You might be able to do this by blindly emailing or phoning the companies. However, it will probably be more effective if you can meet someone face to face. The obvious way to do this is to go to university careers fairs, conferences, local clubs etc. If you're at university you might be able to ask your teachers if there is anyone they know of who they could introduce you to.
   
   At the very start of this networking phase you could be quite broad in who you talk to. If you know 20 people and they each know 20 people then you have access to 400 friends-of-friends. Sometimes someone knows of someone who could be helpful for you. Once this lead generation has kicked into gear though you can focus down on the people most relevant to you.
   
   At this stage you hopefully be able to answer the question 'What do I need to know?' with 'If I can do x,y,z then ABC Inc will give me work.'
   
   You will now want to start learning those skills. Your contacts might be able to give you some suggested reference sources but you're probably best off learning by doing a series of small projects. The reason is that they will give you a sense of 'what it is really like' beyond the textbook theory, but also because they will prove that you can actually do something. It's one thing to say "I know some basic reverse engineering." and another to say "I know some basic reverse engineering, here is a 'Hello World!' program I wrote in C and here is a crack I wrote which makes it output 'Goodbye World!' instead."
   
   If you're really pushing this you could start a blog detailing your projects. From your perspective it's a way to track your progress. From a more pragmatic perspective it is an advertisment for yourself and a way to keep bubbling at the back of your prospective employers mind as they can see what you are working on.
   
   As you continue along this path eventually you'll get the necessary skill set to start applying for positions. When you do apply you'll hopefully have two aces up your sleeve: projects which prove you are capable of undertaking the required work, and ideally some sort of reference from an established figure within the industry (or even better, company.)
   
   I am vaguely aware of a netsec one-person consultancy company vibe. I don't know how common that is or how you would set up as an independent contractor but that is another path to look into.
   
   ----
   
   This approach is loosely based on this which might be interesting to you for a much more detailed application in an academic setting.

Let me just say this: if you are wanting a community and spiritual feelings or feel goods are there other places that you could get those things? If you check out r/Frisson/ you might get some of those spiritual feelings without the need for a church. Or you can learn how to get strong spritual feelings anytime you like by just remembering a time when you felt that way and then focus on that feeling. Actors use this method to recall feelings during their plays, shows etc so they can make the scene believable. (usually done with anger sadness joy) As for a community wouldn't you rather just join a meetup that already has ideals that meet your own instead of having to do mental gymnastics to make your worldview work? Also be prepared as Mormons tend to be super friendly when they are trying to convert you but once you are converted they focus their efforts elsewhere. That isn't to say this will absolutely happen but it can just ask some of those that are ex-converts to the church on this subreddit you will see what I mean. I think you would be better off finding some real authentic people that think similarly to you and are able to think critically about everything in their lives instead of just anything that doesn't involve religion. Read www.cesletter.org before you join as well so you know some of the old fallacies and doctrines that are in the history of the church or in other words the un-whitewashed version of TSCC. Also consider do you really want to give your money to a group of con-artists that are working actively to get people to not think critically but instead want people to just have faith in them and their doctrine? If you do this you are perpetuating the problem, if you join, then those who aren't thinking critically of TSCC will just be even more enthralled because "hey look guys an atheist just joined see we have the truth!" Please recognize their niceness for what it is even though they even may genuinely believe they are being nice they are that way because they are told to be from TSCC toward converts not because they actually think they need to help a fellow human just for the sake of helping them, this is especially true if they are trying to pressure you to join. Just think will they still be just as friendly if I decide not to join? If the answer is no then it would seem to me that they are trying to get something out of such as a pat on a back from their bishop, or trying to get a promotion calling such as become a bishop. Think of them as salesmen they actually use many of the same tactics, which also happen to be similar to what social engineers use. Social engineer is just an elaborate name for a con-artist. See what I mean in this book [here.] (https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539) As for social conservative please elaborate do you dislike gays? if not they you will see this church does some real damage with that community with their policy that any gay families children can't be baptized till they are 18 and renounce their parents marriage. It's really outrageous. If you just want limited government then I share that sentiment I don't really love either party, as such you can find people that share your values and don't need to join a church to get spiritual fulfillment and social fulfillment.

Here is a "curriculum" of sorts I would suggest, as it's fairly close to how I learned:

1. Programming. Definitely learn "C" first as all of the Exploitation and Assembly courses below assume you know C: The bible is pretty much Dennis Richie and Kernighan's "The C Programming Language", and here is the .pdf (this book is from 1988, I don't think anyone would mind). I actually prefer Kochan's book "Programming in C" which is very beginner freindly and was written in 2004 rather than 1988 making the language a little more "up to date" and accessible. There are plenty of "C Programming" tutorials on YouTube that you can use in conjunction with either of the aforementioned books as well. After learning C than you can try out some other languages. I personally suggest Python as it is very beginner friendly and is well documented. Ruby isn't a bad choice either.
   
   
2. Architecture and Computer basics:
   Generally you'll probably want to look into IA-32 and the best starting point is the Intel Architecture manual itself, the .pdf can be found here (pdf link).
   Because of the depth of that .pdf I would suggest using it mainly as a reference guide while studying "Computer Systems: A Programmers Perspective" and "Secrets of Reverse Engineering".
   
   
3. Operating Systems: Choose which you want to dig into: Linux or Windows, and put the effort into one of them, you can come back to the other later. I would probably suggest Linux unless you are planning on specializing in Malware Analysis, in which case I would suggest Windows. Linux: No Starch's "How Linux Works" is a great beginner resource as is their "Linux Command Line" book. I would also check out "Understanding the Linux Kernel" (that's a .pdf link). For Windows you can follow the Windows Programming wiki here or you can buy the book "Windows System Programming". The Windows Internals books are generally highly regarded, I didn't learn from them I use them more as a reference so I an't really speak to how well they would teach a "beginner".
   
   
4. Assembly: You can't do much better than OpenSecurityTraining's "Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration" class lectures from Xeno Kovah, found here. The book "Secrets of Reverse Engineering" has a very beginner friendly introduction to Assembly as does "Hacking: The Art of Exploitation".
   
   
5. Exploitation: OpenSecurityTraining also has a great video series for Introduction to Exploits. "Hacking: The Art of Exploitation" is a really, really good book that is completely self-contained and will walk you through the basics of assembly. The author does introduce you to C and some basic principles of Linux but I would definitely suggest learning the basics of C and Linux command line first as his teaching style is pretty "hard and fast".
   
   
6. Specialized fields such as Cryptology and Malware Analysis.
   
   
   Of course if you just want to do "pentesting/vuln assessment" in which you rely more on toolsets (for example, Nmap>Nessus>Metasploit) structured around a methodology/framework than you may want to look into one of the PACKT books on Kali or backtrack, get familiar with the tools you will use such as Nmap and Wireshark, and learn basic Networking (a simple CompTIA Networking+ book will be a good enough start). I personally did not go this route nor would I recommend it as it generally shys away from the foundations and seems to me to be settling for becoming comfortable with tools that abstract you from the real "meat" of exploitation and all the things that make NetSec great, fun and challenging in the first place. But everyone is different and it's really more of a personal choice. (By the way, I'm not suggesting this is "lame" or anything, it was just not for me.)
   
