Laurie I'm not sure if you're aware but this video has an ear-piercing squeak around 16kHz (likely caused by the flyback transformers in those CRTs). Most people won't hear it but it's unwatchable for those who can.

As a software engineer, a video titled in such a way as to suggest that other people aren't as good as me at something I do professionally is clearly a good thing and must be completely correct.

This gives me a lot of hope as a software developer with reversing / security research dreams.

I've always assumed that programming skills were a prerequisite for getting into this field

Yeah it is an issue. When I was starting out so many "popular" security experts told me you dont need to code to use tools. In hindsight it did a lot of damage later on when you get into very advanced topics that require you to do it yourself. You reach a upper limit in skill if you dont learn how to code or develop software early on.

I’m at the late career stage of cybersecurity and fully agree. When I started out security was at best an afterthought so my early tech career was back in the days of assembly language the original C before OO was a thing. I was always into the idea of security and some of my employers humoured my paranoia when I could articulate risks well. The reason I could do this was I not only had a technical grasp to get support from that side of the company but also quantitative business understanding that could put a monetary value to risk for the suits. These days I see far more emphasis on talking to suits than understanding the deep technical aspects of risk. Both are vital to the security role. It is more than anything else a translators role that requires fluency in both domains.

Extremely anecdotally, the people at uni in my CS course who were gunning for the cybersec track absolutely hated anything related to programming and just did the bare minimum to pass. I could never quite understand how one could be interested in the former while having an aversion to the latter; to me, they seem intrinsically entangled.

This entire format, the lighting, the audio sync, and literally all other detail is an absolute work of genius.

As someone who is a programmer primarily but does know a bit of cybersecurity. It is okay to have non-programmers on the team, a lot of attacks are social or psychological and in addition a managerial social butterfly type is useful for convincing executives that it worth the cost to implement defences or running stuff like spear-fishing simulations. Also it is well and good to have a mathematically verified authentication algorithm but sometimes we forget about big picture stuff like what happens if there is a black out or how the procedure of employees getting ID cards to use. In addition not having non-programmers on the team might lead to making procedures too difficult or annoying for regular people which means they'll just skip or get around them ie (Neville Long-bottom in Harry Potter keeping a list of future passwords on a sheet of paper because they changed too often) if this happens you make things even more insecure. You do need a good amount programmers on the team but fundamentally people with different backgrounds are going to discover completely different types of vulnerabilities and four geniuses who spot the same thing are less useful than 4 competent people who spot different things.

Most people are mediocre or bad at their job, not only in the cyber security industry. I'm more in security management and boy do we have idiots running around in that area (both old and young). The only area where this pattern really affects me is the medical profession. Don't wanna die some day because the doctor was crap at his job.

This is also a concern in other fields. Generally, the developers of a software have never worked in the field the software is for, and the users it have never been developers (neither have their managers). Without revealing too much, that’s why I have my job. I’m basically a liaison for our customers, as I’ve got a degree in computer science and worked as a dev for a few years, but also worked in the field we develop for and have a passion for it. So I’m in charge of meeting with customers and potential customers about their needs and helping plan our path forward with my knowledge of what the industry as a whole needs and what is possible in the timeframe given.

« Cybersecurity » itself is a broad term it’s like saying that you work in "IT", there are so many jobs Involved in it that some things are just not your responsibility. Most of the stuff discussed here mostly apply to like software security,bug bounty, web app pen testing which are different from like network security. I do agree obv you gotta know how to read and understand code but it really depends on what you’re specializing in. How can you be a reverse engineer if you don’t know the language that you’re trying to break apart? it doesn’t make sense, obv you should learn the language. But like a network security engineer doesn’t necessarily have to worry about that. that’s why reverse engineering is it’s own thing but they’re all under the umbrella of “cybersecurity” correct me If im wrong

Thanks Laurie. I’m learning a lot. I work front-end mostly but trained in machine and assembly many years ago. Your videos are a nice refresher. Keep up the good work.

