loading...

I'm a security auditor and researcher, Ask Me Anything!

terceranexus6 profile image Paula ・2 min read

My name is Paula, I've been here for a while now, but I haven't done this "ask me anything" thing yet, and felt like doing it now.

I'm 22 years old spanish security auditor, and I'm studying computer engineering. I've also studied a course of investigative journalism too, as I'm researching about internet censorship around the world, my main interest and investigation. I've co-founded a privacy and security awareness association in Spain called Interferencias, and I'm very happy to see a lot of people is getting involved in it.

I've worked in many tech related things by now, as I'm also into systems and hardware. I've been systems analyst, robotics teacher in Switzerland, Arduino monitor in an University Campus for girls into tech, and security auditor in a couple of companies. I spend most of my time researching, writing and learning, I give security speeches in different cities, mostly in my country, Spain, but I'm going to Vienna this week for the same reason.

I'm very into open source, and I work only with Linux, my main working condition. I use Debian Jessie and Tails, for the curious.

I'm currently trying to organize a python girls club for local female developers, and there already some girls interested. Our github is here.

I'm also learning about IPFS as distributed ledger is one of my favorite tech topics when related to security.

I try to keep a weekly publishing in DEV under the name of Security Sprint, even tho these last two weeks have been difficult for me to keep up.

I'd love to answer any security, censorship or whatever related question you have, as well as meeting other DEV users interested in these topics. Please feel free to ask my anything.

Discussion

pic
Editor guide
Collapse
nabbisen profile image
Heddi Nabbisen

Hi, Paula.
I'm very interested in what you specialize with passion: security, journalism and community formation.
Your challenge to organize a python girls club sounds great to me.

I have a question:

  • In order to improve yourself, what kind of daily or habitual routines do you have? For example, getting rss of some news. I want to use it as a reference when studying about security, especially designing secure architecture/network for myself.

I'd appreciate if you gave me your answer at your free time : )

Collapse
shostarsson profile image
Rémi Lavedrine

Hi Heddi,
I would recommend to follow sec people on Twitter, register to a Bug Bounty program and read about the public disclosures described on the Bug Bounty site (hackerone is the most famous in my opinion).
And last but not least, practice some CTF/Capture The Flag to enhance your knowledge about security in general.
Youtube and other services can teach you a lot as well.

Collapse
nabbisen profile image
Heddi Nabbisen

Hi Rémi.
I really appreciate your specific and useful advice.
Yes, I'll register hackerone and also practice CTF trainings!!
Although I haven't known how to make the best use of them yet, I have taken Twitter/Youtube as useful tools in order to improve myself on both studying tech and reading/listening to English.
Merci beaucoup : )

Collapse
terceranexus6 profile image
Paula Ask Me Anything

Hello! thank you for your kind words. I'm very used to check news in different Telegram groups and channels about security, either Spanish and International. I like to also over read eff.org news and blog, as I think they do a great work regarding digital rights. I have to keep an schedule in order to remember all my stuff, but I have it in paper, as using the computer makes me go faster (read faster, answer faster, act faster) and in order to organize myself, is okay to go slower, and force myself to think twice, this works the same in security. I'm studying a Linux Foundation course about networking, and I keep paper notes, too. I'd check on EDX and other university open education websites for helping yourself organize your aimed specialization, there's where I'm coursing the Linux Foundation certificate. I'm kind of a chaos in the rest of my life, but I hope to have answered your question, in a general way!

Collapse
nabbisen profile image
Heddi Nabbisen

Hello. Thank you for your careful reply. Yes, you have answered my question.
Using paper is so impressive and interesting! The idea "is okay to go slower" to "organize myself" didn't exist in my mind. I'll try to make the habit to "think twice" also mine : )
Also, I'll check news and blogs such as Telegram's/eff.org's, courses such as Linux Foundation's and education websites such as EDX's.
Muchas gracias.
Welp, a chaos is a part of my life, too. Haha.

Collapse
ondrejs profile image
Ondrej

I see you bio, and I have to admit that we have same interests. I do information security training for few investigative journalists but it does not earn me any money, so I have to do SW development (mainly in Kotlin) for living.
My question is do you earn enough (in infosec field) to focus only on those issues? Or have you some other job?
Also I understand the importance of anonymity in some cases, but do you think that TAILS is really way to go? IMHO it has extremely high threat model, I would rather to suggest solution like this one .
Thanks for what you do though, you focus on right issues and we need more people in this field!

Collapse
terceranexus6 profile image
Paula Ask Me Anything

Hello Ondrej, thank you for your answer!

I'm happy to meet other DEV user interested in security. Regarding your question, yes, I can manage to earn fairly enough for a living working exclusively in security, I'm currently switching the company I work for, but yes I do.