   *edited a name out
   
   
   
   
   
   

I mean, the requirements are all spelled out for you in the job description:

KNOWLEDGE, SKILLS, ABILITY(IES):

• Knowledge building out a complete IoT solution stack, identifying gaps with current platform and developing plans to fit those gaps
  
• Knowledge planning and building demo centers for specific vertical solutions
  
• Knowledge develop plans to scale an IoT practice at the City of Dallas as standalone or cross-functional entity
  
• Effective oral and written communication skills
  
• Ability to lead technical conversations with customers to design and execute pilots
  
• Ability to Collaborate internally with relation functions
  
• Ability to develop plans for training
  
• Ability to work directly with business representatives to understand the specific requirements that are driving the need for a solution to be designed; then plan and implement the design activities required.
  
• Ability to develop plans to scale an IoT practice at the City of Dallas as standalone or cross-functional entity.
  
• Ability to lead technical conversations with vendors to establish valuable partnerships.
  
  -----
  
  You need to analyze each of those bullet points and expand on what they mean.
  
  Let's look at the first, and very significant bullet point:
  
  > Knowledge building out a complete IoT solution stack
  
  
• What is IoT?
  
• What are the components of an IoT stack?
  
  It should be noted that else where in the job description, the concept of IoT as a component of Smart Cities is added to the conversation.
  
  
• What is a Smart City?
  
• How is IoT used to create a Smart City?
  
  > identifying gaps with current platform and developing plans to fit those gaps
  
  Gaps in an IoT platform... so some infrastructure and software development systems integration is expected.
  You will need to be comfortable with large scale systems design work.
  
  What is a large scale system, and how does one design one? Perhaps starting with smaller scale first might be a wise path...
  
  -----
  
  Now lets take some of those buzzwords and explore them:
  
  https://www.amazon.com/dp/0393082873
  
  https://www.amazon.com/dp/1498702767
  
  https://www.amazon.com/dp/0262527731
  
  
  
  
  

Oi. Disclaimer: I haven't bought a book in the field in a while, so there might be some new greats that I'm not familiar with. Also, I'm old and have no memory, so I may very well have forgotten some greats. But here is what I can recommend.

I got my start with Koblitz's Course in Number Theory and Cryptography and Schneier's Applied Cryptography. Schneier's is a bit basic, outdated, and erroneous in spots, and the guy is annoying as fuck, but it's still a pretty darned good intro to the field.

If you're strong at math (and computation and complexity theory) then Oded Goldreich's Foundations of Cryptography Volume 1 and Volume 2 are outstanding. If you're not so strong in those areas, you may want to come up to speed with the help of Sipser and Moret first.

Also, if you need to shore up your number theory and algebra, Victor Shoup is the man.

At this point, you ought to have a pretty good base for building on by reading research papers.

One other note, two books that I've not looked at but are written by people I really respect Introduction to Modern Cryptography by Katz and Lindell and Computational Complexity: A Modern Approach by Arora and Barak.

Hope that helps.

I'm not an expert here but I've picked up interest in the last 3 months and have been pouring through a lot of online resources related to Cryptography and coding. Here's some of what I've been working with:

Hacking Secret Cipher with Python: http://inventwithpython.com/hacking/
> Great hands on book teaching you about various types of ciphers, how they work, how to break them. If you don't know much coding, that's still okay for this book, you learn some of the Python basics.

Applied Cryptography
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=sr_1_1?s=books&ie=UTF8&qid=1394549623&sr=1-1&keywords=applied+cryptography
> Great book, essentially a cryptographers bible. I got the latest edition on Ebay for $20 total, nearly brand new, so it's cheaper than Amazon

Online course in Cryptography by Dan Boneh - standford
https://class.coursera.org/crypto-preview/lecture
> I'm halfway through this course and I'm loving it. I would be done by now but I've been busy the past couple of weeks.

That first resource is great and really easy to follow. It'll give a nice foundation for computer cryptography. I was able to get through it in a little over a week.

I have some experience with attacking password hashes and I want to clear a few things up regarding password strength. While I'm by no means an expert, I have actually performed these attacks against passwords I've generated and hashed myself.

It seems like the linked source is mostly talking about how long it takes to brute-force, which is far from the only way to get a password. I did check the expected brute-force times and they are mostly accurate, but they are certainly falling behind. My GTX 1070 is expected to crack all 8-character md5 hashes in about 4.5 days at 16 gigahashes/second compared to the 2015 estimate they used of 11 GH/s. It's no quad-TitanX build, but it's strong enough to illustrate the widening gap.

But I think it's important to understand that real password attacks are much, much more sophisticated than a raw brute-force, and keyspace can be drastically reduced by taking advantage of the flawed ways that people try to "strengthen" their passwords. I'll bold it so it's clear: Number of characters is not an effective assessment of password strength unless they are generated randomly. Let's use some of the passwords from the source as examples. "security1" is an uncommon English word with one number - a common password pattern and an easy dictionary+digit mask attack. "P@ssw0rD", aside from likely being in many top X password wordlists itself since it's a mutation of "password", is a common word with the first and last letters capitalized and has a few very common replacements(a->@ and o->0), and would easily be caught in a dictionary+rule attack. It doesn't matter that your password is 10 characters long when it's a somewhat common 6-character name + a year. Massive real-world password dumps like rockyou also change things significantly and make raw wordlist and wordlist+rule or mask attacks much more effective.

The hashcat wiki has a lot of information about intelligent attacks against password hashes. There is also a great book about it, Hash Crack.

As you mentioned, diceware is one of the best ways to generate a passphrase, with a keyspace of 7776^(number of words), assuming that we know that it's a diceware password. Five words is stronger than most real passwords. Seven to ten words is basically uncrackable with current technology and should stay that way for a few years. Best of all, it's very easy to remember.

	

	

	

