Monday, December 11, 2017

New Ready Player One Trailer

This dropped while I was out of town -

From what I have read Ernest Cline seems to like the adaptation, but to me it seems to completely bastardize the book.

Thursday, November 30, 2017

I am now officially a CISSP, Bow down before me peasants

no seriously, just line up and start bowing. 

OK, maybe you don't have to bow, but a little scraping might be appropriate.


OK, well still got the email this morning confirming that the endorsement / approval process was complete and my application to become a CISSP was approved.  Since I took the test 5 weeks ago I was pretty happy to finally get that, especially since I was the only FTE Security Analyst in the office who wasn't a CISSP.  Now the embarrassment of that situation is gone so all I have to worry about is being old, fat, and somewhat stupid.

Tuesday, November 28, 2017

God, I suck at this blogging thing... (but let's talk about Artemis and the S4 conference anyway)

I used to be so good at updating content, now it seems I never have anything to say.  Of course a lot of people may find that to be a plus, but that's beside the point, I have a perfectly good platform for running my online mouth and I never use it. 

OK, enough self-flagellation.

First topic of conversation today - Artemis by Andy Weir

Artemis is the second novel by Andy Weir, author of The Martian, and shares a lot of the same virtues; a self-reliant hero who wisecracks their way thru crisis after crisis, a subtle anti-authoritarian- pro-libertarian take on government and bureaucracy, and (what seems to me anyway) so pretty sound science and engineering principles behind the story.

All that works for me mostly, but the story falls just a little flat.

First, we've seen it before, in The Martian, and frankly the character was more likable and more believable.  Not that Jas (the heroine) is actually unlikable she just doesn't feel as right as Mark Whatley.  Maybe because she spends a good portion of the novel actively trying to alienate people.  Until she needs them that is and then she smiles and all is forgiven.  It limits her appeal.

Second, the story is set in two small an ecosystem.  I can't go into a lot of detail, but we are talking about an enclosed city of 2000 people and all these shenanigans are taking place, and everyone is basically clueless.  Some of this is intentional but still - there is no way this woman should be getting away with half the crap she does.  I kept thinking that and it distracted me from the story quite a bit.

Finally, why did this story even take place?  And I don't mean why did Weir write the book?  I mean why is the story there to be told?  Why does Artemis (the city name) exist.  Kenya Space Corporation (KSC) built a colony on the moon, but why?  It doesn't seem to serve any purpose.  It just didn't make sense to me.

Despite those misgivings and the fact that the main character is a super-genius who does calculus in her head and teaches herself advanced materials chemistry over breakfast, I actually did like the story.  Jas, despite the flaws I noted above, is mostly likable, and the humor is pretty much my speed.  Smart-assed and mostly self-deprecating.  If you can ignore the flaws I noted, the story mostly holds together, and the style is easy to read.  All in all I liked the book, warts and all.  It was a pretty good second effort. 

Next, let's talk about the S4 conference.

How the hell have I never heard of this conference before?  It relates to an area I work in, it's put on by some big names, and it's on the beach in Miami.  All things that should have attracted me.

Oh wait I am an anti-social buttwipe, that's why.  Well that cost me in this case.

Seriously I have only recently started attending conferences / training again after a many year layoff because of lack of funds / contractor status and a general lack of interest.  I wish I had started sooner because this sounds like it is a well put together deal:

Good Speakers
Clear Vision - (something a lot of conferences lack)
Good CTF (or at least it looks that way to me)

and of course the beach

I'd love to go.  Question is can I afford it, and is it a better opportunity than South by Southwest neither one is going to do much for me career wise.  In the case of SXSW I have nothing in common with any of the participants I would be going solely for the experience.  In the case of S4 I have some stuff in common with the people putting it on and presenting, but I am so far down the food chain in that world I would just be attending out of interest (and for the beach of course).

Dilemma, Dilemma.

Oh well, here is some music to help you help me decide

Wednesday, November 08, 2017


Not much going on in Chad-land.  At least not anything interesting, but I'm keeping busy:

  • Working on my CCNA-Security, have that exam scheduled for December 2nd.
  • Started the ICS 515 - ICS Active Defense and Incident Response Course.  This is the precursor to the GIAC Response and Industrial Defense (GRID) eaxm and certification.  My goal is to take that test by Feb. 2018.  (A little side note here - yesterday at work we were looking some stuff up, because we have a lot of people going through different SANS class at the moment and we were curious where they overlap, and I noticed that despite all the hype about the need for ICS security professionals there are only 1500 people who have taken and passed the GICSP (me included) and only 81 who have taken and passed the GRID.  I'm not sure if that means the problem is overhyped or if it means the training isn't getting enough exposure, but there seems to be a disconnect.)
  • Still plugging away on the OSCP - which has gotten me thinking there needs to be an OSCP like cert for industrial networks.
  • Gathering material for the GIAC Critical Infrastructure Protection exam, which they will start offering in Feb. 2018.  I haven't decided whether or not I am going to take the SANS course yet.  

