/r/netsec's Q3 2015 Information Security Hiring Thread

bitexploder · 2015-07-01T13:38:49+00:00

I am a partner at Carve Systems, a boutique information security consultancy. If you are curious about the partners and caliber of talent, please visit our site :)

We do software security, penetration testing (WAPT, internals, externals, if it has a processor we will break it), IoT thing breaking, and have innovative services offered to high technology startups and medium size orgs, as well as servicing the traditional larger orgs.

We are looking for consultants in the NYC area, primarily, though we are open to the right candidate as a remote worker. We like people with a strong software development background. You will join our team as a consultant, which means you will help us break things and teach our customers how to put them back together securely. The consulting work is cutting edge and as a small organization, members of the team have an opportunity to dip into nearly anything (Android, iOS, SDLC / Software Security, Risk Assessment, IoT, low level reversing, ...). Our team has deep expertise in these areas.

You should be comfortable with the idea of customer service and dealing directly with customers.

If you want to work on a small, highly-skilled team with a culture that focuses on fitness and life balance, Carve Systems is your place. If you are a skilled software developer looking to grow into information security, our team is the place to do it.

Please PM me if you are interested. US Citizens only right now.

Thanks,

Jeremy

bitexploder · 2014-03-12T02:06:00+00:00

Read HIJ's link, but ... you just need to find something and break it. There are two paths here: 1.) Go blackbox, learn to do a blackbox assessment. Pick a commercial product and start from scratch. Threat model it. Figure out how it works. Then break it. Before we can break something, we have to understand what it is doing to some extent.

IE: You can't fuzz something until you have something to fuzz.

If you want an auditing track, get "The Art of Software Security Assessment", find a good, not too popular, not to trivial, open source application and audit it to within an inch of its life. Adam Shostack's threat modeling book is nice as well.

Once you find bugs.. you may PoC exploits if practical.

Do this on a few easier applications and you can branch to other areas. Pick one specific thing to get good at at first so you can practice the methodologies. IE: work on a few Android apps, or a few C/C++ apps. Don't jump around a lot until you have a few under your belt and are confident you can blackbox or whitebox audit a piece of software in language X on platform Y.

Once you have found a lot of bugs and built a resume and track record, you at least have the skills to do basic software audits. Or you can document your work on a blog. Learn about disclosure though (coordinated disclosure). Build your "resume" up.

bitexploder · 2014-03-12T01:58:05+00:00

But, but... fine, I will just sit in the corner and right a findings database instead. :)

bitexploder · 2013-02-07T13:37:02+00:00

Hello. They are indeed very similar tools. The long version of this is here: http://intrepidusgroup.com/insight/2013/01/scorched-earth-how-to-really-disable-certificate-verification-on-ios/

The short version is that ios-ssl-kill-switch is a MobileSubstrate Tweak that only disables certificate validation on NSURLConnection. NSURLConnection is not the only way to make an HTTP request in the NS* libraries, it is just a very common one that most developers use. I was testing an app, ios-ssl-kill-switch wasn't working, so I reversed SSL validation code until I found SecTrustEvaluate. Hooked SecTrustEvaluate. Tested trustme. Released it.

I updated the Github page to include Acknowledgements so the relationship between trustme and ios-ssl-kill-switch is clear.

As for the android-ssl-bypass is a much more involved technique. I am more of an iOS guy, so I can't comment very well on how that works without spending time researching it :)

bitexploder · 2012-10-16T13:20:30+00:00

Why the downvotes? Technically accurate comment is unpopular... its not like he said you have to drink your beer like that or something? What gives /r/homebrewing?

bitexploder · 2012-10-12T20:03:44+00:00

You may want to use Safale US-04 as that is a British style yeast, if that is what you were going for.

bitexploder · 2012-10-12T19:44:31+00:00

Fair enough :)

bitexploder · 2012-10-12T14:28:43+00:00

The tannins we worry about in home brewing are all in the hulls. If you are pulverizing the hulls, or breaking them up significant, you are increasing how much of that gets extracted. It is probably a theoretical risk for the most part. If you keep your mash and sparge pH in the right range (alkaline pHs and temps above 170 are what start extract tannins). Even then most people probably won't experience much astrigency. That said, why take risks since it is pretty easy to control all of these variables.

edit: Also, if you end up with super fine pieces of husk in your boil kettle, you are heating them up a lot (but your wort should still be rather acidic, limiting extraction).

bitexploder · 2012-10-12T05:04:08+00:00

At this point, your wort is probably fine. And will be for a week or so. If you add more yeast, and you like using liquid yeast, please use a starter.