> # How does a big company full of smart people miss a revolution?
>
>
>
> The Friendly Orange Glow: The Untold Story of the PLATO System and the Dawn of Cyberculture (Brian Dear 2017; Pantheon) tells a story of business blindness.
>
> The programmers of the powerful CDC mainframe had all of the technical knowledge, and more, of the PC pioneers, but they didn’t want to drop everything and rush to the PC. The business folks behind the mainframe were similarly mentally locked into their well-trodden paths of sales and applications.
>
> The CDC/PLATO folks actually built a modern distributed system, with a microprocessor in every terminal (“desktop PC”) and communications lines back to a server.
>
> > Instead of orange pixels, they were grayish white. The new terminal, called the IST (short for Information Systems Terminal), looked more like an early personal computer. A big, wide, heavy base, with a black grille in front, to which a detached keyboard was connected via a thick cable. On top of the base was a monitor, a special elongated CRT with a square display featuring exactly 512 x 512 black-and-white pixels and, mounted directly over the surface of the CRT’s glass, a reflective, acrylic touch screen with barely visible gold wires crisscrossing across the display. During the nine months of development, the price of CMOS (complementary metal-oxide semiconductor) memory chips had plummeted even further than Hill had anticipated. “According to the really long-haired predictions,” says Hill, “it was going to come down, by six or eight to one, and it came down about ten to one, right when we were doing our development. The result was that we could produce a memory-mapped video terminal, which as far as I know had never been done before, because it was cost-prohibitive.
> >
> > “We produced what in effect was a PC,” says Hill, “in 1975.” When one considers the year this machine was developed, and compare it to what else was available at that time, it is suddenly apparent that CDC had just leapfrogged over the entire microcomputer field. Here is Hill describing his machine: “[ It had an] 8080 microprocessor, it had plugin cards, it had a separate monitor, with a cable going to the main box, it had a separate keyboard, it had plugin modems, plugin memory, plugin communications, and we even had a plugin disk driver, that wasn’t part of the standard stuff, but we had it networked, so it was revolutionary. And our big problem was producing it at low cost. And we did that. That terminal came in with something like a $ 1,300 cost, in the first few terminals. And that was beyond everybody’s belief.” By the time the IST was ready to be sold to consumers, the marketing people had marked up the price to over $ 8,000, says Hill. It was the beginning of a long line of very bad decisions at CDC. Hill believed the terminal should have been sold for $ 100 above cost. “If we’d done that, we would have flooded the market because people knew they could use it for other things. It would take loadable programs— we could load programs down from the mainframe into that terminal.”
>
> Note the last sentence. The system had the same capability as a modern Web browser that may download a Java or JavaScript program from the server.
>
> The author says that CDC had roughly $1 billion in revenue in 1969 ($7 billion in today’s mini-dollars) so it was about one seventh the size of IBM. Management went all-in on computer-delivered education, which meant trying to sell to governments such as the Soviet Union, Iran, and Venezuela. The U.S. government delayed the Soviet sale due to security concerns and then killed it after the invasion of Afghanistan (imagine how many trillions of dollars we could have saved if we had let the Russians support the secular government in Afghanistan and not supported the Mujahideen!). The Iranian deal fell apart due to political instability:
>
> > CERL and CDC created Persian-language support in PLATO as part of the demos, and eventually the Shah’s government agreed to a deal. However, it required that the IST terminals had to be made in Iran (or at least have a decal with “Control Data of Iran” and Persian script on it affixed to the screen bezel). In the end, the Ayatollah Khomeni and the Iranian revolution ended CDC’s hopes in that country. Several of the government ministers, including Prime Minister Amir-Abbas Hoveyda, who had attended the demos back in 1975, were executed. CDC personnel had to evacuate the country, and the company lost a lot of money.
>
> The Venezuela dream didn’t pan out either…
>
> > “Venezuela was more corrupt than Iran, if that was possible…. In South America, the Venezuelans were known as the ‘Iranians of South America’ and not just for their oil reserves. You could get anything you wanted in Caracas— anything. Like many CDC international offices, CDCVEN [the acronym CDC used for its Venezuelan business] had its own guy specializing in local bribery and ours was good.” This was CDC’s fixer for Venezuela, “used for more local practical bribery associated with licenses, permits, getting employees and families out of scrapes, etc.” … “My short version,” Smith once explained in an email, “is the PLATO buy became entangled in Venezuelan politics and did not survive the massive political infighting and jockeying for a bite out of it for all concerned (including two or more of our own guys). I do not believe we lost it because we did not bribe. True there was a corporate public effort to clean up our act (I have seen CDC bribe all over the world— even in places like Germany, supposed to be un-bribable) but HQ never backed off of doing business along those lines (anyway it was very difficult to stop the local CDC folks from making deals HQ did not know about). In a lot of countries it was the only way to do business. When the U.S. government started with pressure on U.S. companies to not bribe they started our downfall in the business world….
>
> Are you a big believer in social impact investing? So was the imperial CEO of CDC:
>
> > Morris tried to explain to [William] Norris the benefits of pursuing business and education markets at the same time— charging more to business customers so they could charge less to education customers— but Norris did not see it this way. “Norris logically could see it that way,” said Morris. “But his concern was, ‘I’m doing this because I want to make a social impact on education. And if you guys go and turn your attention to selling in the business environment, you’re going to start forgetting about education, and start forgetting about our end goal. I want you to concentrate on education. Okay?’ And so based on that, we did concentrate on education, I still think today if we had sold into the business environment we would have been able to fund more of the stuff that was getting the price down and achieving the educational objectives that we were out to achieve.”
> >
> > “Addressing society’s major unmet needs” became Norris’s rallying cry, a remarkably progressive mantra for a tech company in the 1970s and 1980s, and one that the rest of the industry and financial world regarded with befuddlement or derision.
> >
> > In 1984, Randall Rothenberg wrote a profile of Bill Norris and Control Data for Esquire magazine. The article never ran. However, Rothenberg’s recollections of the article’s conclusions shed light on the predicament Norris and CDC were in, particularly with regard to PLATO. “Control Data,” he says, “was an example of what we’d later call industrial policy; its expertise was in seeking government funding for technology projects relating to supercomputing. When the government market for supercomputing for military and economic applications began to dry up (because of, e.g., the advance of minicomputing), CDC, instead of adapting its business model, began to seek new uses within a government welfare structure for its existing supercomputing technology. Using the technology for training, small business development, etc., was a logical extension of this. What CDC could not do was diverge from a model predicated on powerful central control. The whole notion of distributed systems— in computing, in social welfare, in anything else, it seems— was totally foreign to it. So the inapplicability of its technology to the social-welfare aims it was seeking to address was something the company could not work around. Put another way, it had come up with the perfect Great Society solution— twenty years late.”
>
> CDC and PLATO were successful in some markets:
>

> (continues in next comment)

I remember reading this one

I went to the NCSU stacks and grabbed an armful from the psychology section so my memory is fuzzy. The best one had a profile of two people's faces yelling at each other but I can't remember the title.

Other good reads that will roundabout teach the same mechanics:

A classic

A more fun read, but less relevant.

With more entrenched ideas like politics it may be useful to look into books on the mechanics of brainwashing. If you learn how to build a bomb, you learn a lot about diffusing them. You also may learn we're all mildly brainwashed in some innocuous way or another.

And if you're not much of a reader, Chris Voss puts most of these ideas pretty eloquently.

Edit: The ones that look more like textbooks than self help tend to be more useful with the exception of Dale Carnegie.

I wrote a book a little over a year ago to answer exactly these types of questions...
https://www.amazon.com/Hacker-Ethos-Beginners-Ethical-Penetration/dp/1523764368
There is a free preview with 100 pages from one of my early drafts if you want a sneak peek at what you'd be reading...
https://drive.google.com/file/d/0B8JvWS_y2CHqZ2EwWG9pcENjazQ/view

Reading the subreddits is certainly helpful as well. I would definitely recommend building your own lab of vulnerable machines to practice. You can get plenty of these from Vulnhub.com

Of course, you'll need some tutorials, chiefly of which I recommend www.cybrary.it, an excellent site for tutorials on all things security and infosec, including pentesting.
Other books I highly recommend...

• Mastering Metasploit
  
• Mastering Kali Linux for Advanced Penetration Testing
  
• The Web Application Hacker's Handbook
  
• The Hacker's Playbook
  
• The Shellcoder's Handbook
  
• Hacking: The Art of Exploitation
  
  Good luck, OP hat-tip
  

Books that changed the way I look at things, and thus changed my life:

Light by M. John Harrison Helped me understand that my feelings of smallness and impotence were pointless. In the greater scheme of things there is always two things: Someone better-off than you, and Someone worse-off than you. Whining about it helps no one.