I really appreciate you making this video Laurie, it was the wake up call I needed to push myself further than the goals I had previously set for myself.

Thanks for the perspective. I just started a CS program at my uni, and I'll keep this in mind as I go.

Agreed. Originally it was we were told programming is for scripts but for many aspects in cybersecurity it’s important. Heck look at web app pentesting, you NEED an understanding of JavaScript to communicate findings to the web devs. Also secops is a must. With the amount of free resources out there for coding, it’s a must for anyone doing infosec.

I'm fond of combining dev ops, security, and dev tools into a single team/scrum group as I scale up a company and start assembling engineering teams. the best way to get devs to use security best practices is to build tooling and workflows that encourage it. poor security tooling or security by fiat usually just results in frustrated users and devs circumventing the security or avoiding working with security because of how much friction it adds to their daily workflows.

We can hear the high tone of a CRT monitor.

Very well put together, clearly explained and makes a lot of sense... I just found your channel.. Subbed ofc... Keep up the great videos! :)

To reverse engineer it helps when you know how to engineer things.

Super cool video! Your video description reads like the abstract of a paper, your academic background definitely shows through. :)

Awesome insights and even a cooler background!

I'm not a security expert. I just hope my compiler produces good code! That said, there was a time when assembler was something one would typically know. So you could just "disassemble" the machine code into assembly and read that. But what would you do if the code vulnerability is in a script that is run by an interpreter?

Knowing the programming language and common idioms is extremely important. Programming languages continue to evolve the decompiler isnt decompiling to those languages but translating the compiled version of it into something like C or C# Sometimes these new language freatures can lead to more security issues, if security researches dont keep on these things and programmers ignore security then we are in a constant bad state, as someone who is a programmer I see this all the time. You also miss offering the actual best advice, when you understand programming and the language along with its features you can offer design patterns and approaches which are more secure and fit developers needs.

I like the intro! and so true about many of security researchers I know and mostly who hire them :)

changing the camera angle occasionally is really smart to bring back the viewer attention on a long monologue, without having to make complex visualisations or finding relevant other video material

Without an understanding of the structure of the target applications code , i don't think you can really "research its security" Cant break it if you cant build it

Never encountered this channel before but I have to say I love the serial experiments lain aesthetics of this video.

I hope this doesn't come across as just piling on, but I did take the audio of this and sent it into a frequency analyzer. There is a definite peak at 15.7KHz. I don't know if running your audio track through a sharp notch filter tuned around there would help. I'm an old fart, so I'm not bothered, but I figured I'd try to help. Edit: I loaded the sound track into Audacity and processed with the built in notch filter at 15737Hz and quality 5, and the peak is gone. One might be able to use an even sharper filter, but I think this removes the sound the young'uns are noticing, and it does so without any meaningful reduction in audio quality. Keep on keepin' on!

I do amateur pentesting for fun based on responsible disclosure policies -- I have no formal training in cyber security, but I have been able to get very far just with my knowledge as a software engineer. Sure, I may lack specialised knowledge, but learning how to make systems teaches you how to break them as well.

The video is very nice! Also, could you please get rid of the annoying high frequency noise? I think it's one of your CRT monitors.

Can confirm. My bachelors was in programming, but I sucked at and hated writing new code so switched to security. It clicks for me far better. I was far better at QA/bug hunting and helping others with their code than writing my own. Malware analysis would be fun eventually, get some use out of all those classes I paid for, but for now I'm happy just being an analyst. It seems plain to me that the reverse is also true though, coders don't know (or aren't given the time for) security. The amount of times I've found websites with no input validation is scary.

I wholeheartedly agree with your approach! I'm not great at computers. I do well with the little I learn but that's it. But the concept is something that I've always tried to do in every part of my life. Like my job selling car parts. When people come in and they don't know the name of the part they need I can still help cuz I know how cars work cuz I work on them myself. So after a few probing questions I can figure out the exact part, sometimes even the problem, and get them what they need. I couldn't imagine doing what I do without the knowledge I have. But many of my coworkers don't and it really shows sometimes... So ya, trying to advise other people on how to improve what they made without having an understanding of how it's made or an idea of how to rewrite it?... That's a recipe for embarrassment and conflict. Just like my job lol This is going into my favorites btw lol I love how my approach to life is illustrated :P

Some great insights you brought up, thanks Laurie. Having knowledge in both fields can only help. Absolutely agree that if you don't understand what you're looking at on a deep level how can you expect to find vulnerabilities the person who wrote it didn't expect.

