Son Of Sun Tzu

I had a great conversation with a friend/coach recently about, well, what to do careerwise, and this subject came up.

One of the things I'd like to be, and I'd like to be paid to be, is a "Librarian of Experts". I've always been naturally drawn to smart people, and I get a thrill out of seeing just how good people can be at certain tasks or skills or challenges; and also I enjoy being able to learn the detail about other's' areas of expertise without having to go through all the learning they've gone through. I naturally think of people in terms of what they know, I think because of, partly, laziness/efficiency - why spend a day figuring something out if someone else could give me the answer in thirty seconds ( I'd reciprocate from my own expertise of course ), and partly it's a chance to have an interesting conversation.

This Neil Gaiman quote has always summarised how I feel about these experts: “Google can bring you back 100,000 answers, a librarian can bring you back the right one.”

However, I struggle to keep track of who I know with expertise in each area, especially if it's not their main or current profession. While my memory isn't great I can usually recall who I know who's proficient in a certain area through a combination of searching LinkedIn, twiiter, and old emails; having some memory that I have a contact who's better at something than I am, or knows more about something that I do, feels like one of the few side benefits to occasional bursts of Imposter Syndrome.

Not only as a profession, but also to make it as easy as possible to discuss potential professions with many others, it would be very useful for me to have some kind of "Capability Matrix" of who I know, and what I could ask them about. This is a requirement that's come up again and again in my permanent jobs, figuring out who in their team can do what, but often the answer is just a half-thought out Excel spreadsheet that only works in very limited disciplines, penetration testing for example.

So if I want some kind of index of talents in people, how do I classify those talents, where do I start? For all of human knowledge how do I classify what people know in a reliable and repeatable way. I figure the Dewey Decimal system ( https://en.wikipedia.org/wiki/List_of_Dewey_Decimal_classes ) is a start - also it might have established rules for dealing with people/books that fall into more than one category, and established software for computers and mobiles that I can easily adapt from books to people.

For example if you are one of my librarian friends you'd be under 26.026 I believe.

Thank you for your time, my questions are:

• Is this a good business idea? Even as one of many simultaneous professions? ( I've only seen this is one place before, the company Chime Advisors )
• Is this the best way to classify people's expertise?
• I wonder how to deal with people being experts in multiple areas, and so falling into multiple categories?
• Is there any free software, that works across computers and mobile devices, where this information could be stored?
• Is there a better solution I've missed?

All suggestions welcome.

Yet another niche blog post that only one person will read, but maybe I will save them an evening.

I have an HP Workstation as my new desktop PC, so I'm now only a couple of generations behind in hardware, rather than ten years old. So with the increased memory and processing power, I thought I'd plug my iMo USB screen into it, pass that through to a VM running in virtualbox, and run kodi on that. It's much easier than trying to make the USB screen run under my main Arch Linux and not interfere with the other four screens I've already set up.

( also easier than making it work on a Raspberry Pi, which I tried here: http://blog.sonofsuntzu.org.uk/post/2017/04/01/How-to-run-Xbian-off-a-USB-display

Considering the time of year in the NFL season, there's a lot happening in free agency and the draft is coming up, so really the reason I wanted to run this was to have the NFL Network playing in the background so I can keep an eye out for headlines.

So....

Attempt 1

Set up: Debian buster, because I know the USB screen just works with Debian.

Reason it failed: NFL Network live streaming ( but not the games apparently ), needs the InputAdaptive and RTMP functionality of KODI to work. It turns out the relevant kodi packages for this haven't been in Debian since Sid.

Attempt 2

Set up: Alpine system, because I like Alpine because it's so small and fast.

Reason it failed: I just couldn't get the keyboard and mouse to work on Alpine once I started X. I tried hard, but not that hard as Alpine has no drivers ( "udlfb" ) for the USB screen anyway, I just wanted to get something working.

Attempt 3

Set up: Linux Mint 18.3. Mint tends to "just work" in general, and is one of the easier Linux distributions to get started with.

