I have noticed quite a few HN users are well versed in security and various attacks (recently mentioned is the "cleaning lady" attack by cperciva (http://news.ycombinator.com/item?id=895411)). I consider myself well versed in basic web attacks (SQL injection, CSRF, etc.), but I would love to learn more about the algorithms themselves and I'm wondering where you guys/gals learned about encryption algorithms in general and the various attacks on them. Same thing with the general security issues (like the one discovered by dfranke on hacking arc).<p>Are there any resources you could recommend to those (like me) who want to learn more?
Ross Anderson's <i>Security Engineering</i> is an excellent introductory book. Highly readable, and broad but not very deep. The first edition is free online (and is still a perfectly resource; the second edition has a few added chapters):<p><a href="http://www.cl.cam.ac.uk/~rja14/book.html" rel="nofollow">http://www.cl.cam.ac.uk/~rja14/book.html</a>
Pentesting/security analysis has been my hobby in high school/early college and I ended up getting BS and MS degrees in CS, with concentration in security. It's also my day job.<p>It's unclear what exactly you want to concentrate on. Do you want to learn about encryption algorithm details and want to understand the design decisions behind them or do you just want to effectively use them? Do you want to learn about proper architecture and general principles?<p>edit: feel free to contact me if you have any specific questions, I'll try my best to weigh in on specific issues.
Metasploit is an open-source penetration / auditing framework written in ruby. I also liked this book:
<a href="http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593270070" rel="nofollow">http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/...</a>