Books 2015 IWT

Today’s summary is about “I Will Teach You To Be Rich” by Ramit Sethi. Despite what sounds like a sleazy title, I will count this book among the best I’ve ever read in terms of actionable content, written for YOU to get results. Yes, I’m sure that Ramit is very happy people like and buy his book, but from the first page to the last, he is encouraging the reader to look beyond their current state, and to get better.

This book isn’t about how to earn sick piles of cash to sleep on. It’s most basic message is that you can make your money work for you, so that you are able to enjoy a rich life. How you define a rich life is your own journey. Remit believes, and I with him, that worrying about which bill is paid when, which account to use for what, and managing your finances down to every tenth of a cent is in no way a rich life. Money is important, and having increasing amounts of it is not a bad goal. This book is super cheap and if you’re really that broke, half it’s content is available from Ramit himself in many places online. However, it’s worth a buy. This is the second book I’ve purchased as an adult for another person. It’s the first book I’ve done that after reading. It won’t be the last.

Remit doesn’t bullshit you. Learning to deal with money takes work. Unlearning or changing bad or outdated habits is hard. I’m just starting my journey following his ideas to automate my finances and the rewards are dramatic. They’re also a lot of work. Don’t be lazy. Try harder.

My fancy pen

This post is follow up. I spent a month trying to determine if this would work, and finally just threw money at the problem. I did get lucky though.

I have a lovely pen, a Muji fountain pen. This ticks all the little things I desire most in a quality writing implement. It’s a cylinder from top to bottom, it has a snap cap rather than screw on, and it takes cartridges, to keep me from spending obscene amounts of time and money dorking with ink.

Once I bought one, I found out this pen ships with a “fine” nib.
finenib

In practice, with my handwriting and notebooks, this is not ok. I found a fair number of forum and blog posts where people discuss changing nibs, but there’s very little resolution. So I did some learning, and it looks like a #5 nib should be a drop in replacement.The fine folks at Goulet Pens happen to sell a #5 Edison Extra Fine. More searching blogs and forums say it should work. $20 and a couple days later, I can confirm. My cheap pen ended up costing me around forty bucks, plus ink, but I’m damn happy about the result.

final

Books 2015 Part 1

The intention of this post was to be an annual reflection of my reading habits. Since I’ve kept at it for seven months, I’m not going to delay it until 2016, I’ll just drop monthly updates whenever I work my way through a book or two.

January 2015

I started re-reading Shadowrun novels after trying to plan a blog post relating my Macbook to a cyberdeck in this universe. I got sucked in because they’re entertaining. I haven’t read many of these since early college, and it is fascinating to see what predictions about the future they totally missed. Fax machines are still a thing in this universe. And payphones, called telecoms, but the principal is the same.

Streets of Blood

Nosferatu

Striper Assassin

February 2015

Just a single entry, because Neal Stephenson writes books that are forever long. Snow Crash is the next book out of people’s mouths after Neuromancer. I’ve read most of William Gibson’s cyberpunk stuff, so I decided it was time to give this one a shot. It’s got some great stuff in it, but is way to long to develop what really was a fairly simple story. I think I’ll be avoiding Neal Stephenson for awhile. I still love Cryptonomicon, but I was pretty unhappy at the end of reading this book, despite the utterly badass notion of a hacker with swords that wrote a sword-fighting engine to match his reality.

Snow Crash

March 2015

March is nonfiction month. I’ve spent two months this year reading fiction, so now it’s time to get on track with something else. I’ve got a backlog of want and need to read stuff. I don’t really have any goal except to read new books rather than re-read old books, and for them to be non-fiction. However, they’re obviously closely matched to my interests, one has Macintosh in the title.

The Macintosh Way Picked this up when Guy put these out for free. I am nostalgic about Classic Mac stuff, probably because it was my first exposure to computing. I’ve read folklore.org on and off for almost ten years. Now that I have experience watching and interacting with the management of a fair sized corporation, these sorts of books are a lot more interesting. — After finishing the book its very funny to compare 1990 Apple to 2015 Apple. There’s a lot that they didn’t do or believe in now that is a staple of their business, mostly retail and hands on support. There are many other things that stand out as exactly the same, namely they want developers to create fantastic Mac and iOS applications. Apple does not want ports from other operating systems, they don’t want good enough, they want their platform to run the best software.

