Son Of Sun Tzu

To content | To menu | To search

Monday 2 July 2018

Lessons from the Legion - references from my presentations at Snoopcon and DC4420

Further to my presentations at Snoopcon and DC4420, please find a list of the most relevant references.

I'm flattered by the interest I've received, if my ideas had coalesced sooner, and I'd have expected such a response, I would have done this in advance. Thank you for your patience.

I've categorised references by type, kind of, I figure that's the easiest way for people to navigate this. Constructive feedback always welcome.


"Bullshit Jobs" is by David Graeber, there's a description here

"It's Football, Not Soccer" is by Stefan Szymanski and Silke-Maria Weineck. I haven't read it, I just spotted a tweet. The book is here:

The Numbers Game by Chris Anderson covers Strong Link and Weak Link games, and well, actually, I should buy this and read it, but this article covers all you need to know:

Blog posts:

Log Blog - Tim Brown's blog on incident response issues can be found here:

Rapid 7 on the number of CVEs is here:


Blinky Boxes - Frasier Scott's presentation on threat modelling has slides here: I think this is part of his current repetroire, so best caught live of course; or seeing as he's in DevOps, it'll have iterated several times already.

CTFs - The Last CTF Talk You'll Ever Need from DEFCON 25, is here:

CTRL+Break The OODA Loop by Abel Toro of Forcepoint from BSides London 2018 isn't up yet on their channel ; it was on Track 3, I'm hoping that was recorded... or that Abel will be giving the presentation again.

The Cuckoo's Egg reference was inspired by Paul Midian's BSides Glasgow 2018 keynote "Everything You Know Is Wrong" -

Hacker's being needed on the Blue Team comes from Harron Meer's Nullcon Goa 2018 keynote:

Ian Fish - Crisis Management - from CrestCON 2018 - is here:

Incident Response in Your Pyjamas - Paco Hope - Securi-Tay 2018 - is here:

Intruder's Dilemma - is mentioned in this from BSides Munch 2018:

Penetration Testing Must Die - Rory McCune at BSides London 2011 - is here:

Playbooks - Common Traps & Pitfalls in Red-teaming by Andrew Davies and Jon Medvenics from CRESTCon is here:

Pratchett - Circle City Con - The Network Night Watch, by @munin and @hacks4pancakes, is here:

Strategy - John Kindervag's "Win the War With Zero Trust" can be found via BrightTalk here:


The Base of Sand Problem, the RAND report that highlights the problems in military modelling/simulations/wargaming that, for me, resonate with issues we face, can be found here:

The Cyber Resilience Report from KPMG, that really makes the point that preparation is key, can be found here:

The Global Risks Report 2018 from the World Economic Forum can be obtained here:

Outpost24's report on their survey of RSA attendees can be found here:

State of CyberSecurity Report - InfoSecurity Magazine - where they highlight regulation can drive security - can be found here:

Seattle Seahawks and other less cybery references:

The article "Bobby Wagner Can See into the Future" is here:

Bobby Wagner's PFF rating is from this tweet: ( as a side note, check out this video on Luke Kuechly, who's also on that list, that's basically team-mates and rivals saying how smart he is )

Fewest points allowed - this ESPN article summarises it nicely

Introduction - the quick cartoon shoulderpunch is taken from this introduction to the game:

Kam Chancellor - I think this video sums up what he provided in the narrow focus I use, you may recognise part of it: ( as a side note, while I don't think it's relevant to the analogy, Kam Chancellor appears to have retired - update on 3rd July: this is a good video summary of what he provided to the team )

Legion of Boom - there's a nice retrospective that's just a five minute video:

If you want an emphasis on the boom, watch this:

My main source for Pete Carroll's philosophy, in many senses of the word, is here: ; I have a lot of reading to look forward to.

If you want to see just how many players there are on a team then you'll see the Seahawks roster here:

Tackling video - the Seahawks 2015 video summarising their technique is shown here:

Olivia Jeter, Defensive End for Blandensburg High School, is covered in these videos: and Yes, I do realise that those videos are from 2014, but she provides such great soundbites, I must find out what happened to her.

YouGov's survey on British interest in various sports is here:


Grugq being unimpressed by deception technologies is here:

Jeremiah Grossman on the Kenna Security report, highlighting 2% of vulnerabilities are exploited, is here: I've got into interesting discussions on how true or untrue that figure may be, watch this space.

Vincent Yiu on recruiter messages on LinkedIn is here:


Bananas - Chiquita using pharmaceutical packaging is detailed here:

Banks using mobile phone companies ... dammit, I had a single reference, which I think was a line or two in an article I had to use to source, but looking for "banks learning from" online there's many industries and many examples.

Bartle's Taxonomy of player types is taken from this: is, well, here:

The Caffrey Triangle is mentioned here , I've had it explained to me in person, we all need to be talking about this a lot more, in both cyber security and wargaming.

Cyber Resilience - Phil Huggins' Black Swan Security blog is here:

Cyberscape - the amount of tools we have, is taken from Momentum's cyberscape:

Dentistry using space technology is here:

Emergency response - the three element model can be seen is some detail here on the College of Policing website:

Francium - my main inspiration for choosing the element Francium is here:

HorseSenseUK - Equine Assisted Education - can be found here:

Incident Response, the four stages - I detailed that in this blog post:

Incident Response Timelines - this is taken from the Logically Secure website, and can be found here:

Intruder's Dilemma - I think the first reference to it from Richard Bejtlich is here:

MWR - the TechCrunch article I refer to, where F-Secure note the need for offensive capability, is here:

Naval - Paul Raisbeck, who uses his naval experience in what is loosely described as management consultancy, can be found here: , and a relevant piece by him here:

OODA loops are basically described here, but again, please pay me to research these concepts:

Playbooks, Rick Howard, the CSO of Palo Alto, on the small number of opponent's playbooks:

Practice - "any incident response plan is only as strong as the practice that goes into it" is from Mike Peters, Vice President of RIMS, the industry body for Risk Management. Best to search online for that specific quote and use whichever source will look best in your board level presentation.

