Over the past 4 days, I had the opportunity to take two hardware security classes taught by Joe Fitzpatrick(@securelyfitz) along with @_MG_. Both courses are part of the “Applied Hardware Attacks” series of courses taught by Joe. The first course, “Rapid Prototyping”, is focused on using 3D printers and PCB mills to build interfaces to hardware systems. The second course, aptly named “Hardware Implants” applies these skills to build hardware implants to perform attacks on hardware systems. Both courses are very timely and informative, as well as a lot of fun.

For some reason, security certifications get discussed a lot, particularly in forums catering to those newer to the industry. (See, for example, /r/asknetsec.) Now I’m not talking about business certifications (ISO, etc.) but personal certifications that allegedly demonstrate some kind of skill on behalf of the individual. There seems to be a lot of focus on certifications that you “need” or that will land you your dream security job.

I’m going to make the claim that you should stop worrying about certifications and instead spend your time learning things that will help you in the real world – or better yet, actually applying your skills in the real world. There are likely some people who will strongly disagree with me, and that’s good, but I want it to be a discussion that people think about, instead of just assuming certifications are some kind of magic wand.

I’ve just written a post for the BSidesSF blog about running the BSidesSF 2019 CTF. Check it out and feel free to get in touch if you have feedback.

Flagsrv was a 300 point web challenge in this year’s BSidesSF CTF. The description was a simple one:

We’ve built a service for the sole purpose of serving up flags!

The account you want is named ‘flag’.

The Challenge

Sometimes you see marketing materials that use the word cloud to the point that it starts to lose all meaning. This service allows you to fix that with clowns instead of clouds. Note: there are 2 flags, they should be clearly labeled.