So my friend Jon Molesa introduced me to web2py about 8 months ago. Web2py is a “Free open source full-stack framework for rapid development of fast, scalable, secure and portable database-driven web-based applications. Written and programmable in Python.” Over the years, I’ve become a real Python bigot, so using a Python-based framework was very appealing to me. However, it proved a real challenge for me. For some reason, I had a very difficult time wrapping my head around the way web2py works. I’m by no means an expert in it, but I am much more comfortable today than I was a month ago, now that I have my first web2py project (a scoreboard for the BSidesCLT CTF) under my belt. Below is a list of resources that really helped me in the process:
The folks on the Google Group are amazingly helpful and I could not have completed my project without their assistance (and patience). Unfortunately the IRC channel #web2py appears to be dead for the most part. Lots of folks lurking, but little to nothing actually happening.
I wrote this today to answer the question “What is a hackerspace to me?”, to explain to my home hackerspace, Hackerspace Charlotte, exactly what I think a hackerspace should be. I thought I’d share it with a wider audience.
A few weeks ago, Red posed the following question to me: “What is a hackerspace to you?” With elections approaching and the likelihood that new blood on the board will bring changes to the hackerspace, I’ve been taking some time to really think about what my answer is to that question.
When Red first asked me this question it seemed more like an intellectual exercise than it does now. Now the question seems like an important one to ask. I know several folks have been informally tossing around ideas for change and ways to improve the space; I think the open dialogue is fantastic and needed.
As I’ve been thinking about it, I realized the best way for me to answer ‘what the hackerspace was to me’ was to think about how I describe the hackerspace to other people. I have had the honor of speaking at several conferences recently and at each one, I’ve begun the talk by promoting my hackerspace. As a previous member of HackPittsburgh and now as a member of HSC, the second or third slide in my deck has always been to promote hackerspaces as a whole and my home hackerspace specifically.
So what do I say about hackerspaces? I talk first and foremost about the community. I talk about how I learn something every single time I visit my hackerspace. I talk about the free flow of information, the willingness of those in the know to share with those who don’t know. I talk about what I’d call, for lack of a better term, cultural understanding: an understanding of and comfort with hackerdom. (Let’s face it, out in the ‘real world’ you get funny looks if you mention excitedly that last night you learned that you can fit four AA’s into a 5 hour energy drink bottle.) I talk about community outreach to share what we know about building things and changing things with a world that is quickly losing those skills.
After thinking about this, I realized what is notably missing from my description. Not one mention of the selection of tools and equipment available to me. No mention of the 3D printer I have available or the laser cutter. Not one mention of a private workspace where I can bury my head in my project. Not one mention of the space as an incubator for my own private enterprises.
I realized that the tools are nice to have and an important part of the space, but honestly, if they were the most important thing to me, I’d buy my own. If I want to bury my head in my project I can do that at home as well; I don’t need to pay dues and drive to the space to get that.
So when it comes right down to it, the hackerspace to me is a community, a living, breathing, knowledge-wielding, solder-slinging beast. I hope that in an effort to tame that beast, we don’t lose the community that makes the hackerspace so important to me.
This past weekend, some friends and I competed in the Carolinacon 8 Capture the Flag (CTF). We learned a few things and I’d like to capture them here so they can help future CTF teams and so we don’t forget them next year when we stroll into Raleigh to try again.
1. A slightly offensive funny name is just fun. We couldn’t easily agree on a team name because the entire team wasn’t comfortable with the “offensive” nature of our name. However, I think it worked well for us. First, people had a good time with it and second, I don’t think we will be quickly forgotten.
2. Eating is important. It’s way too easy to get caught up in the hunt and forget to get meals. This happened to part of our team and it showed when the frustration level got high. Take the time to eat – even if that means sending someone out for food, do it. On Saturday, we invested close to 12 hours into the competition and that’s a long time to go without more than a bag of Doritos provided by the kindness of Mrs. Skydog.
3. Don’t be afraid to get up and walk away for a bit. We found ourselves afraid to walk away from the table for fear that the other team would pull ahead in our moment away. In retrospect and looking at the timeline, we had plenty of opportunities to step away. It’s way too easy to get tunnel vision and sometimes that 15 minutes away is just enough to clear your head and give your mind a moment to work on the problem.