Crank by Ellen Hopkins Helped me understand my mother's drug abuse. Not condone it of course, but understand it. Within six months of me reading this book, my Mother actually started to get clean. Maybe she found it in my room or something.

House of Leaves by Mark Z. Danielewski Through this I learned the true power of fiction. This book makes movies look bad. It is the biggest must-read on my list.

Social Engineering: The Art of Human Hacking by CHristopher Hadnagy taught me how better to interpret my actions and the actions of others, and in general made me a more observant person. Barring the manipulative side of things, (which it helps you notice as other people do it or you do subconsciously) it helps you understand social interaction on a deeper level than just words.

A Child's First Book of Virtues by Emily Hunter

I'd have to say that this was one of the single most important books of my childhood. It taught me all the important bits. This book was gifted to me right after I learned to read, and I am quite frankly a better person because of it. It helped form the model by which I judged my own character.

And of course a set of the Encyclopedia Britannica and Compton's interactive encyclopedia.

Buh I like reading.

I do agree they could and have tampered with shipping on things in the past (Countdown to Zero Day ); however, for the NSA (as an example) to target ordinary citizens seems a bit out of focus for what the NSA would want to use resources on. I'm not saying they would not (please excuse the double negative), it seems like a lot of effort for next to zero gain. They would want to target individuals of high interest for sure and have shown in the past to be very specific on how they target them. Again the above mentioned book details how specific the Stuxnet virus was to avoid it from activating on every logic controller or found. I feel the same would be true for certain agency's to target select individuals not an entire group.
Also, if this bothers you then how can you trust VPN encryption at this point? Who can say they have or have not broken that? How can you trust they haven't broken HTTPS encryption? We can "what if" this to death.
For myself, I'm really looking forward to this phone for the lack of a company tracking me. No more Google listening to everything I say within ear shot of my phone. No more Google tracking everywhere I've been all day Watch this.

The NSA cares about national security, you downloading that new album of MP3s with Bit torrent is a matter for other agencies. Why waste the resources?

I imagine that their warehouses will get some in up to two weeks before they ship. There are a few ways to score one early. My favorite method for getting early deliveries from Amazon requires you to spend a little bit more money. Add this, this, this and this to your cart and use your Amazon prime to get overnight shipping.

Now you've got a little reading to do (no big deal for us Kindle lovers though, right? LOL!) Give this a read. On your PC, I guess since you don't have a kindle right now :(. Maybe print it out.

You've still got a few weeks before they hit the warehouses. Give this page a once over. Which one of those is nearby you? Take a drive down to the airport and do a little Kindle-lover pilgrimage! Make some notes about what people are wearing. You'll want to get an outfit like that.

Go back a few more times at different times of day. Get a feel for the flow of the place.

Now we have some more reading to do! Pick up the Kindle edition of this and read it on your PC (you'll get to put it on your new Kindle soon!). (I <3 Calibre's reader for this sort of thing.)

Hold on, someone's at my door. Probably about that slick "free TV from Best Buy" deal I posted a while ago! BRB!

I would recomend you to read Future Crimes by Marc Goodman https://www.amazon.co.uk/Future-Crimes-Digital-Underground-Connected/dp/0552170801?SubscriptionId=AKIAILSHYYTFIVPWUY6Q&tag=duckduckgo-ffab-uk-21&linkCode=xm2&camp=2025&creative=165953&creativeASIN=0552170801 mostly deals with the non existence of electronic security though and how it is and can be exploited

Information and Corporate security is a very big subject, so it kind of depends where you intend to take your story. But you can start by reading the Wikipedia article about InfoSec https://en.wikipedia.org/wiki/Information_security and then see how each area fits into your story and work out from there.

Some realisim in how difficult it can be to track down a hacker, read The Cuckoo's Egg by Clifford Stoll
https://www.amazon.co.uk/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/ref=sr_1_1?s=books&ie=UTF8&qid=1500888747&sr=1-1&keywords=clifford+stoll very different from what you see in the media

IMHO the most interesting area in Information security is Social Engineering, it requires cunning and skill, and sometimes you can't stop admiring the talents and genius of some of these people. Read Social Engineering: The Art of Human Hacking https://www.amazon.co.uk/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_1?s=books&ie=UTF8&qid=1500889212&sr=1-1&keywords=social+engineering+the+art+of+human+hacking

Each year Verizon release their data breach report http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ it is free to download (don't have to register, just click the download only button) I think that is possibly the best insight you can get into corporate security challenges in 2017

Bruce Schneier is Chief Security Technology Officer of British Telecom, one of the world's leading security experts and a very vocal advocate of strong security practices that benefit common people. He's published his crypto-gram newsletter since 1998, which is translated into several different languages, and published several books on the topic, including Applied Cryptography. If anyone is qualified to give testimony to Congress on the subject of technical measures to ensure airport security, it's this man.

I am an avid "people watcher" and notice things other people don't. I often accidently memorize things I would never need to memorize.
(like the license plate from the car in front of mine while driving)

Advice (things I have noticed):

Watch things, see a bird? Watch it. See a group of people? Watch them. It helps to be in a higher place. Have you ever noticed people almost NEVER look up when in the mall? Stands at the edge and look down.
Always, always, always, look around. Never stop looking around. Learn to do it naturally and to pay attention to something or someone while still studying your surroundings.

If you feel wierd watching people, wear headphones or hold a phone. Sounds dumb, I know. But what I have found is if you are wearing noticable headphones or have a phone in your hand. People don't expect or think it's wierd that you are staring in random directions which include theirs. Act like you have a reason to be there.

Remember how tall you are, it can help you find the height of objects or people.

Remember, most of the things you learn in a day will vanish within 20 seconds because of your short term memory and the way your brain sorts what to keep and what not. But that's not the point right now. The more you watch and pay attention. The more you will retain.

Make it a game, it will eventually give you a feeling of having the upper hand on people.


EDIT: If you also want to learn about people, not just details then I suggest you read about Social engineering. One of my personal favorite books is http://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_1?ie=UTF8&qid=1318521071&sr=8-1

The guy that wrote that blog post has a good book called Spam Nation that talks about his deep dive investigation into Russian cybercrime gangs. It's incredibly good, and he's one of the best reporters on the cyber underground.

I'd also look for the coverage of Stuxnet. There's a really good documentary about it called zer0days, and since you specifically asked about books you could do Countdown to Zero though I haven't read it so I don't know how good it is. If you haven't heard about Stuxnet it's a fascinating story about just how advanced US cyber warfare capability is.

For what it's worth, cryptography is famously hard to get right and I would strongly recommend that you use existing crypto software if you are actually trying to secure your computer.

That said, if you're interested in coding and want to learn more about encryption just for fun, you should check out the Matasano Crypto Challenges. They teach you about the fundamentals of cryptography by having you build a bunch of ciphers and then break them.

If you're looking into doing this more professionally, I've been told that Cryptography Engineering and Applied Cryptography are some good resources, though I haven't read them myself.

Unfortunately, most of the university programs lag significantly behind industry. I've interviewed candidates with graduate degrees in cybersecurity that were not aware of most modern techniques used to find persistent adversaries. The good things those programs provide is a broad coverage of information security as a whole.