The problem is that the industry is hiring people with "certificates" instead of people with a lot of developer experiences. If you are not asking for that and if you are only making them click checklists then that's what you are getting. I always feel Cybersecurity should be a VERY senior position -- you should never hire people with no developer experience into the field.

Im studying CompSci/InfoSec and they really DO NOT put a heavy enough focus on programming. Ive had 2 classes all year and thats it with respect to just coding with some language. So i taught myself most on the side to learn more than just the web trio, which js what they focus on the most (other than Python). Definitely learn some C (i started with ++). You cant do any of this ish (at least the really heavy duty stuff) withoit knowing how to AT LEAST read most languages. You have too, and you definitely have to be good at scripting. If you cant read the code and understand whats its accomplishing you cant really at the core understand the threat. Especially in the pentest field. They definitely need to make it way more of an importance to learn at the very least how to do a good bit of the entire stack.

Lets think for a moment , what purpose of Cybersecurity specialists? They main purpose to identified security vurnabilities at the given company, they responsible for identifing potential data leakage, they understand access control. Now on software side, there they must audit software for any security problems, but this is not theirs major responsibility, they should find problems, but make aware developers to fix the code which must be refactored. So Cybersecurity job to maintain security in the company, its always beneficial to know very good programming language, but at first its not necessary.

It actually is a problem lol I learned how to make very specific things work together about ten years ago and forgot even, so imagine how much this feels like you're talking to me right now lol by the way thanks for thinking outside the box and making videos like this, cuz you really hit a specific point I need to work on, and you really are a great teacher. I really do appreciate all the work ya do Laurie

Laurie, you are incredible knowledgeable. Impressed!

Nice video! I just want to let you know, there is a really annoying high frequency tone during the entirety of it. I've also noticed it a little in your previous vid. Perhaps something to check out?

9:00 see, the trick that most malware authors use is this: They don't actually encrypt your files. They just delete them and replace them with randomly generated data nonsense of equal size.

The problem with this angle is that "cyber security" isn't one job. A Vulnerability Researcher isn't a penetration tester isn't a red teamer and etc... There are people's whose job is simply compliance stuff where all they allowed to do is run scans. On the other hand, some people literally do security code review all day, so it'd be pretty impossible for them to not know software engineering. So a lot of the people who don't know coding are ending up in jobs that aren't requiring it, because they are essentially running scanners for a living. I would not say that "cybersecurity experts suck at coding" covers that complex reality.

Why is the oscilloscope in the Background in XY-Mode? Very unusual. Looks like there's sound inputted and both inputs (channel 1 and 2) are exactly the same (only a single line, which is diagonally across the display) There are much nicer figures you can create with just one or two function generators, so called Lissajous figures.

It really depends on which branch of cybersecurity you are working in. This will be less necessary for people working in incident response and some entry level network pentesting. I work in appsec and it is absolutely necessary to have a programming background. I worked in software development for over twenty years before I got into appsec six years ago. A lot of my time is spent in code review and exploit creation and thus I have to be fluent in a lot of languages, or at the very least types of languages. When I talk to some of our network security guys I talk above their head most of the time when it comes to coding. The very most they would have to do, most of the time, is write a python or bash script.

WTF is that noise in the back?

You should use an equalizer or notch filter to remove the CRT horizontal scan noise, it hurts.

While we’re on the topic… how many things have you learned & forgot because you don’t utilize them frequently enough?

Love the Lain reference at the beginning!

theres a really strong audio frequency in the intro by the way, its hard for me to tell if its in the rest of the video but just letting you know

oh boy, i haven't started watching yet but that lain intro suggests i'm for a treat.

