The way most folks learn to do high end niche programming: In advanced degree programs, research organizations and through professional development at government employers / contractors.
Charlie Miller is a well known example of this - he famously markets himself as a reliable exploit writer, his background came from doing the same work at the NSA.
In most cases it's a very technically challenging effort, beyond what most people will self teach. Simply finding the bug is often the easy part as compared to reliable exploitation.
The best publicly accessible sources of learning are security conference papers and university theses, though they don't usually explain the basic techniques or high level techniques. "Underground" sources like 2600 for the most part publish rather poor or incomplete material, though they occasionally do have some top notch stuff.
I assume this is related to the old Andy Greenberg article that's on HN right now. While I wouldn't say those prices are an outright fabrication, it is definitely misleading. It is very rare for those kind of prices to get paid, at least reliably. It's much more common for prices to be in the four or low five figures ranges when sold and often go completely unsold. It has a lot to do with who the buyer is and what their budgets are like and how well known you are and on and on - not totally unlike a traditional governmental procurement process.
What that article really was was an advertisement for that broker - the price list was there because he's trying to say hey you're getting screwed come to me! I would guess that the reality of working with him is significantly more middle class.
The way most folks learn to do high end niche programming: In advanced degree programs, research organizations and through professional development at government employers / contractors.
Charlie Miller is a well known example of this - he famously markets himself as a reliable exploit writer, his background came from doing the same work at the NSA.
Nope, Charlie is definitely not the typical story. Most of these guys don't even have college degrees.
Do you work in the industry? It's changed significantly in the last five or ten years. There are dozens or even hundreds of small shops in the dc area doing this kind of work and self taught no degree folks are a small minority.
Maybe it's the silent majority. After all, most developers aren't the node and nosql pioneers that get all the press, most are working in some office park doing .net and plsql.
Charlie Miller is a well known example of this - he famously markets himself as a reliable exploit writer, his background came from doing the same work at the NSA.
In most cases it's a very technically challenging effort, beyond what most people will self teach. Simply finding the bug is often the easy part as compared to reliable exploitation.
The best publicly accessible sources of learning are security conference papers and university theses, though they don't usually explain the basic techniques or high level techniques. "Underground" sources like 2600 for the most part publish rather poor or incomplete material, though they occasionally do have some top notch stuff.
I assume this is related to the old Andy Greenberg article that's on HN right now. While I wouldn't say those prices are an outright fabrication, it is definitely misleading. It is very rare for those kind of prices to get paid, at least reliably. It's much more common for prices to be in the four or low five figures ranges when sold and often go completely unsold. It has a lot to do with who the buyer is and what their budgets are like and how well known you are and on and on - not totally unlike a traditional governmental procurement process.
What that article really was was an advertisement for that broker - the price list was there because he's trying to say hey you're getting screwed come to me! I would guess that the reality of working with him is significantly more middle class.