I saw you mention "finding the vulnerabilities before the bad guys do". Unfortunately, in the real world the code is either unpublished and you're a software security consultant, analyst, or tester, or it is published and you're fixing a hole that the adversary has already discovered. If your interest is in the software security side, I would recommend two books above all others.

The 24 Deadly Sins of Software Security: https://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751?_encoding=UTF8&%2AVersion%2A=1&%2Aentries%2A=0

Writing Secure Code: https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228/ref=sr_1_1?s=books&ie=UTF8&qid=1499038741&sr=1-1&keywords=writing+secure+code

That said, there is also a lot of work in the systems engineering side of the house - along the lines of credential theft and secure enterprise design. If you think this might be interesting to you, I would recommend reading papers such as these:

Microsoft Pass the Hash Whitepaper: https://www.microsoft.com/en-us/download/details.aspx?id=36036

Think Like a Hacker (shameless plug for my book): https://www.amazon.com/Think-Like-Hacker-Sysadmins-Cybersecurity/dp/0692865217/ref=sr_1_sc_1?ie=UTF8&qid=1499038880&sr=8-1-spell

Cybersecurity is typically broken into various subfields, such as reverse engineering, forensics, threat intelligence, and the like - each with its own set of tools and skills. Ultimately, I would recommend attending a decent hacking conference such as DEFCON, DerbyCon, ShmooCon, or the like to get familiar with the field.

Yes and no. A minimal keyspace password is still a problem but I covered that in a previous post. It's up to the engineer and the user to expand on that, not the hash. Or you have to go with lunatic 1s hash stuff which just creates it's own problems as you've pointed out - I believe there's better novel approaches to making sure more entropy is captured from the user.

Quick mention about rainbow tables; The input keyspace of any password is relatively small, which is why rainbow tables on unsalted hashs are the cheapest attack, but once you salt the password, it's impossible to predict where in the expanded hash keyspace the collision will occur, thus the whole keyspace of the hash is relevant.
You'd have to have a rainbow table for every salt (presuming another 1KiB) and for the common keyspace for user passwords. Using xkcd's easy example of 28bits entropy, that's still 8000^28 entries, so (8000^28 )*(10[pw]+1000[key]+1000[salt])bytes aka 3.888 x 10 ^112 bytes - ie. not feasible.

Which brings us back to brute forcing taking longer than the universe is old.

So entropy is the key and bring us back to xkcd... again. Educate users to make better passwords or provide better ways of capturing entropy like patterns, colours, picture (key files) and puzzles.

If you're really into the subject, go read Applied Cryptography. It'll better explain the situation than I! :D


edit: for superscripts going crazy and refocus the point.

check out r/oscp Lots of blogs being posted over there almost on a weekly basis on what people did to get ready for the test and about the test.

> I have just set up simple virtual lab (Metaspolitable + Kali ) so where should I start ?! Is there any curriculum or learning path I need to follow to make my life easier ?!

What is your background when it comes to this stuff?

https://www.jpsecnetworks.com/week-1-oscp-preparation-lab-setup/

You need also learn about Windows exploitation

>Would you recommend specific course where you can get all what you need for OSCP in one place ?!

https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

They already have a course to get you going. If you are totally new to this world, check out CEH, it will hold you hand and at least introduce you to the concepts of pentesting but the cert doesnt mean jack shit unless you are going for a 8750 requirement.

elearning has some basic pentesting courses to get you started and its a lot more hand holding that OSCPs material. However they seem to focus on relying on metasploit a lot more than you are allowed to use

https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2

Well, it mostly depends on what you’re trying to achieve. You definitely do not want to drop tools on the disk of the compromised machine if stealth is the main goal. You would load stuff into memory instead (reflective PE injection, reflective DLL injection (Powersploit toolkit) in case of Windows, /dev/shm in case of linux) and that way leave a minimal footprint for the blue team.


As to what would get picked up, that depends on the configurations. Process injection, process hollowing, outgoing connections, etc. can all be detected with the right (YARA) rules. Your best bet would be to use non-standard protocols such as DNS (look up dnscat2), ICMP and use the compromised host as sort of a pivot. Sending tool traffic through it instead of installing the needed tools on it.


Here are two writeups from the real world:

https://www.exploit-db.com/papers/41915

https://packetstormsecurity.com/files/155392/HackBack-A-DIY-Guide-To-Rob-Banks.html


Here are some other resources you may like (including DA compromise):

https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa

https://youtu.be/dKUS26BlKlc

https://youtu.be/q7DfaaUHXYE

https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2


PS: I do not condone malpractice. Provided links are purely educational... Also sorry for the formatting, on mobile. Feel free to DM with more questions, this is a wide topic.

Schneier's Applied Cryptography can be difficult to get through, but it is a really good book to spot read / keep as a reference.

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099

I'd also start reading blogs to get into the security mindset. Schneier on Security, Krebs, the podcasts that have been mentioned by other posts. They often have really good archives, too.

I made a similar jump, IT to Security Analyst.

I spun up a home lab in vmware with Kali, metasploitable, splunk, pfsense and security onion (for snorby).

I read a couple books:

Network Intrusion Detection:

https://www.amazon.com/gp/aw/d/0735712654

Applied Cryptography:

https://www.amazon.com/gp/aw/d/0471117099

Between this and diving into security centered news sites I went from 0 to (what felt like 60) in about 3 months. I was picked up as a security analyst for a pretty solid tech company.

The ever-excellent Khan Academy has produced a very nice and short series of videos explaining how cryptography works. Anyone who understands basic high school arithmetic can follow this. If you have ever been interested in the science of codes, ciphers, breaking them, etc. this is worth a look:

http://www.khanacademy.org/science/brit-cruise/cryptography

More in-depth treatments of cryptography can be found here:

https://www.coursera.org/course/crypto

and here:

http://www.youtube.com/playlist?list=PL71FE85723FD414D7&feature=plcp

And for the truly hard-core some of best books on crypto are:

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Edition/dp/0471117099/ref=sr_1_1?s=books&ie=UTF8&qid=1340524661&sr=1-1&keywords=applied+cryptography

and

http://www.amazon.com/Practical-Cryptography-Niels-Ferguson/dp/0471223573/ref=sr_1_1?s=books&ie=UTF8&qid=1340524712&sr=1-1&keywords=practical+cryptography

and

http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/ref=sr_1_2?s=books&ie=UTF8&qid=1340524751&sr=1-2&keywords=practical+cryptography

Super helpful! Thanks for the response. Might be dumb but what does CEH stand for? I'll avoid it as it sounds like I should.

I bought this book and this book I'll do all the excercises in them.

What are the CTF's you mention?

Thanks again though, very helpful.

I don't have anything like that to recommend but if you are interested in more reading (especially non-fiction) take a look at the ones below.

Red Wheelbarrow Journal

I also really enjoyed the following:

The Innovators: How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency

Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

​

From there, I went on to various sysadmin books (non-fiction) and a few journal articles.

Oh jeez.

I actually kinda want to revisit that DDoS episode for a couple reasons. Not to least, my friend Molly, who helped with that ep, just released her book on the subject which is AMAZING. If you're looking for some reading, highly recommended.

Pairs well with another colleague's book about Anonymous that just came out, if you need new reading times two.