Reason it failed: Mint was weird... it would boot in the virtualbox monitor, then the Linux Mint graphical boot screen would appear on the USB monitor, but then the Mint interface would only show on the virtual monitor in virtualbox. This system was then unable to "see" the USB monitor at all, even after removing the specific entry to blacklist the udlfb driver in /etc/modprobe.d/blacklist.conf

Attempt 4

Set up: OpenELEC, installed by converting the OpenELEC img file to a vdi file and booting from it.

Reason it failed: As I suspected already from online forum postings, but I wanted to check with the latest version, OpenELEC doesn't appear to support the virtualbox virtual graphics card, so this didn't get anywhere at all.

Attempt 5

Set up: Windows 10 VM with Kodi installed, it worked well, although it took a while for the system to get the iMo screen drivers installed. For Kodi on Windows the relevant InputAdaptive and RTMP functionality just comes as part of the install package.

Reason it failed: Well... it kind of failed. I could actually watch the NFL Network streaming live using this, but from a quick look at the output of the htop command it was taking a lot to make this happen.

Other Notes

The mouse and keyboard use on this is weird, in general the virtual machine would boot, "transfer" the screen to the USB monitor, but then I'd operate the mouse on the USB screen by moving it around the, now blank, monitor being shown by virtualbox on my PC. On the Linux Mint solution the mouse and keyboard didn't get picked up, but after a reboot or two... it did. As you'll have seen above, it just wouldn't work under Alpine.

On Windows I only got as far as running that will two screens, and sometimes the mouse with be on the monitor being displayed in virtualbox, and the USB monitor, at the same time. I would have been tempted to play with that more except htop was showing how hard my PC was having to work.

Any constructive comments welcome...

Making a mockery of RSS I'm just posting this because it's bound to be of use, to someone, on the Internet, once.

• Double pair rear fans - 12V 0.6A 92mm wide, 25mm deep - both have 4 pins but are amalgamated in the shroud into 6 pins coming out - max rpm 4042 from Thermal option in BIOS, marked as "chassis"
• Front bottom fan - 12V 0.24A 4 pins, 80mm wide, 25mm deep - uses plastic clips not screws, so will need replacements for those if you replace the fan - fan with my Z600 with can't be oiled, max rpm 3158 from Thermal option in bios, marked as "PCI"
• Two separate processor fans - 12v 0.40A, 80mm wide, 15mm deep - can't be deeper due to mounting
• Top / Memory fan - 12V 0.50A 80mm wide 25mm deep - fan says 495659-001 on it, shroud is 468628-001 - marked as "memory" in Thermal section in the BIOS
• Small fan - 12V 0.15A 4 pins - 40mm wide, 19mm deep - I think max rpm 8438 from Thermal option in bios, marked "chipset"
• Power supply fans are 2 x 60mm x 25mm according to HP website

If you can advise on OEM replacements, especially quieter versions, comments are welcome. Note that all of the fans appear to do a speed test as the machine starts.

The short version

Don't.

The long version

( I've not gone into too much detail, I figure the only people who'll stumble across this are either considering the same solution, or troubleshooting their own attempt )

I had a Raspberry Pi 2, it's a "2+" I think, running Xbian. Xbian is a pre-built version of Kodi, the popular media player that used to be called XBMC. No X server is used, Xbian turns your Raspberry Pi into a media player with relatively little effort.

Having acquired a couple of USB screens over the years I thought it would be useful to connect one of these screens to the Pi, just so something like BBC News 24 or the NFL Network could run in the background to the side of my main monitors, or a Twitch channel.

So I connected a Mimo USB UM710 monitor and rebooted the Pi. This came up as a green screen, which means that the udlfb driver has loaded; and from the command line I can see that I have "/dev/fb0" and "/dev/fb1" - meaning that two framebuffers are available.

However I couldn't find any way within the Xbian interface to direct Xbian to use /dev/fb1, nor any kind of option to specify this in any of its configuration files.

I tried using the con2fb tool to redirect a different console to each framebuffer, directing tty1 to the USB monitor, in the hope that Xbian was starting on tty1 ... but still running "kodi start" from the command line brings up Xbian on HDMI.