Lauren Ipsum I think I saw this on one too many infosec slides and need a short break to something completely different. Its borderline non-fiction. There’s a little girl lost in a strange world, which turns out to directly map to computing concepts. Its kind of like Tron meets Through the Looking Glass. It’s not a bad story, just feels, exaggerated for the effect of the metaphor. I probably will not be reading this again.

April 2015

Continuing non-fiction, I started with Creativity, Inc. Mostly because I bought a copy for my Dad and I know he will want to discuss it. Well, that and Ed Catmull and Pixar have proven to be one of the most clever groups to deal with people.

May 2015

Finally finished Creativity, Inc. To crudely sum it up, the entire book focuses on intrinsic honesty. Pixar’s success is based on the fact that anyone can tell anyone anything, no repercussions. Catmull presents this in different ways, talking about his own history, John Lasseter and the other film directors, and of course Steve Jobs. They all have a different way of looking at it and phrasing it, but honesty is what drives their professions and the company they work for. Its impressive to read about a company that both says they work for that kind of honesty, then shows it. Catmull describes many painful moments that they needed the honesty to make the films work. He also talks about “Notes Day”, when they turned to the company at large to help them become more effective. This struck me because he describes the thoughts leading up to it, its execution, and it’s followthrough. I’ve never seen something like that executed on that scale by an organization so … honestly.

June 2015

Busy month, nothing to report here other than I’ve pledged to myself that I need to read more books I’ve never read before. I spent a fair bit of time thinking about it and realized I’ve been reading the same couple of dozen books every few years for roughly twenty years. No more. I’ll need a break eventually, but for now I need to stop reading pulp sci-fi and horror books. I need to spend more time reading different things. For now that’s all pretty technical non-fiction, but we’ll see where this path ends.

July 2015

June was weird and as such I didn’t actually finish things. I slowly moved through this, Dissecting the Hack: The F0rb1dd3n Network, Revised Edition , at home and WOW is all I can think to say. If you ever know anyone interested in the nuts and bolts of infosec, this is the book for them. It’s got a cheesy narrative story in the first half of the book, which feels like a true-to-life adaptation of the movie hackers. However the second half is astoundingly verbose, contextualizing every bit of jargon, in-joke, or techy thing that happens in the story. After reading this I feel like if I had read this two year ago, I would be in a very different position in my life. This book compiles all the things that I’ve picked up from blog posts, con talks, conversations, twitter, and every other source that has helped me learn about infosec. Totally worth the time for anyone that considers themselves new to the industry, or anyone willing to learn a little bit more.

At work I’m also trying to branch out, but this time with a lot less success than my home book. Metasploit, The Penetration Tester’s Guide felt list a mis-guided mess. The book opens with a quick once over through Metasploit features, where and why to use them, but left me with lots of “how?” questions. The most glaring example is database use. The book guides you through using nmap directly in Metasploit, storing the results in a database, and then . . . nothing. That’s the last reference to the database that I saw. WHY would you store all your scan results, then not use them as a variable in every module for the rest of the book?! That failure definitely biased me through the rest of the book, because for every example I’m asking, “Why the HELL am I typing RHOST again?!”. Another sin that bugged me, but honestly is not the authors fault, is that two thirds of the exploit examples are based on Windows XP SP2. In 2010, when the book was published, that wasn’t that big of a deal to find. Now? In 2015? I’ve got access to a software testing library, and we don’t keep those laying around. I blame this on the editorial staff not being technically foresighted enough. There are plenty of intentionally vulnerable linux distros that could have stood in for Windows. Enough ranting. If you’re reading this and interested in Metasploit, read the Offensive Security version of this book, Metasploit Unleashed.

Be Humble

I was lucky enough to get selected again to speak at the local BSides this year. It was a fantastic experience, better than last year. I got a lot of good feedback and discussion from my talk, entitled, “DIY Hacker Training, a Walkthrough”. I just went through the things that I use for learning resources and keeping track of news around the infosec community.