Star Wars - security lessons to learn from Hazel Southwell, can be found here:

TRIZ on Wikipedia is here: and the main British consultancy, as far as I can tell, is here:


Sometimes I get the gist of something and use that. If you know any of these ideas better than I do, meaning that I've missed a nuance, or not read an important reference, please do get in touch. I always appreciate constructive corrections.

Sunday 3 June 2018

Money Making Machines

This is something I've referred to sporadically when talking to people, and I've been meaning to write up for a while... but then I found someone had put it rather well. The best way to make money is to make money making machines. This is explained below.

Meanwhile the original Twitter thread the text comes from is here: ; which I turned into a pretty page by using the Thread Reader bot here: to make it easy for me to cut and paste the text...

How to Get Rich (without getting lucky):

Seek wealth, not money or status. Wealth is having assets that earn while you sleep. Money is how we transfer time and wealth. Status is your place in the social hierarchy.

Understand that ethical wealth creation is possible. If you secretly despise wealth, it will elude you.

Ignore people playing status games. They gain status by attacking people playing wealth creation games.

You’re not going to get rich renting out your time. You must own equity - a piece of a business - to gain your financial freedom.

You will get rich by giving society what it wants but does not yet know how to get. At scale.

Pick an industry where you can play long term games with long term people.

The Internet has massively broadened the possible space of careers. Most people haven't figured this out yet.

Play iterated games. All the returns in life, whether in wealth, relationships, or knowledge, come from compound interest.

Pick business partners with high intelligence, energy, and, above all, integrity.

Don't partner with cynics and pessimists. Their beliefs are self-fulfilling.

Learn to sell. Learn to build. If you can do both, you will be unstoppable.

Arm yourself with specific knowledge, accountability, and leverage.

Specific knowledge is knowledge that you cannot be trained for. If society can train you, it can train someone else, and replace you.

Specific knowledge is found by pursuing your genuine curiosity and passion rather than whatever is hot right now.

Building specific knowledge will feel like play to you but will look like work to others.

When specific knowledge is taught, it’s through apprenticeships, not schools.

Specific knowledge is often highly technical or creative. It cannot be outsourced or automated.

Embrace accountability, and take business risks under your own name. Society will reward you with responsibility, equity, and leverage.

The most accountable people have singular, public, and risky brands: Oprah, Trump, Kanye, Elon.

“Give me a lever long enough, and a place to stand, and I will move the earth.” - Archimedes

Fortunes require leverage. Business leverage comes from capital, people, and products with no marginal cost of replication (code and media).

Capital means money. To raise money, apply your specific knowledge, with accountability, and show resulting good judgement.

Labour means people working for you. It's the oldest and most fought-over form of leverage. Labour leverage will impress your parents, but don’t waste your life chasing it.

Capital and labour are permissioned leverage. Everyone is chasing capital, but someone has to give it to you. Everyone is trying to lead, but someone has to follow you.

Code and media are permissionless leverage. They're the leverage behind the newly rich. You can create software and media that works for you while you sleep.

An army of robots is freely available - it's just packed in data centres for heat and space efficiency. Use it.

If you can't code, write books and blogs, record videos and podcasts.

Leverage is a force multiplier for your judgement.

Judgement requires experience, but can be built faster by learning foundational skills.

There is no skill called “business.” Avoid business magazines and business classes.

Study microeconomics, game theory, psychology, persuasion, ethics, mathematics, and computers.

Reading is faster than listening. Doing is faster than watching.

You should be too busy to “do coffee," while still keeping an uncluttered calendar.

Set and enforce an aspirational personal hourly rate. If fixing a problem will save less than your hourly rate, ignore it. If outsourcing a task will cost less than your hourly rate, outsource it.

Work as hard as you can. Even though who you work with and what you work on are more important than how hard you work.

Become the best in the world at what you do. Keep redefining what you do until this is true.

There are no get rich quick schemes. That's just someone else getting rich off you.

Apply specific knowledge, with leverage, and eventually you will get what you deserve.

When you're finally wealthy, you'll realize that it wasn't what you were seeking in the first place. But that's for another day.

Sunday 6 May 2018

Librarian of Experts

I had a great conversation with a friend/coach recently about, well, what to do careerwise, and this subject came up.

One of the things I'd like to be, and I'd like to be paid to be, is a "Librarian of Experts". I've always been naturally drawn to smart people, and I get a thrill out of seeing just how good people can be at certain tasks or skills or challenges; and also I enjoy being able to learn the detail about other's' areas of expertise without having to go through all the learning they've gone through. I naturally think of people in terms of what they know, I think because of, partly, laziness/efficiency - why spend a day figuring something out if someone else could give me the answer in thirty seconds ( I'd reciprocate from my own expertise of course ), and partly it's a chance to have an interesting conversation.

This Neil Gaiman quote has always summarised how I feel about these experts: “Google can bring you back 100,000 answers, a librarian can bring you back the right one.”

However, I struggle to keep track of who I know with expertise in each area, especially if it's not their main or current profession. While my memory isn't great I can usually recall who I know who's proficient in a certain area through a combination of searching LinkedIn, twiiter, and old emails; having some memory that I have a contact who's better at something than I am, or knows more about something that I do, feels like one of the few side benefits to occasional bursts of Imposter Syndrome.

Not only as a profession, but also to make it as easy as possible to discuss potential professions with many others, it would be very useful for me to have some kind of "Capability Matrix" of who I know, and what I could ask them about. This is a requirement that's come up again and again in my permanent jobs, figuring out who in their team can do what, but often the answer is just a half-thought out Excel spreadsheet that only works in very limited disciplines, penetration testing for example.

