How far into this do you get before you learn how CBC bitflips work? Trick question! It's never covered. The cryptanalysis slides are from 2013, sure, but CBC padding oracles were already passé by then.
It just makes me feel like people aren't taking the subject seriously. Which is how a lot of this courseware reads to me! A recitation of random facts.
That said, my hypothetical crypto curriculum looks like this:
1. Cryptopals challenges as a guide to what to learn and pay attention to (which I suspect tptacek would probably recommend as well since he had a hand in making it :P)
2. Serious Cryptography as an introduction to core concepts
3. Applied Cryptography for encyclopedic reference
Even just annotating the table of contents from "Serious Cryptography", "Cryptography Engineering", etc. would be enormously useful for motivated hobbyists.
Probably hard to monetize, but it would be a great service to the community.
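As an added worked example (not part of the comment above or of any of the courseware it discusses), here is the CBC bit-flip the commenter is referring to. It uses a stand-in block cipher built from SHA-256 (a 4-round Feistel network) so it runs on the Python standard library; the key, IV and plaintext are constructed for the demo. The attack does not depend on the cipher at all, only on CBC decryption computing P[k] = D(C[k]) XOR C[k-1]: XOR a mask into one ciphertext byte and the same byte of the following plaintext block flips, while the block you touched decrypts to garbage.

```python
import hashlib

BLOCK = 16
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in 128-bit block cipher (Feistel network, SHA-256 round function).
# It exists only so the example runs offline; AES-CBC behaves identically
# under the bit-flip because the attack targets the mode, not the cipher.
def _f(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r


def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns IV || C0 || C1 || ... (IV prepended, as most formats do)."""
    padded, prev, out = pad(plaintext), iv, b""
    for i in range(0, len(padded), BLOCK):
        c = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += c
        prev = c
    return iv + out


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:BLOCK], ct[BLOCK:]
    prev, out = iv, b""
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out += xor(block_decrypt(key, c), prev)  # P[k] = D(C[k]) ^ C[k-1]
        prev = c
    return unpad(out)


def flip_plaintext_byte(ct: bytes, index: int, old: int, new: int) -> bytes:
    """Return a ciphertext whose decryption has plaintext byte `index`
    changed from `old` to `new`. With the IV prepended, ct[index] is exactly
    the byte XORed into plaintext byte `index` during decryption, so XORing
    old^new into it flips that one plaintext byte. The plaintext block
    covering ct[index] itself (the block before the target) becomes garbage,
    unless index < BLOCK, in which case only the IV was touched."""
    m = bytearray(ct)
    m[index] ^= old ^ new
    return bytes(m)


# Constructed demo material, not secrets from any real system.
KEY = b"constructed-demo-key-not-secret!"
IV = bytes(range(BLOCK))


def demo() -> tuple[bytes, bytes]:
    """Returns (honest plaintext, attacker-controlled plaintext)."""
    plaintext = b"comment=hello!!!;admin=0;x=y"  # 16-byte first block
    ct = cbc_encrypt(KEY, IV, plaintext)
    idx = plaintext.index(b"admin=0") + len(b"admin=")  # byte 23, block 1
    forged = flip_plaintext_byte(ct, idx, ord("0"), ord("1"))
    return cbc_decrypt(KEY, ct), cbc_decrypt(KEY, forged)


if __name__ == "__main__":
    honest, forged = demo()
    print(honest)
    print(forged)  # block 0 is garbage, block 1 now reads ";admin=1;x=y"
```

Padding still validates because the final ciphertext block was not modified; a parser that splits the garbage-prefixed string on `;` and looks for `admin=1` is fooled. The fix is not a stronger cipher but authenticating the ciphertext (an AEAD mode, or a MAC over IV and ciphertext checked before decryption).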
like, the guide co-authored by a partner in the firm started by the parent poster?
OST was started a decade ago when I was at MITRE and had zero public profile. So I didn't exactly have the luxury of running around and asking people to go do free work for me by making free classes. But I did have the luxury of turning to my colleagues like Kerry, who I could get into the MITRE program which paid bonuses for making classes. Kerry obviously has an academic background, and thus she created material with an academic slant.
Now that I'm going to be working on the site full time over many years and trying to find a way to make it so that instructors can get paid more than $2k per class (which is what we were getting at MITRE, but which at the time was plenty of motivation for me to make many classes :)), I hope we can go much broader and much deeper on crypto material this time around, both from the academic and applied perspective (though the latter is the priority).
But the problem of course is that I don't consider myself in any way qualified to create or judge crypto content. Thus I have to rely on whatever I can convince folks to contribute. I hear great things about cryptopals (and I got to work with both Sean and Alex at Apple until I recently quit), but I haven't ever looked at it in detail since it's outside of my primary area of interest (though if I'm correct in believing it's primarily about crypto-implementation vulnerabilities, I find it intellectually interesting as its own unique bag of tricks which some, but not most, vulnerability hunters end up adding to their larger bag of tricks, depending on whether they choose to (or have to) audit crypto or not (I very literally just outsourced it to Sean for multiple audits)). But while things like cryptopals can serve as an important component of both crypto and exploits learning paths, it's only a small part of the overall curriculum which is needed to get people into jobs that actually use/audit crypto on a regular basis. And that's what I think is needed now: the full set of classes which are needed for people to start off in jobs (because that's what OST2 is going to be about when I relaunch it - vocational classes that lead directly to jobs).
So who do you think I should reach out to in order to find people who are passionate and willing to help craft such a curriculum?
COVID was a lightning rod and channeled a lot of technological advances through that would’ve been otherwise halted by the cyber hand wringers who seem to have infiltrated all approval processes.
One recent example I saw was prioritizing the re-evaluation of a system that is low impact and limited access over the remediation of issues on a widely accessible system, only because the low impact evaluation was going to be out of tolerance sooner and therefore look bad on report cards.
For a fee you can also take tests to earn certificates.
Full disclosure: I developed these courses (with lots of gratefully-accepted feedback). But I hope you'll like them anyway :-).
The founder of OST (OpenSecurityTraining) recently tweeted that he's going to work full time on OST.
Even if he were to ask for donations to keep it going, disclosing other revenue streams is a bit much to ask of someone not involved in the project.
Maybe it's your tone.
Maybe start with: "I've always wondered how the economics of this work, how would he survive? How can someone replicate this model?"