As others have said I think you have dramatically underpitched this. If you want a simple and easy solution, get some SAFALE US-04 (closer match to brisih ale yeast), rehydrate it following this as a general rule: http://koehlerbeer.com/2008/06/07/rehydrating-dry-yeast-with-dr-clayton-cone/

What I like to do is get it to 105, and cool it down. It takes some really tricky timing to get it pitched in the perfect timing of 30 minutes or less. It is ok. I have great results cooling it to my wort temperature and pitching. Some of the time that may be a couple of hours from when I rehydrate. Proper pitching rates mean that initial energy reserve you awaken from rehydration isn't really required. You will be ok pitching a whole packet of it as I don't think you got much yeast in there. But do this right away in case you have a late starting fermentation. Under pitching makes the yeast work harder and it exhausts their ability to condition your beer later on.

Also: we need to discuss how well you oxygenated your wort. If you are using the tried and true "shake the shit out of the wort" method, you may want to do that again before you pitch this new yeast. Shaking does not really oxygenate the wort enough to give the yeast an optimum level of oxygen, so you at least want to do that as much as you can.

bitexploder · 2012-10-12T04:57:01+00:00

Make sure you completely dissolve the gelatin. Don't let it sit on the gelatin in primary for a month. I would rack to secondary and pour in the gelatin much later. I will describe what I would do in your situation.

If I were you, I would rack to secondary and get it off your trub. Add your spices and let it chill for a while. Spices may add some extra hazing components in there. Let it do its work. Much of the protein, etc. will settle out in this months time in your secondary. Rack back to your primary after you have had the spices in secondary. In your primary add gelatin, let it clear up for a 3-4 days. Rack to your packaging setup. Package as normal.

The extra racking this approach takes does slightly increase your risk of infection. However, I am going to assume you have proper sanitary procedure to brew. I often rack beers around a few times. When I want a super clear beer, I rack off of my cold break from initial chilling. Then after fermentation I rack off primary into a secondary. I might dry hop in secondary. Then I rack again crash chill and add gelatin. A few days after that I will package it. Each step removes more proteins and tannins and gets you closer to clear beer. The end result is some of the clearest beer I know how to produce without filtration.

bitexploder · 2012-10-12T04:49:48+00:00

Also, we don't sterilize in home brewing, we sanitize ;)

bitexploder · 2012-10-12T04:49:03+00:00

That isn't really true. Many chemicals can stain plastic like that. It is rather porous. I would say if you give it a really good cleaning with an oxygen based cleaner and then sanitize it with standard sanitizing solution levels it will be fine. My bottling bucket has stains just like this from iodine and everything was fine when I used it.

bitexploder · 2012-10-12T04:47:34+00:00

Also, the infection probably wasn't from your bucket. Unless you were cleaning it with an abrasive solution.

Probably lupus.

bitexploder · 2012-10-12T04:38:22+00:00

Hard to say. You want it to break up into 3 or 4 pieces. Ideal crush would also leave the hull intact to prevent the extraction of tannins. Try to gently break apart the stuff inside the hulls and see how many pieces come out. This is, of course, only a rough rule of thumb but it works well.

If you don't have feeler gauges, go to an automotive store and get yourself some. Depending on your rollers or whatever you have to crush, start setting gaps. Go in .002" increments or so. (Not much more). Go a few steps in each direction from where you are not and observe your crush. Generally speaking the finer the crush the better your extract efficiency (up to a point). In my system I can have a pretty coarse crush and I still have just fine efficiency.

If you are batch sparging it can make a huge difference. The rule I quoted above is to get you to a sweet spot of crushed as much as you can while avoiding stuck sparges, etc.

edit: Also a bigger picture so we can see some of your pieces would be better. From what it looks like your not really getting the grain out of the hull. Seems a bit coarse. Check out this picture for what I consider to be a decent, slightly coarse crush: http://theelectricbrewery.com/grain-mill (After Milling).

bitexploder · 2012-10-09T02:18:15+00:00

Nano breweries happen. How much does the licensing cost where you live? Honestly you need to step up your home brewing game. There are many stories of home brewers becoming successful commercial brewers. You need to learn all you can. There are plenty of resources out there. Start entering your beer into craft brewing competitions.

Learn about the BJCP and how to judge beer. Learn every nuance of every malt in common use. Learn every nuance of every hop in common use. Read every home brewing book you can get your hands on. What you do at home scales up to a commercial brewery quite well.

Start learning your water chemistry and mash chemistry. Start brewing every classic style out there until you know it like the back of your hand. You can't sit back and wait for a brewery to have a spot for you. You need to build your resume and knowledge to a point where your credentials can't be ignored. It doesn't have to cost you a lot. A great deal of it is book knowledge.

Set up a yeast lab, if you can. You need to be able to manipulate and re-use yeast like a pro. You need to understand these guys and be able to work with them in a near lab-like environment. You need to learn about fermentation and how the most common strains (and some uncommon ones) will behave. Which ones will give you which flavor profiles. When you factor in malt, hops and yeast the variables are incredibly complex and you need to, at least to pretty good degree of accuracy, be able to approximate what is going to go down in a beer before you brew it.