So if I want some kind of index of talents in people, how do I classify those talents, where do I start? For all of human knowledge how do I classify what people know in a reliable and repeatable way. I figure the Dewey Decimal system ( ) is a start - also it might have established rules for dealing with people/books that fall into more than one category, and established software for computers and mobiles that I can easily adapt from books to people.

For example if you are one of my librarian friends you'd be under 26.026 I believe.

Thank you for your time, my questions are:

  • Is this a good business idea? Even as one of many simultaneous professions? ( I've only seen this is one place before, the company Chime Advisors )
  • Is this the best way to classify people's expertise?
  • I wonder how to deal with people being experts in multiple areas, and so falling into multiple categories?
  • Is there any free software, that works across computers and mobile devices, where this information could be stored?
  • Is there a better solution I've missed?

All suggestions welcome.

Wednesday 4 April 2018

Grabbing all the right cookies from the Burp Pro cookie jar

This solution works for me, on Kali Linux, using my keyboard; as always, YMMV.

In Burp Suite Pro:

  • Select Project Options from the tabs along the top
  • Select the Sessions tab
  • Scroll down to Cookie Jar
  • Click "Open cookie jar"
  • Ctrl+A to select the entire contents
  • Ctrl+C to copy all of those content

Now go to a file open in your favourite text editor. For me this is a file open in vim within a the gnome terminals Kali uses.

Ctrl+Shift+Insert to paste the contents of the clipboard into that file.

Now run this command, and you should have a list of cookie names you can work through:

grep <target domain> <name of file> | tr -d "/" | cut -f 3 | sort | uniq

Saturday 24 March 2018

Trying to watch the NFL Network on a KODI system, running in virtualbox, using a USB screen as the output

Yet another niche blog post that only one person will read, but maybe I will save them an evening.

I have an HP Workstation as my new desktop PC, so I'm now only a couple of generations behind in hardware, rather than ten years old. So with the increased memory and processing power, I thought I'd plug my iMo USB screen into it, pass that through to a VM running in virtualbox, and run kodi on that. It's much easier than trying to make the USB screen run under my main Arch Linux and not interfere with the other four screens I've already set up.

( also easier than making it work on a Raspberry Pi, which I tried here:

Considering the time of year in the NFL season, there's a lot happening in free agency and the draft is coming up, so really the reason I wanted to run this was to have the NFL Network playing in the background so I can keep an eye out for headlines.


Attempt 1

Set up: Debian buster, because I know the USB screen just works with Debian.

Reason it failed: NFL Network live streaming ( but not the games apparently ), needs the InputAdaptive and RTMP functionality of KODI to work. It turns out the relevant kodi packages for this haven't been in Debian since Sid.

Attempt 2

Set up: Alpine system, because I like Alpine because it's so small and fast.

Reason it failed: I just couldn't get the keyboard and mouse to work on Alpine once I started X. I tried hard, but not that hard as Alpine has no drivers ( "udlfb" ) for the USB screen anyway, I just wanted to get something working.

Attempt 3

Set up: Linux Mint 18.3. Mint tends to "just work" in general, and is one of the easier Linux distributions to get started with.

Reason it failed: Mint was weird... it would boot in the virtualbox monitor, then the Linux Mint graphical boot screen would appear on the USB monitor, but then the Mint interface would only show on the virtual monitor in virtualbox. This system was then unable to "see" the USB monitor at all, even after removing the specific entry to blacklist the udlfb driver in /etc/modprobe.d/blacklist.conf

Attempt 4

Set up: OpenELEC, installed by converting the OpenELEC img file to a vdi file and booting from it.

Reason it failed: As I suspected already from online forum postings, but I wanted to check with the latest version, OpenELEC doesn't appear to support the virtualbox virtual graphics card, so this didn't get anywhere at all.

Attempt 5

Set up: Windows 10 VM with Kodi installed, it worked well, although it took a while for the system to get the iMo screen drivers installed. For Kodi on Windows the relevant InputAdaptive and RTMP functionality just comes as part of the install package.

Reason it failed: Well... it kind of failed. I could actually watch the NFL Network streaming live using this, but from a quick look at the output of the htop command it was taking a lot to make this happen.

Other Notes

The mouse and keyboard use on this is weird, in general the virtual machine would boot, "transfer" the screen to the USB monitor, but then I'd operate the mouse on the USB screen by moving it around the, now blank, monitor being shown by virtualbox on my PC. On the Linux Mint solution the mouse and keyboard didn't get picked up, but after a reboot or two... it did. As you'll have seen above, it just wouldn't work under Alpine.

On Windows I only got as far as running that will two screens, and sometimes the mouse with be on the monitor being displayed in virtualbox, and the USB monitor, at the same time. I would have been tempted to play with that more except htop was showing how hard my PC was having to work.

Any constructive comments welcome...

Tuesday 6 March 2018

How not to fix the Lenovo Computer Stick 300

A friend was using a Lenovo Compute Stick 300, but a Windows update rendered it inert, as it wouldn't boot they passed it on to me to take a look.

( TL;DR - I couldn't fix it, I'd be tempted to avoid this form factor in future. )

So I had a go at fixing this, using as a sort of guide to the hardware.

I removed the BIOS battery, as advised in a URL I didn't note, which meant I could get it booting into the BIOS or the Windows recovery options.

However plugging the battery in, and trying all the Windows recovery options, and this fix , didn't fix the device. The device still shows the Lenovo logo for a bit, then just powers itself down, or hitting the hotkey gets me to BIOS / Windows recovery options, which all fail in the same way as they did when I removed the BIOS key.