On top of this of all that I have a trip to Austin planned for Dec. to take the SANS SEC 560 course.

Yeah, yeah I know this reads like a SANS fanboys wet dream, and that I have been critical of SANS in the past, mainly because of the cost, BUT, the training is good and work is paying for the two SANS courses so I would be a fool not to take them.  The goal is to have all three SANS ICS certs by the time DefCon starts next year.  It doesn't mean anything, other than it will make me super-sexy at the Vegas pool parties, but it's something to strive for.

Monday, October 30, 2017

Rum, Sodomy And An Unmet Patch Schedule - Life In Cybersecurity Today - What I am reading 10/30/2017

LAGUNA BEACH, Calif., Oct 18 (Reuters) - Two of the technology industry’s top startup investors took to the stage at a conference on Wednesday to decry the power that companies such as Facebook Inc had amassed and call for a redistribution of wealth.
Altman and Maris offered few details of how to accomplish a redistribution of wealth. Maris proposed shorter term limits for elected officials and simplifying the tax code. Altman has advocated basic income, a poverty-fighting proposal in which all residents would receive a regular, unconditional sum of money from the government.
They're right that companies like Facebook have accumulated far more power and social influence than AT&T ever had, but I don't see where their proposed solutions do anything about that.  AT & T was kept in check because it was a regulated monopoly.  Then when conditions changed it was broken up.  If you are truly concerned about Facebook, Google etc. those ore the solutions you should be looking at.

BBC - NHS 'could have prevented' WannaCry ransomware attack -
NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said.
Speaking on the same programme, former chairman of NHS Digital, Kingsley Manning, said that a failure to upgrade old computer systems at a local level within the NHS had contributed to the rapid spread of the malware.
He said: "The problem with cyber security for the NHS is [that] it has a particular vulnerability... It's very interconnected so if you get an attack in one place it tends to spread."
Of course, all of this could have been avoided if security patches had been applied to protect the Windows 7 systems common throughout the NHS. Once again, there had been warnings sent out by NHS Digital, but many trusts failed to act upon them - though in that they were no different from many organisations around the world that were also hit.
 This report was filed by the "Water is wet" department.  Every single serious list of cyber-security precautions - CIS Top 20 Critical Security Controls, Australia's NSD Top 35 Security Controls, NSA Top 10, etc - What's always in the top 5 of the controls?  Patching.  What's always one of the major areas of failure when an attack like this hits?  Patching.  Just patch you morons.

Speaking of Patching...

Dark Reading - Why Patching Software is Hard (a two part series) -

Technical Challenges 

  • Tracking Devices, Applications, and Software Libraries
  • Updating Critical, Complex, and Legacy Applications

Organizational Challenges 

 the reality is there are many organizational challenges preventing best practices. To solve the problem and not just point fingers, companies should look at the teams and individuals involved with patching and identify potential blockers. The following is a list of the roles that may be involved in patching, and what challenges they may face.
Patching needs to be a priority. It takes time and money from other important projects that offer more immediate and visible value compared to protection against a potential threat. 
The two articles together are pretty good and present a fairly balanced picture of difficulties associated with a large scale patch management program.  Still, by far the biggest obstacle is, in my opinion a lack of understanding of just how critical timely patching is.  Number two is lack of organizational will.  The technical challenges can be big but they are also controllable, because they are technical in nature.

Sunday, October 29, 2017

I am a glutton for punishment - just registered for CCNA Security

I know I said I was going to be working on the OSCP, and I am, but I have a commute that has me on the train for about 90 minutes a day.  I find it hard to concentrate on OSCP stuff during the commute so this will eat up that time. 

Oh, and bonus - I take the exam the day before I fly down to Austin for SANS SEC560 (Network Penetration Testing)

Saturday, October 28, 2017

Passed the CISSP exam - so now back to OSCP

at least provisionally they say to allow 2 to 5 days for review.  Now I just need an endorsement and that is an item off the bucket list. 

New Ready Player One Trailer

This dropped while I was out of town - From what I have read Ernest Cline seems to like the adaptation, but to me it seems to completely ...