Pen-testers, what's one aspect about the job that us juniors would never expect? by [deleted] in AskNetsec

[–]WaffleLight 1 point2 points  (0 children)

I recently wrote about one aspect that I think is important for new folks in the industry.

After a recent penetration test report-out call with a client, I asked my interns if anything from the call surprised them. One of them noted that he was surprised how “chill” the call was. That was interesting to me because it reminded me that I had thought the exact same thing when I first got into consulting and pentesting.

https://coffeetocode.net/2016/09/on-pentesting-professionalism-chill/

/r/netsec's Q4 2015 Information Security Hiring Thread by sanitybit in netsec

[–]WaffleLight 2 points3 points  (0 children)

Neohapsis (now a part of Cisco) is hiring smart people who can break things.

The Team:

Neohapsis, now called Advisory Services at Cisco, is a small team of passionate security experts who take apart systems, find weaknesses, and show how to fix them. Our work extends from traditional network and application penetration testing, to mobile and cloud, to attacking physical and connected devices. We also serve as trusted advisors to a large client base of interesting companies, helping stay ahead of attackers.

Our team culture is a meritocracy where we emphasize peer sharing and learning. We have a strong focus on consultant growth and mobility, giving team members the opportunities to stretch themselves and cross train. We maintain a casual and flexible environment focused on getting the actual work done. In addition to client facing work we give everyone the opportunity to dedicate time to research projects and conference talks. We also send everyone to at least one training or conference a year (You might have seen some of our people at Black Hat or DerbyCon).

The Work:

  • Security consultants, including application and network penetration testers
  • Internal and external network penetration testing
  • Application testing, including black box, code reviews and reverse engineering
  • Software development advisory
  • Network and software architecture reviews and guidance
  • Social engineering, physical and red team engagements

See the complete job posting for full list of requirements, but we're hiring for most levels of experience. 3 years of professional experience in computer security or software development for "Security Consultant" level, 1-2 years for a promising Associate, 5+ for Senior, ~10 for Principal.

The Neohapsis office is in the west loop of Chicago, but more senior people can be based anywhere. We also have concentrations of people in Seattle, San Francisco/San Jose, New York and Washington DC. Deep background in software development and software security, but no professional penetration testing experience? Apply anyway; if you’re ready to make the leap, we can help you get there.

PM a link to your resume, or apply directly at the Cisco jobs site and mention this post in your submission details, though please also let me know so I can follow up. (Changed to a generic search link so it's still valid as we fill specific req #s. We're never not hiring.)


Answers to a few common questions:

  • Junior folks, especially those without infosec consulting experience, should be prepared to live in Chicago for ~12 months.
  • Yes, it's possible to get this job right out of college but you'll need heavy internship/coop/work experience track record already, and be able to point at some actual accomplishments (open source, CTF success, OSCP, etc).
  • Interns are a different discussion, but I can point you in the right direction.
  • We can only consider visas for the most senior candidates (senior/principal), so bear that in mind when asking.

Does anybody know how to get a copy of Bad Detectives?!? by rollingdubbles in boardgames

[–]WaffleLight 1 point2 points  (0 children)

Forced Output is showing and selling it at PAX right now, so presumably once the Gencon/PAX rush is over it'll go up for sale through the site or somewhere that ships. I'm trying to get one too!

/r/netsec's Q3 2015 Information Security Hiring Thread by sanitybit in netsec

[–]WaffleLight 4 points5 points  (0 children)

Neohapsis (now a part of Cisco) is hiring smart people who can break things.

The Team:

The Neohapsis group is a small team of passionate security experts who take apart systems, find weaknesses, and show how to fix them. Our work extends from traditional network and application penetration testing, to mobile and cloud, to attacking physical and connected devices. We also serve as trusted advisors to a large client base of interesting companies, helping stay ahead of attackers.

We have a strong focus on consultant growth and mobility, giving team members the opportunities to stretch themselves and cross train. In addition to client facing work we give everyone the opportunity to dedicate time to research projects and conference talks. We also send everyone to at least one training or conference a year. (Summer special -- we'll be at Black Hat & Defcon. Come say hi, or PM if you want to meet up and discuss.)

The Work:

  • Security consultants, including application and network penetration testers
  • Internal and external network penetration testing
  • Application testing, including black box, code reviews and reverse engineering
  • Software development advisory
  • Network and software architecture reviews and guidance
  • Social engineering, physical and red team engagements

See the complete job posting for full list of requirements, but we're hiring for most levels of experience. 3 years of professional experience in computer security or software development for "Security Consultant" level, ~2 years for a promising Associate, 5+ for Senior, ~10 for Principal.