A few notes if you've stumbled across this blog post and want to see if you have more success:

  • The "hotkey" needed to get into the BIOS or Windows Recovery Partition is F2.
  • The "top" is the bit with the Lenovo logo sticker on, the bottom is everything else, including the "vents" on the sides, you'll see the join.
  • It's the only way to do it, but separating the top from the bottom using a screwdriver will mash the plastic.
  • You will need to use considerable force to pull the top off the bottom once you've got the top mostly off the bottom.
  • To disconnect the motherboard from the end of the casing opposite the HDMI port you'll need to lift off the large sticker that covers the bottom.
  • With the USB key plugged in with the new UEFI files it seemed a bit random as to what pressing the hotkey actually took me to.
  • On that second URL, note that you'll need to type "fs1:", with a colon at the end, not "fs1", as per the instructions on the page.

But as I say, after all of the above I'm only slightly farther along than I was when I started - I can boot into different recovery options, but they don't help.

I'll have a crack at putting Linux on it at some point, but right now this is going to the bottom of the "to do" pile.

Wednesday 17 January 2018

Fans specifications in an HP Z600

Making a mockery of RSS I'm just posting this because it's bound to be of use, to someone, on the Internet, once.

  • Double pair rear fans - 12V 0.6A 92mm wide, 25mm deep - both have 4 pins but are amalgamated in the shroud into 6 pins coming out - max rpm 4042 from Thermal option in BIOS, marked as "chassis"
  • Front bottom fan - 12V 0.24A 4 pins, 80mm wide, 25mm deep - uses plastic clips not screws, so will need replacements for those if you replace the fan - fan with my Z600 with can't be oiled, max rpm 3158 from Thermal option in bios, marked as "PCI"
  • Two separate processor fans - 12v 0.40A, 80mm wide, 15mm deep - can't be deeper due to mounting
  • Top / Memory fan - 12V 0.50A 80mm wide 25mm deep - fan says 495659-001 on it, shroud is 468628-001 - marked as "memory" in Thermal section in the BIOS
  • Small fan - 12V 0.15A 4 pins - 40mm wide, 19mm deep - I think max rpm 8438 from Thermal option in bios, marked "chipset"
  • Power supply fans are 2 x 60mm x 25mm according to HP website

If you can advise on OEM replacements, especially quieter versions, comments are welcome. Note that all of the fans appear to do a speed test as the machine starts.

Saturday 2 September 2017

Bluetooth keyboard reviews

I've had a bunch of Bluetooth keyboards kicking around for ages ( I suspect at least two years ). I've only used a couple of them a couple of times, so I've finally decided to give them a quick try-out - so I thought I'd put those reviews up here in case they turn up in an online search and someone finds them useful. But they have been sat in the To Do pile for quite some time, so make and model are best guesses.

Note that I just typed on each one for three lines or, while sat properly at a desk, within two feet of the Android phone I was using for testing.

If anyone's intrigued by any of these but wants to confirm whether:

  • they remain connected for more than a few minutes
  • can they hold a charge for a day
  • they have any specific functionality you're after for Unix / terminal usage
  • the specific placement of specific keys

do say so in the comments and I'll figure that out.

Some crappy Bluetooth thing off eBay

Bah, I can't find this in my order histories online, it looks like this:

I don't know this specific make and model so all I can say is to avoid the really cheap stuff. While this did appear to replicate what I typed on the screen it has a weird double space bar, the keys feel genuinely awful, and the USB power connector is Micro A.

Anker TC320

So that'll be this one: - do note that searcher for this model will actually bring up a newer version.

Works nicely on my Android phone, pretty big size, and I had this one relatively loose in a large bag, so the middle is something like 2mm higher than the edges, but it still works. OK if you want a decent size keyboard, but you'll want it in a firm bag.

EC Technology Foldable Keyboard

I think it's this, or close enough:

This is reasonable enough to type on - it's essentially a "meh" keyboard, which is the best you can expect from something portable. Also it folds up nicely and appears to be suitably rugged, so something that will slip into a pocket or smaller bag.

Note it doesn't have a right CTRL key, which just might be important to you. Also the layout is, er, American, I think.

Zoom Bluetooth Keyboard - Series 1087 - Model 9010

Pretty sure this is this one: ... hmmm, this was left on a low power charger ( 500mA or so ) overnight, then left switched off for a few days, and had no charge left. It has a row of media keys along the top, with what I think are a "home button" key and a "lock screen" key.

Seems rugged enough too, not sure about that charge going away. Also bear in mind the power socket is USB Mini-B, not Micro-B.


A bluetooth foldable keyboard - which will look like this:


The key positioning is too weird on this one - the EC Technology foldable keyboard is OK because it folds a quarter of the way in from either end, this keyboard folds in the middle - which means the centre of the space bar I tend to hit is the join, the right shift is in a weird place, and the placement of the keys in the middle detracts from ease of use. Only the foldable keyboards will fit in the smallest of my bags, along with a phablet and a spare battery... so I like the idea of them, but they don't seem to work in practice, at least without spending more money.

Palm Universal Wireless Keyboard

This . Not a Bluetooth keyboard, just an illustration of what I had lying around in the "must figure out what this is" pile ;)

Saturday 1 April 2017

How to run Xbian off a USB display on a Raspberry PI

The short version


The long version

( I've not gone into too much detail, I figure the only people who'll stumble across this are either considering the same solution, or troubleshooting their own attempt )

I had a Raspberry Pi 2, it's a "2+" I think, running Xbian. Xbian is a pre-built version of Kodi, the popular media player that used to be called XBMC. No X server is used, Xbian turns your Raspberry Pi into a media player with relatively little effort.

Having acquired a couple of USB screens over the years I thought it would be useful to connect one of these screens to the Pi, just so something like BBC News 24 or the NFL Network could run in the background to the side of my main monitors, or a Twitch channel.

