q2 2018 training and learning plans

So, what’s on my structured training list now that I’ve finished CCNA Cyber Ops? I have a 2018 goals post, but obviously things can change… I don’t blog about many of my training things, largely because I have a separate, private OneNote instance that has a huge breakdown and list of things I want to do this year, next year, and discussions on everything else that my career may entail beyond. I have a long term section, and a list of things I’m basically doing right now.

Right now, I have a small lull until I head to SANS West in two months and pick up my first SANS course, GCFA FOR508. I’ve decided to forego some courses people tend to take early on in their SANS experience, and dive into the deep end by skipping GSEC (SEC401), GCIH (SEC504), GPEN (SEC560), and GCFE (FOR500). I’ve never had the opportunity to do SANS courses before, and rather than go easy and do something I may know pretty well already, I decided not to wait years and instead get to a course that will certainly be a challenge.

To that end, I’m already doing a little bit of prep work to brush up on some forensics/IR topics so that I don’t entirely need to catch my mindset up much to hit day 1 at a brisk walk. I’ll be watching some random YouTube clips of the course and related topics, reading a few books I have sitting around on forensics and data collection, and otherwise preparing my workstation.

Beyond that, I’m likely going to do a little preparation for NetWars as well, though to be honest, I don’t expect much as a first timer. But I want to finish a bit more in my RHCSA/LFCS courses, refresh using Metasploit Unleashed (a course I’ve long since just never gotten through) to get my mind back in offense, and then do some retired HTB boxes to oil those wheels further.

I’ll also be at C2E2 (Chicago) in the middle of all of this, so that likely is enough planning for now to see me through to the midpoint of 2018.

the internet is not so effortlessly making us smarter anymore

(I’ve had this incomplete thought brewing for several weeks now, but never really put it down in writing. I finally have. I didn’t like the presentation, but have posted it below anyway since I didn’t want to spend any more real time on it. So it is half-baked, but here for my own posterity.)

I’m just over 40 years old. I grew up both without and with the Internet. During the early years, I felt like so much information was available to us that had never been exposed before. Rather than relying on libraries or television shows or word of mouth to find something out about whatever arbitrary topic one had, the information could be self-served via Google. Life was wonderful! I feel like we’re collectively getting smarter!

Fast forward to around 2015-2016, and I feel like a tipping point may have been reached. So many people are online now, and social media has allowed so many people to highly efficiently pipe in with their own take on things (even if it’s just a mass of Likes or upvotes), that we now have a problem where I don’t feel like we’re collectively getting smarter quite so effortlessly anymore. It actually takes effort to make sure you’re not learning falsehoods or buying into someone’s bullshit.

There are two factors to this: 1) The dumb ones are on social media now, and 2) so many of us are on social media in general.

Anyone and everyone can post a comment or make a social media post that states something as fact. For instance, someone posts an image on Imgur that is inspiring or funny for some reason, and a highly-voted comment purports that this person did XYZ and was from ABC. But if you dig into it, you find the real story on Snopes or some other resource that paints an entirely different picture. The first comment? They may or may not have realized they were promoting false facts. And due to tone and group think, someone probably walked away from that comment telling someone else the same false fact. Even just walking away with a false reality to the original image is bad. That’s a problem, especially if you have more people who believe a falsity than who know the truth.

This is how rumors and conspiracy theories spread. And it’s ok when those echo chambers don’t impact people not looking for it, but social media has allowed these bits of “dumbed down” information to spread to those not even looking for it. This is how good news sites that practice some form of democratized content eventually become overrun with funny things that don’t matter at all to life.

It’s also becoming useful to someone or other to influence popular opinions and facts, which anyone should have been able to predict someday, especially anyone who’s grown up with the Internet’s start. Plant some seeds and watch the flames grow on their own!

Are we still getting smarter? Yes, but it’s not so effortless anymore; it takes work to verify stories and opinions, and work through pages upon pages of a thread to get up to speed.

lockpicking, work, gen con, and critical role

Activity got a little sparse here over the past few weeks. Part of the reason has been busyness at work. But another part of it has been tackling some personal activities. For the second year in a row, I went to the tabletop gaming convention Gen Con in Indianapolis. Between attending and preparing to go, that took quite a lot of my free time. Much of the rest of my free time has been spent trying to catch up on some new youtube channels and fitting them into my other habits and priorities. First, I’ve been turned onto BosnianBill’s YouTube channel which has 1000+ lockpicking videos. These are absolutely excellent; they’re small digestible videos and Bill talks wonderfully through everything he is doing while giving the viewer a very clear, close view of his work and clear audio of the progress as well. I’ve skipped around a bit to check other things out (I’m otherwise working backwards through his channel), and I found a tutorial video he did about picking spool pins and it’s absolutely invaluable and amazing how well he teaches lockpicking. Definitely a channel to subscribe to.

I’ve long been aware of the Critical Role show on Geek & Sundry since it began, but I’ve never taken the time to watch it since I knew it would be a timesuck. Essentially, the show is a group of voice actors playing D&D. I knew I’d love it, and I finally started watching it a few weeks ago, and my fears were confirmed: I absolutely love it and need to keep watching to catch up. It’s also stoked my interest in D&D again, but not quite enough to pursue finding a group yet to scratch the lifelong itch. Maybe I’ll find a way to fit that in!

Lastly, I’m also watching some Linux courses over at Linux Academy, partly for my own learning, partly to normalize what I’ve learned over the years (and close some gaps), and partly to satisfy some training expectations at work. I’ll eventually be ready for, but won’t be taking, the Red Hat Certified Systems Admin test. Unless my title has “Linux” in it, I don’t think actually spending the money and time to take the test will be worth it to me, but the learning will be very nice to have. This sort of fills in my allotted personal learning time for the moment with something not terribly hard and with very little overhead pressure for the summer months.

Anyway, those have been my major timespends over the past month.

generation x or a millennial or a xennial?

I was born in 1977. This technically tends to make me part of Generation X, but I have never identified with that at all. I’ve identified more with Millennials, though I would have grown up, gone through high school, and graduated college well before I had a cell phone of any type in hand. So, I found this article interesting, as I think it makes a good point about this little gap of time between Gen X and Millennials that I greatly identify with: There’s Now a Name for the Micro Generation Born Between 1977-1983. I really like the identifier of having an analog childhood and digital adulthood. Definitely agree with that, as I got my first computer around midway through high school (for writing papers, learning, but mostly I got into Doom), and while video games were a huge part of my childhood, I wouldn’t call that digital to any degree. It was probably not until around late high school that I started “getting online,” and then it was just myself and not part of a social thing with other kids I knew. I hadn’t heard this term before, and just needed to capture it down for future reference.

passions and the resultant career in infosec

This week I read an article, The Cult of Passion, from Chris Sanders. I didn’t like it much at all at first. But then I liked it, and now I really kinda don’t like it again. I think it’s just the tone of the piece; it’s very Tumblr-esque. It’s very “use the term properly, damnit!” even though we all do (mostly) end up using it in the same way, though definitely blurring denotation and connotation together. Do we really have to convince everyone that the phrase, “I have a passion for security,” is unhealthy, or do we all really know what we mean?

(I originally wrote more about what I disliked, but I wanted to cut that down and yet still keep my points. Basically, I don’t like the assertion that passion can’t be measured so we can’t evaluate it. I think, between the lines, Chris is trying to say that the person who does “infosec” 20 hours a day is not necessarily better than the person with a better work-life balance, or something like that. I just don’t like the way he frames it. I also didn’t like the miss that we are actually paying to do infosec all day, in terms of hours of our life and time. Now, granted, we are paid money in return, but make no mistake we are still paying to some degree. I also don’t like the blind assertion that other professions clock out after 8-10 hours. Anyway, moving to the positive…)

Regardless of the tone and whether I like the full article or not, there are some absolutely excellent points, all centered around what we love doing. It’s a good idea to say, “If you didn’t get paid, would you still come in to work?” “If you had to pay to do infosec, would you?” Personally, I like to ask, “If I was income neutral, what would I enjoy doing as a job?” And this also goes into deciding what passions I might have outside of work, for instance, “What do I do when not at work to be happy? What hobbies do I spend the money I made on?” (Note: I emphasize the one question in this paragraph, as it’s a key question I ponder through my life, and one that could be its own chapter in a book. I look at my resultant answers, and balance that against whether those other ideas are just post-lottery-winning ideas or things I can actually make a living doing.)

The above faults aside, the other questions are excellent. Infosec is often a resultant pursuit due to passions in more fundamental things. And if nothing else, this article has allowed me to get a little bit beyond, “Well, I have a passion for infosec,” and actually look into why that is. Infosec is a result of other, more fundamental passions.

I love solving problems, puzzles, riddles, and mysteries (thanks Encyclopedia Brown and childhood puzzle books!).

I love organizing things, lists, planning, and seeing a well-oiled machine work, both today and more long-term. (thanks science background/interest!).

I love creating solutions to problems. This includes using creativity and imagination (thanks gaming and reading as an only-child!).

And (probably the most common one we collectively get correct) I love learning new things (curiosity and the information gap) and creative (and objective!) ways to use technology and do all of the above (thanks brain!).

For me, I have fairly equal parts objective knowledge application/observation as well as subjective creativity and imagination. I do require these both to be addressed month-to-month. This means I can’t just create new things or harbor ephemeral ideas all month, but I also can’t just read balance sheet numbers for a month. (Interesting to note that coding is a strange middle ground in today’s IT environment.) I need a bit of both, and honestly, most of IT supplies that in spades as long as my role isn’t in such a large company that I am only nose-deep in one thing week after week. For many people, it might be that they require doing different things here and there lest they become bored; but for me, there’s reason behind the desire for a little variety.

I probably have a little bit of a love for catching bad guys doing bad things; even if that means catching innocent people making mostly innocent mistakes that fall outside the lines (is it schadenfreude [BOFH!] or hall monitor syndrome?). I want to make sure things are still operating as they need to be operating. (I like to look at it like I’m teaching how to properly do something.)

I honestly also feel like I have a passion for teaching and sharing knowledge with others in a way that doesn’t come across as egotistical. I can also communicate well enough to tailor my delivery to the technical levels of my audience, and I take some pride in that. I’ve worked with non-technical clients, non-to-mostly-technical coworkers, and technical colleagues.

Pulling from my hobbies, I love a little bit of friendly competition (multiplayer gaming). I love using my imagination (reading, even solo gaming), I love creating something (I don’t stoke this enough, but maybe cosplay soon), I love possessing comfort items but I also love keeping things simple. I love using my senses (food, music, movies, clouds, wind, weather, candles, a bit of drink, exercise). And I love more learning and engagement with friends over all of the above or some new experiences.

So, I love lots of things that show my passion. Do I have gaps or weaknesses that are borne out of personality or shaped by my experiences in life over the past decades? Yes. Chris mentions imposter syndrome, and I know I do suffer from that; I have this inherent dislike/distrust of other people, but I also seem to have this inherent unfounded respect of other people I don’t know, or rather I attribute competence to other people without any proof (we can talk about philosophy and metaphysics another time over whisky). That usually only lasts until I find my voice amongst new people or roles. How do I fix this? Just keep myself surrounded by other infosec people so I realize that I’m at least as good as most everyone else. By forcing myself to speak up. By also forcing myself to fail and be better for it!

I’m terrible at meeting new people. I’m a typical introvert where I am terrible about initial small talk. It’s not an inherent thing to be interested in other people who aren’t already close friends. I make friends slowly, and often find myself assuming someone would rather not talk than shoot the shit for a bit (since, usually, I feel that way!). I’m super easy to get along with, I don’t actually have terrible social anxiety, but I tend to be the quiet one in the corner. And while I always come out of that shell, it just often seems to take some time and effort to do that. How do I fix this? Just smile and try to ask questions I actually want answered by a stranger. Actually try to be interested in others in general; they all know something I don’t!

I’ve worked in IT for the past 15 years, and for all of those years, training and organized learning on the job (outside of troubleshooting something and learning from it) were luxuries that I never had time or backing to pursue. That was all own-time pursuits and things that were outside the budget. As a result, I feel like I need to have my working days filled with actual work. I’m not sure this is a me thing or rather shaped by my managers of the past 10 years that required such time-spend reports every week.

Due to some of my managers and company cultures and combined with the occasional imposter syndrome issue, this does end up causing me to be a little risk averse, more so when my manager is hyper risk averse. This means failure is a bad thing, which can mean I end up not trying something and coming out neutral rather than trying and failing. Now, keep in mind most of my background is in Sysadmin/Ops; I feel security itself is far more forgiving of trying new things, as long as they don’t land the company on the news headlines due to a breach. But my science and tech background means lots of fails are useful data and contribute to learning! So I love failing, but it does strike a strange situation where my environment screams Don’t Fail and yet I sort of want to do something and try it out with X% risk of failing. It’s something I have to deal with consciously with both me, but also probably more so my environment. We’re humans in a human world; it’s ok. And as long as people aren’t dying, life will go on. I’ve worked in a company that said, “Innovate and try new things!” while at the very same time whispering, “Failure is not acceptable.” It’s a cultural red flag that I keep in mind during job searches.

All of this leads me to another related topic: what do I want to do? I’ve looked at framing this quest(ion) not long ago in a post from last winter: security job areas.

So, what do I want to do all day that I’ll love doing, and just happen to get paid to do? (Yes, there’s tons of other things to think about, such as the team, manager, company, and other things that influence happiness, but let’s assume the best here.) What sucks is I find myself just listing all the infosec roles (except maybe management and SOC analyst)! But I’ll try to rank things a little bit here.

red teaming – sounds so fun and varied, plus gives good, actionable value in return to clients
pen testing – solving problems and analyzing an environment are fun.
vulnerability assessment/management – much the same as above, just a little more structured and formulaic
security advising, consulting – quite varied, from high level concepts to low level step by step advice.
risk, compliance reviews, auditor, policies to find gaps and advise on proper steps/evidence
incident response/malware analysis
web application pen testing and reviews

Does this mean I’d hate doing the other things? Absolutely not. Honestly, other than being a third shift SOC analyst in a large company or just an initial provisioning tech in an MSSP, I’d likely be happy with most any infosec role.

So, this turned out to be a lotta introspection, and I even hesitated to even post it. But what does this mean for me tomorrow, next month, this year, and in 5 years? It gives me a way to evaluate what I want to do, for work, in each of those time periods. It also gives me an idea of an end goal (let’s just say a blend of red team/pen testing/vuln assessments/audits/consulting) which in turn gives me a chance to look at my gaps in getting there. Do I lack some certifications or training on the CV? Do I lack certain knowledge and skill I can pick up on my own time? What tasks do I want to grab at work tomorrow? And what opportunities should I keep my eye open for and jump at the moment they appear? It’s good stuff, and I think I maybe already knew some of this, particularly with my OSCP learning earlier this year, and continued CTF/Hack lab efforts.

training and learning plans for the rest of 2017

I made a post back in November about some future learning plans. Of that list, I’ve “finished” building my lab for the moment which allows me to put time into vulnhub boxes and other lab work. I successfully finished the PWK/OSCP course (whew!). I’ve started getting back to attending local meet-ups and events (SecDSM, BSidesIowa, ISSA). I also have a PluralSight subscription where I fill some free time with courses hosted there; they proved very helpful in preparing for the PWK/OSCP.

Moving forward over the next 6 months…

I’ve added and also started to pursue other online labs/CTF styled efforts such as hackthebox.gr. I hope to make HTB my larger time spend for geek stuff over the summer months. Add this to Vulnhub lab efforts and I should have my puzzle-solving itch taken care of for at least the summer. Also, doing these hits some sub-goals of organization and learning a few new tools.

Work is footing access to the LinuxAcademy course site for 6 months with the goal that I will be completing one of a few 20-ish hour tracks in Linux. Obviously, I’ll take advantage of more courses than just that. My own goal is to shore up some of my Linux exposure. I’m comfortable in Linux day-to-day and command line operation, but I still have lots to learn and I do plenty of administration-by-Google. I’d love to eventually just add in a RedHat or LinuxFoundation or Linux+/LPIC certification under my belt. Probably one of the former two by end of 2017 or early 2018.

I am also impatiently waiting for the online release of the Offensive Security web application course, AWAE/OSWE. This isn’t live yet, but once it opens, I plan to get in on this to further my web application security assessment skills as a priority. I could also pursue self study on the syllabus or using books like the Web Application Hacker’s Handbook in the meantime. Failing that one coming out any time soon, I’m also open to looking at other web app security/assessment courses or certifications. Examples include eLearnSecurity’s eWAPT course, or maybe the CSSLP from ISC2.

For possible other directions later this year, the next Offensive Security offering CTP/OSCE is an experience I’d like to have finished by the end of 2018. But having done OSCP, I know this will be another time suck. I’d like to look into the SLAE from SecurityTube as a pre-cursor.

Also, the CompTIA CASP has appeared on my radar of something to pursue, and seems to be getting good exposure and reviews. Other possibilities are the CCNA as a way to get into the deeper Cisco security stuff or doing some other vendor-specific stuff like Palo Alto, Fortinet, VMware, AWS Cloud Security, and so on.

My lab does still need to have a plan implemented for standing up (and re-standing up efficiently) an AD environment that I can use for testing. I’d like to package some additional PowerShell and maybe even Ansible/DevOps concepts into this effort, but that might be too big of a scope.

And a bit further down the priority list would be something like the ISACA CISA/CISM or much deeper study into Python.

There’s an endless amount of learning to do!

diagnosing blog depression

It’s interesting to get my blog back up and read some of my last posts and orphaned drafts. Honestly, 2014 was pretty rough for me for a few reasons, which contributed to my blog just staying down.

I was really busy at work with some large projects and a lack of staff to help out. In 2013, both Google Reader and Twitter decided to make life more difficult. I still haven’t completely moved Feedly into my regular list of habits to replace Google Reader, and I still bounce a bit between Twitter apps since Twitter started turning away all the third-party ones. I have, however, made room for Reddit…

I also was finding it difficult to say anything new about security on my blog. I was sort of getting sick of the same old thing, as well as just posting links to the same things others were posting about it. It’s a lot like retweeting a tweet that has already been retweeted 24 times in your own feed. What’s the point? But I was also just not having much new to say.

And then in early 2014, my blog’s server’s motherboard died out.

On a brighter side, I had some nice promotions at work due to the efforts, cultivated a new hobby/habit with tabletop gaming with friends, and found good companionship. And now have the chance to pursue security as a full time job.

This storm basically just led to me doing other things with my own time. Until now. 🙂

old sites removed from the side bar

It was a bit sobering to go through the links I had for news and blogs. Almost 50% of what used to be around are no longer present. Some are gone entirely, some are just not updated anymore, a few have changed content. As usual, I just post my own last farewell as a list of retired links. Next up will be all the tools and other resources I had in my side bar. I’m not very happy with the style of the links. Each item should be closer together, but I’ll tackle that another day.


terminal23 activity is ramping back up

Terminal23.net is back up and running! I’ve been absent for a few years due to life and a hardware failure. For years, I ran my site off a system sitting in the corner of my office, but its motherboard decided to finally die out. Life went by pretty quickly, but recently I got the itch to bring this site back up. I picked up a new motherboard and exported all of my contents into a proper format to move back up to a new hosting provider and into WordPress.

This is my first foray into WordPress, so I’ll be playing with the themes/appearance for a while here, and also doing some reviews of my old content to see what needs fixing. But, I have to say the export from MovableType3 into WordPress went far smoother than I had expected. The appearance is a different story. The current layout and theme settings are pretty close to my old site, but not quite close enough to my liking. Still, I’ll take what I can get in the short term here! The colors and general layout work for now. Maybe I’ll just code my own templates like I did previously…

The past 2 years have easily been my largest gap in blogging and having a web presence of my own since 1996. (I don’t count FaceBook or other smaller services.) A lot has changed, and yet a lot remains the same. Perhaps I’ll go into more detail as I decide where I want terminal23 to go or if I want to slice off a more personal blog or FaceBook presence off to the side.

I made terminal23.net for 3 primary reasons. First, I wanted to organize my own thoughts on security in a place that I could reference in the future, either to recall a tool, a script snippet, or just dump out some thoughts going through my head. Second, I wanted a curated place I could consume my favorite links that I found useful, from other blogs to web resources in the security world. Third, I wanted all of this to be viewable by any curious persons, especially those looking to see if I know anything about security and want to employ my services.

Looking back, I have 1724 published posts on this site dating back to 8/9/2004. Probably 98% of those posts are dealing with IT security to some extent or other, from tools to new scripts to commentary in general. During much of that time I had a more personal blog with 268 posts since 10/05/2001. And even older than that, I had a site presence of some sort since 1997/1996, though anything from those probably only exists on a floppy in some box somewhere.

At the time of my site going down, I had a listing of over 469 other security blogs, news sites, tools, and various resources. I do plan to bring those back, but they will take more time to check and port back in.

a little bit of blog history

Just because I was curious, I did some checking on my site here. I have 1,454 posts here on Terminal23.net dating back to 8/9/2004. That’s 19 posts per month. Prior to that, I made all my posts on my personal blog at HoldInfinity.com (less geek, more personal blog), which has 268 posts since 10/05/2001. I’d say I’ve been blogging about security since 2004.

Even prior to that, I’ve had a web site since 1997 (maybe late 1996 if I really push the definition), but those sites are no longer available except maybe on a floppy somewhere in a desk.

powershell: getting a list of active directory servers

Getting a list of servers can be a pretty valuable first task for working with large numbers of computers. Yesterday I had a reason to get a list of them all, and thankfully all of my servers are in the same OU tree in AD (/Machines/Servers). I also see SynJunkie did a similar thing this week, but I prefer not to use third-party cmdlets. 🙂

# Bind to the OU that holds all the server objects and search it for computer objects.
$blagh = [ADSI]"LDAP://ou=Servers,ou=Machines,dc=my,dc=domain,dc=com"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $blagh
$objSearcher.Filter = "(objectCategory=computer)"

# Only ask the DC for the attributes we care about.
$PropList = "name","cn","lastlogon"
foreach ($i in $PropList){[void]$objSearcher.PropertiesToLoad.Add($i)}

$Results = $objSearcher.FindAll()

Write-Host "found $($Results.Count) servers"

What this does is look for all computer objects under Machines/Servers in my domain my.domain.com. For all computers that it finds, it pulls out the name, cn, and lastlogon properties.

To find a list of all the properties that can be pulled out, after the above script do this:


Based on the properties I pulled, it should be obvious I was looking for signs of dead computer accounts. This can easily be changed to look for user accounts, properties in them, and other OUs.
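Taking the stale-account idea one step further, here is an added example (my own, not from the original post) that runs the same DirectorySearcher query and flags computer accounts that have not logged on within a threshold. The OU path is the post’s placeholder domain, and the 90-day threshold is an assumption of mine; it also reads lastLogonTimestamp because lastLogon is stored per domain controller and is not replicated.

```powershell
# Added example: find likely-dead computer accounts under the post's server OU.
# Assumptions (not from the original post): the placeholder LDAP path, and
# $StaleDays = 90 as the cutoff for "stale".
param(
    [string]$SearchBase = "LDAP://ou=Servers,ou=Machines,dc=my,dc=domain,dc=com",
    [int]$StaleDays = 90
)

$root = [ADSI]$SearchBase
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $root
$searcher.Filter = "(objectCategory=computer)"
$searcher.PageSize = 1000   # paged results so a large OU is not cut off at the server's size limit

# lastLogon is per-DC and never replicated, so a single DC may show it as 0 for a live machine.
# lastLogonTimestamp is replicated (refreshed only when older than ~14 days), which makes it
# the better single-DC approximation of "last seen". Pull both so the report can show either.
foreach ($p in "name","lastLogon","lastLogonTimestamp","operatingSystem","userAccountControl") {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$cutoff = (Get-Date).AddDays(-$StaleDays)

# DirectorySearcher returns attribute names in lowercase; missing attributes are simply absent.
function Get-Prop($props, [string]$name) {
    if ($props.Contains($name)) { return $props[$name][0] }
    return $null
}

$report = foreach ($r in $searcher.FindAll()) {
    $props = $r.Properties
    # Both logon attributes are Windows FILETIME int64 values; 0 means "never recorded".
    $ts = Get-Prop $props "lastlogontimestamp"
    $last = if ($ts -and $ts -gt 0) { [DateTime]::FromFileTime($ts) } else { $null }
    $uac = Get-Prop $props "useraccountcontrol"
    [PSCustomObject]@{
        Name      = Get-Prop $props "name"
        OS        = Get-Prop $props "operatingsystem"
        LastLogon = $last
        Disabled  = [bool]([int]$uac -band 0x2)       # ADS_UF_ACCOUNTDISABLE flag
        Stale     = (-not $last) -or ($last -lt $cutoff)
    }
}

$stale = @($report | Where-Object { $_.Stale -and -not $_.Disabled })
Write-Host "found $(@($report).Count) computers, $($stale.Count) enabled and stale (> $StaleDays days)"
$stale | Sort-Object LastLogon | Format-Table Name, OS, LastLogon -AutoSize
```

Treat the output as a candidate list to verify rather than a deletion list: a freshly joined machine or one that authenticates only against a DC that has not replicated yet will show up here too.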

weakness in md5 carries over as weakness in ca roots

The weakness I posted about yesterday is being presented right now at the CCC. I listened to the beginning of the preso just enough to get an idea of what they are doing (the stream is too broken up to properly listen to right now). It appears the team is able to leverage md5 collisions to fake a CA root certificate because the CA roots still validate by md5 hashes. So I suppose if you can MITM connections (or MITM the CA check?) you can pose as a Root CA and validate SSL certs that you control. I might have missed something there, since I’m not watching the rest of the preso right now.

Does this mean the Internet is buckling right now? Not really. I might change my mind if Joe Teenager down the street can hop on an open wifi network and MITM all SSL connections successfully without my knowing it.

you have your pro blackhats…and your noob admins

A couple articles skittered across my desk the other day. Los Angeles traffic engineers admit hacking into traffic light control systems and Rogue IT admin hands former employer’s network over to spammers.

There is lots of talk about the criminality of the black hat underworld and about profit-pursuing hacker groups (although maybe this is just the growing up of the teenage hacker vandals from 10 years ago now needing income), but there is another important set of threats: relatively normal people with access.

This includes former employees that can still use accounts for bad things, easy password guessing, or abuse of legitimate access just, well, because they can. It stems from both negligence and the simple aging of our reliance on technology. Ever wonder how many stale accounts you might have in your organization just because people with knowledge have left? And I’m not talking about obvious stores like LDAP/AD, email, VPN, network devices.

couple unpatched iphone flaws released

A couple iPhone flaws released by a frustrated Aviv Raff illustrate that Apple has a ways to go to become a respectable security citizen (to their defense, so do most people and companies).

One flaw released takes advantage of the iPhone not displaying the middle sections of long URL links. This could lead to a rise in Rickrolling. The second flaw leverages the iPhone’s behavior of automatically downloading images in mail. Both of these issues are old, obvious use-cases.

Hey, when business wants to move forward, security/insecurity just isn’t a stopping power.