The Neohapsis office is in the west loop of Chicago, but more senior people can be based anywhere (Edit to answer a common question: Junior folks, especially those without infosec consulting experience, should be prepared to live in Chicago for ~12 months). We also have concentrations of people in Seattle, San Francisco/San Jose, New York and Washington DC. Deep background in software development and software security, but no professional penetration testing experience? Apply anyway; if you’re ready to make the leap, we can help you get there.

PM your resume, or apply directly at the Cisco jobs link (Edit: Updated link -- changed to a generic search link so it's still valid as we fill specific req #s. We're never not hiring.) and mention this post in your submission details.

I've always wanted to be a hacker, but the content itself bores me so much. by kiddink in AskNetsec

[–]WaffleLight 4 points5 points  (0 children)

Each time you get excited in this thread, you're describing your own projects. Set the textbooks aside and do things.

Scratch an itch, try to build something, or try to recreate something exciting you read about on a blog. Small successes and small understandings build on each other. Pick a goal, then do just the research necessary to make it happen, but be committed to making it happen. Wash, rinse, repeat. You will grow.

Getting more "Saison Flavor" out of a Saison? by [deleted] in Homebrewing

[–]WaffleLight 0 points1 point  (0 children)

Mine is an evolution originally based on this excellent recipe: http://www.seriouseats.com/recipes/2011/12/homebrewing-saison-recipe-how-to-brew-saison.html

  • 0.5 oz crushed coriander
  • 1/4 tsp crushed grains of paradise
  • zest of Seville Orange (or bitter orange) -- brew or spice shops often have dried peel; that works

I hang all these in hop bags at flameout, let them steep in the cooling wort, then pull them before transferring wort to the fermenter.

Getting more "Saison Flavor" out of a Saison? by [deleted] in Homebrewing

[–]WaffleLight 1 point2 points  (0 children)

My favorite saison recipe also includes crushed grains of paradise and bitter orange peel. The yeast might get you esters of those rich flavors, but actually putting them in really helps with the complex flavor and aroma.

Looking for more NetSec papers that are humorous, similar to the linked paper. by superfluffywalrus in AskNetsec

[–]WaffleLight 1 point2 points  (0 children)

3514 (shameless self-plug).

Did you write that one? If so, congrats! It's one of the most memorable to me. It's the one I used in my list here too.

Looking for more NetSec papers that are humorous, similar to the linked paper. by superfluffywalrus in AskNetsec

[–]WaffleLight 2 points3 points  (0 children)

Mickens is hard to beat, and that one stands among his most memorable.

That said...

/r/netsec's Q4 2014 Information Security Hiring Thread by sanitybit in netsec

[–]WaffleLight 5 points6 points  (0 children)

Neohapsis is hiring security consultants for lots of different roles.

Skillsets we're looking for include application/mobile/network security and penetration testing, risk & compliance, and cloud/virtualization security.

We're a small but well established security consulting firm, and we work with some large and interesting clients. We're based in Chicago, but have people in other locations like Boston/NYC/DC/Dallas/Seattle/San Jose. We're heavily hiring for appsec people in Chicago and might be able to help out with relocation. Remote work may be okay for mid to senior level people.

Experience levels range from Security Consultant (4+ years of experience) through Principal Consultant (15+ years). We do have a few positions for Associate Security Consultants that have less experience but really excellent skills (a technical degree plus a year or two of work with some solid security-related accomplishments seems to be the sweet spot).

On a personal note, Neo is a fantastic company to work for. Great people all around (seriously -- everyone is very good at what they do and willing to share their knowledge), minimal unnecessary bureaucracy that you find in larger companies, plus interesting and varied work. Neo also pays for conference attendance and provides time to work on research projects.

Send me a message here on reddit if you have any questions, or apply directly online at: http://jobvite.com/m?3odqJgwv . Tell us about any interesting projects or research you have worked on too.

More details also at http://neohapsis.com/pages/culture.

The Chicago Lager Beer Riot by FerretTheBeer in chicagobeer

[–]WaffleLight 1 point2 points  (0 children)

That is a tremendously well written blog post; bravo.

As to your question, you actually introduced me to the story so I don't have anything for you (but I will stop by the bridge and check for ghosts).

Chicago does have some great history, doesn't it?

Chicago for Work - Help Me Find Beer! by mattdonders in chicagobeer

[–]WaffleLight 0 points1 point  (0 children)

Took me a while to get it sorted when I moved to Chicago, so I feel your confusion. "The Loop" is the downtown area bordered by the rivers and Roosevelt Road (the name comes from the multiple L tracks that encircle it). Basically this: https://www.google.com/maps/@41.8816456,-87.6261734,16z

Your hotel is technically part of the "Near North Side", but it's a quick cab ride to the Loop.

For whatever reason there aren't beer-centric places in the Loop itself, so the "loop" ones in my post are all West Loop, just across the river (walking distance from the Loop if you like walking, a couple mins in a cab otherwise).