So I connected a Mimo USB UM710 monitor and rebooted the Pi. This came up as a green screen, which means that the udlfb driver has loaded; and from the command line I can see that I have "/dev/fb0" and "/dev/fb1" - meaning that two framebuffers are available.

However I couldn't find any way within the Xbian interface to direct Xbian to use /dev/fb1, nor any kind of option to specify this in any of its configuration files.

I tried using the con2fb tool to redirect a different console to each framebuffer, directing tty1 to the USB monitor, in the hope that Xbian was starting on tty1 ... but still running "kodi start" from the command line brings up Xbian on HDMI.

I looked at somehow disabling the first framebuffer, but to no avail; the relevant bcm2708_fb driver is part of the kernel, and there's no way to stop it being used. Also I don't know if that functionality is required to generate that graphics that are then sent to the USB monitor using the udlfb driver. I expect that a Raspbian kernel can be compiled that doesn't include this functionality, but I decided that for a relatively simple system, which I'm trying to use in an "plug and play" way as possible, compiling my own kernels was a step too far, especially as I had no idea if the solution would work or not.

Also, ideally, I would be able to switch this device from using the USB screen to an HDMI screen with a few commands.

( As a side note, if you're looking at this in general it's worth researching the "chvt" and "" commands online )

On further research it turns out this is a common issue for people trying to extend their use of a Raspberry Pi.

That research did lead to a couple of possible solutions, these are framebuffer copiers, or mirrors, that copy of the output from framebuffer to another. While not ideal, this could work.

Firstly I tried fbcp but that just didn't work.

I set the Xbian resolution down to 480p to match what the USB screen was capable of, but this didn't make a difference.

So I moved on to raspi2fb instead.

This worked up to a point, showing the output of the first framebuffer at the right resolution, and at something like 25 frames a second. While slightly jerky this was more than enough to satisfy my requirement to keep an eye on the channel. Kodi's BBC News 24 plugin worked fine, the NFL Network worked fine at a low enough resolution ... but both the Twitch and YouTube plugins would crash the entire system. As far as I can tell it seemed that if I attempted to display anything above the resolution supported by the USB screen the Pi would just crash and need to be manually restarted. Also the system was now a little flaky in general.

I tried both 1.0 amp and 2.0 amp power supplies with the same result.

In the end I gave up, and decided I'd try something else to get Xbian on the USB monitor.

However having disconnected the USB screen, and tried using the Raspberry Pi on an HDMI monitor again, it's crashed after a few minutes. I'll be seeing if there's some kind of software diagnostics I can run to spot any obvious problems - it feels like something the community will have written already.

So in the end I have a Pi that appears to be broken in some way, possibly a result of how many USB devices I plugged into it at once - suggestions for easy ways of running hardware diagnostics are welcome in the comments below.

Sunday 26 March 2017

Notes on Incident Response from the SC Congress

I had the pleasure of attending the "Do Data Breaches Matter? Mitigating Impact" session at the SC Congress last month ( details here ).

The panel consisted of:

  • Beverley Allen CISA, Information Security Professional, Independent|
  • Bob Tarzey, Analyst and Director, Quocirca
  • Sarb Sembhi CISM, CTO CISO DPO, Virtually Informed

There were some great points made on incident response, which I've summarised below:

The stages of incident response

The actions that result from an incident being detected and becoming a breach fall into the stages below:

Stage 1 - The company wonders why it's been attacked, is in shock to discover it has been successfully compromised.

Nothing happens during this stage.

Stage 2 - Staff ask "What do we do? What's the plan? Where's the plan?"

A lack of leadership will be shown up here.

Also people will think they know better than the plan and will act independently.

It will be illustrated that the plan has never been tested and does not work in practice.

Stage 3 - Dealing with the breach

I.T. teams are likely to take control of the situation because the compromise will be I.T. based, and they will fall back on, or create, informal processes if no formal processes are available.

Internal teams may make land grabs during incident response, or actively avoid responsibility in order to avoid blame, both responses are counter-productive.

Stakeholders will want updates during the incident and afterwards, this capability should be planned for.

Everyone has a role, even if that role is staying out of the way.

Stage 4 - After the breach has been resolved.

It is important here to review the actions that took place in the previous stage, so that the breach can be learnt from in future. If an ad-hoc response method was used it's extremely unlikely that sufficient information will be available.

While the impact on share price and customer trust can be insignificant over the longer term, don't underestimated the impact on staff morale on the long term viability of their employer, also that scrutiny by regulators and auditors will be intense and ongoing.

Stage 0

Not a term that was used on the day, but looking at the stages above much of the conversation covered what was required before an incident response plan had to be initiated:

Part of thinking ahead is determining who is in charge of the breach response, and who should be contacted, and how.

This is the most important stage to get right, and is the foundation for best practice for all the other stages.

Companies don't have time to be breached, so make time now for your preparation - Sarb Sembhi.

"You have to do all of your thinking up front, test it, and test it again" - Beverley Allen.


Hacking For A Career - Drinking From The Firehose

( NOTE - this should have been published six weeks ago, apologies )

A short list of which podcasts to listen to, and which blogs to follow. These are just a few entries to get you started, there's a lot of information out there, learning how to filter it to what is relevant to you is a very useful skill.


Risky Business - particularly the first twenty or so minutes covering the main stories of the last week, but also the interviews tend to be worth your time. Find it here.

SANS Internet Storm Center - released daily, and just a few minutes long, a quick way to be bang up to date with security news. Find it here.

Down The Security Rabbit Hole - good coverage of recent news, or an in-depth look at particular issues. Find it here.

The Silver Bullet Podcast - particularly useful just to get an insight into the "names" from cyber security you'll have seen online or presenting at conferences. Find it here.


