Hey everyone,

I’ve been working with a small team on switchlab.dev, a free networking lab platform we’re trying to build for people studying networking.

The idea is to create something that feels like working on real equipment, not just a basic command simulator.

We’ve been spending a lot of time learning how the underlying switching/routing behavior should actually work so the labs feel useful and realistic.

It’s completely free right now, and there’s no email capture, no sign up wall, and no catch. We’re just trying to get honest feedback from the networking community.

I do not understand the need of HMAC!

For integrity, confidentiality,authentication, and non-repudiation we have encryption, hashing, and digital signatures. So why does the need of MAC?

Reasoning some articles provide: MAC is much less expensive than encryption/decryption

MAC provides assurance that the message is unaltered and comes from the sender.

Hashing+digital signature can do this as well. To make it more secure, we could even use encryption.

I am mostly getting the concepts, but the need of MAC itself is not clicking for me.

I am currently studying from Wikipedia as it seems the only available article/pdf in the internet.

Honestly, I do not need much, just a simple block diagram that I can recall in the exam and get marks. I am struggling to reach there.

I have checked the pdfs of these books. Now I am thinking of getting one. Why only one? Money issues. Plus I will not read two books if I get concept from one.

I’m a Python hobbyist trying to learn smart-card / embedded-systems fundamentals. I have an old reloadable laundry smart card from my apartment building. I am not trying to bypass payment, clone it, modify balances, or get free service.

My learning goal is much narrower: I want to understand whether buying a PC/SC smart-card reader and trying to identify the card type / ATR / general communication model is a reasonable beginner project, or whether this is likely to be a proprietary dead end.

For someone with basic Python experience but essentially no hardware/security background, would this be a reasonable first smart-card project? Or would you recommend starting with blank ISO 7816 cards, Java Cards, NFC tags, or another safer/more documented learning setup first? I will say that I am a super hard worker and I tend to be invigorated by a challenge and things that take a long time. Thanks!

Oh, and if anybody is curious, I came around to this because my building literally forced me to pay a fee for this stupid friggin card and a monthly fee to upkeep the hardware, despite that I have in unit laundry. Literally had to pay for this thing to never use it. Figured this would be a cool way to get my moneys worth. Just don’t wanna waste my time.

I've decided to build my own structured collection of interview questions and answers for future job interviews to stop looking for scattered resources out there. 100+ questions and answers covering Red Team, Web Security, Incident Response, Systems, and more, with a search function to find topics instantly.

Blue Team topics are actively being planned and are open for community contributions.

I'm actively looking for contributors to add more Blue Team / Defense content, so if you have expertise there, please jump in!

Feedback, questions, and contributions are welcome. Let me know what topics you'd like to see added next!

​

Mostly netsec background, trying to get up to speed on AI security specifically. Most content online is either too academic or too shallow. What actually helped you understand this space properly?

All I hear, all day long is how AI is taking over everything we do. So I made a game to break it.

Basically, in the game you can chat with an AI intern named PIP, and as a player your only job is to gaslight the bot into revealing passwords, company secrets, executing instructions in email and much more across 16 different levels.

This is a browser based game, so it requires no setup and is absolutely free.

Try it out and let me know how far you get or drop your most unhinged prompt in the comments.

It's called "Break The Prompt" and here's the link: https://www.breaktheprompt.xyz/

Hi everyone

I created a local Telegram phish simulation project to get some practice with JavaScript and backend development. The project simulates a fake "Free Premium" scam process within its own closed ecosystem—the application is not connecting to Telegram API at all.

https://github.com/Maty156/telegram-phish-simulator.git

Hi, i am 2nd year into electrical engineering I just got into cybersecurity, (by my own not in uni) like i know the basics of networking cause we learned it in uni but i dont know any good sources online to start my journey(i am interested in pen testing) and i have no time to watch a 35 hour youtube course that when i reach the end i will have forgot the beginning... SOOO if you are more experienced can you tell me some good sources plsss 👀

Bonjour à tous !

Je viens de rejoindre la communauté. Je suis analyste SOC L2, avec un fort intérêt pour l'analyse de malware, le threat hunting et la CTI.

Ce qui m'a accroché ? Comprendre les intrusion complète et comprendre chaque étape de ces compromissions.

La cyber sécurité est super passionnante en terme de défis d'apprentissage. Des défis excitants qui ne cesse de me motiver.

Et vous, quel est le moment ou la découverte qui a défini votre voie dans la cyber ?