4. Sitting by the pool is a bad idea. It seems like a good idea, really it does, but it’s not.
5. You will NOT have the gear you need. Try to plan for every contingency, but be prepared that you will be missing something. Be prepared to improvise.
6. Team communication is crucial. No lone wolves. You are on a team dammit, act like it. I think we did this well, but we did have a couple of moments where we could have done this better. Listen to what your teammates are saying. You wanted to be on a team with them for a reason; don’t get smartest-guy-in-the-room syndrome in the middle of the battle.
7. Shut your pie hole. Okay, so this sounds like it contradicts number 4, but it doesn’t. We learned the hard way that the other teams are listening to each other and they sure are paying attention to what the lead team is saying and doing. So make sure you have some secure form of inter-team communication. And test it before you leave – but be prepared, it will break 2 hours before the CTF, so have a backup plan.
8. Social engineering isn’t against the rules, unless it is. Use it to your advantage.
9. Act like you are being watched. Odds are pretty good that the pretty woman who strolls up acting like she is interested in making small talk with you, isn’t. She’s looking at your screen grabbing intel. Decide if you are in it to win or make friends. If you want to make friends chat away. If you are in it to win, have a copy of goatse or lemon party on hand to flash up on your screen whenever she comes near.
10. The network is hostile. Remember the other teams want to beat you, and even if attacking other competitors is against the rules, sniffing the wire isn’t. Any bit of intel they can grab from what attacks you are running or services you are targeting will only help them. Use this to your advantage; throw them off your tracks. Heck, maybe even dedicate a team member to launching bogus attacks; it’s an idea anyway.
11. Have fun and remember it’s a game. Yes, there may be prizes, fame and fortune at the end of the game, but it’s still just a game. We met some very cool people doing the CTF, people we beat and people who beat us. If we had allowed poor sportsmanship to creep into the competition we would have missed the opportunity to meet these fine (and very intelligent) folks.
We had a great time and I had the pleasure of working on an excellent team with guys I’m lucky enough to work with on a daily basis. I’m really looking forward to doing it again.
Turns out that Cree.py is broken out of the box on BackTrack 5 R2, but it’s a simple fix:
apt-get autoremove creepy
apt-get remove libosmgpsmap-dev python-osmgpsmap
apt-get install libosmgpsmap-dev python-osmgpsmap
apt-get install creepy
I hope that headline got your attention. That was my goal. It’s offensive when someone generalizes about the overall intelligence and thoughtfulness of an entire group of people. And yet, that’s the habit we as an industry seem to have fallen into. In IT and in InfoSec, over and over again I hear “Stupid users”, “those idiot users”, “my users are such dumb shits”. It’s almost a mantra; it’s uttered that frequently.
My focus here is in the security realm because that’s where I am and what I do. In the security community, I hear the sentiment echoed over and over again as well. Dumb users who repeatedly “click on shit” that ends up compromising my security. I’d like to turn that around a bit. Any time one of my users “clicks on shit”, I’d like to suggest that it is I who have failed and not them. My team and I have failed to properly educate them, I have failed to teach them how to identify the latest phishing scam, we have failed to teach them to type the URL themselves rather than blindly clicking on links. We have let the company down, not those “dumb users”. I feel very strongly that a big part of my job should be end user education. As tired as military analogies may be, they are our front line, they are our border guards. Without their participation and involvement in securing our environment, we can’t ever hope to be successful.
So please stop looking down at those “dumb users” and make them a part of your security team. Educate them and make sure they understand that they play a vital part in securing the enterprise. In fact, as a whole, I could argue that they play a much more important role than you do, so please act like it.
Also, please consider bringing your expertise to the newly launched Security Awareness Training Framework (SATF). We are working to develop a framework (similar to what is being done for penetration testing with PTES) that will help security programs and practitioners develop a complete and comprehensive security awareness program. This isn’t a small task, but we are a small group of folks working on this in our free time and any extra set of hands would be appreciated.
P.S. I don’t think information security folks are dumb, in fact, I’m often awed and intimidated by the intelligence of some of my peers.
This is becoming a disturbing trend in Pittsburgh. My thoughts today are with the family, friends and fellow officers of Derek Kotecki.
My dad had a variant of this poem framed when I was growing up. I always found it very moving and it is appropriate for today.
