lockpicking, work, gen con, and critical role

Activity got a little sparse here over the past few weeks. Part of the reason has been busyness at work. But another part of it has been tackling some personal activities. For the second year in a row, I went to the tabletop gaming convention Gen Con in Indianapolis. Between attending and preparing to go, that took quite a lot of my free time. Much of the rest of my free time has been spent trying to catch up on some new YouTube channels and fitting them into my other habits and priorities. First, I’ve been turned on to BosnianBill’s YouTube channel which has 1000+ lockpicking videos. These are absolutely excellent; they’re small digestible videos and Bill talks wonderfully through everything he is doing while giving the viewer a very clear, close view of his work and clear audio of the progress as well. I’ve skipped around a bit to check other things out (I’m otherwise working backwards through his channel), and I found a tutorial video he did about picking spool pins and it’s absolutely invaluable and amazing how well he teaches lockpicking. Definitely a channel to subscribe to.

I’ve long been aware of the Critical Role show on Geek & Sundry since it began, but I’ve never taken the time to watch it since I knew it would be a timesuck. Essentially, the show is a group of voice actors playing D&D. I knew I’d love it, and I finally started watching it a few weeks ago, and my fears were confirmed: I absolutely love it and need to keep watching to catch up. It’s also stoked my interest in D&D again, but not quite enough to pursue finding a group yet to scratch the lifelong itch. Maybe I’ll find a way to fit that in!

Lastly, I’m also watching some Linux courses over at Linux Academy, partly for my own learning, partly to normalize what I’ve learned over the years (and close some gaps), and partly to satisfy some training expectations at work. I’ll eventually be ready for, but won’t be taking, the Red Hat Certified Systems Admin test. Unless my title has “Linux” in it, I don’t think actually spending the money and time to take the test will be worth it to me, but the learning will be very nice to have. This sort of fills in my allotted personal learning time for the moment with something not terribly hard and with very little overhead pressure for the summer months.

Anyway, those have been my major timespends over the past month.

generation x or a millennial or a xennial?

I was born in 1977. This technically tends to make me part of Generation X, but I have never identified with that at all. I’ve identified more with Millennials, though I would have grown up, gone through high school, and graduated college well before I had a cell phone of any type in hand. So, I found this article interesting, as I think it makes a good point about this little gap of time between Gen X and Millennials that I greatly identify with: There’s Now a Name for the Micro Generation Born Between 1977-1983. I really like the identifier of having an analog childhood and digital adulthood. Definitely agree with that, as I got my first computer around midway through high school (for writing papers, learning, but mostly I got into Doom), and while video games were a huge part of my childhood, I wouldn’t call that digital to any degree. It was probably not until around late high school that I started “getting online,” and then it was just myself and not part of a social thing with other kids I knew. I hadn’t heard this term before, and just needed to capture it down for future reference.

passions and the resultant career in infosec

This week I read an article, The Cult of Passion, from Chris Sanders. I didn’t like it much at all at first. But then I liked it, and now I really kinda don’t like it again. I think it’s just the tone of the piece; it’s very Tumblr-esque. It’s very “use the term properly, damnit!” even though we all do (mostly) end up using it in the same way, though definitely blurring denotation and connotation together. Do we really have to convince everyone that the phrase, “I have a passion for security,” is unhealthy, or do we all really know what we mean?

(I originally wrote more about what I disliked, but I wanted to cut that down and yet still keep my points. Basically, I don’t like the assertion that passion can’t be measured so we can’t evaluate it. I think, between the lines, Chris is trying to say that the person who does “infosec” 20 hours a day is not necessarily better than the person with a better work-life balance, or something like that. I just don’t like the way he frames it. I also didn’t like the miss that we are actually paying to do infosec all day, in terms of hours of our life and time. Now, granted, we are paid money in return, but make no mistake we are still paying to some degree. I also don’t like the blind assertion that other professions clock out after 8-10 hours. Anyway, moving to the positive…)

Regardless of the tone and whether I like the full article or not, there are some absolutely excellent points, all centered around what we love doing. It’s a good idea to say, “If you didn’t get paid, would you still come in to work?” “If you had to pay to do infosec, would you?” Personally, I like to ask, “If I was income neutral, what would I enjoy doing as a job?” And this also goes into deciding what passions I might have outside of work, for instance, “What do I do when not at work to be happy? What hobbies do I spend the money I made on?” (Note: I emphasize the one question in this paragraph, as it’s a key question I ponder through my life, and one that could be its own chapter in a book. I look at my resultant answers, and balance that against whether those other ideas are just post-lottery-winning ideas or things I can actually make a living doing.)

The above faults aside, the other questions are excellent. Infosec is often a resultant pursuit due to passions in more fundamental things. And if nothing else, this article has allowed me to get a little bit beyond, “Well, I have a passion for infosec,” and actually look into why that is. Infosec is a result of other, more fundamental passions.

I love solving problems, puzzles, riddles, and mysteries (thanks Encyclopedia Brown and childhood puzzle books!).

I love organizing things, lists, planning, and seeing a well-oiled machine work, both today and more long-term. (thanks science background/interest!).

I love creating solutions to problems. This includes using creativity and imagination (thanks gaming and reading as an only-child!).

And (probably the most common one we collectively get correct) I love learning new things (curiosity and the information gap) and creative (and objective!) ways to use technology and do all of the above (thanks brain!).

For me, I have fairly equal parts objective knowledge application/observation as well as subjective creativity and imagination. I do require these both to be addressed month-to-month. This means I can’t just create new things or harbor ephemeral ideas all month, but I also can’t just read balance sheet numbers for a month. (Interesting to note that coding is a strange middle ground in today’s IT environment) I need a bit of both, and honestly, most of IT supplies that in spades as long as my role isn’t in such a large company that I am only nose-deep in one thing week after week. For many people, it might be that they require doing different things here and there lest they become bored; but for me, there’s reason behind the desire for a little variety.

I probably have a little bit of a love for catching bad guys doing bad things; even if that means catching innocent people making mostly innocent mistakes that fall outside the lines (is it schadenfreude [BOFH!] or hall monitor syndrome?). I want to make sure things are still operating as they need to be operating. (I like to look at it like I’m teaching how to properly do something.)

I honestly also feel like I have a passion for teaching and sharing knowledge with others in a way that doesn’t come across as egotistical. I can also communicate well enough to tailor my delivery to the technical levels of my audience, and I take some pride in that. I’ve worked with non-technical clients, non-to-mostly-technical coworkers, and technical colleagues.

Pulling from my hobbies, I love a little bit of friendly competition (multiplayer gaming). I love using my imagination (reading, even solo gaming), I love creating something (I don’t stoke this enough, but maybe cosplay soon), I love possessing comfort items but I also love keeping things simple. I love using my senses (food, music, movies, clouds, wind, weather, candles, a bit of drink, exercise). And I love more learning and engagement with friends over all of the above or some new experiences.

So, I love lots of things that show my passion. Do I have gaps or weaknesses that are borne out of personality or shaped by my experiences in life over the past decades? Yes. Chris mentions that imposter syndrome, and I know I do suffer from that; I have this inherent dislike/distrust of other people, but I also seem to have this inherent unfounded respect of other people I don’t know, or rather I attribute competence to other people without any proof (we can talk about philosophy and metaphysics another time over whisky). That usually only lasts until I find my voice amongst new people or roles. How do I fix this? Just keep myself surrounded by other infosec people so I realize that I’m at least as good as most everyone else. By forcing myself to speak up. By also forcing myself to fail and be better for it!

I’m terrible at meeting new people. I’m a typical introvert where I am terrible about initial small talk. It’s not an inherent thing to be interested in other people who aren’t already close friends. I make friends slowly, and often find myself assuming someone would rather not talk than shoot the shit for a bit (since, usually, I feel that way!). I’m super easy to get along with, I don’t actually have terrible social anxiety, but I tend to be the quiet one in the corner. And while I always come out of that shell, it just often seems to take some time and effort to do that. How do I fix this? Just smile and try to ask questions I actually want answered by a stranger. Actually try to be interested in others in general; they all know something I don’t!

I’ve worked in IT for the past 15 years, and for all of those years, training and organized learning on the job (outside of troubleshooting something and learning from it) were luxuries that I never had time or backing to pursue. That was all own time pursuits and things that were outside the budget. As a result, I feel like I need to have my working days filled with actual work. I’m not sure this is a me thing or rather shaped by my managers of the past 10 years that required such time-spend reports every week.

Due to some of my managers and company cultures and combined with the occasional imposter syndrome issue, this does end up causing me to be a little risk averse, more so when my manager is hyper risk averse. This means failure is a bad thing, which can mean I end up not trying something and coming out neutral rather than trying and failing. Now, keep in mind most of my background is in Sysadmin/Ops; I feel security itself is far more forgiving of trying new things, as long as they don’t land the company on the news headlines due to a breach. But my science and tech background means lots of fails are useful data and contribute to learning! So I love failing, but it does strike a strange situation where my environment screams Don’t Fail and yet I sort of want to do something and try it out with X% risk of failing. It’s something I have to deal with consciously with both me, but also probably more so my environment. We’re humans in a human world; it’s ok. And as long as people aren’t dying, life will go on. I’ve worked in a company that said, “Innovate and try new things!” while at the very same time whispering, “Failure is not acceptable.” It’s a cultural red flag that I keep in mind during job searches.

All of this leads me to another related topic: what do I want to do? I’ve looked at framing this quest(ion) not long ago in a post from last winter: security job areas.

So, what do I want to do all day that I’ll love doing, and just happen to get paid to do? (Yes, there’s tons of other things to think about, such as the team, manager, company, and other things that influence happiness, but let’s assume the best here.) What sucks is I find myself just listing all the infosec roles (except maybe management and SOC analyst)! But I’ll try to rank things a little bit here.

red teaming – sounds so fun and varied, plus gives good, actionable value in return to clients
pen testing – solving problems and analyzing an environment are fun.
vulnerability assessment/management – much the same as above, just a little more structured and formulaic
security advising, consulting – quite varied, from high level concepts to low level step by step advice.
risk, compliance reviews, auditor, policies to find gaps and advise on proper steps/evidence
incident response/malware analysis
web application pen testing and reviews

Does this mean I’d hate doing the other things? Absolutely not. Honestly, other than being a third shift SOC analyst in a large company or just an initial provisioning tech in an MSSP, I’d likely be happy with most any infosec role.

So, this turned out to be a lotta introspection, and I even hesitated to even post it. But what does this mean for me tomorrow, next month, this year, and in 5 years? It gives me a way to evaluate what I want to do, for work, in each of those time periods. It also gives me an idea of an end goal (let’s just say a blend of red team/pen testing/vuln assessments/audits/consulting) which in turn gives me a chance to look at my gaps in getting there. Do I lack some certifications or training on the CV? Do I lack certain knowledge and skill I can pick up on my own time? What tasks do I want to grab at work tomorrow? And what opportunities should I keep my eye open for and jump at the moment they appear? It’s good stuff, and I think I maybe already knew some of this, particularly with my OSCP learning earlier this year, and continued CTF/Hack lab efforts.

training and learning plans for the rest of 2017

I made a post back in November about some future learning plans. Of that list, I’ve “finished” building my lab for the moment which allows me to put time into vulnhub boxes and other lab work. I successfully finished the PWK/OSCP course (whew!). I’ve started getting back to attending local meet-ups and events (SecDSM, BSidesIowa, ISSA). I also have a PluralSight subscription where I fill some free time with courses hosted there; they proved very helpful in preparing for the PWK/OSCP.

Moving forward over the next 6 months…

I’ve added and also started to pursue other online labs/CTF styled efforts such as hackthebox.gr. I hope to make HTB my larger time spend for geek stuff over the summer months. Add this to Vulnhub lab efforts and I should have my puzzle-solving itch taken care of for at least the summer. Also, doing these hits some sub-goals of organization and learning a few new tools.

Work is footing access to the LinuxAcademy course site for 6 months with the goal that I will be completing one of a few 20-ish hour tracks in Linux. Obviously, I’ll take advantage of more courses than just that. My own goal is to shore up some of my Linux exposure. I’m comfortable in Linux day-to-day and command line operation, but I still have lots to learn and I do plenty of administration-by-Google. I’d love to eventually just add in a RedHat or LinuxFoundation or Linux+/LPIC certification under my belt. Probably one of the former two by end of 2017 or early 2018.

I am also impatiently waiting for the online release of the Offensive Security web application course, AWAE/OSWE. This isn’t live yet, but once it opens, I plan to get in on this to further my web application security assessment skills as a priority. I could also pursue self study on the syllabus or using books like the Web Application Hacker’s Handbook in the meantime. Failing that one coming out any time soon, I’m also open to looking at other web app security/assessment courses or certifications. Examples include eLearnSecurity’s eWAPT course, or maybe the CSSLP from ISC2.

For possible other directions later this year, the next Offensive Security offering CTP/OSCE is an experience I’d like to have finished by the end of 2018. But having done OSCP, I know this will be another time suck. I’d like to look into the SLAE from SecurityTube as a pre-cursor.

Also, the CompTIA CASP has appeared on my radar of something to pursue, and seems to be getting good exposure and reviews. Other possibilities are the CCNA as a way to get into the deeper Cisco security stuff or doing some other vendor-specific stuff like Palo Alto, Fortinet, VMware, AWS Cloud Security, and so on.

My lab does still need to have a plan implemented for standing up (and re-standing up efficiently) an AD environment that I can use for testing. I’d like to package some additional PowerShell and maybe even Ansible/DevOps concepts into this effort, but that might be too big of a scope.

And a bit further down the priority list would be something like the ISACA CISA/CISM or much deeper study into Python.

There’s an endless amount of learning to do!

diagnosing blog depression

It’s interesting to get my blog back up and read some of my last posts and orphaned drafts. Honestly, 2014 was pretty rough for me for a few reasons, which contributed to my blog just staying down.

I was really busy at work with some large projects and lack of staff to help out. In 2013, both Google Reader and Twitter decided to make life more difficult. I still haven’t completely moved Feedly into my regular list of habits to replace Google Reader, and I still bounce a bit between Twitter apps once Twitter started turning away all the third-party ones. I have, however, made room for Reddit…

I also was finding it difficult to say anything new about security on my blog. I was sort of getting sick of the same old thing, as well as just posting links to the same things others were posting about it. It’s a lot like retweeting a tweet that has already been retweeted 24 times in your own feed. What’s the point? But I was also just not having much new to say.

And then in early 2014, my blog’s server’s motherboard died out.

On a brighter side, I had some nice promotions at work due to the efforts, cultivated a new hobby/habit with tabletop gaming with friends, and found good companionship. And now have the chance to pursue security as a full time job.

This storm basically just led to me doing other things with my own time. Until now. 🙂

old sites removed from the side bar

It was a bit sobering to go through the links I had for news and blogs. Almost 50% of what used to be around are no longer present. Some are gone entirely, some are just not updated anymore, a few have changed content. As usual, I just post my own last farewell as a list of retired links. Next up will be all the tools and other resources I had in my side bar. I’m not very happy with the style of the links. Each item should be closer together, but I’ll tackle that another day.


terminal23 activity is ramping back up

Terminal23.net is back up and running! I’ve been absent for a few years due to life and a hardware failure. For years, I ran my site off a system sitting in the corner of my office, but its motherboard decided to finally die out. Life went by pretty quickly, but recently I got the itch to bring this site back up. I picked up a new motherboard and exported all of my contents into a proper format to move back up to a new hosting provider and into WordPress.

This is my first foray into WordPress, so I’ll be playing with the themes/appearance for a while here, and also doing some reviews of my old content to see what needs fixing. But, I have to say the export from MovableType3 into WordPress went far smoother than I had expected. The appearance is a different story. The current layout and theme settings are pretty close to my old site, but not quite close enough to my liking. Still, I’ll take what I can get in the short term here! The colors and general layout work for now. Maybe I’ll just code my own templates like I did previously…

The past 2 years have easily been my largest gap in blogging and having a web presence of my own since 1996. (I don’t count Facebook or other smaller services.) A lot has changed, and yet a lot remains the same. Perhaps I’ll go into more detail as I decide where I want terminal23 to go or if I want to slice off a more personal blog or Facebook presence off to the side.

I made terminal23.net for 3 primary reasons. First, I wanted to organize my own thoughts on security in a place that I could reference in the future, either to recall a tool, a script snippet, or just dump out some thoughts going through my head. Second, I wanted a curated place I could consume my favorite links that I found useful, from other blogs to web resources in the security world. Third, I wanted all of this to be viewable by any curious persons, especially those looking to see if I know anything about security and want to employ my services.

Looking back, I have 1724 published posts on this site dating back to 8/9/2004. Probably 98% of those posts are dealing with IT security to some extent or other, from tools to new scripts to commentary in general. During much of that time I had a more personal blog with 268 posts since 10/05/2001. And even older than that, had a site presence of some sort since 1997/1996, though anything from those probably only exist on a floppy in some box somewhere.

At the time of my site going down, I had a listing of over 469 other security blogs, news sites, tools, and various resources.  I do plan to bring those back, but they will take more time to check and port back in.

a little bit of blog history

Just because I was curious, I did some checking on my site here. I have 1,454 posts here on Terminal23.net dating back to 8/9/2004. That’s 19 posts per month. Prior to that, I made all my posts on my personal blog at HoldInfinity.com (less geek, more personal blog), which has 268 posts since 10/05/2001. I’d say I’ve been blogging about security since 2004.

Even prior to that, I’ve had a web site since 1997 (maybe late 1996 if I really push the definition), but those are no longer available except maybe on a floppy somewhere in a desk.

powershell: getting a list of active directory servers

Getting a list of servers can be a pretty valuable first task for working with large numbers of computers. Yesterday I had a reason to get a list of them all, and thankfully all of my servers are in the same OU tree in AD (/Machines/Servers). I also see SynJunkie did a similar thing this week, but I prefer not to use third-party cmdlets. 🙂

# Bind to the OU that holds the server computer objects
$blagh = [ADSI]"LDAP://ou=Servers,ou=Machines,dc=my,dc=domain,dc=com"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $blagh
$objSearcher.Filter = "(objectCategory=computer)"

# Only return the attributes we care about; Add() returns an index, so discard it
$PropList = "name","cn","lastlogon"
foreach ($i in $PropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

$Results = $objSearcher.FindAll()

Write-Host "found $($Results.Count) servers"

What this does is look for all computer objects under Machines/Servers in my domain my.domain.com. For all computers that it finds, it pulls out the name, cn, and lastlogon properties.

To find a list of all the properties that can be pulled out, after that above script do this:


Based on the properties I pulled, it should be obvious I was looking for signs of dead computer accounts. This can easily be changed to look for user accounts, properties in them, and other OUs.
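The dead-account check mentioned above, sketched as an added example (not code from the original post). It goes one step beyond the script by reading lastLogonTimestamp, which is replicated between domain controllers, instead of lastlogon; the function names, the 90-day threshold and the sample machine names are assumptions made for illustration.

```powershell
# Added example, not from the original post. Function names, the 90-day
# threshold and the sample machine names are assumptions for illustration.

# Flatten DirectorySearcher results into simple objects.
# lastLogonTimestamp is used instead of lastLogon: lastLogon is not replicated,
# so each domain controller only knows about the logons it handled itself.
function ConvertFrom-SearchResult {
    param([Parameter(Mandatory)] $Result)
    foreach ($r in $Result) {
        $p = $r.Properties   # property names in this collection are lower case
        # The attribute is absent when the machine has never logged on
        $raw = if ($p.Contains('lastlogontimestamp')) { $p['lastlogontimestamp'][0] } else { 0 }
        [pscustomobject]@{ Name = [string]$p['name'][0]; LastLogonRaw = [int64]$raw }
    }
}

# Classify each account as Active, Stale or NeverLoggedOn.
# AD stores logon times as Int64 FILETIME values (100 ns ticks since 1601, UTC).
# lastLogonTimestamp is only refreshed about every two weeks by default, so
# thresholds shorter than that are not meaningful.
function Get-StaleComputer {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $MaxAgeDays = 90,
        [datetime] $Now = [datetime]::UtcNow
    )
    begin { $cutoff = $Now.AddDays(-$MaxAgeDays) }
    process {
        foreach ($c in $Computer) {
            $raw = [int64]$c.LastLogonRaw
            if ($raw -le 0) {
                $last  = $null
                $state = 'NeverLoggedOn'
            } else {
                $last  = [datetime]::FromFileTimeUtc($raw)
                $state = if ($last -lt $cutoff) { 'Stale' } else { 'Active' }
            }
            [pscustomobject]@{
                Name         = $c.Name
                LastLogonUtc = $last
                State        = $state
            }
        }
    }
}

# --- Constructed sample data so the logic can be tried without a domain ---
$now = [datetime]::SpecifyKind([datetime]'2017-07-01', [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'SRV-WEB01';  LastLogonRaw = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-OLDAPP'; LastLogonRaw = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-STAGED'; LastLogonRaw = [int64]0 }
)
$sample | Get-StaleComputer -Now $now | Format-Table -AutoSize

# --- Against a live domain, reusing $objSearcher from the script above ---
#   $objSearcher.PageSize = 1000   # enable paging; otherwise results stop at the server-side limit
#   [void]$objSearcher.PropertiesToLoad.Add('lastlogontimestamp')
#   ConvertFrom-SearchResult ($objSearcher.FindAll()) |
#       Get-StaleComputer |
#       Where-Object State -ne 'Active'
```

Treat the Stale and NeverLoggedOn rows as candidates for review rather than deletion: disabling the account first and watching for complaints is the safer order of operations.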

weakness in md5 carries over as weakness in ca roots

The weakness I posted about yesterday is being presented right now at the CCC. I listened to the beginning of the preso just enough to get an idea of what they are doing (the stream is too broken up to properly listen to right now). It appears the team is able to leverage md5 collisions to fake a CA root certificate because the CA roots still validate by md5 hashes. So I suppose if you can MITM connections (or MITM the CA check?) you can pose as a Root CA and validate SSL certs that you control. I might have missed something there, since I’m not watching the rest of the preso right now.

Does this mean the Internet is buckling right now? Not really. I might change my mind if Joe Teenager down the street can hop on an open wifi network and MITM all SSL connections successfully without my knowing it.

you have your pro blackhats…and your noob admins

A couple articles skittered across my desk the other day. Los Angeles traffic engineers admit hacking into traffic light control systems and Rogue IT admin hands former employer’s network over to spammers.

There is lots of talk about the criminality of the black hat underworld and about profit-pursuing hacker groups (although maybe this is just the growing up of the teenage hacker vandals from 10 years ago now needing income), but there is another important set of threats: relatively normal people with access.

This includes former employees that can still use accounts for bad things, easy password guessing, or abuse of legitimate access just, well, because they can. It stems from both negligence and the simple aging of our reliance on technology. Ever wonder how many stale accounts you might have in your organization just because people with knowledge have left? And I’m not talking about obvious stores like LDAP/AD, email, VPN, network devices.

couple unpatched iphone flaws released

A couple iPhone flaws released by a frustrated Aviv Raff illustrate that Apple has a ways to go to become a respectable security citizen (to their defense, so do most people and companies).

One flaw released takes advantage of the iPhone not displaying the middle sections of long URL links. This could lead to a rise in Rickrolling. The second flaw leverages the iPhone’s behavior of automatically downloading images in mail. Both of these issues are old, obvious use-cases.

Hey, when business wants to move forward, security/insecurity just isn’t a stopping power.

my 2008 gaming system is done

Last week I finished putting everything together for my 2008 gaming machine. It’s been about 6 years since my last gaming machine, so I was due for an upgrade. The parts list is saved on my wiki. Special props to NewEgg, my hardware supplier for many, many years. And I added PetrasTechShop.com as my water cooling parts supplier. Excellent service at both, and absolutely no bad parts this go-around! My source of most information comes from the HardForum.

Total cost is probably somewhere around $1100-1300 (not including monitors), with probably the largest chunk being all the water cooling parts. Six years ago, I saved a lot by putting the system together myself, but these days gaming boutiques and other computer outlets have pretty damn good pricing, and I likely didn’t save all that much off a comparably performing pre-built system. But few of them do water cooling at all without a premium cost. So to get silence with water, I did save a bundle.

The system is running on WinXP 32-bit right now. I know, I lose some performance, but I didn’t want to spend any huge time (getting everything to work and run) or money (a real, honest license [damn Microsoft]), until I hear more details on when Windows 7 will be out and how long Windows XP will be extended. If they start to overlap, I’m just going to skip Vista like I skipped ME. (DirectX 10 support/availability may make a difference when Starcraft II comes out.)

Everything works great. WoW sits at 60 fps no matter what I do (including Fraps recording), and isn’t taxing the system at all. Temperatures stay barely above room temp, even after hours of gaming, so I’m very happy with the water cooling.

I ended up water cooling my GPU as well. When powering up system components the first time, I was terribly disappointed with the noise from my HD-3870 fan. With that gone, the system hums away unnoticed.

What would I do differently with my setup if I knew what I know now:

  • Bigger case. It took a lot of experimenting to get everything in a good position in the midtower case I got. I lucked out with the top fan (didn’t have to drill more holes to mount the top radiator), but I got screwed with the hard drive cage and other crap in the lower right corner of the case. I moved what I could, but the pump still is at a non-optimal angle. Also, I wouldn’t mind making a bigger hole on the top and mounting the radiator on the inside of the top of the case rather than the outside. Alas, not a huge deal.
  • Bought all the water cooling parts at once. Since this was my first time parting water cooling out, I did it in very small orders. I think 6 total! I would have planned a bit better too: gotten a flow indicator somewhere in the line, better fill setup (currently the only thing still in progress) so I don’t even have to open the case to add liquid (not that I will need to very often), and maybe a drain port if I ever upgrade stuff and need to remove parts. As it is, I’ll need to turn the case upside down and around to fully drain it.
a personal divergence and offensive security materials

It has been almost 2 years since I changed my job situation up. I was hoping, 2 years ago, to get into a networking or security job when I took up my current role as a Network Analyst. Instead, I found myself back in the hole of Windows web administration and developer support, among many other things some of which does include security. I’ve been slowly clawing my way out of that area, but now the more senior coworker that managed our company’s web environment with me has resigned, leaving me as the sole expert in this area on our team. I’ve definitely had happier days as I now try to catch up on what he managed while also my own stuff. I was hoping I would get out of here before he did so I could avoid this! 🙂

So that means I’m even more stuck in web administration (and various other things) for at least another 6 months here. It really does start to cause one to question one’s career direction or personal happiness just a wee little bit

On the bright side, I do have more things to look forward to here, such as a Foundstone vulnerability scanning box I have sitting in the corner and a web app firewall/load-balance solution on the way in the next few weeks. And I do have a project to upgrade our host-based firewall solution and assume full control over it. But oh how I wish I could leave the developer/web support behind!

I also received access to my Offensive Security coursework this weekend. The material includes a couple PDFs and a nearly 700MB rar of tutorial videos. I’ve yet to extract the movies, but I’m really excited they’re just a download and I don’t have to bother picking them from the server one by one. I also have my access to the virtual labs on their VPN. I’m anxious to start in on learning more about BackTrack 3!