CyberSecurity Resources & Learning Path

The group shared many links to security papers, old zines, exploit collections, and tools. This page consolidates those into a coherent learning path.

Old-school security resources often recommended:

• PacketStorm Security papers and articles:
  • PacketStorm – Papers
• Old hacking zines and txt files:
  • Exploit write-ups, buffer overflow tutorials, shellcode basics.
• Kernel and low-level docs:
  • Sites like kernel-related documentation aggregators and personal collections of `.txt` articles.

Use these to understand how classic vulnerabilities work: stack overflows, format string bugs, race conditions, insecure defaults.

From the way resources are shared, a natural progression looks like:

• Level 0 – Basics
  • Solid understanding of C and memory layout (stack vs heap).
  • Comfortable with Linux shell, compiling programs, and reading man pages.

• Level 1 – Classic Exploitation
  • Stack buffer overflows.
  • Return-to-libc and basic ROP.
  • Format string vulnerabilities.
  • Tools: `gdb`, `pwndbg`, `objdump`, `readelf`, `strace`.

• Level 2 – Modern Defenses & Bypasses
  • ASLR, NX/DEP, stack canaries, RELRO.
  • PIE binaries and their impact.
  • Basic mitigations in modern compilers (`-fstack-protector`, `fortify-source`).

• Level 3 – Web Security
  • XSS, CSRF, SQL injection, IDOR, SSRF.
  • Secure session handling and authentication schemes.
  • Tools: Burp Suite, browser dev tools, basic fuzzing.

• Level 4 – Network & Infrastructure
  • VPNs, firewall rules, segmentation.
  • SSH hardening, bastion hosts, jump boxes.

Privacy discussions often revolved around:

• Tor as a tool for anonymity:
  • Better used through hardened browsers or systems (e.g. Tor Browser, Tails).
  • Avoid logging into real-identity accounts over Tor.

• VPNs:
  • WireGuard/OpenVPN for private tunnels (see Networks, VPNs & Firewalls).
  • Understand that VPNs change who you trust, they don’t “solve” anonymity by themselves.

• Threat models:
  • Distinguish between:
    • “Hide from ISP / coffee shop Wi-Fi”.
    • “Avoid profiling by large tech companies”.
    • “Strong anonymity against state actors”.

Although specific platforms were mentioned in passing, you can safely use:

• CTF platforms (e.g. picoCTF-style sites).
• Vulnerable VMs and labs (Metasploitable-like images).
• Bug bounty programs (for real-world practice, respecting scope and rules).

Typical advice implied by the group:

• Alternate theory (papers, zines, specs) with practical exploitation.
• Focus on understanding root cause of vulnerabilities, not just copying payloads.

Some habits implicitly encouraged:

• Use separate environments for security experiments (VMs, containers, disposable systems).
• Keep a dedicated notes repo (wiki, org-mode, markdown) with:
  • Attack chains.
  • Cheat sheets (nmap, metasploit, sqlmap, etc.).
  • Links to relevant docs and RFCs.

Security here is treated not as “hacking for the memes” but as a discipline with tooling, reading lists, and practice routines.