A police officer stood at the pearly gate,
His face was scarred and old.
He stood before the man of fate
For admission to the fold.
“What have you done,” St. Peter asked,
“To gain admission here?”
“I’ve been a police officer, sir,” he said,
“For many and many a year.”
The pearly gates swung open wide
As Peter touched the bell.
“Inside,” he said, “and choose your harp.
You’ve had your share of hell.”
The first time I met Moxie Marlinspike was outside of a small Mexican restaurant in downtown Pittsburgh. He rolled up on his bike, rocking his head full of dreads, looking like perhaps he had just returned from some island trip. I admit, I was in awe. Here I was talking to a celebrity in my world, the guy who broke the Internet. This guy was the real deal, he brought it. His findings had called into question the very core of the trusted Internet; he had broken SSL. Not only was he doing this amazing research, dropping 0-days on the world, he was releasing some amazing tools. And here I was about to have a great lunch with this amazing mind.
The reason Moxie had agreed to meet with me was to discuss the possibility of him speaking at a fledgling organization I was trying to get started. I had it in my head that Pittsburgh needed a security community. So a couple of friends and I had started PittSUG, the Pittsburgh Security Users Group, and we were hoping to lure Moxie, bribe him if that’s what it took, to get him to speak at our event. So I sat there explaining to Moxie what my idea was for the Users Group. He seemed into the idea, but he wanted to make sure I understood that no one was going to come and drop 0-day at PittSUG. I was kind of surprised by this; it had never occurred to me to even think that someone would drop 0-day at PittSUG. Probably because I don’t deal in 0-day; I don’t think there’s any risk of me uncovering some 0-day.
The goal of PittSUG was to deal in what I described that day as “commodity” security information. In my career, I have encountered plenty of Information Security professionals who don’t understand the very basics, from being warned that I would infect my Linux box by running strings on a W32 binary to what I can only call a mystical belief about how TCP/IP networking works, as if once you got below layer 7, it all became black magic and could behave without rules and defy both logic and reason. Many of these InfoSec professionals not only didn’t understand what the tool was doing behind the scenes, they didn’t even understand the tool. With PittSUG, I hoped to fix this. Okay, not fix it, but at least make a dent in it. Unfortunately, the PittSUG experiment didn’t last long. We quickly ran out of people willing to speak and teach at the meetings. However, I know we were partially successful.
Our last event was a CTF, created by the core group of PittSUG. The goal was collecting flags hidden throughout various machines. We had totally outdone ourselves; the contestants really struggled and we watched with pride, because we had really created a challenge. And then something great happened: all of us spontaneously sat down with the less experienced contestants and started leading them through the exercises. We didn’t really decide for this to happen; it just kind of morphed into a training session. Suddenly flags were falling and those frustrated faces became smiles. The folks at that CTF had really learned some things; we spent time not only showing them how to use the tools, but also explaining what was happening behind the scenes.
This afternoon I listened to the AIDE talk from Keith Pachulski (SecOps) on the failures of the penetration testing industry. A good portion of his talk was addressed at individuals like the ones I mentioned previously, the ones who think TCP/IP is a mystery and ICMP is a clown-faced rap group. As he talked, I couldn’t help but wonder if we aren’t doing it wrong. As a community, we seem to raise up those who bring the 0-day, but not so much those in the trenches teaching the “commodity” security lessons. I understand why; 0-day is sexy. Explaining a MITM attack only to realize the person you are explaining it to has no idea what an ARP table is, is everything but sexy. I also think a lot of us are self-taught; we do this not because we want a paycheck, but because we really love this, we love the challenge and we love losing ourselves in the Matrix. I think in a lot of cases we expect the same effort and interest from our peers and we are frustrated and disappointed when we don’t get it.
So what’s the point of all this? My point is this: Adrian Crenshaw and those like him are doing it right. Irongeek.com has some great videos and some amazing tutorials. Adrian will be the first to admit he isn’t an expert, but he’s turned that enthusiasm for Information Security into a great learning resource. Maybe if we had more Adrians in the community, we’d have fewer people who only know Metasploit for db_autopwn and more who know how to find targeted and specific attacks. And just maybe they will not only be able to choose the right attack for the right target, they might even be able to explain what it’s doing under the covers.
