adding comments into wireshark and pcaps

Read a post today that blew my mind. SANS Diary made mention of adding comments to pcaps in Wireshark! Holy crap, that is awesome: not only can you put comments into a capture, but adding a new column to the packet list to show them all is an amazing way to annotate a capture set.

The diary entry also talks about Moloch and CloudShark. Moloch is a tool you download, install, and set up; it takes packet capture feeds, indexes and stores them, and displays them for easy referencing, with extra comments (tags) added through a web interface. This doesn’t replace an IDS, but it augments your ability to manage traffic views and packet feeds. I can see using this to carve out and save normal traffic examples or malicious incident snippets, or just as a budget-conscious way to start indexing traffic patterns.

CloudShark is a cloud or on-prem solution that will do much the same thing, only probably more polished.

The bottom line, though, is I had no idea comments could be added to pcaps in Wireshark! (Wireshark’s default save format is pcapng, which is what actually carries the comments; save the file as classic pcap and they are dropped.)
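What makes this work is the file format rather than Wireshark itself: pcapng stores a per-packet comment as an option (code 1, opt_comment) inside the Enhanced Packet Block, which is why the comment only survives a save in pcapng. As an added example that is not from the original post or the SANS diary, here is a small Python script that builds a constructed three-packet pcapng in memory, attaches comments to two of the packets, and then parses the blocks back to list which frames carry comments. The sample payloads, timestamps and comment text are made up for the example, and the frame numbering counts Enhanced Packet Blocks only (an assumption; Wireshark also counts other packet block types).

```python
import struct

# pcapng block types and option codes (from the pcapng specification)
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pad4(b: bytes) -> bytes:
    """Pad to a 4-byte boundary, as every pcapng field group must be."""
    return b + b"\x00" * (-len(b) % 4)


def _options(opts) -> bytes:
    """Encode a list of (code, value) options, terminated by opt_endofopt."""
    out = b"".join(struct.pack("<HH", code, len(v)) + _pad4(v) for code, v in opts)
    return out + struct.pack("<HH", OPT_ENDOFOPT, 0)


def _block(btype: int, body: bytes) -> bytes:
    """Wrap a body in the generic block header/trailer (total length appears twice)."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_pcapng() -> bytes:
    """Constructed little-endian pcapng: one section, one Ethernet interface, three packets."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _options([]))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _options([]))  # LINKTYPE_ETHERNET, snaplen
    # Constructed frames: 14 zero bytes stand in for an Ethernet header; comments are made up.
    frames = [
        (b"\x00" * 14 + b"constructed frame 1", "suspicious DNS burst starts here"),
        (b"\x00" * 14 + b"constructed frame 2", None),
        (b"\x00" * 14 + b"constructed frame 3", "baseline HTTP, keep as known-good"),
    ]
    epbs = b""
    for n, (data, comment) in enumerate(frames):
        ts = 1514764800_000000 + n * 1000  # microseconds since epoch (default if_tsresol)
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        opts = [(OPT_COMMENT, comment.encode())] if comment else []
        epbs += _block(EPB, hdr + _pad4(data) + _options(opts))
    return shb + idb + epbs


def _parse_options(buf: bytes, end: str):
    """Decode options until opt_endofopt; values stay raw bytes."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(end + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts.append((code, buf[off:off + length]))
        off += length + (-length % 4)
    return opts


def packet_comments(data: bytes):
    """Return [(frame_number, timestamp, comment), ...] for every commented Enhanced Packet Block."""
    if struct.unpack("<I", data[:4])[0] != SHB:
        raise ValueError("not a pcapng file (missing Section Header Block)")
    # The byte-order magic in the SHB body gives the endianness of the whole section.
    end = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(data[8:12])
    if end is None:
        raise ValueError("bad byte-order magic")
    results, off, frame_no = [], 0, 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from(end + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"corrupt block length at offset {off}")
        if struct.unpack_from(end + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"block trailer mismatch at offset {off}")
        body = data[off + 8:off + total - 4]
        if btype == EPB:
            frame_no += 1
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from(end + "IIIII", body, 0)
            opt_start = 20 + caplen + (-caplen % 4)  # options follow the padded packet data
            for code, value in _parse_options(body[opt_start:], end):
                if code == OPT_COMMENT:
                    results.append((frame_no, (ts_hi << 32) | ts_lo, value.decode("utf-8", "replace")))
        off += total  # other block types (IDB, NRB, ISB, custom) are skipped
    return results


if __name__ == "__main__":
    for frame, ts, comment in packet_comments(build_sample_pcapng()):
        print(f"frame {frame} @ {ts / 1e6:.6f}: {comment}")
```

Point `packet_comments()` at the bytes of a real pcapng saved from Wireshark and it lists the annotated frames the same way; feed it a legacy pcap and it refuses at the first check, which is the practical reminder that the comments live in the container, not in the packets.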

upgrading the gaming rig for 2018

(I wrote this about a month ago, and it got stuck in drafts. But now I’m pulling it back out and letting it loose.)

I’ve watercooled my gaming systems since around 2002. My last gaming system build was actually around 2012, and since then I’ve just been coasting on that system. I reworked the water loop into two loops a few years ago, adding a closed loop over the CPU (Corsair H60) and keeping a custom build over the GPU. Very cool. About 6 months ago my day-to-day system (an older gaming system) water cooling loop got some contaminants in it (after not having had any in many years) and I had an algae explosion. Rather than clean it up or even replace parts, I just scrapped the whole system and replaced it with a spare (better!) system I had sitting around doing nothing important.

Now, this week, my main gaming system suffered my first leak ever. A reservoir/pump combo drive bay unit was seeping water somewhere inside it. While the leak didn’t damage anything, it did cause me to rip out the loop and begin the process of putting the air cooling (fan and heat spreaders) back on the GPU. Water cooling was initially done to reduce the sound of my computers; but these days, fans are larger and far quieter, such that the reduction in sound is negligible anymore. Somewhere in either that process or just the process of touching/moving things that hadn’t been much touched in many years, the motherboard decided to stop posting at all. I gutted everything out, but no improvement. Well, I was actually going to look at upgrading the system next year anyway!

(PS: After much fiddling, I actually got the old motherboard posting again, but this was after I had rebuilt the system. So it’ll still see life in an ancillary machine for testing/playing.)

So I’m taking the time to upgrade the motherboard, CPU, RAM, and SSD. What’s interesting is how gaming hardware hasn’t really changed so much in the past 5 years, such that some of my components can actually be re-used. This marks the first time I’ve done an actual large upgrade rather than just building new from scratch.

I really wanted to get an Intel i5-8400 CPU, but I can’t find any available for at least several weeks. So I decided to spend a bit more for the Intel i5-8600. This requires an LGA 1151 socket board with a 300-series chipset, so I’m picking up a Gigabyte Z370 AORUS Gaming 5 motherboard. That means I need new DDR4 memory, so I’ll pick up 16GB of G.SKILL Ripjaws as 2×8GB sticks. I kept the option of a closed water loop on the CPU with a new Corsair H60. I also had an unused SSD sitting around, so I’m making use of that as my system drive (though my old case was built before SSDs were on the market, so it’s really just kinda hanging out in there…).

I really didn’t want to make these purchases right now, but things happen. Probably my computer telling me to make use of the Steam sale-driven Skyrim Special Edition that I purchased over Thanksgiving weekend!

building your personal brand in infosec

A post by Harlan Carvey as he ties up some draft thoughts on 2017 piqued my attention. Part of the post deals with building a personal brand in infosec, which channels information from a post by CryptoCypher over on AlienVault on the same topic.

I particularly dig this bit of advice when looking to build your brand online and using a blog as a means to that: “The first step is understanding that you do not have to come up with original or innovative content. Not at all. This is probably the single most difficult obstacle to blogging for most folks.” That really is it; it’s very hard to come up with original content. Often, the best bet is to build upon or give personal opinion about other topics, or just share information/links about things that others may not have seen. If nothing else, it’s also good practice for formulating opinions and thoughts on various topics, ahead of when a VP or developer comes walking up with questions (or a sales guy slides you into an ambush at a conference!).

And I totally agree when he says this about one of the purposes of a blog: “…a blog post is a great way to showcase your ability to write a coherent sentence.” If nothing else, a blog can do that and give an employer a hit on a Google search that will demonstrate interest in the industry. Everything else accomplished beyond that is bonus.

What I’m grateful for, though, is being pointed to the other article by CryptoCypher. This article is a very complete and actionable bit of advice for anyone in infosec. And I think the guy practices what he preaches. For instance, I’m aware of the Twitter handle and see him participate in discussions, and recognize the handle/bio image elsewhere. (Granted, it might not always be positive recollection, as things like n–bsec can teach us, but images and the people you associate with can be cleaned up with sincerity and effort and old-fashioned time.)

Getting back to the blogging part, he had this bit of truth to add: “A lot of people do not blog at all so just by having one you are already ahead of most students in that regard.” Not just students, but most professionals!

I really love the rest of his items. Getting involved in college and hackathons (or CTFs) and conferences is a huge boon of contacts and experience. I know, there are many introverted infosec insiders out there (myself included!), but there needs to be some focus on just saying, “Hi, what-do-you-do/what-brings-you-here?” to someone random at an event where you both clearly have intersecting interests to some degree.

Even more so, I love the inclusion of mentoring, though I would say this goes both ways: being mentored and being a mentor. I don’t care if the mentoring is formal in person or informal over Discord/Slack, but mentoring and teaching what you know is the best way to solidify what you actually know, and paves the way to share ideas, improvements, and consume even deeper topics. Be positive, be approachable, be helpful, be sincere.

I also believe many of us just need some friends in our lives, to share our lives with and stay on a positive track.

I also believe that we need far less mentoring than we think we do. If you can pass Sec+ or other entry level certs/material, you can truly consume anything in the industry given some measure of time and effort. Infosec is a half step up from “just” being a sys/desktop/network admin or other IT grunt. But it’s just a *half* step up. The imposter syndrome can be very real, but that devil just needs to be ignored and relegated to a basement office.

And, as the author mentions, I believe Twitter is one of the best places to cultivate a personal brand. You get immediate exposure and access to like-minded persons. Likewise, Slack and Discord and even Reddit can offer similar opportunities to get on board.

If anything is missed in all of these mentions, I think it would be developing a GitHub presence and populating it with some scripts and other pieces of work (it can also double as a wiki or a place to keep links/resources).

A personal brand isn’t for everyone. There are plenty of infosec folks who do not define themselves by their day job; they do not hang out on Twitter with us or go to more than 1 local con every few years. They probably have their own interests and ways to spend their life’s time. And that’s perfectly fine. But putting in some effort on a personal brand can certainly help anyone with the interest to invest. And this applies to things outside infosec as well.