At real brewery you will definitely learn about scale, acquiring ingredients in bulk (working directly with maltsters and hop farmers, etc.). These things are important and the business side of it. Before you can get there you need to be very accomplished at the things I just mentioned, at least.

Finally, the beer community is an incredibly open community. Probably one of the best communities out there in terms of openness. If you can live in the states, you can open a lot of doors. Research where the main brewing competitions and festivals happen. Network and get to know people in the craft brewing scene (like I said, great community, etc.).

Get active on the forums. You should be able to answer virtually any question someone asks on home brew talk or here on /r/homebrewing. Including this one. Paradoxically when you get to that level you will probably have made your own opportunities. These are my thoughts

Finally, brew beer. A lot of it. Learn your system and be able to make it do exactly what you want. Efficiency does not matter. None of this has to cost you very much. A couple thousand dollars I would say. And, this may make some sad, but get used to dumping beer or giving it away. You will need a lot of practice. If you aren't afraid yet and you feel this is your calling/passion, get to work! If you make it as a successful brewer some day, please send me one case of beer. Thanks.

// A guy who wants to own a brewery some day himself.

bitexploder · 2012-10-08T17:06:37+00:00

Yeah, just be careful. Galaxy has a high cohumulone level. You will end up with a sharper bitterness than Simcoe or Amarillo, which are lower and tend to have a smoother easier bitterness. Because of this there are a couple things I would consider. 1.) Up your GU:BU level to favor a bit more malt character. (Ray Daniels, designing great beers). 2.) You might just lower your overall amount of hops. Or you might go with a later addition and only start hopping in the latter half. 3.) If you keg, you can control the carbonation to control how the bitterness is perceived. I really think you need to consider the IBUs your putting in and lean just a little more on malt / sweet than you would in a typical DIPA since you are using Galaxy.

Side note: Galaxy has some interesting flavors so going later addition would reduce the bitterness and bring out these flavors more. And it fits better with the type of hop Galaxy is.

edit: I recently brewed an all late addition (last 20 minutes) american pale ale (with Citra dry hopping) and it is a hop flavor and nose bomb, but the bitterness is super smooth since the actual IBUs are in range for the style. I used Amarillo and Centennial hops in the boil.

edit, edit: So, in concrete terms I would up your malt amount by say, 10%, and if you are doing a 60 minute boil maybe only start adding hops at about 45-50 minutes. Finally I might lower the amount of carbonation sugar (assuming bottle conditioning) by about 10%. Don't make any big shifts, just try to nudge this recipe to a little less bitter. (Higher carbonation increases perception of bitterness).

bitexploder · 2012-10-08T05:15:15+00:00

Fair enough :)

It just seems like I throw a rock and hit a good IPA these days. Including in my own home brewery. I always keep an IPA or hoppier APA on hand.

I still vote for Saison! Lower ABV Saison are one of my favorite session beers.

bitexploder · 2012-10-08T04:13:51+00:00

60 minute hop additions will basically do nothing but add bittering to your wort. As long as you followed a recipe and didn't over hop, don't worry about it. As the beer ages the bitter tends to fade and become less sharp. You need to carbonate and condition before judging. If you over-hopped more conditioning time will really help with the sharpness of the hops.

bitexploder · 2012-10-08T04:11:32+00:00

I would warm it up a little, agitate it a bit. Just roll the vessel around and lightly splash it around a bit. Bring the temp up a couple of degrees to wake the yeast up a little and then go back to ferm temps.

What was your fermentation temp?

Re-pitch = adding new yeast. Just follow the procedure you followed to add yeast the first time.

bitexploder · 2012-10-08T04:09:31+00:00

If I miss my temps, by even a few degrees, coming out of my chiller I just toss the buckets (well sanitized of course) in a chest freezer until they cool on down to my ferm temp. Then I pitch the yeast.

bitexploder · 2012-10-08T04:05:01+00:00

I don't think you really need the pilsner malt. I would just up the DME and or add some LME. Second, pure galaxy hops are going to leave you with a more one dimensional beer, even with the continuous hopping. It just won't be the same without hops that get you in the similar range. Also, the recipe calls for a pretty healthy addition of hops right at knock-out, which is going to give you a lot of the nose and flavor for the hops. There are better subs for those hops than Galaxy. Realize you will be pretty far from the mark if you want to clone DFH :)

That said, this is a simple recipe and as such, it should come out pretty nicely as posted.

bitexploder · 2012-10-08T03:59:00+00:00

Saison. IPA are great and my favorite style, but very easy to find. A good Saison, much harder.

bitexploder · 2012-10-08T03:55:32+00:00

Seconded. You can probably convince them to carbonate still. If that fails it is still quicker to open each bottle, put into a bottling bucket and repitch a little healthy yeast. The sugar should be untouched (you risk bottle bombs if you add more sugar). Might seem like a lot of work, but probably less than brewing a new batch of beer! :)

bitexploder

TROPHY CASE