Refocusing

When I made this blog, originally I was inspired by a technical writing course I took. I wanted to create a resource accessible to the average home user.

However, in hindsight, there are multiple issues with that focus. Firstly, that’s far to narrow of a focus considering my interests are not that of the average home user. I frankly have no idea what someone like that would find helpful. My husband has begun to accuse me of technobabble, and he’s not exactly clueless about computers. Second, that is far too narrowly focused, and my interests in technology have expanded as I’ve learned more about computing and technology.

What drew me to technology in general was the centrality of internet and computing technologies in our daily lives. We truly live in the Information Age.

Big Data, and Privacy are major issues in our times. My interests are in the social, legal and technological issues presented to the modern person in controlling their data, privacy and maintaining control over their property (software and hardware). The list of things I intend to research in depth in the next year keeps growing and if I ever want to have a meaningful record of progress, and share what I learn along the way, I shouldn’t be narrowing my scope too far.

I want to empower myself and others by increasing access to clear and useful information on technology and privacy but I can’t narrow my focus so much that I never write or kill my own fun.

So, if I can crank out an article on VPNs that my grandparents would understand, awesome. But that doesn’t mean not writing about SQL injection, or routing protocols.

This blog post is really for myself to read in a month or a year and remember that if I want to accomplish my goals, it’s best to write whatever I want now, and edit later. I’ve had a “how to set up a virtual machine” article saved as a draft for weeks! So, I’ll keep notes that I think may benefit others here, and track progress on various projects here, and write how-tos as I go.

This is really my journal. A record for myself, of what I’m learning and would like others to be able to find information on as well. So… here goes!


Advice for first year IT students

          Maybe you always knew you wanted to pursue a career in computing, or maybe computers are a new love for you. But when I started my IT degree I had already put years into a fine art degree. I had no idea how computers, or networks, worked but my curiosity had been piqued by increasing advances in technology and its impact on our daily lives. When I realized how intimately connected my life was with various technologies that were each essentially a black box to me, I had to know more about them!

          Even if you have some experience, you may not be sure where to start, how to prepare for higher level courses or what is expected of you outside of school. Like with foreign language the best way to learn and understand something thoroughly is through immersion and hands on practice. So your first priority should be to get a lot of exposure and have as much fun as possible getting it!

Starting from Square One

This is simply a list of suggestions I would give to myself a few years ago. These are mostly things I’ve been advised to do and have already done myself, as well as a few things I’m working towards myself (like contributing to open source projects and teaching others).

  • Build good foundational knowledge. To understand networking you need to understand at least a little about computers, operatings systems, browsers and networking devices. You may go into shock at the sheer amount of acronyms but trust me, they will seem second nature after a while.
  • Comptia A+ and Network+ exam objectives or test prep books can give you a good idea of what you should know. Comptia provides vendor neutral tests that certify a certain level of IT knowledge and skill. A+ essentially certifies that you have basic technical support and troubleshooting skills. Network+ is a step above and focuses more on troubleshooting and design of networks than A+ does. Even if you know most of this already it’s worth looking into in order to address any gaps in your knowledge.
  • Balance book-learning with hands-on learning. Don’t just plow through a textbook or training manual without trying things out yourself. You do need to understand the general ideas before you can build your own lab but don’t over do theory at the expense of application. Which brings us to…
  • Make yourself a home lab. This is one of the best things you could do for yourself as an IT student. The easiest way to experiment with different operating systems and networking configurations is to set up virtual machines with software like Virtualbox or VMware Player. Virtualization gives you so much freedom to experiment without additional cost. Your biggest limits are how much RAM, storage space, and imagination. Everything makes more sense and sticks better when you go through the process of doing it yourself.
  • Make one of your VMs Kali Linux. Kali is chock-full of hack tools and if you’re anything like me it can make it way more fun and easy to learn how things work. For example, reading about how websites work often makes me want to pluck out my eyes. But fire up Burpsuite to learn how to map and exploit a website and suddenly it’s 100% more interesting.
  • If you have the funds and time build your own desktop. It’s fun, it’s custom and it’s educational.
  • Find technology conferences in your area and go to them. It’s a great chance to see what professionals are talking about and learn from them. Most security conferences have various “villages” focused on different skills like lockpicking, badge building, hardware hacking, social engineering or other areas of interest. You can hang-out and learn something new in a laid back environment. There will certainly be presentations and maybe some workshops, competitions or Capture-The-Flag contests (basically jeopardy style computer nerd puzzles).
  • If there are no conferences in your area, or within driving distance there Your school may  have a computer engineering, information technology, or cybersecurity club you could attend and learn from. There may be Python, Linux, security or otherwise techie meetups you can participate in. Look for your local DefCon group as well [something like DC 123 ].
  • Consider checking out infosec twitter, or finding subreddits in your area of technological interest.
  • Don’t psych yourself out. Often, when I invite someone to check out the security club at school they tell me they are worried they don’t know enough. Everyone feels that way at some point, but the whole point of the club is to learn together! What you’re doing to progress, and whether you have the drive to do so, matters more than what you know at this exact moment. If you put in serious effort, and don’t act entitled to other people’s time, you’ll find there are plenty of people who want to share what they know or are willing to give some general guidance.
  • Come up with projects that are fun for you! Build a website, set up a VPN on your raspberry pi. Consider donating your services to a non-profit to contribute to your community and gain experience. 
  • Find an open-source project you love and want to contribute to and use it to learn to code. It might sound crazy but it can be, and has been done.
  • Learn something teach something.  Whether that means a lightning talk, tutoring, blogging, or starting a club!

