What's it like being a penetration tester / Forensics expert?

[Oni]

Hi all. I wanted to get some opinions on this as I suspect I might have the wrong ideas. I love the show and the kinds of things you guys get up to are awesome. I get into similar things here in the UK and I'm ina current state of "rediscovering" my technolust. I've begun to get more involved with Crypto, security and what not and I'm wondering what penetration testing and forensics is like?

The reason I ask is I'm looking at working in these areas in the future. Im not the kind of guy who can sit behind a desk all day and program. I've tried it and for some reason, the motivation isn't really there at all. I have two degrees in computer science(perhaps stupidly) and cant seem to sit down to it, except if I'm working on anything computer graphics or hacking related. Both are quite creative and have lots of the lateral thinking and a touch of naughtiness to them that is quite appealing.

I read Mubix's webpage and was really psyked by the Marines thing. I'm in the UK and trained with the RAF about 5 years ago and quite enjoyed it BUT i felt it clashed a lot with my Geek-side. It was cool to see that being a rough and tumble action hero and a network security geek can indeed go hand in hand. Sadly, in the UK, such a career move doesnt really exist save for perhaps some of the scarier government branches (though where I live, in Leeds, West Yorkshire Police apparently has a cyber crime unit).

I thought briefly about taking a course or similar. I spoke with my colleagues at Leeds Uni who basically said what I knew all along; "Don't bother, its a money spinner for Students with more cash than passion" which seems to be the case. I'm having a lot of fun at the moment but there is the issue of not getting quite involved enough. I look at Milworm and some of the other sites and get all sleepy.... whereas Hak5 has that more "yeah, lets try that and maybe add our own twist" so I get the feeling it'd be a good area to really push myself with (as at the moment, teaching undergrads how to program in Python and Java can be a bit dry). I suspect its simply a case of doing more of what I do at the moment, reading stuff and trying stuff. I looked at CREST and TIGER but I'm told these arent so good.

So... is it loads of fun being a penetration tester or forensics /security bod and if so, whats the best way to get some experience that is recognised (I figured going to cons with other hacker type and learning that way would be good but sadly, DEFCON clashes with Sonisphere this year and I cant find any UK ones :( )

[The Sorrow]

Honestly being a security admin and pentester is for me the most fun (I do work at my high school). Its more dynamic than coding and whats better than being paid (or in my case given extra credit) for breaking into systems?

[i.have.rewt]

If you enjoy keeping up to date with operating systems such as Windows and *nix systems their vulnerabilities and such, which requires gobs amount of time, then yes it should be fun for you. But of course the buck doesn't stop there. Lifetime careers are made with analyzing and creating a more secure C*sco product as well..

It really depends on your stance. Where do you want to be? There's many things you can do in security. It's up to you if you want to generalize your knowledge, specialize or be a cowboy-I-do-it-all.

[thefatmoop]

The reason I ask is I'm looking at working in these areas in the future. Im not the kind of guy who can sit behind a desk all day and program.

i'll prob be flamed by the basement dwellers(and if you're a basement dweller chase the dream of network tech!)

really anything dealing with programming/computer networking management is low pay/insecure. If you can't be sitting at a comp all day then you'll prob be network manager. after my intern (which was VERY good for cs) i dropped cs and went engineering

if u have a degree in math, then u get a comp programming degree = some big $$. then again if ur after money just go med.

computers are changing all the time, and it gets to a point when u want to live a life. Math really never develops at this age other than extreme concentrations.

[h3%5kr3w]

computers are changing all the time, and it gets to a point when u want to live a life.

So true... I am a basement dweller (well living room dweller you see.. I have no basement :P) but at the same time there is money in network administration. Sure it's not 100% secure but it depends on who you work for and the skills you have and the willingness to learn, but if you look around at the other co-workers that get the boot, most of them didnt try to do shit in the first place (my general view in the workplace and in IT as well)

[metatron]

Honestly my life is like the film Swordfish, I can't do anything with out having my dick sucked while a gun is put to my head. Life is good.

[digininja]

I thought briefly about taking a course or similar. I spoke with my colleagues at Leeds Uni who basically said what I knew all along;

If you are still in Leeds come along to a 2600 meeting, usually at The Grove on the first Friday of the month. There are a few of us there who are in some way in the security industry and we'd be happy to share stories.

So... is it loads of fun being a penetration tester or forensics /security bod and if so, whats the best way to get some experience that is recognised (I figured going to cons with other hacker type and learning that way would be good but sadly, DEFCON clashes with Sonisphere this year and I cant find any UK ones :( )

BruCon is in Brussels in September, much cheaper and easier to get to. The line up looks great. If you can afford the extra, the two day training before the con should be very good.

[Oni]

If you are still in Leeds come along to a 2600 meeting, usually at The Grove on the first Friday of the month. There are a few of us there who are in some way in the security industry and we'd be happy to share stories.

BruCon is in Brussels in September, much cheaper and easier to get to. The line up looks great. If you can afford the extra, the two day training before the con should be very good.

I had looked into 2600 but not so thoroughly as to know you guys had meetings. Sure, that sounds really good. Thanks for the advice everyone... its certainly an interesting area, and although Im very much of a n00b I do find it a curious and slightly naughty topic :P

[digininja]

2600 is a lot of things including a magazine and monthly meetings that to be official have to happen on the first Friday of the month and include more than 4 people.

The Leeds one usually makes over 4 people and we have some interesting geeky chat. More info is on the site at http://leeds2600.org.uk/ .

[PC646]

"Im not the kind of guy who can sit behind a desk all day and program."

Then forensic work is not for you. I give two examples regarding forensic work, the first is fishing. You can sit in an office all day waiting for a bite and get nothing... Second I tell people forensics is an art, not a science. Yes there are scientific principles behind your work, but doing forensics is more of sitting in an office and digging for something. Tools like Encase and FTK exist to make searching easier, but it really comes down to your own dedication and drive to find that one piece of code or information to make or break your case.