I looked at somehow disabling the first framebuffer, but to no avail; the relevant bcm2708_fb driver is part of the kernel, and there's no way to stop it being used. Also I don't know if that functionality is required to generate that graphics that are then sent to the USB monitor using the udlfb driver. I expect that a Raspbian kernel can be compiled that doesn't include this functionality, but I decided that for a relatively simple system, which I'm trying to use in an "plug and play" way as possible, compiling my own kernels was a step too far, especially as I had no idea if the solution would work or not.

Also, ideally, I would be able to switch this device from using the USB screen to an HDMI screen with a few commands.

( As a side note, if you're looking at this in general it's worth researching the "chvt" and "xbmc_send.py" commands online )

On further research it turns out this is a common issue for people trying to extend their use of a Raspberry Pi.

That research did lead to a couple of possible solutions, these are framebuffer copiers, or mirrors, that copy of the output from framebuffer to another. While not ideal, this could work.

Firstly I tried fbcp but that just didn't work.

I set the Xbian resolution down to 480p to match what the USB screen was capable of, but this didn't make a difference.

So I moved on to raspi2fb instead.

This worked up to a point, showing the output of the first framebuffer at the right resolution, and at something like 25 frames a second. While slightly jerky this was more than enough to satisfy my requirement to keep an eye on the channel. Kodi's BBC News 24 plugin worked fine, the NFL Network worked fine at a low enough resolution ... but both the Twitch and YouTube plugins would crash the entire system. As far as I can tell it seemed that if I attempted to display anything above the resolution supported by the USB screen the Pi would just crash and need to be manually restarted. Also the system was now a little flaky in general.

I tried both 1.0 amp and 2.0 amp power supplies with the same result.

In the end I gave up, and decided I'd try something else to get Xbian on the USB monitor.

However having disconnected the USB screen, and tried using the Raspberry Pi on an HDMI monitor again, it's crashed after a few minutes. I'll be seeing if there's some kind of software diagnostics I can run to spot any obvious problems - it feels like something the community will have written already.

So in the end I have a Pi that appears to be broken in some way, possibly a result of how many USB devices I plugged into it at once - suggestions for easy ways of running hardware diagnostics are welcome in the comments below.

( NOTE - this should have been published six weeks ago, apologies )

A short list of which podcasts to listen to, and which blogs to follow. These are just a few entries to get you started, there's a lot of information out there, learning how to filter it to what is relevant to you is a very useful skill.

Podcasts

Risky Business - particularly the first twenty or so minutes covering the main stories of the last week, but also the interviews tend to be worth your time. Find it here.

SANS Internet Storm Center - released daily, and just a few minutes long, a quick way to be bang up to date with security news. Find it here.

Down The Security Rabbit Hole - good coverage of recent news, or an in-depth look at particular issues. Find it here.

The Silver Bullet Podcast - particularly useful just to get an insight into the "names" from cyber security you'll have seen online or presenting at conferences. Find it here.

Blogs

I went through my RSS reader and pulled out those few blogs that would be the most useful to anyone entering the industry:

For thoughts on penetration testing by working penetration testers try Holly Graceful, Carlos Perez's Dark Operator, and Digi Ninja's blog,

For a wider perspective of information security go to Black Swan Security, Michael Santarcangelo at CSO Online, Naked Security from Sophos, or Brian Krebs.

For regular updates on security news and testing tools, try Darknet. While I've found the quality of entries to vary quite considerably, this seems to be the best resource for quickly reviewing the latest news and a useful way of seeing what's out there.

I've just read Troy Hunt's excellent summary of the CloudPets breach, and it got me thinking. I'm a big fan of those "movie snark" YouTube channels, something like CinemaSins where they take a film to pieces and list "Everything Wrong With" it. The same kind of idea struck me about this issue, it is the Suicide Squad of security practice; CloudPets didn't make one error, but made several errors which exacerbated the effects of the others.

Referencing CinemaSins mean you should be watching a video with high production values but instead you've just got a text only blog that really needs a livelier theme.... but putting that to one side, I think CloudPets committed twelve "security sins". Did I get them all? And bear in mind I've just read Troy's blog, I've carried out no extra investigation myself.

