Nothing New Under the Sun?

This morning I saw this article: and it really blew my mind. The simple, but incredibly effective method is tremendous. I know, physical access means you own everything one way or another, but this example is elegant in its simplicity.

This simple article has been running around my head all day, and have struggled to figure out why. A little background, I’ve been following Rob, or Mubix as he’s also known, for a couple years now. When I first heard of him it was a talk he gave about how to create a career for yourself in infosec. As I was desperately looking to do that, I must have watched his talk a dozen times. And I followed his advice. I started creating a brand for myself, I started talking to more people. I’ve continued to follow Rob, learning by picking up the scraps he drops around him with his career. He is a very busy man. He has a day job, a part time job, and a family. I’ve met him once in passing at Derbycon and he’s a great guy, quiet, humble, but very open. He’s one of the many people that have inspired me to take my career seriously.

I fell backwards into infosec like a lot of folks have, by generally being interested in tech, getting some jobs I didn’t like, some I did, and slowly adding security into it. As I have recently come into more of a mentor role than a mentee, reading Rob’s first line in that article is what sent my mind spinning all day.

Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true)

One thing I’ve found to be true among almost every competent tech person is discomfort with their abilities. They’re not scared really, just unwilling to boldly lay claim to things without research, testing, and if possible, independent third party verification. I have suffered from this my whole life, and it somehow makes me more comfortable with peoples skills if they ask you to verify things rather than trust them.

The important thing about this feeling is, that’s what makes the industry not just great, but incredible. I have found myself doing the same things I was shocked to find people I looked up to doing. Giving back. Replying to questions from strangers with annotated lists of resources and interpretations.  I’m sure at some level there is community to many career paths, but in security, community is the only way to succeed. Rob inspires me every day because he may not be right, or new, or original, but he’s working hard and putting it out there for other people to learn from. This takes all forms. Conversations, blogs, podcasts, conference talks, sample code, tutorial videos, vulnerable vms, encouragement. It’s not hard to find someone doing something inspiring, or someone that can easily be inspired. Infosec has taught me community is not the gathering of people. I spent a great deal of my life thinking that simply a group of like minded people creates a community. This is not the case. Community is the action of building each other up so that the whole is greater than the parts.

Books 2015 Part 1

The intention of this post was to be an annual reflection of my reading habits. Since I’ve kept at it for seven months, I’m not going to delay it until 2016, I’ll just drop monthly updates whenever I work my way through a book or two.

January 2015

I started re-reading Shadowrun novels after trying to plan a blog post relating my Macbook to a cyberdeck in this universe. I got sucked in because they’re entertaining. I haven’t read many of these since early college, and it is fascinating to see what predictions about the future they totally missed. Fax machines are still a thing in this universe. And payphones, called telecoms, but the principal is the same.

Streets of Blood


Striper Assassin

February 2015

Just a single entry, because Neal Stephenson writes books that are forever long. Snow Crash is the next book out of people’s mouths after Neuromancer. I’ve read most of William Gibson’s cyberpunk stuff, so I decided it was time to give this one a shot. It’s got some great stuff in it, but is way to long to develop what really was a fairly simple story. I think I’ll be avoiding Neal Stephenson for awhile. I still love Cryptonomicon, but I was pretty unhappy at the end of reading this book, despite the utterly badass notion of a hacker with swords that wrote a sword-fighting engine to match his reality.

Snow Crash

March 2015

March is nonfiction month. I’ve spent two months this year reading fiction, so now it’s time to get on track with something else. I’ve got a backlog of want and need to read stuff. I don’t really have any goal except to read new books rather than re-read old books, and for them to be non-fiction. However, they’re obviously closely matched to my interests, one has Macintosh in the title.

The Macintosh Way Picked this up when Guy put these out for free. I am nostalgic about Classic Mac stuff, probably because it was my first exposure to computing. I’ve read on and off for almost ten years. Now that I have experience watching and interacting with the management of a fair sized corporation, these sorts of books are a lot more interesting. — After finishing the book its very funny to compare 1990 Apple to 2015 Apple. There’s a lot that they didn’t do or believe in now that is a staple of their business, mostly retail and hands on support. There are many other things that stand out as exactly the same, namely they want developers to create fantastic Mac and iOS applications. Apple does not want ports from other operating systems, they don’t want good enough, they want their platform to run the best software.

Lauren Ipsum I think I saw this on one too many infosec slides and need a short break to something completely different. Its borderline non-fiction. There’s a little girl lost in a strange world, which turns out to directly map to computing concepts. Its kind of like Tron meets Through the Looking Glass. It’s not a bad story, just feels, exaggerated for the effect of the metaphor. I probably will not be reading this again.

April 2015

Continuing non-fiction, I started with Creativity, Inc. Mostly because I bought a copy for my Dad and I know he will want to discuss it. Well, that and Ed Catmull and Pixar have proven to be one of the most clever groups to deal with people.