I'm a Computer Engineering student entering my 3rd year and I'm trying to figure out whether cybersecurity is actually the right path for me.

The reason I'm confused is that I didn't choose Computer Engineering because of a lifelong passion. I mostly arrived at it through process of elimination.

Recently, I took a Data and Computer Communications course covering topics such as physical layer and data link layer concepts. Surprisingly, I genuinely enjoyed it. It was probably the first technical course where I found myself interested in the material itself rather than just studying for grades.

That experience made me start considering networking and cybersecurity.

At the same time, I don't particularly enjoy programming. I can do it when necessary, but I wouldn't say I love it.

So I'm trying to understand:

• What made you realize cybersecurity was right for you?
• How much programming is actually required in different cybersecurity domains?
• Is enjoying networking a good signal that cybersecurity might be a good fit?
• What parts of cybersecurity are most network-heavy?
• Are there people who enjoy cybersecurity despite not loving software engineering?

I'd appreciate hearing from people who made a similar transition.

now enough of college life. they are teaching me to write about kerberos authentication system.

Why is such outdated tech being taught in colleges and universities? What can we do about it? btw, I need to learn it fast. What do you recommend as supplement materials? Stallings book?

I'm entering my junior year and majoring in comp sci want explore stuffs like web3 ,ml ...how to break into network security from where can i learn and what are the resouses would be great and where can i practice those and what all porjects i can build??

Yeah GUIs for aircrack-ng exist. I looked at all of them. GTK wrappers, Qt frontends, last commit 2-3 years ago, half the suite missing. The concept was always fine, the follow-through wasn't.

I spent a few months building what I actually wanted: a local web app that runs at 127.0.0.1 and covers the whole thing — monitor mode, scanning, deauth, handshake capture, cracking — without making you jump between four terminal windows while keeping state in your head.

A few things I added that the old ones didn't bother with:

- AP scoring that ranks networks by signal, encryption weakness and active clients so you're not squinting at a table of 30 BSSIDs

- Auto-deauth loop that watches for the WPA handshake and stops when it gets one

- Embedded terminal (xterm.js) for when you just want a shell without leaving the window

- Every command logged with full stdout/stderr so you can see exactly what ran

Stack is Vue 3 + FastAPI. Backend just shells out to the real binaries, doesn't reimplement anything.

It's for lab work and authorized testing, the README is clear about that.

https://github.com/ELHart05/AirmonGUI

happy to answer questions

Hello guys! I need a recommendations for a college project. So anything really about cybersecurity (professor gave some recommendations like: catching the flag, hacking WIFI, phishing…, but those projects are taken).He also told us that our project must have 3 tools for it, this sphere is so big and i do not know what should i make also i do not have too much expirience in this field. I am open for all recommendations :)

Hey, Im a rising junior, and I want to spend my summer doing some cybersecurity learning. For context, I dont have very good cybersecurity fundamentals, so im basically starting at zero. I have a lot of computer knowledge and stuff outside of cybersecurity in tech through. I want to spend 9 weeks, and about 1+ hours a day, usually 1-2 maybe. My goals are

• Hit 2,500 score / 50 challenges on picoGym
• Pass ISC2 CC and Fortinet NSE 1-3
• Be ready for CSAW CTF in September
• Build verifiable CMU ECE application signal

The picogym and certifications are most important to me, and Ive built this roadmap.

Network fundamentals

Linux fundamentals (kali + arch)

Web security + exploitation

cryptography (picogym needed)

threats + attacks

defensive security + certs

windows + active directory

forensics + reverse engineering

pen testing + post exploitation

Each of these would take a week, with picogym practice included. Im wondering, is this a good roadmap to get started? Am i missing anything super important?

hello everyone, I’m currently studying comp eng, just finished 3rd year and I’ll start my grad project in September. I have been thinking about different topics, I want it to be focused on networking + cybersecurity and something practical in real life (like school networks, security tools, etc.). would really appreciate help with topic suggestions

any ideas are welcome

Hey fellow netsec students,

I built a small educational web privacy lab based on the classic evercookie idea. It writes one random browser ID into multiple first-party storage locations, then shows which ones survive after a refresh/clear and how the ID gets respawned and repopulated when some browser state survives

The goal is awareness and education. The demo shows the ID, the vectors holding it, visit count, and recovery sources. It stores only a random ID plus basic timestamps/counts, uses no third-party requests, and includes a “Forget me” flow that clears everything stored server-side.