Firstly - what they did get right - the use of bcrypt. Bcrypt is recommended for password hashes as it includes a salt, and so greatly reduces the feasibility of being attacked using rainbow tables.

However, for what they did wrong, in no particular order:

• Unnecessary Internet connectivity - I assume the MongoDB just needs to interface with the API, which is what interfaces with the phone apps, therefore the database doesn't need to be Internet facing at all.

• No firewalling in place - just the fact that the MongoDB was exposed to the Internet, rather than any kind of any host or network based firewall being in place.

• No database authentication - by default MongoDB does not used a password.

• Using live data in development - as Troy explains, there's no apparent separation between live and development environments or data.

• Not protecting your interfaces from known bad actors - while Shodan.io isn't necessarily a "bad actor", it does help your security if you block traffic from a service known to index vulnerable systems.

• No security based email addresses in place - standard email addresses that should be run for each domain are specified in RFC 2142. While some of these are undoubtedly out of date ( usenet@ anyone? ), others, such as security@, should be implemented and monitored appropriately.

• No network or security monitoring - the database was compromised multiple times and yet CloudPets obviously didn't spot this as they didn't react by securing their systems, or at least protecting the database server from the Internet.

• Unencrypted data within the database - it strikes me that there could/should have been a clever way to encrypt the data in the database, maybe tied into a particular toy's hardware, or some key derived from the App associated with the toy. As the toy appears to talk using Bluetooth to an App within the same household, as that App acts as a gatekeeper for inbound and outbound messages; a key based on the toy might work. By cryptography standards it would be horrible, a shared key in multiple locations, and that would require little effort for the App to encrypt or decrypt voice data, but certainly better than nothing.

• No authentication protecting online assets - the profile pictures, voice recordings, and so on are all accessible with knowledge of the complex URL they're hosted at. While not trivial to index this makes them vulnerable. The authentication credentials required are already available to the service, this is omitted simply because the service is so poorly secured.

• No network separation - from Troy's article it looks like the webserver, the production database server, and the development database server, were either all sitting on the same IP address, the same physical or virtual system, or all were the same physical or virtual system. I assume it's difficult to elevate privileges from MongoDB access otherwise far more damage would have been caused by all the recent compromises, but this is a less than ideal configuration all the same.

• No password policy in place - any password was permitted, including a single letter; as Troy points out the demo video uses "qwe", and judging by his article, the obvious choice of "cloudpets" was common.

• No notification of compromise - as Troy illustrates through interrogating Shodan, CloudPets knew that there database had been compromised, but made no effort to contact their users. I can't comment on the legal situation here, but it's due to vendors like this that the inbound GDPR disclosure rules look so useful, or so concerning, depending on whether you're consuming or providing a service.

So that's the twelve. There was a couple more that sprang to mind around Threat Intelligence, and more fine grained database security, but they're too wobbly for this piece.

So what did I miss? Did I catch everything? Suggestions for what else they did wrong are welcome in the comments below.

And do sign up for Troy's haveIbeenpwned.com website too.

A short blog this time, which events should you attend as a budding penetration tester?

There's a great list here on cyber.uk of all the relevant UK conferences - the only thing I'd add is that the dates for BSidesLondon have been announced.

So once you're at a cyber security conference, how to make the most of it? Talks are always important, they can be great chance to learn a lot about a subject in a short amount of time. But do make a point of making contact with new people in-between or outside of the presentations, what people tend to call "CorridorCon".

As with any experts cyber security people will tend to dislike uninformed questions, so "how do I learn to hack?" or "who will pay me the most?" or "you use Windows, you must suck" won't go down well. However if you're obviously put in some effort, and ask "I really enjoyed your presentation, I'm interested as to why you advocate X not Y" or "I'm looking for a company to work for over my holidays, and I'm wondering whether to contact Weyland Industries or The Umbrella Corporation, who should I consider?", you're much more likely to get a response.

