
Using Android? Never forget it's built by Google. And some help on becoming a security professional.

Security weekly

Hi and welcome to another Security weekly. Where we laugh, we cry and share the latest and greatest in security and tech news.

Did you know? The first edition of Sawcon was in 2022. Sawcon deez nuts boi. Ayy, got'em.

In this week's edition:

  • 💁🏻 Some help on becoming a Security professional.
  • 🤖 Using Android? Things to look out for.
  • 🔥 The quick and dirty.

Reading time: 04:38 - better take a chair for this one

Some help on becoming a Security professional

If you're wondering:

a) if security is for you
b) whether to go for information security or a more technical approach
c) whether or not you're on 'the right track'
d) why stores have the need to wrap vegetables in plastic

You're in the right place!

Let's start with a).

  • You've just finished school and are curious about what path you want to take in IT.
  • You've been working in IT for a while now, happily sysadmining your days away.
  • Your current job has nothing to do with IT or security, but you keep hearing there's tons of money to be made in cyber security.
  • Job positions? In 2022 alone there are 3.5 million unfilled spots in the field of cyber security.

I just summed up what I heard from candidates who applied for a junior security position at the company I work for. And all of them are solid: security is (or should be) for everybody. That's also the reason I started this newsletter. But of course, there are some personal traits that can help you flourish:

  • You're vigilant and have a high sense of morals.
  • You realize that security is always in service of the company, not the other way around.
  • You're either very technical, or you're good with policies and like contributing to them.

Essentially, you're batman.

So, if I don't have any of those, security isn't for me? Not at all. Those are just qualities that can help.

So, b) then. Just like saying you work in 'IT' or 'Tech', saying you work in 'Security' doesn't say a lot.

For instance, I'm an information security guy. I know how the technical stuff works, I know the products and what their purpose is. But I'm not the one implementing them, or doing other stuff like penetration tests. That's where I rely on skilled technical hackers. Good guy hackers, that is.

How do you know which one is for you? Well, again there's no 'one answer' to this. For me it was that I am quite technical, but I don't get a major boner from coding, writing scripts, threat hunting, ... I do however *love* risk analysis: tying the technical measures to the functional policies of a company. Yes, this is the reason nobody invites me to parties.

Am I on the right track (c))? Probably.

Really, probably.

Sounds cheesy and vague, but I think you are. Every person has their own interests, their own motives to do certain things. Keep doing what you like and love, and keep doing it at your own pace. Don't compare yourself to others, only to the you from yesterday. #gettingphilosophical

Here are some certification and career tips you can use though. Free, from DisableUser.

  • Starting out? Security+ from CompTIA is awesome. It covers every topic there is, which also helps you decide what role you could pursue later on.

  • For people with some experience: Certified in Cybersecurity from (ISC)2 is a very nice certificate to obtain. I think I'm going to do this myself, just to see what it's like. It's not entirely entry level, so it's for people with *some* experience. Also, this one is free! Check out (ISC)2's One Million Certified in Cybersecurity program.

  • For the pros: CISSP or CISM. CISSP for day-to-day operations, CISM if you're more into management and have a larger focus on the company's goals. These are rather difficult and costly, so I wouldn't recommend trying them until you have some experience.

And then, finally.. the d)

What is up with this? You do know fruits and vegetables have a natural shield, right? I'm not a fart sniffing hippie, but this stuff really pisses me off.

(Image: what it is vs. what it should be)

Using Android? Never forget it's built by Google.

While I've been an Android user myself for... well, my entire life, there are some things that have always bothered me. The biggest one is: it's made by Google.

The past week has been a not so subtle reminder of why that is.

Last week, bug bounty hunter David Schütz wrote an extensive post on his website about his experience with Google/Android's bug bounty system. He found a method to bypass the lock-screen code by SIM swapping a Pixel device, Google's flagship Android device. Seems pretty extensive to me, and cool that he found it.

After testing and writing down the exact way this works, he filed a bug bounty report with Google and awaited an answer. This was in June of this year. 37 minutes later, they filed an internal bug. Awesome, right?

Well, here's what happened afterwards:

  • Communication went downhill. The next reply only came 30 days later.

  • Google replied that it could be a duplicate of another report. For those unaware: if you find and report a bug, there is a reward. For this bug there was a max of $100k, depending on the impact. But this of course doesn't apply to duplicates.

  • Google confirmed it's a duplicate. Buhbye reward.

  • No follow-ups for 2 months. Only after attending a Google bug bounty conference (didn't even know those existed) was David able to speak with some Googlers and draw attention to the problem.

  • Fast forward to November. Google patched the problem just last week.

  • Bonus point for Google though: because of the follow-ups and the work he put into it, they handed out a 70K reward to David. Good on you, dude!

This isn't the dedication you would expect from a tech giant like Google, where the bounty reporter seems to care more about fixing the issue than the company itself does.

The quick and dirty

Security like I'm five

Don't have time for hours of research? Don't have 20 years of experience in security? Me neither, but I gotchu fam.

In Security like I'm five I cover a range of security topics. I do all the hard work, and explain it to you in a practical manner. Lots of memes too. Good stuff, good stuff.

This and Security weekly are conveniently delivered to your mailbox a couple of times a week, for free. Pretty sweet deal if you ask me.

So sign up for the newsletter and be enlightened! (don't set the bar too high tho)