The second keynote of the day was … unexpected. Chris Nickerson is typically the first person people point to when the topic of “rockstar” in the community is raised. He tells funny stories, he’s often seen with a drink in hand, and he’s always talking about this time he got into some shit. Saturday Chris got up and put his story out there for everyone to see, as a lesson, almost a confession, and a pledge to get better. He talked about the highs of leading in the infosec community for 20 years, attaining that “rockstar” status; TV shows, board positions, leading companies, owning companies, pwning companies. He also talked about the hard parts, the rough patches, the terrorizing that he and his loved ones are enduring every day. It’s a hard lesson to learn and I’m sure an even harder one to teach. I am grateful for the lesson and for Chris’ sacrifice. He has taught me more than a few things over the last few years as I have grown up into this field. The message I got from him awhile ago, that he underscored again on Saturday, is universal. No one can claim to live a full life without it and absolutely no one can have a decent career without it. Be humble. Don’t be cocky. Everyone, no matter how smart, no matter how dumb, no matter where they’re coming from, everyone knows something you don’t, and can teach you things.

It’s often said that the key to succeeding in Information Security is mindset. You have to think like an attacker, think about what it can do, rather than what it should do. Since the first time I heard Chris say this in a talk, I’ve watched him and others in the community live it at cons, on twitter, in their blogs. Everyone can help you get better. As they can help you, so can you help them. Share your insights, share your experience, share your knowledge. There’s not a better message to take home.

Be Humble.

Wow. Just, Wow.

Since Windows 7 announced or demoed their Aero-Snap feature, I’ve wanted it for OS X. I  find it extremely handy to be able to just throw a window towards an edge of a screen and have it conform to a size by default. Two windows side-by-side are incredibly useful for learning things in a terminal or IDE with a browser right next to it. I’ve been wishing for something, particularly since I got my Macbook 11. Better Touch Tool is that thing. And its FREE.

I found it because someone posted some jab at the dev for running out of version numbers on Twitter, which prompted me to check out the reddit thread, and I finally downloaded the tool. AND THE FIRST THING IT ASKED ME ON THE FIRST LAUNCH WAS TO ENABLE WINDOW SNAP. Done. Winner. Over in one round. As long as this tool keeps working it’ll be on my macs.

Update, 06.24.2015 – Doesn’t Apple finally announce this feature for OS X this fall? sumbitch. If you have an *extra* mac, I recommend the betas.

I Built Something – VBox Lab PS

I’ve dabbled in programming of one sort or another since I learned BASIC in 4th grade. Finally I’m starting to envision products I need small enough to get my feet wet. There will be at least one more of these, once I figure out some intricacies of Objective-C.

I learned quite some time ago that you can interact with VirtualBox on the commandline. Which is super handy if you’re in the habit of leaving a shell open. Lately I’ve been trying to spend time learning network enumeration, on the long list of things I need to practice with before attempting PWK/OSCP later this year. At work this means finding VirtualBox on Windows8’s Metro mania, and clicking around. Which gets old. No more.

VBox_Lab.ps1 is a quick PowerShell utility to do what I need most. Launch VMs, headless or not.

pretty

I learned a LOT from this. Everything was copy a little bit from a How-To and change it some, test, Repeat. Repeat. Repeat. Debugging even something this simple gets complex. Dynamic menus, it turns out, are quite a thing to have to learn how to do. I’m glad I did though, because it makes this portable.

I already have a long feature list to add, but for right now it works without crashing, which is a fantastic place to pause and put it out there.

Good Deals

I’m an Apple guy. This started when my dad was in grad school, the lab had Macs. I got to spend an hour or two when I was super young playing with MacPaint. I thought this was great, but didn’t appreciate the significance until much later. The important part here is that my dad got to like Apple gear, Macs in particular. Quite some time later the first family computer was an old Mac Plus. After that came a Performa. When I went away to college I ordered an iBook.

That iBook. Man, I abused that computer. I learned so very, very much about having and supporting myself with it. I had no support structure, the few people I was close with all had Windows machines. One friend was into Macs, but I only talked to him over AIM. Which meant I had to have a working computer and network connection. This was not often the case, since I was perpetually installing, re-installing, re-installing, un-installing all kinds of things. In addition to the basics of computergeekery that I picked up, there was also the freedom. At the time it was a slow machine, wireless wasn’t really a thing, and it had nearly no storage, but it was portable. It even had a handle. I lived from that machine for almost two years. It went everywhere with me. Across campus to print something, home on the weekends, across country on vacation. Once I decided on a major, I needed to upgrade. Of course I picked another Mac, upgrading to a PowerMac and handing the iBook down. It was a revolution to me to be able to move my entire computing world with me from place to place. In retrospect, it was categorically not a good deal. After taxes it was over $1800. Nevermind the specs, because they’re less than an original iPod touch, but for the time it was expensive. Looking back it was a terrific waste of cash. I don’t regret the purchase, because if nothing else it began teaching me how to support my equipment with only the internet.