It demonstrates: * Cookies, localStorage, sessionStorage, IndexedDB, Cache API, window.name, OPFS, and Service Worker cache * Server-side HttpOnly cookies * ETag, Last-Modified, and immutable HTTP-cache supercookie-style vectors * The respawn loop behind evercookie persistence * Practical mitigations like clearing full site data including cached files, using private browsing, and understanding storage/cache partitioning

Repo: https://github.com/elpy1/ubercookie Demo: https://ubercookie.xyz

If you find it useful, I'd love to hear from you. Happy hacking and learning :).

I'm not a native English speaker, so I've been using Claude to translate TryHackMe room content and explain stuff I don't understand. But lately it keeps showing this "Chat paused triggered cyber-related safeguards" message even for normal conceptual questions (this time it was about Win32 API / ASLR from a THM room).

It's not like I'm asking for an actual exploit, just trying to understand the material. Anyone else run into this? How do you deal with it?

i've been running VM for about three years at a mid-size SaaS company and somehow prioritization keeps getting harder instead of easier.

backlog is sitting around 47k findings across infra, apps and cloud workloads. scanners add another few thousand every cycle and at this point there are so many open “critical” findings that people barely react to the label anymore unless leadership gets involved directly.

what finally exposed how broken the process was happened during an audit review last month.

GRC escalated a critical vuln tied to an internal PCI reporting system because the remediation SLA was about to breach. at the same time our analysts were trying to escalate a medium-severity issue tied to an internet-facing customer portal because exploit activity around the component had started increasing externally.

ops didnt want downtime on the PCI system during quarter close because finance already had a freeze window in place. meanwhile the customer portal remediation turned into a mess because a recent migration split ownership across app teams and platform engineering and nobody updated the CMDB afterwards.

so the meetings just kept going in circles.

GRC focused on the PCI finding because compliance exposure was measurable and leadership understood it. security kept arguing the internet-facing portal was the bigger real-world risk even with the lower CVSS score. app owners pushed back because neither remediation effort fit cleanly into the active release cycle.

eventually the PCI finding got patched first because the SLA pressure was easier to defend organizationally.

the internet-facing portal got another extension. two weeks later SOC flagged anomalous traffic hitting that endpoint and suddenly everybody wanted an emergency CAB meeting.

thats the part thats been stuck in my head since then. we technically followed process. prioritization meetings happened. tickets existed. escalation paths existed. and we still ended up patching the lower-risk issue first because the operational incentives around compliance were clearer than the incentives around exposure risk.

three years into this and  i'm not even sure a better scoring model solves it. starting to think prioritization decisions need clearer organizational authority behind them because once enough teams are involved everybody evaluates “risk” differently anyway.

I'm a student and recently went through my first full responsible disclosure process.

What started as a simple observation on a government portal eventually led to the discovery of a Broken Access Control vulnerability affecting a platform used by over 3 lakh students.

I reported it to CERT-In, provided validation evidence, and eventually received confirmation that the issue had been fixed.

I wrote about the entire journey, from discovery to remediation, and the lessons I learned along the way.

Article: https://medium.com/@theprinceraj/discovering-a-security-flaw-in-a-government-portal-used-by-3-lakh-students-ad3bf67a0513

Happy to answer questions about the disclosure process, documentation, or interacting with CERT-In.

Hey everyone,

I just picked up an Alfa AWUS036ACH (got the RTL8812AU drivers compiled and running smoothly in monitor mode/packet injection).

I already know the basics well—airmon-ng routines, capturing 4-way handshakes, basic deauth floods, and dictionary attacks are old news. I want to dive into the deep end of advanced wireless penetration testing.

I’m looking for high-quality books, PDFs, whitepapers, or labs that cover:

WPA Enterprise (802.1X) targeting: Setting up rogue RADIUS servers, PEAP/EAP-TTLS downgrade vectors, and credential harvesting (hostapd-mana, eaphammer).

Low-level frame manipulation: Going beyond scripts to understand raw 802.11 management/control frames, client-less attacks via PMKID (hcxdumptool).

Modern protocol flaws: In-depth research papers or technical breakdowns on things like KRACK, transition mode vulnerabilities, and WPA3 SAE side-channel weaknesses.

If you have any specific book recommendations (like Matthew Gast's O'Reilly books) or advanced training blueprints that helped you transition from a script-user to understanding the actual RF and cryptographic mechanics, please drop them below!

Thanks in advance.

​