I think Tails is interesting in some cases, such as outside home, when you don't have your laptop available at the moment or something, like a lifesaver. The option you suggest is better for home setup, of course! and thanks for sharing btw, the repository is interesting.

Thank you!

Collapse
ondrejs profile image
Ondrej

I would highly recommend to go through other Shawn's repositories and articles - they are very interesting, especially if you are interested about Tor. It is *BSD focused though, but you can do almost same things on Linux.

Collapse
ondrejs profile image
Ondrej

Ah, I forgot second question - if you use Debian, do you use Testing (Unstable) version? If yes, do you patch your kernel with grsecurity patches? I have tried in in the past but it was nightmare in terms of maintenance and some binaries did not even work.
Don't you think that CentOS (which has SELinux by default) would be safer in case if you don't use kernel hardening patches? Thanks!

Collapse
ben profile image
Ben Halpern

How have your thoughts on security changed in the past ~3-4 years, since you were a teenager.

Collapse
terceranexus6 profile image
Paula Ask Me Anything

Quite a lot. I used to think in security as movies pictured it, and never imagined the kind of work (like, seriously, not Hollywood-like depicted) that was behind our daily life security. Also realized the importance it has in every technology area.

Collapse
derek profile image
derek

Hi Paula! Thanks for doing this and willing to share your knowledge. ¡Muchas gracias!

I was curious of your recommendations in personal privacy? Specifically your personal workflow in which you ensure your own privacy?

  • How do you have your tails set up?
  • Daily drivers for web browsing? brave vs firefox/iceweasel vs opera or do you just use tor?
  • Trusty VPN service(s)?
  • Preferred chat apps: signal, keybase, etc?
  • Password management? 1password or perhaps a physical key for passwords?

Or anything in general your willing to share to ensure or enhance privacy?

Collapse
terceranexus6 profile image
Paula Ask Me Anything

Hey! thank you!

How do you have your tails set up?
with extra memory that can be accessed from one time to another using a passphrase... but everything else as default, for now!

Daily drivers for web browsing? brave vs firefox/iceweasel vs opera or do you just use tor?
FIrefox with duckduckgo, https everywhere, privacy badger, mailvelope and metamask. Sometimes I use tor, too.

Trusty VPN service(s)?
I aim to build my own using rpi!

Preferred chat apps: signal, keybase, etc?
I jave signal but what I use the most (with family and friends) is actually Telegram.

Password management? 1password or perhaps a physical key for passwords?
I actually have a memory methodology to remember them all, but in case I forget, I store some of them using keepassX. I'd like to have a physical key, tho. I have something similar, too, for a couple of passwords, but that's a secret ;) no, it's not a post-it, don't you worry.

Oh well! you should take a look at security in a box, it's pretty usefull for daily privacy management. Also the eff privacy area could be interesting!

Collapse
derek profile image
derek

Cool! Awesome reply, thank you for sharing 🙏🏽🎉!

That 🍓🥧vpn project sounds like a lot of fun. I'll definitely be on the look out for your post sharing that experience 😉

Collapse
jackharner profile image
Jack Harner 🚀

I know that cyber security is a massive field that takes years to master. Do you have any suggestions of things people can do today to boost application/website/server security?

Collapse
shostarsson profile image
Rémi Lavedrine

Hi Jack,
I am a security engineer as well.
I would recommend to start with reading the OWASP Top Ten and figure out if your app, service, etc... follow the very basic rules described there.
I see very often that developers don't know/care enough about security and release really unsecure piece of software that could be way more challenging for "BlackHat Hackers" and so remove all the "basic" flaws that you can encounter.

Collapse
terceranexus6 profile image
Paula Ask Me Anything

and yes!! those are top!

Collapse
terceranexus6 profile image
Paula Ask Me Anything

If you mean to start studying, I would go reading a lot, learning programming, playing capture the flags, joining sec communities and going to events...

But if you mean, as another kind of specialist (such as a dev or something) it depends on your role. If you are in charge of a project and are resourceful, I would hire an actual professional, an auditor, to perform the required tests. There are many automatized tools that can gives you a general idea of your security status, but for a real protection, a professional is needed. If you are a developer, your responsibility is to perform a clean understandable code, and acknowledge the latest vulnerabilities in the tools you choose to use. Most of the security issues in web apps are due to irresponsible use of versions. There's an interesting katacoda course about security in containers that could be used in such situation.

Hope to have cleared your mind about this topic!

Collapse
trueneu profile image
Pavel Gurkov

Hey Paula. Say I have fair amount of high-level programming experience, moderate experience with C, moderate understanding of how OS works in general, and call pull off a simple ROP attack. Wanna be one of those people that discover Spectre/Meltdown/SSL Heartblead/Dirty COW. Where would you suggest to start?