There are a lot of things I do not miss about that computer, but from the day I moved on, I missed being able to have my Mac with me. Along the way, I kept trying other things to find a portable machine that was super light, super mobile, and had what I wanted. I tried a few Dells, from the weird and compromised Dell Latitude X300, I briefly had an e4300, and lastly with a frankensteined e4310. They were good enough computers, and for the little bit of money I paid for them, nice. But they were Dells, and only ran Windows or Linux. The X300 was an early “ultrabook” which translated to it was thin because it had no optical drive. The X300 was released in 2003. I bought mine around 2009. I wasn’t able to find a comparable model for the price in the 5 years after that was as small and light. Latitudes as a group are great workhorse computers. They’re easy to fix, there’s tons of parts, meh. They’re boring and have shitty keyboards too.

Where is all this leading? I got a new laptop last year. And, for the first time since 2001, it’s an Apple laptop. That is mine. It was a good deal too; 2 year old MacBook Air 11″. For $350. That’s at the top end of “good deal”, edging towards “great deal”. It’s tiny, has an SSD, so its fast, and it works. Well, it works now. I had barely gotten it up and running, wiped the drive, registered for the Yosemite beta, gotten it installed. Then I opened it, thrilled to have MY laptop running an OS X beta , finally I can help Apple find bugs, and nothing happened. I plugged it in. No lights lit up on the MagSafe adapter. Oh. Goody.

So I did what you’re supposed to do. I made an appointment and took it to the Genius Bar. They did not have good news. They could replace the Logic Board, for something like $500, or they could send it to the depot. The depot has a flat repair charge, $300, they send it back working. I opted for the depot. I spent all my “loose” money buying the damn thing, I can’t afford to trust that its simply the logic board. In no way could I spend five hundred dollars on this. A few days later they called, it was back and working. I picked it up, I paid my fee. For those of you playing the home game, my cheap MacBook has now cost me $650. At the time that was $70 less than a refurbished 2014 model. And if only the story ended there.

The night after I picked it up, I sat down on the couch to finally enjoy the freedom to surf and watch TV. I opened it and the display was dark. Going through common troubleshooting steps I found it was working, charging was fine, external video was fine. So I checked the display with a flashlight. Dead backlight. By shining a bright flashlight near the display I could see it was getting signal, but there was nothing lighting it. Back to the Genius Bar. This time I learned my favorite bit of Genius jargon, “looper”. Since it was a repeat-offender, all the repairs are on Apple. They replaced the entire top half of the laptop for free. I’ve got the receipt, bottom line reads, “amount due: $0.00”. That was a great day. Too bad I was back less than a week later. By this time half the staff of the Genius Bar knew me on site. They tried to help, told me to ask for a replacement because I have, “no confidence”, in that particular machine. Thankfully that wasn’t necessary. They replaced the display assembly(lid) again AND the logic board. This adds up to nearly two computers worth of parts I’ve gotten for my $300 depot repair investment. Which isn’t bad. It’s still not a good deal, but I’ve got my own working laptop, legitimately running OS X.

I’ve returned to the days when I can just grab a bag and go out the door, trusting that I can solve any problem with what I’ve got on me. The bag is a lot lighter now, too.

Headless Kali

Since I am space and RAM limited on my laptop I decided to make a headless Kali virtual machine to keep around for playing with. Since I couldn’t find a reliable tutorial for removing all the GUI stuff from a normal Kali install, I decided to create a Debian-turned-Kali machine. Currently the goal is to only use this for command line tools.

First step, install and update a minimal Debian Wheezy(7.0) machine. Mine has only SSH installed from the start.

Next, add the Kali software repositories, and update. This is where i hit my first snag, as well as my first triumph. I’m doing this to learn, after all.

  • begin by adding the following lines to the /etc/apt/sources.list file

  • deb http://http.kali.org/kali kali main non-free contrib
    deb http://security.kali.org/kali-security kali/updates main contrib non-free

  • run # apt-get update to pull the latest info. Here is where I hit my snag. I got the following warningPubKeyError copy
  • This is a missing public key for the Kali Repos. I can still pull down and install software, but it will be doing so unauthenticated. Thanks to the public-ness of PKI, this is an easy fix, once I learned a little about what I was doing.