Interesting analysis. I have been thinking the same lately, while reading Biella Coleman's recent book on Anonymous. She is quite sympathetic to anon culture, as am I, despite its toxic elements. The interesting question is how the consensus seemed to drift in a weird, conservative way around GG, when in the past it supported more progressive causes (Steubenville, etc.). Are these just different subgroups within anon, have people drifted (eg. weev revealing himself to be a plain old unironic racist), have some boards always been this fucked, what's the story?

Depending on exactly what part of the automotive computing field you want to get involved in you may be better off with Computer Science (machine vision, deep learning, etc), Computer Engineering (sensor design, bus interfaces, etc) or Electrical Engineering (analog design, signal integrity, etc). A great book to get started is The Car Hackers Handbook https://www.amazon.com/dp/1593277032/

Yes.

Hacking Exposed

Shellcoders Handbook

Reverse Engineering

Malware Analyst's Cookbook

Gray Hat Python

Gray Hat Hacking Second Edition

Writing Security Tools & Exploits

Sockets, Shellcode, Porting and Coding: Reverese Engineering Exploits and Tool Coding for Security Professionals

Professional Penetration Testing

These are definitely some books you could start with. Once you've gone through those, you'll know more then a lot of them out there :)

There's these reddit threads on r/netsec:
http://www.reddit.com/r/netsec/comments/d3hua/how_to_get_started_in_netsec/
http://www.reddit.com/r/netsec/comments/ekyjw/interested_in_learning_about_network_security/

http://www.reddit.com/r/netsec/comments/es4si/what_are_some_good_netsec_books_out_there/
http://www.reddit.com/r/netsec/comments/g6r71/getting_started_in_network_security_a_list_of/

There's also loads of blogs and websites around, if you go hunting or look at some of these netsec threads, you'll find loads more material.

> Suppose the voting machine stores...

No, this isn't how cryptography is used for voting (or can be used) as far as I recall. Recommended read: https://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099 :) I haven't taken much interest into secure voting apart from what I have read in this excellent book. I think it's a great starting point for any serious thinking about this topic.

I suck at explaining myself. For example, the second serial number I mentioned isn't for YOU and is not meant to prove anything but act as a "fake" (but verifiable) one you can present to blackmailer. I failed to explain even that properly.

As a side note, you make many assumptions about the voting process. For example, where I live you cannot get a duplicate voting card because this means messing with results easier so a photo would indeed be a proof etc. This is a detail though because I think you have much stricter expectations of a cryptographic system than you have of a physical one as if the latter couldn't be tampered with (they are!).

I think I'm not qualified for this discussion simply because cryptography isn't my specialization, esp. in this context. But thank you so much for sharing your thoughts.

A lot depends on the school and the program- some are operations focused, others are management focused. What school are you going to? It sounds like you're pretty well ahead already, so I wouldn't worry too much, especially as you will be reading a lot for school, but if I had to give you one book, I'd go with the Hacker's Playbook https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2. Its a far better book that the for dummies series.

This does not make sense to me.

> The Public keys will be base 36 numbers ranging from 00000 (0) to ZZZZZ (60,466,176).

As nsa_at_home points out, the key representation normally has nothing to do with the actual key. Cryptographers will represent things in binary as a convenient standard; you'd say "I want a key with at least 23.5 bits of entropy", say. It's very, very easy to represent a key with N bits of entropy in any form you want, which sounds to be your goal; in this case, you'd take a number in base 2 and just convert it to a number in base 36.

For most purposes, your keyspace is not large enough. Say encryption has a cost of N. That means that brute-forcing your entire keyspace only costs about 60 million times that much. If you want a signing operation to be reasonable on a computer, you probably can't blow more than, oh, say, let's say a second on it for most applications that I can think of. If I'm willing to brute force for a day, I've already covered 1/700th of the keyspace. If I get 700 computers, I've broken your encryption.

Your key has ~25.8 bits of entropy. ln(36\^5)/ln(2). A typical RSA pubkey in practical use today might have a key length of 2048 bits, to give you an idea of what you might want to shoot for.

> The Private Keys need to be originally derived from the public keys mathematically (or Vice Versa)

This makes no sense. The point of public/private key encryption is that the person who has the public key cannot derive the private key; this property means that you can give out the public key without needing to worry about anyone using the public key being able to decode messages others have encoded and sent to use using the public key.

If you don't care about this property, you would be using symmetric encryption, not pub/privkey encryption.

> The Private Keys need to be completely different yet within the same number range (0 - 60466176) without being guessable (ex: very complicated and possibly irreversible).

Now I'm really lost. A key isn't "reversible"; a process is. You can't run a key backwards; it's just a number.

The only other pieces of information out there that it might be deducible from would be the pubkey (and you've already specified that you want the privkey to be derivable from the pubkey, which doesn't make sense either, so that's already reversible) and a known-plaintext attack on the ciphertext (and as I point out above, for most practical uses, your mandated key length is so short that it probably is derivable from the ciphertext for most practical applications).

• If you want a practical solution here, you don't want to invent a new pubkey system. That is incredibly difficult; it's taken years and many many people hammering on various crypto systems (and breaking some of them) to get us to where we are now. You want to build something with existing pubkey systems. You might want to explain what your practical goals are, because the requirements of the thing specified just don't make sense for any real-world system.
  
  
• If you want to learn about crypto, and want to do a pubkey system as a form of practice, you are probably going to be better off reading your way through existing material than trying to learn by doing things from scratch. Honestly. I'd recommend reading and comfortably understanding Applied Cryptography to at least have a reasonable understanding of the issues that you're going to deal with. I have not read it, but I know enough people who do know what they're talking about who recommend it that it'd be my go-to recommendation. I think that you may be dramatically underestimating the scope of work that goes into developing basic crypto tools like pubkey systems.

Wow. I just got done reading Countdown to Zero Day (arguable a major source document for that movie) and I never got the sense that anyone involved wore a cape. Additionally the book goes into details about several 'versions' of stux that seemingly were developed by several different teams. Quite a good book if you are interested and my local library had it.

Thank you all for your responses! I have compiled a list of books mentioned by at least three different people below. Since some books have abbreviations (SICP) or colloquial names (Dragon Book), not to mention the occasional omission of a starting "a" or "the" this was done by hand and as a result it may contain errors.

edit: This list is now books mentioned by at least three people (was two) and contains posts up to icepack's.

edit: Updated with links to Amazon.com. These are not affiliate - Amazon was picked because they provide the most uniform way to compare books.

edit: Updated up to redline6561

• 14 The C Programming Language
  
• 11 Structure and Interpretation of Computer Programs
  
• 8 Introduction to Algorithms
  
• 7 Compilers: Principles, Techniques and Tools
  
• 6 Programming Erlang
  
• 5 The Mythical Man-Month
  
• 5 The Pragmatic Programmer
  
• 5 Applied Cryptography
  
• 4 Beautiful Code
  
• 4 The Little Schemer
  
• 4 Programming Perl
  
• 3 Types and Programming Languages
  
• 3 Gödel, Escher, Bach
  
• 3 OpenGL Programming Guide
  
• 3 Code Complete
  
• 3 Artificial Intelligence: A Modern Approach
  
• 3 Programming Pearls
  
• 3 ANSI Common Lisp
  
• 3 A Brief History of Time
  
• 3 Agile Web Development with Rails
  
• 3 Concrete Mathematics: A Foundation for Computer Science
  
• 3 Modern Operating Systems
  
• 3 Paradigms of Artificial Intelligence Programming
  
• 3 Operating System Design and Implementation
  
  

> If not then even if he had voted for it he does not have the capability to make it happen so why vote for him?