          What this whole list really comes down to is relax, explore, experiment, and get involved in the community. If you can have fun and work hard at the same time there is really no limit to what you can accomplish.

Why should I try College Cyber Defense Competitions?

If you are an information technology or cybersecurity student with the opportunity to participate in a collegiate cyber defense competition I highly recommend you take advantage of it. If you don’t have the opportunity to join an existing team I suggest you make one!

Why? Because when you are tasked with defending a network you’ve never seen before, with one hand tied behind your back, while your CIO and CEO demand extensive reports and policies be written while you respond to intrusions … a lot of things start to click. Things that you’ve learned in class, or personal experimentation, get tied together within a greater context. You’ll learn from your teammates and be forced to learn new tools or concepts on the fly. And, if you’ve never been given administrative privilege in a network, not of your own design this is an extremely useful experience.

It’s a really, really bad day at work simulator.

It will test your nerves, communication skills, technical skills, team cohesion, and organizational skills.

You might stress-break-out but you’ll get a hell of a rush when you take back machines.

At some point, you’re going to think the hackers have taken down a service or system and, if you’ve kept good enough change logs, within five minutes you’ll discover that you, or a team member, hurt yourself by overhardening. If you don’t have good enough change logs or your team isn’t gracious and humble enough to absorb mistakes you’re gonna have a bad time. This fear is affectionately and resentfully referred to as The Ghost of Red Team. And it’s a perfect example of how psychological this event is. Unlike an athletic sport, you can’t compare your team’s performance to others, and you may not be sure about your adversaries’ performance either.

Similarly, if your team doesn’t have enough respect for business injects, such as the aforementioned policy writing assignments and reports, you will lose. It’s not the cool job and nobody wants to do it but you will lose if someone doesn’t do it and do it well. Just like you need all your services up as long as possible, you need every inject turned in and done as well as possible.

These competitions are incredible learning experiences and potentially good networking opportunities. In light of that, I’d like to be able to help students who are interested in cyber defense competitions get an idea of what they’re in for and how to prepare. I can’t and won’t get into specific detail about particular competitions. But, I can and will write what I would have liked to know about preparing for competitions in general. Hopefully, it’s beneficial to you.

 

My First DefCon

DefCon 25 was an amazing experience! While I had heard that DefCon could be an unwelcoming place to newcomers and women I did not find this to be the case personally. Attending DefCon was hands down the best conference experience I have had so far.

While I did miss the first day due to working as a Conference Associate at BlackHat that was also part of how I earned a DefCon badge in the first place. I was also able to share a hotel room with a couple of friends.

I loved the social environment of DefCon. People came from such diverse backgrounds and had highly varied reasons for attending. I met people who simply came along with a group of friends who were into hacking and others who worked in video game design and wanted to transition into a cybersecurity career. There were students, well establish cyber security professionals, aspiring music teachers, professors, web developers, pentesters and hobbyists from all over. It was easy to meet friendly people and a lot of fun! A piece of advice I received several times, which I fully stand behind is “Prioritize the villages, demonstrations, sky talks and people over talks. Talks will be online later but certain opportunities need to be taken advantage of during the conference.

The vendor area was also quite a bit of fun itself. I picked up my first set of lock picks there and scouted out interesting books and tools. I learned about Security Weekly podcast  there and got to flip through a bunch of No Starch Press books while I was there. For example, I got to take a look at The Manga Guide to Crypto which still only available to preorder right now. There are also independent visual and musical artists who you can buy directly from. You can also find groups like Hackers For Charity in the vendor area where you can learn more, make a donation or purchase goods.

At some point, I became tired enough that I wasn’t really sure what to do with myself for the remaining hour of the conference that day. So, I got in line to get a mohawk at Mohawk Con. For a suggested donation of $20.00 volunteers will give you a mohawk. This year you could choose what percentage of your donation went to the Electronic Frontier Foundation, Hackers For Charity and Mohawk Con itself. I had a great conversation while waiting in line and had a lot of fun with the whole process.

One of my favorite things I learned about was that there are people and organizations using hacking skills in order to track down human traffickers. When they have enough incriminating evidence the government can be tipped off, start their own investigation and prosecute. Several people have been saved from human trafficking in this way. I found this incredibly inspiring to hear about and it only makes me want to progress more. I would like to be able to put the skills I develop into such good use.

If you are thinking about going to DefCon start planning your trip now! Find out if you have a local hackerspace or local DefCon group. Learn about the conference and how to stay both digitally and physically safe, and go for it! You’ll be glad you did.