We need those like Moxie and Tavis Ormandy dropping those awesome 0-days because we need those flaws found and brought to the light of day by the good guys, but we also desperately need the Irongeeks who aren’t afraid to teach the stuff so many of us take for granted. Next time your local con or Bsides event has a call-for-papers, please don’t be afraid to submit a talk about something you think everyone knows, because you might be surprised how much your talk will benefit those in the audience.
In this case, I’m the hairless monkey and the teachers were Matthew Beckler and Andy Leer of HackPittsburgh. Matt is one half of Wayne and Layne, which is a company that produces open source hardware kits. Andy Leer, on the other hand, is 100% of Andy Leer.
When I signed up for the class I wasn’t sure what to expect. My experience with a soldering iron was limited to ruining my Dad’s iron by repeatedly melting my little green army men and filling the basement with the toxic black smoke of molten plastic.
Luckily, in the able hands of Matt and Andy, I was able to turn my toy soldier torturing abilities into a useful skill. The entire class assembled and soldered the Tactile Metronome kit from Wayne and Layne. I left the class with a functioning “Syncopation machine.” Both Matt and Andy spent enough time circling the class and making sure that everyone was on the right track, and even took the time necessary with each individual if they needed a little one-on-one attention.
I left the hackerspace with a big smile on my face and a new toy in my hand. If you are looking for a good beginner’s soldering kit, I can’t recommend the Tactile Metronome enough. The kit was easy enough for a newb like myself, but also a complete enough project that I felt like I was leaving with a finished product.
Special thanks to Matt and Andy for being such patient and able teachers.
If you are a newbie solderer or even if you’ve never touched a soldering iron before, I’m confident that a beginner’s soldering class at Hack Pittsburgh can get you melting tin in no time.
I have always held Verizon’s Business Security division in rather high regard, primarily because over the last several years I’ve found their Data Breach Investigations Report a useful and very telling document. I’m often in the situation in my career of explaining the “real” threat that X poses. This document has always provided something for me to point at and say here is why you, Mr. BusinessMan, need to care about securing your enterprise. Having Verizon’s name tied to it gave it some additional weight.
However, this morning I read the article entitled “Redefining Security Researcher” by Wade Baker. In this blog posting the author suggests that the InfoSec community suffers from the “ridiculous yet long-standing inability to distinguish the good guys from the bad guys”. I have several issues with Wade’s terminology and his logic.
First, as Wade suggests, the headlines do often read “Security Researcher Breaks This” and “Security Researcher Exposes That”. However, the author of the article or his/her editor picks that headline, not the “Security Researcher”. Just like the television reporter gets to decide if the term “World’s Number One Hacker” appears underneath Gregory D. Evans when he mugs for CNN. We in the industry have only limited influence over the terminology used. A perfect example of this is the death of the term “cracker” and the changing of the word “hacker” to be synonymous with criminal.
Also, let’s not forget that even the Narcissistic Vulnerability Pimp is doing research. It’s not like they have some secret vulnerability hole where they can pull vulnerabilities from. While you might object to their methods of disclosure, that doesn’t mean that their efforts are due anything less than being called a “Security Researcher”. They are in fact researching security issues.
Finally, as Wade points out in his later comments on the post, several analogies do fall flat when used to further explain disclosure. Admittedly no analogy is destined to be a perfect fit; however, I do feel that I’ve found an analogy that works well enough – bullet-proof vests. Imagine someone discovered that a certain brand of 9mm ammunition could easily pierce a standard bullet-proof vest. They contact the manufacturer and inform them that the vest fails to stop this particular brand of bullet. The manufacturer says “we don’t believe that to be a real issue”. How should this be handled? Hundreds, perhaps thousands, of vests with this vulnerability are deployed in military, police, and civilian circles. If the bad guys get wind of this, you can be sure this brand of bullet will become the round of choice. I think the only responsible thing to do is go public with this information. This allows each person to make an educated decision when they put on a vest – like wearing some additional layer of protection. Hopefully the public outrage will force the vendor to look into the problem and fix the issue.
Vulnerability disclosure is a touchy subject and will always be a balancing act between being responsible and doing what is best to protect the consumer, allowing the consumer to make an educated decision about what software provides the level of security and functionality necessary to get the job done.