"An MP won't accomplish anything anyway" is an argument against representative democracy as a whole. Interestingly, we still have it.

> If you don't trust this guy that he is going to be honest about how and why he is voting then why vote for him in the first place.

Then we could scrap the police and the judiciary for the same reasons. Why do we keep checking on people if we trust them, and if we don't trust them why don't we lock them up just to be sure? And why do people get hired for jobs who get later fired for incompetence? You shouldn't have hired them in the first place, right? Well, I'm not sure that's how it works in the real world...

> You have like an excel sheet you fill in to track how your representative are doing?

"An Excel sheet?" Why would you use something so inadequate? Do we live in the 19th century or what? There's a much larger picture there...

There is a book that just recently came out, titled Social Engineering that is very in depth. The author also has a website and podcast. I liked the book, and the pod casts are pretty neat. The only thing w/ the pod casts is that they are a little heavy on the chit-chat, a little light on the information.

1. The book: Download,Amazon
   
2. The Website/Podcast

Ok, it's good a question. I loved cryptography learned bitcoin. But i recommended this book!
And if you suck at math i recommended write a code with existing crypto-libs (on python,go,cpp etc....)

A guy I work with teaches ethical hacking courses, advises a college cybersecurity club, and maintains an ethical hacking lab. These are all things he's been getting into lately.

Lockpicking set

Or

The Car Hacker's Handbook

+

USB2CAN

+

DB9 to OBDII cable

Or

Tiny quadcopter (upgradeable, has a camera for use with monitors or video goggles to give you a first-person view, fantastic if you have a cat)

+

Transmitter

Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier. Bruce Schneier is basically the Chuck Norris of Information Assurance. The book is old and many of the technical details about cryptography are out of date, but it's still probably the best introduction to the subject.

If you found this interesting, check out the book The Perfect Weapon by David E. Sanger.

Stuxnet, Russia's Internet Research Agency, Chinese corporate espionage, ISIS social media campaigns... it's all there.. and it's VERY interesting.

https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196

I highly recommend this book, you guys will love this one!

If you "didn't mean Reddit.com" you shouldn't have said "a site like Reddit".

Anyway, no, what we have isn't "secure," but it at least (most places) has a paper trail. Any sort of internet voting system, however, would be less - far less - secure and far more gameable. No system running over the internet can be secure - at least, none that you can then give access to, well, everybody.

See Bruce Schneier's website - the man who literally wrote the book on cryptography.

The Guy Fawkes masks started not long after V for Vendetta (2005) which coincidentally is around the scientology thing.

If you are interested in the history of anonymous, this is a good book about it.

And it is just not true that interest ever dropped. There were constant stories about them in the mainstream media. Some bigger than others but there has never been a time in the last 30 years that "Scientology wasn't really something people cared about. It was a silly religion made by a sci-fi writer so movie stars could feel smart."

Stories about Scientology sell magazines so they have never really gone away.

You're correct. And they do a great podcast, as well as Chris' book: http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539

Here's a quick primer for the chemistry of baking.

For a lot more (and a generally fun read), I can recommend this book.

https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/

This book is an amazing read and gives a hugely comprehensive picture of everything: https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196

https://www.wired.com/2013/06/general-keith-alexander-cyberwar/

Shit yea. Peep The Art Of Human Hacking by Hadnagy - it's incredible. Goes into the science behind human interaction.

Now, keep in mind that I'm not suggesting you manipulate people to do your bidding, although that can be done using these same techniques. With great power comes great responsibility!

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

By David Sanger, national security correspondent and a senior writer for the New York Times.

(Okay, at this point, I'm really just suggesting books on my to-read list, but I did hear the guy speak and he had some pretty good anecdotes.)

I liked Applied Cryptography by Bruce Schneier. Easy read.

Link

This one is free:

http://www.fak.dk/en/publications/Pages/publication.aspx?pageid=559

And

https://www.amazon.com/Hacking-Human-Ian-Mann/dp/0566087731

And this is probably one of the more well known ones:

https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

Also anything written by Kevin Mitnick

*adds a bunch of stuff to reading list* Thanks very much. Yeah, "brand new area" jumped out at me too.

I'll add: Gabriella Coleman. Upcoming book, website.

Applied Cryptography is considered one of the best introductions.

Oh Bruce, how I love thee.

Two great pieces on Operation Olympic Games AKA Stuxnet

Book: Countdown to Zero Day

Documentary: Zero Days

One of the "bibles":
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=sr_1_1?ie=UTF8&s=books&qid=1256702627&sr=1-1

I read a bit of it, some great insights.

Here is a great book that can answer a lot of your questions and give you some insight on what you can expect with various certification and paths.
http://www.amazon.com/gp/product/1597490113/ref=oh_details_o01_s00_i01?ie=UTF8&psc=1

This is way more than you need but it is an interesting read (that you can skim by chapter if you want to). http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539


Audio info http://www.social-engineer.org/podcast/episode-020-rapid-rapport-for-social-engineers/


Infographic. http://www.socialengineeringblogs.com/category/rapport/

chris hadnagy has a good book http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539/

kevin mitnick also has one "the art of deception"

hopefully my book will come out soon too :-)

I want to help, but because of lack of time, i will give you an incomplete answer

I have recently written an MSc thesis related to Social Engineering, where i had to review a number of books / papers / articles. One starting point for you would be to start by looking at the reference section of the thesis [here] (http://pure.ltu.se/portal/en/studentthesis/social-engineering-and-influence\(0d61b8aa-30ad-4cb0-9039-e04832f250a7\).html).

In general, anything from Kevin Mitnick is a good start, together with Chris Hadnagy's book

If you are to read only one book, start with Carnegie's book.

If you need more information information, let me know

A great video to start... and the relevant book.. This will serve as an excellent resource for now and future developers interfacing with vehicles.

Making up a persona and using articles to improve your search rank =/= social engineering, which has to do with hacking. They aren't even remotely similar. Again, you clearly have no idea what it means.
http://searchsecurity.techtarget.com/definition/social-engineering
http://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

Some dank af infosec books:

Malware Data Science: https://nostarch.com/malwaredatascience

Real World Bug Hunting: https://nostarch.com/bughunting

Penetration Testing: https://nostarch.com/pentesting

Black Hat Python: https://nostarch.com/blackhatpython

Social Engineering: The art of human hacking https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

Linux System Security: https://www.amazon.com/Linux-System-Security-Administrators-Source/dp/0130158070

Advanced Penetration Testing: https://www.amazon.com/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689

That book is probably what you want. It looks like it focuses more on math and how it applies to cryptography rather than on crypto algorithms and how they work, pros/cons, etc. It was also used in this math class at Berkeley (lots of extra reading material on that page too).

Again, I think the book you found is what you want. But here are some other options if you want some:

• You may like A Course in Number Theory and Cryptography. A bit old, but still relevant.
  
  
• Intro to Modern Cryptography is what is used at my university and various others for an undergrad crypto course. Pretty rigorous.
  