I went through my RSS reader and pulled out those few blogs that would be the most useful to anyone entering the industry:

For thoughts on penetration testing by working penetration testers try Holly Graceful, Carlos Perez's Dark Operator, and Digi Ninja's blog,

For a wider perspective of information security go to Black Swan Security, Michael Santarcangelo at CSO Online, Naked Security from Sophos, or Brian Krebs.

For regular updates on security news and testing tools, try Darknet. While I've found the quality of entries to vary quite considerably, this seems to be the best resource for quickly reviewing the latest news and a useful way of seeing what's out there.

RSA Roundtable on AI and Automation

I recently had the pleasure of attending a roundtable discussion at the RSA on the future of "AI and Automation" in business, particularly among the so-called "low-skilled" workers. Many ideas were discussed under Chatham House rules, and there were a few of my own which didn't fit into the discussion.

A great deal was discussed, but a couple of highlights that I noted down:

  • The definition of Artificial Intelligence itself is tricky, and mischaracterising Machine Learning as Artificial Intelligence can raise expectations beyond what is possible or necessary.
  • "Switching costs" can be huge, with technology developing so quickly organisations can overlook the cost in resource of moving from one technology requirement to the next when the next move is already on the horizon.

The overall discussion prompted a few thoughts of my own, some points I made, some weren't appropriate to the conversation or didn't fit the timescale, deciding which are which is left as an exercise for the reader:

  • A largely artificial workforce, combined with the ever-present threat of ransomware, leads to some very interesting criminal possibilities.
  • With many employees being replaced by automated processes, or actual robots, there is a correspondingly massive increase in the attack surface that any organisation presents to an attacker? It will be much easier to affect or disrupt an organisation when so many more of its resources are on a network, and interact directly with many of the existing security systems.
  • With regard to Fraud Detection an intriguing difference might be that the increasing use of Machine Learning means success or failure of fraudulent activity is far more predictable than human analysts, therefore will it be possible for particularly smart organised crime groups to test their efforts in a safe environment before trying them out?
  • Alternatively will it be possible to steal and/or download fraud detection methodologies and test them offline for weaknesses, so that organised crime can then guarantee the success of efforts in the real world against known procedures?
  • It feels like too much of a "cyberpunk" idea, but if artificial intelligence is used by more and more organisations to detect fraudulent activity, or for other assessments that benefit the profitability of a business - i.e. determining insurance premiums - can criminal organisations use their own AI technology to determine how to bypass the AI of those organisations that they're attempted to defraud?

In the event that you're reading this, and thinking that these ideas have been covered before, and I should read a particular book or article or author, then please do list them in the comments section below.

Monday 27 February 2017

Everything Wrong With CloudPets

I've just read Troy Hunt's excellent summary of the CloudPets breach, and it got me thinking. I'm a big fan of those "movie snark" YouTube channels, something like CinemaSins where they take a film to pieces and list "Everything Wrong With" it. The same kind of idea struck me about this issue, it is the Suicide Squad of security practice; CloudPets didn't make one error, but made several errors which exacerbated the effects of the others.

Cinema Sins

Referencing CinemaSins mean you should be watching a video with high production values but instead you've just got a text only blog that really needs a livelier theme.... but putting that to one side, I think CloudPets committed twelve "security sins". Did I get them all? And bear in mind I've just read Troy's blog, I've carried out no extra investigation myself.

Firstly - what they did get right - the use of bcrypt. Bcrypt is recommended for password hashes as it includes a salt, and so greatly reduces the feasibility of being attacked using rainbow tables.

However, for what they did wrong, in no particular order:


  • Unnecessary Internet connectivity - I assume the MongoDB just needs to interface with the API, which is what interfaces with the phone apps, therefore the database doesn't need to be Internet facing at all.
  • No firewalling in place - just the fact that the MongoDB was exposed to the Internet, rather than any kind of any host or network based firewall being in place.
  • No database authentication - by default MongoDB does not used a password.
  • Using live data in development - as Troy explains, there's no apparent separation between live and development environments or data.
  • Not protecting your interfaces from known bad actors - while isn't necessarily a "bad actor", it does help your security if you block traffic from a service known to index vulnerable systems.
  • No security based email addresses in place - standard email addresses that should be run for each domain are specified in RFC 2142. While some of these are undoubtedly out of date ( usenet@ anyone? ), others, such as security@, should be implemented and monitored appropriately.
  • No network or security monitoring - the database was compromised multiple times and yet CloudPets obviously didn't spot this as they didn't react by securing their systems, or at least protecting the database server from the Internet.
  • Unencrypted data within the database - it strikes me that there could/should have been a clever way to encrypt the data in the database, maybe tied into a particular toy's hardware, or some key derived from the App associated with the toy. As the toy appears to talk using Bluetooth to an App within the same household, as that App acts as a gatekeeper for inbound and outbound messages; a key based on the toy might work. By cryptography standards it would be horrible, a shared key in multiple locations, and that would require little effort for the App to encrypt or decrypt voice data, but certainly better than nothing.
  • No authentication protecting online assets - the profile pictures, voice recordings, and so on are all accessible with knowledge of the complex URL they're hosted at. While not trivial to index this makes them vulnerable. The authentication credentials required are already available to the service, this is omitted simply because the service is so poorly secured.
  • No network separation - from Troy's article it looks like the webserver, the production database server, and the development database server, were either all sitting on the same IP address, the same physical or virtual system, or all were the same physical or virtual system. I assume it's difficult to elevate privileges from MongoDB access otherwise far more damage would have been caused by all the recent compromises, but this is a less than ideal configuration all the same.
  • No password policy in place - any password was permitted, including a single letter; as Troy points out the demo video uses "qwe", and judging by his article, the obvious choice of "cloudpets" was common.
  • No notification of compromise - as Troy illustrates through interrogating Shodan, CloudPets knew that there database had been compromised, but made no effort to contact their users. I can't comment on the legal situation here, but it's due to vendors like this that the inbound GDPR disclosure rules look so useful, or so concerning, depending on whether you're consuming or providing a service.

