undefined | Better HN

0 pointsjrockway13y ago0 comments

I got a B. The homework was to find and write an exploit for 10 security holes in deployed software, but I only found 2. (3 including the one above, which I must have found the week or so after exams. The holes I found were in nasm and in some amateur open-source smtpd.)

FWIW, the exams are quite thought-provoking nearly 10 years later, here's a link to them: http://cr.yp.to/2004-494.html

0 comments

amenonsen13y ago

What did you think of the course textbook ("Exploiting Software", Hoglund & McGraw)? Is there a more modern alternative that you (or anyone) can recommend?

tptacek13y ago

_The Art Of Software Security Assessment_ is the current canonical text.

Here's a reading list; I'd add Zalewsky's _Tangled Web_ to it, but change little else: http://amzn.to/cthr46

jrockwayOP13y ago

The textbook covers subject matter that won't become outdated: reverse engineering, how to craft malicious input, etc.

tptacek13y ago

Didn't he famously fail the whole class one of the times he gave it?

jrockwayOP13y ago

I don't think so, as he's only taught the class once and I didn't fail it:

http://cr.yp.to/courses.html

tptacek13y ago

There was a Slashdot story about it.

I remember reading the course syllabus online and being jealous despite already having worked in professional vulnerability research for a few years. You're lucky to have been at the class! Was he a good lecturer?

Tichy13y ago

Sounds like a very cool course.

j / k navigate · click thread line to collapse

0 pointsjrockway13y ago0 comments

FWIW, the exams are quite thought-provoking nearly 10 years later, here's a link to them: http://cr.yp.to/2004-494.html

0 comments

amenonsen13y ago

What did you think of the course textbook ("Exploiting Software", Hoglund & McGraw)? Is there a more modern alternative that you (or anyone) can recommend?

tptacek13y ago

_The Art Of Software Security Assessment_ is the current canonical text.

Here's a reading list; I'd add Zalewsky's _Tangled Web_ to it, but change little else: http://amzn.to/cthr46

jrockwayOP13y ago

The textbook covers subject matter that won't become outdated: reverse engineering, how to craft malicious input, etc.

tptacek13y ago

Didn't he famously fail the whole class one of the times he gave it?

jrockwayOP13y ago

I don't think so, as he's only taught the class once and I didn't fail it:

http://cr.yp.to/courses.html

tptacek13y ago

There was a Slashdot story about it.

Tichy13y ago

Sounds like a very cool course.

j / k navigate · click thread line to collapse