 

 

First BlackHat USA and the Conference Associate Program

This summer I had the opportunity to work at BlackHat USA as a conference associate and attend DefCon, both for the first time. Having never been to Las Vegas or such major conferences I was ecstatic for the opportunity.

My experience at BlackHat was primarily shaped by the Conference Associate program. Through this program students and alumni from certain universities can apply to work  as BlackHat support staff. Conference associates are put up in hotel rooms in or near the venue, earn a wage, get about one meal a day, and earn access to conference briefings online in addition to scoring a DefCon badge. While most the day was spent preparing for the conference or helping attendees, evenings provided ample opportunity to meet new people and make new connections. I made friends with peers in the program and had the opportunity converse with professionals about career development. I even met some of my online friends face to face for the first time!

The opportunity to ask professionals face to face what they are looking for in good candidates for various roles was extremely helpful. Additionally, it was great to learn about the highly varied backgrounds that brought them to their current point. There are stereotypes about who is interested in cybersecurity, and an idea that everyone starts in tech in the first place. I’ve found that isn’t the case. The greatest common denominators seem to be curiosity and drive.

I had also thought I wouldn’t know anyone there but I learned that several professionals from the DC 801 area worked in the NOC. Some of whom I had met at previous security conferences. As someone working at the conference rather than attending it, the social opportunities are the highlight. When it comes to networking, I am someone who is more interested in becoming friends with people who have similar professional interests than I am in rapid fire business card distribution. What I learned from my first multi-day major conference is that it is a better than usual opportunity to build relationships. Everyone is away from home, and to a potentially lesser extent away from work, and therefore ready to talk and play.

Some real highlights for me included making friends with my roommate and other conference associates, meeting Tarah Wheeler and getting my copy of Women in Tech signed, and discussing career development with pentesters over lunch.

If you have the opportunity to work as a conference associate through your school, like UVU or UAT, I highly recommend it. Earning a wage there can help with your travel expenses and make it a bit easier to get to DefCon. The one downside this year was we received our DefCon badges after BlackHat the same Thursday that DefCon started.

 

 

My tips regarding a first time Vegas visit and BlackHat USA:

  • Pack light and purchase snacks at the local walmart or to order from Amazon Prime Now if you don’t have access to a car or don’t want to get an Uber. (Take it from someone who packed 3 boxes of clif bars.)
  • Uber is super expensive! Account for this when you choose your hotel room. I walked a lot to save money but The Strip is designed to corral consumers, not to be walkable.
  • Drink a ton of water. Drink more water than you think you need and purchase it from a supermarket or walmart. Otherwise you can end up paying $10.00 for a bottle of water. Get some aspirin too while you’re at it.
  • Bring your own portable battery. You don’t want to be plugging into any old USB port after all. Burner phones/devices are also a good idea but it’s still important to maintain physical control and not make any unecessary connections. 
  • Bring cash and store it securely so you don’t need to withdraw from machines.
  • BlackHat: If you are a student and venture into the vendors area it is helpful to have specific questions or to go with a professional. Not everyone on the vendor floor knows how the product they are pushing works and if they do they likely want to speak with someone who has decision making power in a business. However, it should be noted some vendors love talking to students because they see them as potential contributors, future customers or possible interns.
  • BlackHat Conference Associate: If you have time to explore during the conference itself try to go see demos instead of talks. You can get access to talks later unlike Arsenal Demos.
  • BlackHat USA: If you wait until the last day to purchase apparel you can probably get it on sale. However, if you are an average sized male be aware your size may not be available by the time the sale comes.  
  • Wear quality shoes made for walking which have already been broken in. This is not the time or place to break in a new pair of shoes or suddenly transition to minimalist footwear.
  • Pace yourself when it comes to alcohol. Never leave your drinks unattended and drink plenty of water!
  • Go to bed early enough to enjoy the next day! By the end of a week I hadn’t met my personal sleep requirements so Def Con was more difficult than it need otherwise be.
  • Give yourself time to recharge your batteries at night as well. Especially if you are an introvert, it can be exhausting to meet so many people and be in such busy places all day. Take some time to read a book, take a soak, go for a jog or take care of yourself in some other way.
  • Walk the strip at least once. You see so many interesting things, displays and people. Go see the fountain show at the Bellagio, you will not regret it.

 

First blog post

My name is Charlie, and I am starting this blog in order to write informative articles accessible to the average user regarding security, as well as to document my own personal projects and studies.

Two years ago I decided to move across the country and change my major from illustration to information technology. Once I made that shift cybersecurity caught my eye and motivated me to continue learning more. As I get more involved in my local cyber security community the more exciting it becomes. I recommend to any tech enthusiast to check out meetup and look for conferences in their local area. You learn things you may not have otherwise, meet new people and have a great time doing it. At DefCon this past August I learned about several charities dedicated to bringing technology into people’s lives and even using hacking skills to bring down human traffickers. This opened up my eyes to the potential for good that can come out of dedication to this path and increased my desire to make a meaningful contribution. I have high goals but, after all, every journey begins with a single step.

There is always something new to learn in computing so let’s have fun with it and teach each other!