So that's the twelve. There was a couple more that sprang to mind around Threat Intelligence, and more fine grained database security, but they're too wobbly for this piece.

So what did I miss? Did I catch everything? Suggestions for what else they did wrong are welcome in the comments below.

And do sign up for Troy's website too.

Monday 13 February 2017

The "Targus Wireless Bluetooth Presenter Remote Control & Mouse Cursor", model BEU0564C

In an earlier blog here I stated I was going to use a Targus device that combined the functionality of being a wireless mouse, and a wireless remote control for presenting; rare functionality that is exactly what I was after.

As stated... it does work with Linux, but only for short periods of time. Sometimes it can only last for a couple of minutes before it just kind of forgets that it was talking to something else. This makes it completely unusable for presentations, and essentially completely worthless. Reading through the Amazon reviews more thoroughly, it looks like I'm not the only one with this problem.

I realise the device was on the "cheap and cheerful" side but I expected basic functionality, rather than no functionality.


Suggestions for equivalent but reliable devices would be appreciated in the comments.

Monday 6 February 2017

Hacking For A Career - Which Events To Attend

A short blog this time, which events should you attend as a budding penetration tester?

There's a great list here on of all the relevant UK conferences - the only thing I'd add is that the dates for BSidesLondon have been announced.

So once you're at a cyber security conference, how to make the most of it? Talks are always important, they can be great chance to learn a lot about a subject in a short amount of time. But do make a point of making contact with new people in-between or outside of the presentations, what people tend to call "CorridorCon".

As with any experts cyber security people will tend to dislike uninformed questions, so "how do I learn to hack?" or "who will pay me the most?" or "you use Windows, you must suck" won't go down well. However if you're obviously put in some effort, and ask "I really enjoyed your presentation, I'm interested as to why you advocate X not Y" or "I'm looking for a company to work for over my holidays, and I'm wondering whether to contact Weyland Industries or The Umbrella Corporation, who should I consider?", you're much more likely to get a response.

Be interested, be interesting, and have your contact details ready to pass on, and a day spent at security conference can make all the difference to starting your career in the right way.

Hacking For A Career - Tools You Should Know

This is the next entry in the series, aimed at providing depth to parts of my "Hacking For A Living" presentation.

Further to the packed slide I gave during my presentation, here are the tools you should have a passing familiarity with. Note that these aren't the offensive tools, but the other programs you should be familiar with. Do bear in mind my background is as an infrastructure tester, in my experience of web application testing a lot of the information on the target was within a single application - Burp Suite.

Also, do look at the functionality and integration between up to date versions of Nmap, Nessus, and Metasploit - being able to easily transfer data between all three will enable you to do more testing in less time, making you more valuable as an employee, and more efficient as a tester.

The emphasis below is very much on Unix tooling, if you prefer to test from a Windows system I'd still recommend installing Cygwin to give you access to these, unless you're particularly adept at the Windows command prompt or PowerShell.

System and network monitoring tools

These will help you understand what your own system is doing, any bottlenecks or other issues that mean your system is slower than it should be, or any local connectivity issues causing you problems:

htop, iotop, ip, lsof, netstat, ps

Interrogating remote services or networks

All of these programs are useful for determining that you're on the right network, that you've got the right connection to your target systems, and so on. Also some of them are useful in an elementary way for obtaining information on whatever system or service it is you're attacking:

arp, arping, dig, host, hping2, netcat ( in all its forms ), nslookup, ping, openssl, socat, tcptraceroute, telnet, tftp, tracepath, traceroute, wget,

Terminal multiplexers

These programs allow you to easily manage multiple programs simultaneously, or to keep a session up on a remote system that will survive a break in connectivity:

screen, tmux

Recording your output

These programs are useful for recording your tool output, or network traffic - so you can grab entries from their logs for your report, or demonstrate to a customer what was or was not happening on your testing system at a particular time:

script, snoop, tcpdump, tshark

Sorting, searching, and manipulating output

There's a lot here, and I should stress that you don't need to know them extensively, you just need to know *of* them, and have an idea of how to start using them when necessary:

awk, sed, head, tail, strings, grep, egrep, findstr, cut, sort, uniq, sponge, tee, pee

Recording your knowledge

You will learn a great deal as a penetration tester, and won't have access to old machines or reports or notes when you change employer. For recording wehat I learnt on a test, so I could easily reference it on a future test, I always liked TiddlyWiki. Find something that suits you, but I'd strongly recommend using something digital, rather than a paper notebook - that way you can back up your notes, or easily search through them for a specific entry.

Programming Languages

You can arguably get by as a penetration tester with just a little bash shell scripting, but to really get on with automating your penetration testing workflow do look at advanced bash shell scripting, or Python. If you're going to be attacking Windows systems a working knowledge of PowerShell is increasingly required.


A couple of commands it's worth familiarising yourself with, just so you can ensure the output from your tools, or your notes, isn't accidentally overwritten:

chmod, chattr

And also the text editor "vi", as you'll find it on any Unix system you have access to.

One last thing, familiarise yourself with "man" pages. I always find man pages useful reminders for how a tool or program works, but far less useful in determining why or when I should use it.

Hacking For A Career - What To Learn

So, you want to become a penetration tester, where do you start?


Really the place to start is Robin Wood's two "Breaking in to Security" blog posts, which are here and here.

After that watch this great twenty minute interview with John Carroll on what it's like to be a penetration tester.