I striving to be on that level. For real. So many technical terms I have to look up, but I am getting there.

Could someone tell me who the character is in the PFP? I swear it looks familiar but could also be OC (maybe AI?)

So I'm getting a bit confused at your point. You talk about security researchers but then at other points you talk like you're speaking about all jobs within cybersecurity. I think the difference is pretty important. Most people within the field as a whole would never touch anything you mentioned except maybe YARA.

You got me with the Lain intro

Not on topic to the subject of the video, but I love the use of screen savers in the background.

there is a very high pitched sound in some parts of this video, noticed right away in the first 15-25s, you might want to have a look at the spectrum and fix your audio with a equalizer

There is a benefit of knowing Apple Crypto Kit or Spring Security open source build to figure out how to back door and exploit applications built on top of these frameworks.

Security field is awash in people who are staggeringly incompetent.

I'm sure there's a few other videos on the topic but I'd be interested to see your interpretation of "how to learn a new language". You mentioned learning how to develop in a language. Can you break that down at all?

why is there a high pitvh noise in the background?

Congratulations, this video just won the youtube algorithm lottery! Good luck, hope you a million subs 😇

At this point why dont you make your own software business? You can make your own top tier software and keep all the money instead of just a salary

cool channel, i really wanna learn more ab reverse engineering

I'd love a video on how exactly fuzzers work

just remembered I’ve started learning programming because one Brazilian hacker guy said hackers needed programming to be a good one and now I’m a web developer

i love the serial experiments lain aesthetics in your channel

I actually can't believe that there are cybersecurity companies that actually hire analysts with no programming experience. It's like hiring a plumber with no soldering experience. A buddy of mine used to T.A. assembly language courses at the university here (and now does encryption coding). He said that the general familiarity with how computers actually work under the hood was becoming less and less with each year's roster of students. It was to the point where he said he'd be sure to avoid any mission-critical project that those students eventually worked on (e.g. hospitals, high-speed transit systems, etc...).

As a developer with a master in network and telecom. working at Cyber Security, it was really easy for me go thru 7 layers network. My advice is programming then follow your Cyber career.

In my opinion new projects need to be built with security from the get go, with well documented design intents (they might change over time). If you need to plug-in security features without any historical context except code, that is some mountain. That's not to dispute any points from this excellent video.

YOU REFERENCE SERIAL EXPERIMENTS LAIN IN YOUR TRANSITIONS!!!???? You're awesome already! :D

there's a lot of high piched noise from thos old tvs, for a moment i though my tinnitus sudenly worsened :/ Found the title interesting but it's really uncorfotable to listen to this with headphones...

Hello Maybe you can do a video about credential stuffing and Selenium

Stop using noise gate and instead actually filter out the coil whine since the flybacks in all those CRT screens switch at a relatively specific frequency. You need a notch filter for it. Audacity has one. Generate a spectrum analysis of your sound ( Load it into Audacity, Press CTRL+A -> Go to Analyze -> Plot Spectrum), find the silly high pitched squeak from those CRT screens. It'll probably be in the 12KHz range. Take note of the frequency peak (at the bottom right when you hover over the peak), then go into (Effects -> EQ and filters -> Notch filter) and then punch that number you just noted in. Also, placing all of this stuff on soft materials, and placing soft materials on the walls will cut down on reverb/echo. Best budget option that many people building their own studios would be things like tacking towels to the walls. Carpet tiles also work surprisingly well for getting rid of reverb and looks more professional.

Did you put the last chapter at 1337 on purpose?

what is that pitch

So.... Reverse engineering some code? Like decompiling the binary? I hope you like assembly.

Love this. You're awesome!

Interesting, I didn't think people in cyber security suck at programming. Because before I considered cyber security as a career, I learned programming because gaming got me into it. Now I've been a developer for 4 years and I have a good understanding of several programming languages. This has been very helpful for the courses I have in my university.