Be interested, be interesting, and have your contact details ready to pass on, and a day spent at security conference can make all the difference to starting your career in the right way.

So, you want to become a penetration tester, where do you start?

Introductions

Really the place to start is Robin Wood's two "Breaking in to Security" blog posts, which are here and here.

After that watch this great twenty minute interview with John Carroll on what it's like to be a penetration tester.

Now you have some context, work through "Start In InfoSec", put up by Rob Fuller, also known as Mubix. His Twitter feed is here: https://twitter.com/mubix. There's a considerable number of resources there, don't be afraid to pick and choose, move on to the next entry if the subject matter or the tone isn't relevant.

There's also a lot of information listed in "Getting Started in Information Security" on the netsec sub-reddit wiki here: https://www.reddit.com/r/netsec/wiki/start. While not directly useful this is handy to see the breadth of the subject matter, and what resources are available. Overall "/r/netsec" is worth your time as long as you aggressively filter. The regular hiring threads, while mainly focused on North America, are also worth following.

Attack Platforms

Kali is definitely the attack platform that many penetration testers use, and the most common. However it's also worth looking at BlackArch .

I would recommend running these as a virtual machine, however if you're looking at attacks at Layer 2, such as VLAN Hopping, you may have issues and ideally you'll run your attack platform directly from your laptop.

There are other platforms available, and also you may prefer to "roll your own" rather than having the platform maintainer decide how you work and what interface you use.

Offensive Tools

Depending on where you'll focus as a penetration tester you'll either need to become very familiar with very few tools, or at least have an understanding of a wide range of tools. These are good ones to start off with:

• Nmap - the industry default for port scanning.
• Nessus - this tends to be the vulnerability scanner that companies will use, and expect you to know.
• Metasploit - a well maintained collection of attacks and an industry default.
• Nikto - useful to see just how simple some tools can be, and the strengths and weaknesses of that approach.
• SqlMap - SQL injection is still a major weakness on websites, this program automates exploiting it.
• Burp Suite - the free version is enough for you to get the hang of this software, which is an industry default for web application testing.
• Kismet - for analysis wireless networks.
• Aircrack-NG - for testing wireless networks.

Targets To Attack

Of course you should only be attacking systems that you control, and have authorisation to do so. I always think it's much better to attack something locally that you're running as a virtual machine rather than to attack a Virtual Private System ( VPS ) you've paid for on the Internet. The best resource I've found is Awesome Cyber Skills as a list of systems to download, or access online.

Other Notes

As per my presentation, if you're interested in physical Social Engineering look at films such as Sneakers or the TV series Leverage just for flavour, look at the YouTube videos of Jayson Street and Johnny Long to see how professionals do it. Also check out the "career" of Karl Power and the book "The Complete Guide To Gatecrashing" to obtain interesting and entertaining insights into what's possible, and the mental challenges involved.

I expect similar examples of real world security failures to be present in Channel Four's "Britain's Greatest Hoaxer" documentary, which is on this week.

For real world examples of where this is important, look at the "KVM Hack" of Santander, and much more recently, the taping of members of the Republican Party...

If you have a problem with drop down menus for certain programs ( in my case kdenlive and virtualbox ) not displaying their drop down menus in xmonad it might be this issue:

https://github.com/xmonad/xmonad-contrib/issues/73

The workaround proposed by geekosaur in that bug report appears to work for me, after about ten minutes of testing.

However if you've followed the usual introductions to xmonad you'll need to change "workspacen" for "myWorkspaces", as looking at this online paste that appears to be what geekosaur calls their workspaces variable. ( It might be a "variable", I don't know Haskell ).

So copy and paste this text into the appropriate place in your xmonad.hs file, and restart xmonad:

-- @@@@@@@@ HAAAAAAAAAACK
setWorkArea :: X ()
setWorkArea = withDisplay $ \dpy -> do
    a <- getAtom "_NET_WORKAREA"
    c <- getAtom "CARDINAL"
    r <- asks theRoot
    io $ changeProperty32 dpy r a c propModeReplace (concat $ replicate (length myWorkspaces) [0, 26, 3840, 1028])