Collapse
shostarsson profile image
Rémi Lavedrine

Hi Pavel,
The Meltdown/Spectre vulnerability are a pretty hard to find vulnerability.
If you really want to find one of that kind one day, I should say, start with a Phd in CyberSecurity targeted on hardware and then get to work into a security lab.
Cheers

Collapse
trueneu profile image
Pavel Gurkov

Hey, thanks. That’s the answer I expected.

Collapse
terceranexus6 profile image
Paula Ask Me Anything

As you already have a solid programming base and general understanding, I would suggest you to focus your efforts in joining online communities to be updated. Some people think security is kind of a lone-wolf job, nothing further than reality. Keeping the right news, communities and tech-pals around you is important. I'm mostly in Spanish communities, but there are tons around the world.

I would experiment, too. Either trying online capture the flag, or building your own laboratories. Take a close look to OWASP wiki.

I think you are aiming to be a zero-day hunter. For that, I think reading and learning about older vulnerabilities could guide you into what kind of vulnerabilities appear in new versions of different applications and OS. Good luck with it!

Collapse
eli profile image
Eli Bierman

Hi Paula! I love your security and digital privacy posts on this site. Thanks for sharing your knowledge and passion.

I've found that talking to people (particularly in the US) about digital rights, they have a hard time connecting the individual impacts ("but I don't care who knows my internet history!") with the broader societal impacts (censorship, election influencing, automated discrimination, etc.). Do you have any tips on how to convince people that they should care about digital rights not only for themselves but also for the future of society? Thanks!

Collapse
terceranexus6 profile image
Paula Ask Me Anything

hey thanks for your nice words. I have to face those kind of comments a lot, due to my interests. I use to start saying the same thing Edward Snowden once said: "saying you don't care about privacy because you have nothing to hide is the same as saying you don't care about freedom of speech because you don't have anything to say". It's a matter of empathy, to be responsible of others rights. Not everyone who needs privacy is a criminal, there are activists, journalist, and other kind of users that are in need of privacy and digital rights to get a better situation and to help others. Internet should be open to work, if we don't care about other countries censorship, we are actually censoring ourselves too, as we will be unaware of their situation from the outside. As users we have both rights and responsibilities, as any human being in a society/community does. I think US is very committed to neighborhoods, or that's what we think from the outside. It doesn't make any sense to be like that in real life, but being individualist on the internet.

I hope to have given you some consistent arguments for that kind of situations :)

Collapse
eli profile image
Eli Bierman

That's very helpful, thanks for the thoughtful reply! I really like the rights & responsibilities angle and I'm definitely going to try that next time :)

Collapse
shostarsson profile image
Rémi Lavedrine

Hi Paula,

That is interesting.

I would love to understand what kind of audience you are presenting security topic?
And how you can find conferences to present this?
I am looking to present some information about security to some conferences but I find it (conferences) hard to find in France and Europe.

Cheers

Collapse
terceranexus6 profile image
Paula Ask Me Anything

I have had many types of audience, from kids to professionals. I mostly present in events where I can find security students, security auditors and other security-related professionals, where I usually have to show a demo or something technical of medium or high level. If I have to explain stuff to another kind of audience, such as kids, I tend to explain the importance of security, rather than technical information.

I check from time to time (usually I wait 2 months or so) on the internet, looking for open call for papers. On summer is a nice date to look for C4P, because some of them are pointing to September-October, and these dates, November and such are nice for incoming 2019 events. I tend to think of interesting topics, regarding security researching, open source projects, experiments and such, and create abstracts of the highlights. Always about topics I enjoy.

I hope to have helped you.

Collapse
bzdata profile image
Beatriz

What are your OSINT tools/feeds of choice?

Are you currently hunting/researching a specific observable?

Collapse
terceranexus6 profile image
Paula Ask Me Anything

Oh hey! I recently assisted an OSINT workshop and these are some of the tools I discovered:

Also python scripts! Shodan is a nice tool, too.
I'm currently into other things right now, but surely is an interesting area. Hope you find those useful!

Collapse
shostarsson profile image
Rémi Lavedrine

Hi Beatriz,

If I can share my experience on that as well, I would say that on Android security, I am using nmap, Burp, apktool and shell commands (grep, strings, etc...).
And I think that for mobile security Frida is very interesting and useful, as well as gdb. For security, mastering a debugger is really interesting.

Cheers

Collapse
mountainmanjon profile image
Jon Luke Harvey

What has been the most challenging topic to learn the last couple of years in security?

Collapse
terceranexus6 profile image
Paula Ask Me Anything

hey! sorry I missed this one! This is a very difficult question, but I think the most challenging thing to learn has been distributed ledger security. It requires knowledge of so many things and it seems like a pretty new topic (compared to other security related stuff) so, yep. ON the other hand I found difficulties on many topics so far, but precisely I find interesting that challenging environment. Thank you for your question!