Now you have some context, work through "Start In InfoSec", put up by Rob Fuller, also known as Mubix. His Twitter feed is here: There's a considerable number of resources there, don't be afraid to pick and choose, move on to the next entry if the subject matter or the tone isn't relevant.

There's also a lot of information listed in "Getting Started in Information Security" on the netsec sub-reddit wiki here: While not directly useful this is handy to see the breadth of the subject matter, and what resources are available. Overall "/r/netsec" is worth your time as long as you aggressively filter. The regular hiring threads, while mainly focused on North America, are also worth following.

Attack Platforms

Kali is definitely the attack platform that many penetration testers use, and the most common. However it's also worth looking at BlackArch .

I would recommend running these as a virtual machine, however if you're looking at attacks at Layer 2, such as VLAN Hopping, you may have issues and ideally you'll run your attack platform directly from your laptop.

There are other platforms available, and also you may prefer to "roll your own" rather than having the platform maintainer decide how you work and what interface you use.

Offensive Tools

Depending on where you'll focus as a penetration tester you'll either need to become very familiar with very few tools, or at least have an understanding of a wide range of tools. These are good ones to start off with:

  • Nmap - the industry default for port scanning.
  • Nessus - this tends to be the vulnerability scanner that companies will use, and expect you to know.
  • Metasploit - a well maintained collection of attacks and an industry default.
  • Nikto - useful to see just how simple some tools can be, and the strengths and weaknesses of that approach.
  • SqlMap - SQL injection is still a major weakness on websites, this program automates exploiting it.
  • Burp Suite - the free version is enough for you to get the hang of this software, which is an industry default for web application testing.
  • Kismet - for analysis wireless networks.
  • Aircrack-NG - for testing wireless networks.

Targets To Attack

Of course you should only be attacking systems that you control, and have authorisation to do so. I always think it's much better to attack something locally that you're running as a virtual machine rather than to attack a Virtual Private System ( VPS ) you've paid for on the Internet. The best resource I've found is Awesome Cyber Skills as a list of systems to download, or access online.

Other Notes

As per my presentation, if you're interested in physical Social Engineering look at films such as Sneakers or the TV series Leverage just for flavour, look at the YouTube videos of Jayson Street and Johnny Long to see how professionals do it. Also check out the "career" of Karl Power and the book "The Complete Guide To Gatecrashing" to obtain interesting and entertaining insights into what's possible, and the mental challenges involved.

I expect similar examples of real world security failures to be present in Channel Four's "Britain's Greatest Hoaxer" documentary, which is on this week.

For real world examples of where this is important, look at the "KVM Hack" of Santander, and much more recently, the taping of members of the Republican Party...

Friday 3 February 2017

Hacking For A Career - Introduction

I was a penetration tester for ten years, working for a few companies in the UK, and participating or leading hundreds of tests. I also find the overall philosophy behind penetration testing, and pentesters themselves, particularly interesting, so I'm reasonably familiar with how the industry "works" in the UK.

Since moving on from penetration testing I've presented a few times on "Hacking As A Career", a rough guide to being a penetration tester, covering what the career involves, how to get into it, and what to get out of it. The presentation is usually given to Computer Science students in the UK, so that's where my focus lies. It's mainly based on my own experience, but I've made a point of asking a few friends for suggestions for each category.

In the following blog posts expand on this presentation, with references taken from my research and notes, and partly filling in the detail from my slidedeck:

What To Learn

A few references on where to start:

  • which resources to read on breaking into the industry
  • which attack platforms or tools to learn
  • what to attack using those tools

Tools You Should Know

A list of the tools which any aspiring tester should familiarise themselves with in order to make their life easier.

Which Events To Attend

A list of which events anyone looking to enter the industry should attend.

A guide on what to ask, and how to introduce yourself.

Drinking From The FireHose

Which blogs to follow, and which podcasts to listen to - focusing on those that will provide the greatest value in the shortest amount of time.

In particular for this one I'll list relatively few resources as I'm naturally averse to listing everything, pre-curated lists of resources are woefully rare on the present day Internet.

Tuesday 13 December 2016

xmonad issue with drop down menus - workaround

If you have a problem with drop down menus for certain programs ( in my case kdenlive and virtualbox ) not displaying their drop down menus in xmonad it might be this issue:

The workaround proposed by geekosaur in that bug report appears to work for me, after about ten minutes of testing.

However if you've followed the usual introductions to xmonad you'll need to change "workspacen" for "myWorkspaces", as looking at this online paste that appears to be what geekosaur calls their workspaces variable. ( It might be a "variable", I don't know Haskell ).

So copy and paste this text into the appropriate place in your xmonad.hs file, and restart xmonad:

setWorkArea :: X ()
setWorkArea = withDisplay $ \dpy -> do
    a <- getAtom "_NET_WORKAREA"
    c <- getAtom "CARDINAL"
    r <- asks theRoot
    io $ changeProperty32 dpy r a c propModeReplace (concat $ replicate (length myWorkspaces) [0, 26, 3840, 1028])

Friday 9 December 2016

How to remove all notifications of FaceBook user status changes in Weechat when it's talking to Bitlbee

If you're using Weechat to talk to Bitlbee to talk to FaceBook ( or other instant messaging services ), your private message window for each user will be full of notifications that the user has joined or quit.

You can get rid of most of the notifications using this filter line:

/filter add joinquitbitlbee irc.bitlbee.* irc_join,irc_part,irc_quit *

Which is specified here,

However if you do this you'll see get the "is back on server" messages; to remove those as well you want to use this line:

/filter add joinquitbitlbee irc.bitlbee.* irc_join,irc_part,irc_quit,irc_nick_back *

If you want to see those messages temporarily, for example to see if someone is online or not, enable them in Weechat with ALT and "=". Use the same key combination to remove them.

- page 2 of 3 -