  • Pulling this key is simple enough, # gpg --recv-keys ED444FF07D8D0BF6PubKeyFix1 copy
  • Simply getting the key is not enough, you must tell apt to use it. # gpg -a --export ED444F07D8D0BF6 | apt-key add - this will return OK, and allow apt-get update to run without any further warnings.

Now I can install any Kali tool I’d like, and run them remotely through a headless VM. How can I run something headless? EASY, both my favorite Virtual Machine managers, Virtualbox and VMWare Fusion provide LOTS of command line tools for interacting with their software.

  • for VMWare its simply $ /Applications/VMware\ Fusion.app/Contents/Library/vmrun -T fusion start "/path/to/vm.vmx" nogui
  • and for VirtualBox its $ vboxheadless -startvm VMNAME

    Next time I visit this topic it’s likely to be “how to run remote GUI tools from a headless Kali VM”, when I find a need for a GUI tool on this machine.

  • PS to remember Part 2

    Building Directories with PowerShell

    I needed to create a script that will build out directories following a pattern. In this case, Microsoft Security Updates. Perfect opportunity to practice a little coding. The script needs to be functioning in an all Windows environment, and easy to maintain. Sadly, this eliminated Python, which is more interesting to me, but PowerShell is a very close second. And despite my desire to not be a Windows guy, the almighty paycheck comes from a company that builds a product that runs exclusively on Windows. So away we go(sanitized where appropriate).


    # get current year from system and format for directories
    $year = get-date -format yyyy
    $year_short = get-date -f yy
    $month = get-date -format MMMM
    $month_short = get-date -format MM

    # constants; current month name and prefix
    $parent_dir = "$month_short - $month"
    $prefix = "\MS$year_short-"

    # actual, live working directory
    $checkifdir = "\\servername.domain\software\patches\$year\$parent_dir"
    # testing/debugging directory
    #$checkifdir = "C:\Users\wkopp\Desktop\temp\sandbox\$year\$parent_dir"

    # check if current month directory exists, if not, create (w/loop)
    # this happens without user input

    if ($checkifdir -eq $false){
    md $checkifdir
    }

    # ask user for range of this month's bulletins(user input)
    # create the names for directories needed.
    # create directories

    $st = Read-Host "Please enter the number of the first bulletin: "
    $end = Read-Host "Please enter the number of the last bulletin: "

    $bulletin_range = $st..$end

    for ($i = 0; $i -lt $bulletin_range.length; $i++){
    $string_name = $prefix + $bulletin_range[$i].ToString("000")
    $folder = $checkifdir + $string_name

    Write-Host $folder

    if ($folder -ne $false){
    md $folder
    }
    }

    Gear Intro

    “…and I said, that’s good! One less thing.” -Forrest Gump

    This is the start of a new category here, GEAR. Hopefully someone else finds it useful. I will surely be referencing it when necessary.

    Recently I’ve been reading about the idea of “Buy it for Life”, where you find a product, or line, or brand that solves the problems you have. I’m not so sure that there is much I can buy that will satisfy my needs for life, but I do need to track the stuff I buy that’s super high quality or great for what I need. Recently I’ve found two home runs in that department. The first, a new laptop will get it’s own post later, because there is quite a story to match.

    The second is something I’ve been looking for since high school, and that’s a notebook with thin, strong sheets that don’t bleed with most ink-ball or fountain pens. I received a notebook like this as a gift in high school, and I promptly filled it with notes, drawings, scribbles, and even some paintings. It was amazing. Since then I’ve been searching for its replacement, hopefully in bulk. While binge reading the wonderful Cool Tools site, I found a “what’s in your bag” article that listed Muji brand notebooks. There wasn’t any other description of the type or quality, and reading amazon.com reviews didn’t shed much more light. However, my work notebook was quickly running out of pages, so I took a shot with the MUJI Blank Notebook a Book(Japanese Tankoubon) Size Unruled 184sheets(fair warning, amazon affiliate link).

    Just, WOW. Going in with no expectations, this fit all my needs. It’s small, about 5.25″ x 7.25″, has plain UNRULED sheets, plain covers, and amazing, wonderful, silky smooth paper that didn’t bleed with ANY of the pens I tried with it. Pilot V5? Nope. Uniball Signo? Nope. Fountain Pens? Nope. It might not work for many other people, but for me this is the best notebook I’ve had in a long, long time.