  
• I doubt you'll want this, but Applied Cryptography is the seminal text on the subject. Most anything you could want to know about crypto is going to be in here (though it could use an update).
  
  

I enjoyed this: Social Engineering: The Art of Human Hacking.

Hacking: The art of exploitation

The Web Application Hackers Handbook

The Tangled Web: A Guide To Securing modern Web Applications

The Hacker Playbook 2

The Hacker playbook 3

Black Hat Python: Python Programming for Hackers and Pentesters

It's totally a thing and it's one of my favorite parts of my job - but it can get really dark too when we do phishing/open source intelligence gathering :/

If you want to support the author, Amazon Link

"Hacker, Hoaxer, Whistleblower, Spy" sobre Anonymous. Estaba muy interesante por que, uno, describe lo que ha pasado los últimos 6 años en cuanto a seguridad en línea desde la perspectiva de Anonymous, y dos, por que me tocó vivir muchos de esos momentos en línea y en la vida real con lo de Cientología, Wikileaks, Occupy, etc. 10/10 recomendaría.
Antes de eso: "Social Physics". Dice que podemos usar "big data" para monitorear las interacciones de las personas para tomar mejores decisiones sobre como organizar nuestras empresas, organizaciones, y ciudades. Tipo chido, pero lo que argumenta sobre big data según yo puede exacerbar la desigualdad en poder que ya existe entre los "pudientes/1%/corporaciones" y el resto de la "gente común y corriente". También está el peligro de que los algoritmos que usamos para tomar decisiones no tomen en cuenta muchos factores importantes que igual pueden empeorar la disparidad económica y racial que ya existe. Pero tiene ideas muy interesantes. 8/10 léanlo si le entran a este tipo de cosas.
Siguiente: Capital in the Twenty-First Century. Trata sobre la desigualdad que existe y se ha creado con nuestro sistema económico actual. Viene muy recomendado.

Applied Cryptography might be useful to you.

http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539

This one is a good start.

Social-Engineer.org and the book are good starting points.

Chris Hadnagy's Art of Hunam Hacking is a good read. Its on audible too.

>*Learn social engineering, somehow.
http://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

It just came out couple days ago. Publisher's release date is today infact. For that reason I havent read it and cant say if it's good or not.

Countdown to Zero Day by Kim Zetter is a good read (amazon)

Where Ghost in the Wires is more a story book filled with great tales of hacking and phreaking, Social Engineering: The Art of Human Hacking is more a HowTo book for SE.

All the credit goes to Applied Cryptography

Always being keen in these areas, a book of social engineering.
http://www.amazon.com/dp/0470639539
Found it in a goodwill for a dollar.

It's like on the cover of this book

http://amzn.com/0470639539

> In what way is that a HACK on our election?

Social engineering is an accepted form of hacking. Proof

Get a copy of Bruce Scheier's Applied Cryptography, there is plenty of stuff in there that's accessable even without a strict mathematical background. Most (if not all) of the algorithms in the book are explained with an example setup using Alice and Bob (and other characters) to explain the steps of the algorithms.

It also has extensive chapters on modern stream- og blockcifers, which may be somewhat harder to dig into as a novice.

Note that it does not comtain any material on the Advanced Encryption Standard (AES), since it was written before that was adopted.

https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196 has been recommended to me by multiple people. I have yet to read it myself though

You might like, Social Engineering: The Art of Human Hacking. Its actually happend and he uses a combination of computer and human hacking to achive his goals. Its not one long story but multible storys.

He has many more books on the subject.

http://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

Just finished a book on stuxnet and I find it absolutely fascinating. Haven't watched the documentary yet, but if anyone is looking for more information, check out this book. It's written so anyone can understand it without any prior knowledge of computer viruses or nuclear power. I can't recommend it enough.

Two books on social engineering I can recommend:

Social Engineering: The Art of Human Hacking
http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539/ref=sr_1_1?ie=UTF8&qid=1333753273&sr=8-1

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing
http://www.amazon.com/No-Tech-Hacking-Engineering-Dumpster/dp/1597492159/ref=sr_1_4?ie=UTF8&qid=1333753273&sr=8-4

Applied Cryptology is the text you want.

"The Art of Human Hacking" :
https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

Social Engineering: The Art of Human Hacking

Here are some links for the product in the above comment for different countries:

Link: Social Engineering

• UK: amazon.co.uk
  
• Spain: amazon.es
  
• France: amazon.fr
  
• Germany: amazon.de
  
• Japan: amazon.co.jp
  
• Canada: amazon.ca
  
• Italy: amazon.it
  
  
  This bot is currently in testing so let me know what you think by voting (or commenting).

Not a pdf but.... http://www.amazon.com/Social-Engineering-The-Human-Hacking/dp/0470639539

Cough...


Actually, maybe that's why my relationships max out at two years.

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099

https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

Would you call it... A friendly orange glow ?

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099

1. This
   
2. 2b2t.org@gmail.com

You Need,

http://www.amazon.in/Social-Engineering-Art-Human-Hacking/dp/0470639539/

Last time an unprecedented worldwide hack occurred the person involved wrote a book about it. Verifiable conformation isn't much to ask for here, especially when America's made up stuff before.

Just wait until people figure out what hackers can do with neuro-linguistic programing.

It is covered briefly in this book, but this is just the tip of the iceberg. https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

Social Engineering: The Art of Human Hacking

this should keep you busy for awhile.

buy this:

http://www.amazon.com/Professional-Penetration-Testing-Creating-Learning/dp/1597494259/ref=la_B002WK0OS4_1_5?s=books&ie=UTF8&qid=1420278723&sr=1-5

These should get you strated:



What Every BODY is Saying Amazon link.

The Definitive Book of Body Language Amazon link


Whit focus on social engineering:



Social Engineering: The Art of Human Hacking Amazon link



If money is an issue you can find all of these books on pirate bay.



These books are not read-once-and-become-expert, like with any skill it takes time and practice.

Why not Social Engineering by Chris Hadnagy? This book has a lot of really interesting and dangerous insights into manipulative psychological techniques.

Just read chapters on elicitation, pretexting, psychology and related stuff, side away technical information.

https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196

Read that book if you want a real life James Bond type story. It details the work done to bypass airgapped machines and sabotage uranium centrifuges. Seriously good book!

I will use these two weapons.

This and this.

In most public hacks the vector of attack was a human being tricked into clicking a phishing link (Podesta), or being manipulated into thinking they were a justice warrior (Snowden).

Which major hack was purely technical?

https://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539

attacking infrastructure not connected to the internet is absolutely possible.

https://en.wikipedia.org/wiki/Stuxnet

if books are more your style:

https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196

make sure this is legally waterproof. i've read in Social Engineering that there was prosecution of hired security experts that performed a certain penetration test on their clients servers, because it's still a criminal offence to do so.

Similar killings happened in Iran when Stuxnet and its variants were wrecking the enrichment centrifuges.

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.by Kim Zetter is a great whodunnit exploring the failures of the centrifuges.

I don't think you will find a book on a global financial crisis as devastating as Mr.Robot from a hack, but you can find books such as "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon" that deal with real world scenarios that can turn cyber weapons into real world problems portrayed in Mr.Robot
https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196