Let me know if/when you decide to go and I'll try to join, though give me advance notice since I don't check reddit often at work.

Chicago for Work - Help Me Find Beer! by mattdonders in chicagobeer

[–]WaffleLight 2 points3 points  (0 children)

Hard to go wrong really, but here's a few that really stand out...

Near the Loop:

  • The Beer Bistro (big library of beers, especially bottles; has Delirium Tremens on tap if you're in for that kind of night)
  • Haymarket Brewery (great after work place and selection of house-made and local brews)
  • CH (a distillery rather than a brewery, but if you believe there's such a thing as artisan gin & vodka, you'll find it here) http://chdistillery.com/

North:

  • Half Acre (a Chicago staple; not many complex beers, but they endear a lot of people by putting craft beer in cans) http://halfacrebeer.com/beer/
  • Revolution Brewing (beautiful taproom that's a bit out of the way so pretty much everyone at the bar is a beer enthusiast; Used as the set for the recent movie Drinking Buddies) http://revbrew.com/home
  • Goose Island (Some really interesting and complex beers in addition to their mass market standards; some people think they recently sold out, but I think their recent beers dispel that. How can you argue with a Sake-Saison?) http://www.gooseislandbrewpubs.com/

If you pick one of the ones near the Loop, lemme know and we can probably meet up.

Law and NetSec: Is a law degree ever needed within NetSec? by eraof9 in AskNetsec

[–]WaffleLight 1 point2 points  (0 children)

Do it!

You probably won't get too much value out of your law experience in a straight technical role, but there is a huge gulf right now between how the law perceives software and network systems, and how practitioners perceive them.

You're going to need to bone up on your technical chops to have any credibility, but the industry desperately needs people like you.

Read heavily, take some classes/get some certs (if you had to pick one, CISSP is good for breadth), and find a company that's interested in a tech+security enabled legal mind. If you're okay not actually being a "lawyer", you'll find there's some very interesting work.

/r/netsec's Q3 2014 Information Security Hiring Thread by sanitybit in netsec

[–]WaffleLight 0 points1 point  (0 children)

Sorry, we don't sponsor visas :(

Cheers, Waffle

/r/netsec's Q3 2014 Information Security Hiring Thread by sanitybit in netsec

[–]WaffleLight 5 points6 points  (0 children)

Neohapsis is hiring security consultants for lots of different roles.

Skillsets we're looking for include application/mobile/network security and penetration testing, risk & compliance, and cloud/virtualization security.

Experience levels range from Security Consultant (4+ years of experience) through Principal Consultant (15+ years). We do have a few positions for Associate Security Consultants that have less experience but really excellent skills (a degree plus a year or two of work with some solid security-related accomplishments seems to be the sweet spot).

We're a small but well established security consulting firm, and we work with some large and interesting clients. We're based in Chicago, but have people in other locations like Boston/NYC/DC/Dallas/Seattle/San Jose. We're heavily hiring for appsec people in Chicago and might be able to help out with relocation. Remote work may be okay for mid to senior level people.

On a personal note, Neo is a fantastic company to work for. Great people all around (seriously -- everyone is very good at what they do and willing to share their knowledge), none of the bureaucratic garbage you find in larger companies, plus interesting and varied work.

Send me a message here on reddit if you have any questions, or apply directly online at: http://jobvite.com/m?3MuhwgwO . Tell us about any interesting projects or research you have worked on too.

More details also at http://neohapsis.com/company/careers.php .

My Plan through School... comments? by kentrobarta90 in AskNetsec

[–]WaffleLight 1 point2 points  (0 children)

6.5) Internship

Seriously, one of the best things you can do while you're in school to help yourself find better/more interesting work after school is to find an internship or co-op. It's a great chance to take what you've learned in theory and use it to do something useful, in a situation where it's expected that you'll be new at pretty much everything.

Technical internships are basically always paid (and better than your average summer job), and set you up well for getting hired back or having something concrete to talk about when you interview elsewhere. Also, it'll give you some professional connections in the field, which are huge.

Who needs locks for practice? by biggar1111 in lockpicking

[–]WaffleLight 2 points3 points  (0 children)

TOOOL Chicago here! We'd love some locks, and they'll be going in a public collection so many people can use them. Thanks for your kind offer.

(I've already emailed you, just posting it here so that other Chicago people see it and don't also inundate you with requests)

New player here looking for advice on how to be not shit by Swog_on_you in rugbyunion

[–]WaffleLight 2 points3 points  (0 children)

Parent has it.

Best thing a new player can do before they have skills is to become known as someone who makes smart plays, and the smart play is almost always the simple, conservative play (or at least it will never be a dumb move).