IT/Software career thread: Invert binary trees for dollars.

brekk

"IT administration department head" asks where our software saves the database location.
I mail him it's
Hkey_local_machine\......

he calls me, he can't find it. I teamview onto his machine, he's in his fucking windows explorer, looking for a directory called "HKey_local_machine" on C:\

Where's the "Any" key!?
 

Kuro

At my college an irritated computer lab watcher put "any" labels on the space bar.
 

Quineloe

Downloaded from Microsoft, the hybrid tool to convert from Exchange to Office 365

file size 1kb and the exe wouldn't run. So...

[attached image: 1615380726849.png]
 

Aychamo BanBan

So.. how do people make money with python? Is it just because people have certain tasks they need in a defined environment? I ask bc I’m enjoying learning it, it’s very clever and so advanced from what I know of programming 20 years ago, but you can’t really compile it, and a lot of libraries are OS dependent, etc. Not complaining. But just seems like you can’t really compile an app and distribute it .. can you? So when you do apps with like tkinter etc, those are really all just internal things to accomplish a task, but not something you are deploying for sale?
 

TJT

> So.. how do people make money with python? Is it just because people have certain tasks they need in a defined environment? I ask bc I’m enjoying learning it, it’s very clever and so advanced from what I know of programming 20 years ago, but you can’t really compile it, and a lot of libraries are OS dependent, etc. Not complaining. But just seems like you can’t really compile an app and distribute it .. can you? So when you do apps with like tkinter etc, those are really all just internal things to accomplish a task, but not something you are deploying for sale?

Python excels at quick and dirty programming. For this reason it's good for data science, network tasks, general tasks, anything simple that is otherwise tedious to do manually, etc. It causes lots of issues when you need to make something big with it because so much in python is generally out of your control (memory management, threading, etc).

99% of the stuff I've used python for in the past 9 years is for some very routine task. Write some bullshit in python for it in 20 minutes, throw it on a box and run it on a cronjob. This is way easier than using Java to do the same thing.

At my current job I wrote an application in python to manage the hundreds of ETL tasks I put together for the company's backend. Another one was a console application for the finance guys where they could just enter a target date and a few other parameters and it would query our billing platform for projected billings from today to X chosen date and a few other assumptions. This was just a way to interface with the billing system's API that a non-technical person could use. It then spits out an Excel doc with all that in it. Python is real good for that shit.
 

Aldarion

Or learn perl, which is just like python except for people that enjoy freedom.

(Not commenting on making money with python, it's just that my spider sense goes off when I detect people saying positive things about python)
 

TJT

People just take it too far. Yes Python is easier to understand. It was intentionally designed to be easier to understand. It is also, however, lacking a ton of features and flexibility of the "harder" languages like Java or C#.

The asspain management gets is when their dev teams try and use python or Javascript for all layers of the application. That always creates problems down the road.

Pythonistas writing code like a bunch of faggots is just that. I fucking hate pythonistas.
 

Nirgon

> I'm trying to learn more shit, I'd love to one day be extremely well educated in cyber security / network security, etc. I have basic understanding of programming, but haven't done shit in a really long time. You think Python is a great new language to learn?

Python, Java + Spring boot, Javascript and of course SQL
 

Asshat wormie

Julia is a great new language to learn. Python is a great old(ish) language to learn.
 

TJT

Cybersecurity is gay but I learned a lot about it from this site @Falxy-US. I say gay because most people in the Cybersecurity sector work completely boring ass jobs like running commercial pen test software. Letting it spit out a result then telling devs that this is wrong fix it without understanding even what the piece of shit application they use spits out. Other than that it's a lot of things like user account/pw management and shit. I'd never work in cybersecurity.

 

Aychamo BanBan

> Cybersecurity is gay but I learned a lot about it from this site @Falxy-US. I say gay because most people in the Cybersecurity sector work completely boring ass jobs like running commercial pen test software. Letting it spit out a result then telling devs that this is wrong fix it without understanding even what the piece of shit application they use spits out. Other than that it's a lot of things like user account/pw management and shit. I'd never work in cybersecurity.


Thank you!

I was hoping it would teach me a lot more about networking and stuff. Like I see people talk about their “labs” with VMs. I was able to get Kali Linux running in a VM but didn’t see the point. And I hear about Docker and all that.
 

Asshat wormie

This might be good:


Can't speak for this course as I have no interest but I have done the Haskell and python data analysis courses offered and they were great. They had automatic exercise checkers which is always nice, and rare, when it comes to university courses online and this cybersecurity class seems to as well.

🤷‍♂️
 

Ao-

> Cybersecurity is gay but I learned a lot about it from this site @Falxy-US. I say gay because most people in the Cybersecurity sector work completely boring ass jobs like running commercial pen test software. Letting it spit out a result then telling devs that this is wrong fix it without understanding even what the piece of shit application they use spits out. Other than that it's a lot of things like user account/pw management and shit. I'd never work in cybersecurity.

Sir I am very offended at this, as it is mostly correct and holy shit it's mainly internet janitor work. Cybersecurity is cool if you're doing Forensics (disk forensics is cool but memory forensics is CRAZY), Threat Intelligence work (though phishing analysis is boring) or actual red-teaming/Offensive Security (right chaos chaos ?). The rest of it "what does this alert mean, why is this user dumb?" or "Holy shit why is SMB exposed to the internet?" and you clean up tech debt.

HackTheBox is another set of cool stuff like that.


I would reaaaaally strive to differentiate "Cybersecurity" vs "Hacking" though. The difference exists even if there is overlap.
 

TJT

> Sir I am very offended at this, as it is mostly correct and holy shit it's mainly internet janitor work. Cybersecurity is cool if you're doing Forensics (disk forensics is cool but memory forensics is CRAZY), Threat Intelligence work (though phishing analysis is boring) or actual red-teaming/Offensive Security (right chaos chaos ?). The rest of it "what does this alert mean, why is this user dumb?" or "Holy shit why is SMB exposed to the internet?" and you clean up tech debt.
>
> HackTheBox is another set of cool stuff like that.
>
> I would reaaaaally strive to differentiate "Cybersecurity" vs "Hacking" though. The difference exists even if there is overlap.

My favorite experience with idiotic "cybersecurity."

Dude: Runs whatever security software bullshit on our code. Spits out a report. Says that I am exposing api keys or something.
Me: No dude, that is wrong, this line is referencing our key vault in AWS where that actual API key exists. Once called, this returns the encrypted key for this transaction then discards it.
Dude: If they hacked our app they could get this reference then get our key out of the AWS vault.
Me: Uhhh, no because they don't have any way to reach AWS. The location of that vault can only be reached from our internal server that is the only one of like five with IPs that can connect to it to retrieve it. The AWS role is the only one in our entire org that can open the key vault other than the admin role. This is SaaS product best practice. Just having the reference does nothing. They would need access to the product server itself and the keys to make a transaction with this user role or the admin role in AWS. None of which are exposed.
Dude: That's not what's happening (he has no idea what's happening). Make it better.
Me: I suspect the software is scanning some pointless bullshit. I use a simple base64 encoding on that particular line and add another step to decode it. This doesn't trip the scanning tool.
Dude: Good job you made it secure.

....?

But I do agree the high level Security Research type stuff is cool as fuck. But you need to be hella smart and have a LOT of experience with various stuff to be any good at it.
 

chaos

That's how VM works. They run the tool, spits out the report, then they are supposed to do some validation. Or someone should do the validation. But the dude's response should have been "cool, we'll note that" instead of making you end run around the tool.

Threat hunting looks fun. Threat intel can be but it's mostly tons of analysis and repackaging. Red team/pentesting is fun, sometimes, sometimes very very frustrating. When I first started doing red team shit, the groups I was going against were just absurd, straight up retarded stuff like being able to reach a DC from the internet or not patching. It's changed a lot, the social engineering component is like the main thing now and exploit dev has become the trials of hercules just to defeat stack protections. Ao- is right though, there's "cyber" which involves a lot of management jerkoff shit and then there's hacking which is the cool shit people want to do but instead get roped into making powerpoints all day.

You can compile python into an executable if you need to, Falxy, but you shouldn't unless you're making a shellcode launcher or something. Also try hackthebox.eu, I haven't actually done tryhackme but I've done a lot of htb and it's really good.
 

alavaz

At my last job our "cyber" guy asked in one of our weekly meetings if we could open up this long list of ports or disable the firewalls on all of our servers so that he could "scan for vulnerabilities." I've never seen so much laughter at a work meeting.

I do think that certain aspects of cyber could be cool, but it just seems like the field is so bloated with entry level dudes watching for a red light in splunk that's usually false alert anyway. I had our cyber department get all riled up a couple of weeks ago because they thought they found an active attack when they noticed thousands of attempted logins against our DCs. Upon closer examination, it was simply thousands of "events" that they pulled from the event log...
 

Mist

> The rest of it "what does this alert mean"

Hey, I like event management/incident response/monitoring tools+alert configuration/problem management.

What is this alert? Oh it's garbage. Oh this alert garbage happened 6 times this month? I only want you to tell me if this garbage happens 3 times in a day, or 5 times in a week, otherwise toss it in the trash.

It's like playing a super grindy video game.

You don't really get to see the interesting parts of incident response if you're just doing it for your own mid-size internal company, but when you're doing it for hundreds of companies at once with thousands of sites it gets a lot more interesting.
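
The suppression rule described in the post above (escalate only at 3 firings in a day or 5 in a week, otherwise discard), as an added example that is not part of the thread and not any poster's code. The function name, the single-signature alert stream and all timestamps are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds from the post: 3 firings in a day, or 5 firings in a week.
RULES = ((timedelta(days=1), 3), (timedelta(days=7), 5))


def escalations(timestamps, rules=RULES):
    """Return the firing times at which one alert signature crosses a rule.

    Every firing is checked against each (window, threshold) pair, counting
    the firings inside the window that ends at that firing. Firings that
    cross no threshold are suppressed (not returned).
    """
    horizon = max(window for window, _ in rules)
    recent = deque()      # firings still inside the longest window
    escalated = []
    for ts in sorted(timestamps):
        recent.append(ts)
        # Drop firings that have aged out of the longest window.
        while ts - recent[0] >= horizon:
            recent.popleft()
        for window, threshold in rules:
            hits = sum(1 for t in recent if ts - t < window)
            if hits >= threshold:
                escalated.append(ts)
                break     # one escalation per firing is enough
    return escalated


def at(day, hour=9):
    """Constructed helper: a timestamp on a given day of a sample month."""
    return datetime(2021, 3, 1) + timedelta(days=day - 1, hours=hour)


# Constructed sample streams for a single noisy alert.
SPREAD_OVER_MONTH = [at(d) for d in (1, 6, 11, 16, 21, 26)]  # 6 in a month
BURST_IN_ONE_DAY = [at(3, 8), at(3, 12), at(3, 20)]          # 3 in a day
SLOW_BUILD = [at(d) for d in (10, 12, 13, 15, 16)]           # 5 in a week

if __name__ == "__main__":
    for name, data in (("spread", SPREAD_OVER_MONTH),
                       ("burst", BURST_IN_ONE_DAY),
                       ("slow build", SLOW_BUILD)):
        print(name, [t.isoformat() for t in escalations(data)])
```

Six firings spread across a month produce no escalation, while the burst and the slow build each escalate on the firing that crosses the threshold.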
 

TJT

> At my last job our "cyber" guy asked in one of our weekly meetings if we could open up this long list of ports or disable the firewalls on all of our servers so that he could "scan for vulnerabilities." I've never seen so much laughter at a work meeting.
>
> I do think that certain aspects of cyber could be cool, but it just seems like the field is so bloated with entry level dudes watching for a red light in splunk that's usually false alert anyway. I had our cyber department get all riled up a couple of weeks ago because they thought they found an active attack when they noticed thousands of attempted logins against our DCs. Upon closer examination, it was simply thousands of "events" that they pulled from the event log...

That is my main gripe with them. The part where you have someone managing user accounts/pws? Yes that absolutely needs to be done, although much of it can be automated. But this can be also done by a system admin without even adding extra responsibilities to their role. It doesn't have to be a "cybersecurity" dude. I am fully capable of pressing EXECUTE PEN TEST on whatever dumbass scanning tool you're using. Why do you have a job again?

It is as you say. Most of them ride coattails of people and shit they don't understand. Oh you saw a red alert in splunk? Who set it up? What is it looking for? Rather than investigate or understand this they just raise the alarm that OMG SECURITY VULNERABILITY. Bro, this is why people hate you. The wise cybersecurity professional would be the one spending time creating splunk rules and intelligent alerts looking for meaningful events that should prompt action. But it is the extreme minority that actually does this. As splunk is usually configured by devs who want splunk to tell them about shit they care about. Which is usually related to their current projects and workload rather than from the perspective of "is this secure?" Somehow this gets adopted by cybersecurity without even changing it and just rolling with it. Probably because they read some article about splunk being "great for cybersecurity."
 

Aldarion

> For what you should be using Python for, I can't think of a reason why you'd want to use perl instead.

How about it's not ugly as shit, doesn't force you to write your code in a terrible unreadable format, and for the love of FUCK, doesn't impose meaning on whitespace characters?

I mostly kid my python friends in a good natured way, but seriously, any language that has rules for whitespace characters should be dragged out in the alley and shot.
 