Where did the self-taught hacker (security researcher) learn that knowledge?

Source: Internet
Author: User
Tags mssql mysql injection knowledge base

Pnigos
Links: https://www.zhihu.com/question/23073812/answer/23563575
Source: Zhihu
Copyright belongs to the author. For commercial reprints, please contact the author for authorization; for non-commercial reprints, please cite the source.

The word "hacker" in the question is a bit big, because "hacker" represents not only professional and technical attainment, but also a way of thinking, even a spirit.
In today's heavily entertainment-oriented security circle, the word "hacker" has become a conversation piece in the mouths of "face workers".
========================================
The complaining is over. Below, following the aspects mentioned above, is how to work toward being a "hacker".
One, related technologies:
There are more and more channels for getting information, and the volume of new technical articles published every day is already beyond what a person can process, so finding the essence, filtering and classifying this information is very important work.
I am more concerned with web and mobile security, so the examples below are in that direction.
1. Twitter: First of all, settle on a direction to focus on, such as front-end hacking, and choose a keyword. Don't choose something as impractical as "xxx security", because that kind of information is generally only a broad category. Choose a technical point instead, such as CSRF, DOM XSS, CSP bypass or XSS vector. Go to Twitter and look at those topics, go through the people one by one and look at their past tweets; if a lot of it interests you, follow them. Then go through the people each of them follows, and repeat the steps above. Aim for quality rather than quantity: follow a few top experts in each field, and their information is enough for you to digest.
For example, the people I follow for web security (I am @pnig0s):
@k3170Makan (author of Android Security Cookbook, previously also an expert in the web security field, professionally digging Google vulnerabilities 30)
@irsdl (web security expert, from NCC Group)
@lcamtuf (a god of web security and exploits, from the Google Security Team)
@bulkneets (Japanese, a front-end security expert, a regular on the lists of multiple foreign vulnerability reward programs)
@kuza55 (low-key; in short, an expert for sure)
@kkotowicz (focuses on HTML5 security, an expert, speaker at Black Hat and other conferences)
@0x6d6172696f (focuses on XSS)
@shreeraj (front-end security guru, author of multiple web security books)
... and so on
2. Blogs:
Experts in different fields have their own blogs, so go digging through the old posts yourself. Don't assume an article is outdated and meaningless. The Struts code execution vulnerability that was all the rage was dug up from old posts, and the Android WebView arbitrary command execution vulnerability had also already been researched in '11. So what the experts blogged many years ago still looks ahead of its time today. This is not blind talk; whoever digs will know. Many domestic experts read foreign papers, summarize them, extend them, and then publish them domestically to pass as big names.
The feed reader I use is Feedly:
[Images: Feedly subscription lists]
Of course I don't read all of these subscriptions. Every day I skim the unread entries, and if a title catches my interest at first glance I click in and read it; the most important thing is that it fits my recent research direction. (The subscriptions include part of the content of this answer.)
3. Mailing lists and discussion groups:
1) seclists.org Security Mailing List Archive
2) https://groups.google.com/forum/#!forum/android-security-discuss
3) .....
4. Collections of security documents and papers:
SecWiki: a security wiki bringing together excellent security information, tools and websites from home and abroad
IT Security and Hacking Knowledge Base
Security Article-freebuf.com
Wooyun Knowledge Base
5. Find or make more mind maps (to organize your thinking):
[Images: example mind maps]
Two, security information:
Keeping up the habit of reading security news is very helpful for broadening your horizons, thinking divergently and improving your ability to innovate, so pay regular attention to new security incidents at home and abroad. Use the news to find points that interest you, and then dig into them. Bear in mind that news spreads far faster and wider than technical analysis articles, so the news comes first and the technical analysis follows. If a person does not follow the news, how can they know what innovative research results have appeared in the areas they care about?
Recommended:
As one of the people behind FreeBuf, I'll shamelessly recommend it here, because I have confidence in its content.
Freebuf.com focus on hackers and geeks
Cyber War News
Help Net Security
The Hacker News
Threatpost | The first stop for security news
Some FreeBuf articles are translated from the sites above and from real-time security updates on Twitter, so you get the idea.

Three, improving your ability:
1. If you want to become a hacker, you can't focus only on technology. Your way of thinking is very important and, to a certain extent, determines how good you can become. The technology is really just those few things; the difference between an expert and a non-expert is not technology but experience, and only rich experience produces rich ideas. So don't get stuck on one technical point, repeating over and over the skills you have already mastered.
Take basic database security as an example:
    1. On the first day I learned simple MySQL injection.
    2. On the second day I learned time-based, Boolean-based and error-based MySQL injection to read databases, tables, columns and data.
    3. On the third day I learned to read the database path, working directory, server IP and connecting client's IP through MySQL.
    4. On the fourth day I came to understand in depth the differences between the MySQL 4 and 5 database structures, where the database accounts are stored, what type of encryption the hashes use, how the encryption differs between versions, and how to crack it.
    5. On the fifth day I learned how to escalate privileges through MySQL, under what conditions, and how escalation differs between versions. I learned the escalation details, how to write a DLL, and how to add custom functions.
That is roughly the main line; after that, you fill in and refine the details in real-world practice. MSSQL and Oracle are nothing more than a repeat of the steps above. For MSSQL you also need to know that security depends heavily on the various stored procedures: which stored procedures can be used under which permissions, and which versions by default allow which permissions to run which stored procedures. These are details. So when you start learning, completing the main-line task is enough; don't sink into the details, or you can easily become obsessed beyond redemption. Take Oracle-related security issues: people who have studied them will probably say "what a mess!"

2. Practice more:
For example, say you are studying DOM XSS, have read a lot of papers, and still find it too messy to see through. What do you do? Write a DOM XSS detection module. The process will force you to understand it thoroughly, practicing step by step and getting clearer bit by bit. By the time it is finished, everything is transparent. What you read remains other people's knowledge; only hands-on practice turns it into your own nourishment. This gets said over and over, but only the person who actually does it knows what it means.

3. Summarize more:
Write a blog, take notes, or write things up as a formal paper. Keep taking notes and summarizing. Summarizing is a process of refining, melting down and re-creating: what you read into your brain is someone else's language, and what you summarize is your own language, which is easier to remember and understand. This gets said over and over, but only the person who actually does it knows what it means.

==============================================================
In the end I feel I have gone off topic. In short, you really don't need too many sources of knowledge, and you shouldn't care about them excessively. The sources of knowledge in each era have their advantages and disadvantages, but each era still produces experts. The key is to do things: if you keep doing, knowledge will keep emerging, and you don't need to go looking for it deliberately.
To quote Heige: "Just do it and you'll be great."
To quote someone else: "People who can quietly get things done will become experts, and those who can quietly get things done anywhere will become great gods."
==============================================================
"2,31update"
A lot of people have asked me for my list of RSS feeds, so I'll give you this public one: bookmarkslist
You won't take a serious look at things you haven't gone to the trouble of sorting out yourself. The list above is very complete; I have bookmarked it but basically never read it, because I didn't put in the effort. Instead, I often read my own incomplete version, because I know it better and it fits my interests better. So you have to organize things yourself; the process of organizing is also learning:
