Since it is that time of the year for all good security professionals to get ready to fly to Vegas I decided to put together my own “Surviving Blackhat” blog post.
Make a Friend. Being in security is sometimes a thankless job. You are going to a place with 30,000 other professionals who do the same thing you do and know the struggle is real.
Sure, someone may try to social engineer you into telling them your mother's maiden name, but you might also find a friend who does forensics that you can call at 0200 when you think you are 10 minutes away from being fired.
Have A Meal With An Important Security Partner. The companies that help you secure your company are at blackhat and want to hang out with you. Take advantage of it.
Have A Meal With Some Friends (That You Pay For). Pick a night (I suggest Tuesday) and make plans with a group of friends to have an amazing meal somewhere in Vegas without a vendor (unless you are really friends with a vendor).
Dress Like An Adult (for meetings). Save the Black T-shirts and Flip-Flops for DEFCON. To quote Jay-Z:
I don’t wear jerseys. I’m 30 plus, gimme a crisp pair of jeans and a button up.
Get Swag And Give It Away. Pick up way more swag than you need. You have co-workers that are covering for you. Nothing says “Thank you” like showing up on the 10th with a book bag of T-shirts from companies you have never heard of.
Get Smart! 90% of the smartest people in the industry are going to be within 4 miles of each other for 168 hours. LEARN.AS.MUCH.AS.YOU.CAN.
Have Fun! Part of the reason you are in Vegas is to recharge your batteries and have fun. Do that.
I spend a lot of time working in the Starbucks near my office. It is a great place to slip away from the office for an hour when I need to do some heads-down work but don't want to be completely anti-social.
Even though I always use a VPN, one thing that always bothered me was that Starbucks was grabbing my MAC address every time I logged in:
I am not a big fan of being tracked like this so this weekend I wrote randomMAC for OSX to quickly change my MAC address.
So now when I log in at Starbucks I am passing it a random MAC:
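As an added illustration (not the author's randomMAC tool), this builds a MAC address that is safe to use as a random replacement: the locally-administered bit of the first octet is set so it cannot collide with a vendor-assigned address, and the multicast bit is cleared so it is a valid unicast station address. The interface name en0 and the use of ifconfig's ether option are assumptions about the macOS setup.

```python
"""Generate a random locally-administered unicast MAC for a Wi-Fi interface."""
import re
import secrets


def random_mac():
    """Return a random MAC like '06:1f:9a:c3:e0:42'.

    First octet rules: bit 1 (0x02) = locally administered, so the address is
    outside every IEEE-assigned OUI; bit 0 (0x01) = multicast, which must be
    clear for a station address or the driver will reject it.
    """
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def is_valid_random_mac(mac):
    """True if mac is well-formed, locally administered and unicast."""
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        return False
    first = int(mac[:2], 16)
    return bool(first & 0x02) and not (first & 0x01)


def ifconfig_command(interface, mac):
    """Build the macOS command that applies the address (needs root).

    Assumption: interface name such as 'en0' is the caller's Wi-Fi adapter.
    """
    return ["sudo", "ifconfig", interface, "ether", mac]


if __name__ == "__main__":
    new_mac = random_mac()
    print(" ".join(ifconfig_command("en0", new_mac)))
```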
I have been using the iOS 9 Public Beta 2 and one of the things that I do not like (and has really been freaking me out) is the Frequent Location Tracking.
I was getting alerts like this:
This made me have the following thoughts:
I am not going to Columbia right now.
Am I going to Columbia right now?
Why does my phone think I am going to Columbia right now?
Wait… why does my phone think I am going to Columbia?
The answer to this is a new-ish feature in iOS 9 called “Frequent Locations” and it does a stalker quality job of keeping track of you:
You can and should turn this and Location-Based Alerts and Location-Based iAds off in: Settings > Privacy > Location Services:
At work this week I needed to compare two files to see if they had the same MD5 or SHA256 hash. After spending way too long trying to get hashdeep and md5deep to work correctly and not finding anything else to easily do this I wrote compare.py today.
This script is the definition of utilitarian but I hope it can help you also.
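An added example of the same idea, written for this page rather than taken from the author's compare.py: both files are read once in fixed-size chunks (so large files never have to fit in memory), MD5 and SHA-256 are computed in the same pass, and each digest pair is compared. The sample files in `_demo` are constructed inline.

```python
"""Compare two files by MD5 and SHA-256 without loading them into memory."""
import hashlib
import hmac
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB read size


def file_digests(path, algos=("md5", "sha256")):
    """Return {algo: hexdigest} for the file, feeding every hasher per chunk."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def compare_files(path_a, path_b, algos=("md5", "sha256")):
    """Return {algo: True/False} telling whether the two files agree per digest."""
    da, db = file_digests(path_a, algos), file_digests(path_b, algos)
    # compare_digest is a habit worth keeping for any digest comparison
    return {a: hmac.compare_digest(da[a], db[a]) for a in algos}


def _demo():
    """Constructed input: two identical files and one differing by a byte."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("a.bin", "b.bin", "c.bin")]
        for p, data in zip(paths, (b"hello\n", b"hello\n", b"hellp\n")):
            with open(p, "wb") as fh:
                fh.write(data)
        same = compare_files(paths[0], paths[1])
        diff = compare_files(paths[0], paths[2])
        return same, diff, file_digests(paths[0])


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} FILE1 FILE2")
    for algo, ok in compare_files(sys.argv[1], sys.argv[2]).items():
        print(f"{algo}: {'MATCH' if ok else 'DIFFERENT'}")
```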
They are written by *security experts* and they say effective security is as easy as:
Running su -c ‘yum update’ every week.
Picking a good password.
Blocking everything from China.
The only way to respond to these articles is:
The truth is SECURITY.IS.HARD!
When an *expert* writes an article based on the premise that effective security is achievable by following a canned security framework, they devalue the whole security industry. Implementing security in any organization means performing a risk analysis unique to that organization, and that can't be achieved through a checklist.
So the next time you see one of these listicles just say…
“Mr. Gamblin, this is your sixth year in the role of my father. How do you think this year has gone?” – My son during my imaginary yearly performance review.
Most holidays are set aside to celebrate an event that happened in the past, while Father's Day is mostly a day to celebrate what was accomplished in the past year.
It is impossible for me to celebrate without stopping and thinking about the past year. The easiest way to do this is to go straight to some classic performance review questions and apply them to my parenting skills. So here are the five questions I asked myself this morning:
“What went well this year and what might have gone better?”
“What can I do differently next year?”
“What are the most important goals for the coming year?”
“What knowledge or skills do I need to develop to meet my goals in this job?”
“In the past year, what achievement am I most proud of?”
Overall I think I did a good job this year but being a dad is one of the few roles in my life where I do not mind and actually expect to get a few “needs improvement” and no “exceeds expectations” because I am the one setting the expectations and I can never do enough for my son.
I spend a lot of time dealing with risk at my job.
I spend a lot of time dealing with how to communicate risk at my job.
I spend a lot of time dealing with how to accurately communicate risk at my job.
I put together this risk statement flowchart to help make sure I include all the information necessary when communicating risk. If I don't have something in every box, I know my job isn't done.
Last December I visited my Doctor for my yearly checkup and he told me I was getting a “little husky” and that I was over 200 pounds for the first time.
That was a wake-up call. I had always thought of myself as “athletic”, although I had slowly gone from a waist size of 30 to 34 over the last 10 years.
So I made a goal to try to be under 160 pounds by June 1st.
After reading online I decided the best way to do that was to follow these 3 rules:
Only eat 1000 calories a day. Go to the gym 3 or 4 times a week. No excuses.
It wasn’t easy and I knew I had a lot of work to do. I used to eat 1000 calories at some (OK most) meals and I hadn’t routinely been to the gym to workout in years.
I gave up eating much pasta and bread. I stopped eating candy. I started to run and lift weights again. It worked.
I still have some work to do as I would like to add back about 15 pounds of muscle mass and get under 10% body fat but it is nice to feel “athletic” again.
“I am useless by myself.
My success hinges entirely on the people in my life.”
I was challenged this weekend to think about this statement and decide if I really believed it or not. It was such a thought provoking statement that I wanted to share it and not overly pollute it with my own thoughts.