May 2015

Finally finished Creativity, Inc. To crudely sum it up, the entire book focuses on intrinsic honesty. Pixar’s success is based on the fact that anyone can tell anyone anything, no repercussions. Catmull presents this in different ways, talking about his own history, John Lasseter and the other film directors, and of course Steve Jobs. They all have a different way of looking at it and phrasing it, but honesty is what drives their professions and the company they work for. Its impressive to read about a company that both says they work for that kind of honesty, then shows it. Catmull describes many painful moments that they needed the honesty to make the films work. He also talks about “Notes Day”, when they turned to the company at large to help them become more effective. This struck me because he describes the thoughts leading up to it, its execution, and it’s followthrough. I’ve never seen something like that executed on that scale by an organization so … honestly.

June 2015

Busy month, nothing to report here other than I’ve pledged to myself that I need to read more books I’ve never read before. I spent a fair bit of time thinking about it and realized I’ve been reading the same couple of dozen books every few years for roughly twenty years. No more. I’ll need a break eventually, but for now I need to stop reading pulp sci-fi and horror books. I need to spend more time reading different things. For now that’s all pretty technical non-fiction, but we’ll see where this path ends.

July 2015

June was weird and as such I didn’t actually finish things. I slowly moved through this, Dissecting the Hack: The F0rb1dd3n Network, Revised Edition , at home and WOW is all I can think to say. If you ever know anyone interested in the nuts and bolts of infosec, this is the book for them. It’s got a cheesy narrative story in the first half of the book, which feels like a true-to-life adaptation of the movie hackers. However the second half is astoundingly verbose, contextualizing every bit of jargon, in-joke, or techy thing that happens in the story. After reading this I feel like if I had read this two year ago, I would be in a very different position in my life. This book compiles all the things that I’ve picked up from blog posts, con talks, conversations, twitter, and every other source that has helped me learn about infosec. Totally worth the time for anyone that considers themselves new to the industry, or anyone willing to learn a little bit more.

At work I’m also trying to branch out, but this time with a lot less success than my home book. Metasploit, The Penetration Tester’s Guide felt list a mis-guided mess. The book opens with a quick once over through Metasploit features, where and why to use them, but left me with lots of “how?” questions. The most glaring example is database use. The book guides you through using nmap directly in Metasploit, storing the results in a database, and then . . . nothing. That’s the last reference to the database that I saw. WHY would you store all your scan results, then not use them as a variable in every module for the rest of the book?! That failure definitely biased me through the rest of the book, because for every example I’m asking, “Why the HELL am I typing RHOST again?!”. Another sin that bugged me, but honestly is not the authors fault, is that two thirds of the exploit examples are based on Windows XP SP2. In 2010, when the book was published, that wasn’t that big of a deal to find. Now? In 2015? I’ve got access to a software testing library, and we don’t keep those laying around. I blame this on the editorial staff not being technically foresighted enough. There are plenty of intentionally vulnerable linux distros that could have stood in for Windows. Enough ranting. If you’re reading this and interested in Metasploit, read the Offensive Security version of this book, Metasploit Unleashed.

Be Humble

I was lucky enough to get selected again to speak at the local BSides this year. It was a fantastic experience, better than last year. I got a lot of good feedback and discussion from my talk, entitled, “DIY Hacker Training, a Walkthrough”. I just went through the things that I use for learning resources and keeping track of news around the infosec community.

The second keynote of the day was … unexpected. Chris Nickerson is typically the first person people point to when the topic of “rockstar” in the community is raised. He tells funny stories, he’s often seen with a drink in hand, and he’s always talking about this time he got into some shit. Saturday Chris got up and put his story out there for everyone to see, as a lesson, almost a confession, and a pledge to get better. He talked about the highs of leading in the infosec community for 20 years, attaining that “rockstar” status; TV shows, board positions, leading companies, owning companies, pwning companies. He also talked about the hard parts, the rough patches, the terrorizing that he and his loved ones are enduring every day. It’s a hard lesson to learn and I’m sure an even harder one to teach. I am grateful for the lesson and for Chris’ sacrifice. He has taught me more than a few things over the last few years as I have grown up into this field. The message I got from him awhile ago, that he underscored again on Saturday, is universal. No one can claim to live a full life without it and absolutely no one can have a decent career without it. Be humble. Don’t be cocky. Everyone, no matter how smart, no matter how dumb, no matter where they’re coming from, everyone knows something you don’t, and can teach you things.

It’s often said that the key to succeeding in Information Security is mindset. You have to think like an attacker, think about what it can do, rather than what it should do. Since the first time I heard Chris say this in a talk, I’ve watched him and others in the community live it at cons, on twitter, in their blogs. Everyone can help you get better. As they can help you, so can you help them. Share your insights, share your experience, share your knowledge. There’s not a better message to take home.

Be Humble.