I'm sorry to leave this comment, but there is an 'ultrasound' sound throughout the entire video, and it's quite annoying. It might be more noticeable to me because I'm young and can hear high frequencies better.

There is some noise in the background like very acute.

Okay, a bit of information in this video, first off, any reverse engineer of course knows coding, like that's basics, especially C and assembly. But I am sorry, most SOC analysts won't EVER need to use programming as a SOC analyst, or an auditor or a manager... App security is a VERY small part of cybersecurity, security operations, governance, network security, web security, laws, all of those are much much more likely to fall into cybersecurity than app security, it's completely different things... Now if you work in offensive security, I can see it, but most teams have a dedicated programmer for the creation of tools, that's why everybody does its job, you are in a team, not alone. Also... Cybersecurity experts? Seriously? You mean specialist right? Cause there ain't more than 50k cybersecurity experts in the world, max, and that's an estimation, it's incredibly hard to be an expert, you need to either know one of the categories of cybersecurity among those to the perfection, or know all of them at an intermediate level at least (Also there is like 10 subcategories for each of them which also have sub categories): Computer Security Network security Vulnerability Management Cryptography Malware analysis Application Security Identity and Access Management Operating System Security Digital Forensics/OSINT Data Security Intrusion Testing Cloud Security Wireless Network Security Threat Monitoring and Detection Physical and Social Security Cyber Risk Management Compliance and Security Standards Critical Infrastructure Security Financial Transaction Security So yeah, clearly your video isn't titled correctly... You might know what you're talking about but let's not make it a generality, 80% of people working in cybersecurity will never need to learn how to program things considering cybersecurity is mostly defensive security.

Man those CRT Screensvaers are awesome!!! I want MORE!!! MORE!! MORE!! MORE!!

i really enjoyed this video. you should do more videos covering theoretical topics like that.

Some cybersecurity researchers are more interested in notoriety than solving the underlying vulnerability. In my previous dealings with them and a discovered vulnerability in our product, they weren’t even interested in communicating with us vs making a name for themselves. In this particular case, this wasn’t a code vulnerability but rather a configuration issue, something that needs communication with end users to resolve.

Laurie: the original developer was focused on performance 5:02 JS devs:

how much have you spent on CRTs?

Yes, the fact that one can even get into cybersecurity without having first having been a senior engineer in one of the four IT domains (compute/sysadmin, network engineer, storage engineer, software engineer) is crazy. They think they can secure environments composed of those 4 domains however, they've never mastered any one of them. Little has changed in that realm since they were ruthlessly trolled by GOBBLES in the early 2000's...

Good video, I agree. But those constantly changing angles are annoying.

i love how your channel is Lain themed

Pls reupload without the squeak my ears hurt

Hm. As a developer with a ton of powershell remote management and scripting, c#, java, c++, python experience, this makes me think a move to this field could be a good strategy.

There's a horrible high pitched sound playing throughout your video and it makes it painful and difficult to focus on the informative aspect of the video

There is an inverse issue where most devs don’t understand networking, security, infrastructure architecture, etc. Once you know both sides of the house you become a magical unicorn in the field.

What kind of psyop is this? And for what purpose? I don't know how to deal with this video

nice video. thanks!

In my opinion, the core problem of interaction between developers and IT sec lies in the inequality of incentives that management creates. Often developers (or devops) and IT sec are set up as adversaries in a project or even in the entire infrastructure. They are not encouraged to work together to develop a secure and efficient solution.

I know that there is a practice of engineering managers (I know two personally) that hire pretty woman as security experts on big paychecks because they enjoy having them around even if they have zero experience in IT. This is not the case for software engineering generally, as some knowledge is expected.

Pretty much the only kind of roles that don't involve some kind of CLI or coding would be GRC related. And even then... you might end up needing to evaluate the risk of people that do work with code.

the mac wall is sick :3

This is also a big issue with people doing data science. People who were never programmers who create programs by stringing together code snippets they got from Stack Overflow, ChatGPT etc. and the code may work but it's a mess. Something happens and they can't explain anything because they never really understood how it worked in first place.