bolts, writing, nuts

Please *do* glorify some great hackers and not crime

Please *do* glorify some great hackers and not crime Re: "Stop Glorifying Hackers"(sic) from the M. McWhorter, I'm sorry you had trouble safely sharing data with yourself online using free and inexpensive services. How much extra would you be willing to pay for safe versions of your online services? Equally I am sorry you did not value the free (to you) advice of the professional at Earthlink who advised your to secure private data offline as it was good advice given in good faith. You could pay a great deal to get worse advice. The majority of your editorial seems to be aimed at journalists, whom you chastise for glorifying the exploits of online criminals. That's a valid complaint, though hardly specific to online crime. Many of the problems with modern journalism are related to the economics of publishing, including the dominance of "if it bleeds it leads" editorial decisions. Instead I would caution your target audience and yourself about words: diction, connotation, and meaning. The words that you choose to use have meanings and even political significance that you would do well to pay more attention to. Decrying the criminal activities of "hackers" in one sentence and then asking where all the "white hat hackers" are demonstrates your ignorance and does nothing to help anyone. The hackers are the good guys and your rhetoric isn't going motivate them (us) to help you much. Regards, Adric Net BBST, CISSP, GSEC, GCIH, GCIA, LPIC-1, ITILF, AS CS, AS Psy. Originally on G+ here:
  • Current Mood
    annoyed annoyed
  • Tags

MCU for Fall and Winter 2013

The Keanu movie about the ronin was not as bad as the trailer led us to believe it would be. I saw it in a theatre with an aikido afficianado and she was also somewhat shocked by its overall quality, some aspects of the plot, and the treatment of the end of the story.

The second Hobbit movie is very good though I don't really enjoy the roller coaster sequences, as impressive as they are. I don't think the old don would know what to make of them... still it is nice to have more screen time and more of the concurrant stories. Oh and the synthetic elf captain is an interesting character and quite fetching.

American Hustle was really good. Some tremendously sexy bits and a lovely twirling plot. If you at all enjoyed any of their previous work, you should not miss this. And if you aren't already slightly obsessed with, say, Jennifer Lawrence you should watch Silver Linings Playbook. and The Hunger Games movies. But not Winter's Bone.

I quite recommend the Divergent trilogy of post-apocalyptic juvenile novels. In fact I like them more than The Hunger Games overall. This is entirely due to Katniss and Tris, in that I didn't like Katniss anymore after part way through book two but I was with Tris all the way through to the end.

Speaking politically about the characters and stories for a moment: Katniss starts off with some agency and sheds most of it through the course of the story. Tris starts off with only a little and takes more and more onto herself. Katniss sacrifices others, often unintentionally. Tris sacrifices herself throughout her story (while sometimes putting others at risk).

Leaving the soapbox I am apprehensive about the Divergent movie coming out soon. I got bad vibes from the trailer .. like The Golden Compass bad.. *shiver*.

The Wolverine and the X-Men show (Netflix) from earlier this century was pretty entertaining, once you give up any thoughts of canon (Since any fan (past or present) of X-Men or superhero comics know canon and continuity only as cruel jokes this should be easy). I actually liked the story they told and mostly buy how the stitched the various characters into it (except Erik who [spoilers redacted]). The only really bad spot is the Japanese visit ... instead see The Wolverine movie which is more fun, and slightly less insulting to intelligence (generally) and Japan's culture.

We haven't finished Hobo With A Shotgun (Rutger Hauer) but it is truly a remarkable thing. I rewatched Four Rooms and even skipping a lot of bits regretted the time overall. Farscape is back on Netflix and so I put it on as background sometimes. Hikaru hasn't come back s no progress there but Trigun is available with real audio and subtitles, fond memories (fan subs were better).

I tried Hulu. It has commercials and the video quality was worse than expected. No sale.

Thanks to an Amazon card (from vendor's Christmas guilt) I've been indulging in Kindle purchases and catching up on my Stross.
I finally read Neptune's Brood  and am two-thirds through the re-issue of the first part of The Merchant Princes. In both cases Stross is not only a thrilling and sneaky writer but a terribly educational one .. especially about economics and finance, though certainly political science, history, technology, nuclear physics, and of course the complexities and contradictions of the human condition. Oh and I read Rule 34 the follow-on Liz novel to Halting State which trilogy will not be completed as intended. that one teaches you about depravity and Scots slang, along with the rest.

I made a bit more  progress on the Kate Daniels novels by Illona Andrews. They are so much fun and quite clever. Some near-Jim Butcher levels of sneaky seeding of the major plot has been going on ... (I refer to the Dresden Files. Read 'em. Next book is out in May so you have a few months to catchup.) and Kate has ended up with a family whether she wanted one or not.

Courtesy of a silly promotion in October I found out that Audible has some of the The Great Courses series from The Learning Company (as advertised in expensive magazine) and I've been slowly working my way through their mythology lectures: first a relatively quick survey of classical myths and now I'm getting towards the end of a longer, more in-depth course called "Myth in Human History". It's really interesting stuff not only with the individual myths and goddesses but the themes he draws from are wonderful. This course contains units on creation myths, gods and goddesses, heroic mono-myths, and tricksters (so far). Really excellent and thought-provoking. The discussion of the effects of nomads on agricultural societies, and their gods and myths are wonderful and all but forgive the time wasted on Freudian and Jungian 19C gender politics.

Telly? The third American Horror Story is really fun. They seem to have no shame and are taking full advantage of their setting (New Orleans). Lost Girl continues to be more amusing than expected (Netflix through season 3). The Witches of East End
was better than expected and Devious Maids was pretty fun with a few rough spots. We really liked Continuum and are looking forward to more turning up on Netflix. The cop mystery show Life only has two seasons but it is brilliant and ends well .. really well. You should watch it all. Fringe ended up rather well, though it is pretty hard to get through parts of season 4 and5 (She couldn't stay awake to get the intro to the future storyline).

We see almost every episode of the Stewart and Colbert news hour (if not quite on time) and @midnight is actually pretty fun. It's a bit too lively for bedtime, really.

Who? I really enjoyed the 50th anniversary "Day of the Doctor" show and all the little homages and touches. I liked the Christmas special well enough and am curious to see what the new chap will be like and where the writing is going after all of the build-up and , well, timey-whimey plots of the last few companions... We'll see how they do.

How about you lot? What have you enjoyed reading, watching, browsing, or falling asleep to of late?


20C AP student requesting records for transfer institutions

Or sign # 875,675 that I should have gone to university at age 12 or not at all: further punishment for taking AP courses
I took AP courses and exams in high school in the twentieth century (1993-1995 CE) before your web site existed. Despite that universities continue to insist on AP score transcripts and I am trying to get some sent. I have registered a username on the College Board site but am unable to complete account verification because I do not know my student ID nor was there (as far as I recall) an email address entry on my score sheets.
I appreciate any help you can provide.
Very respectfully,

Learn more about security

Do you want to know more?

Want to learn more about memory analysis?

  • Install Volatility or grab SIFT VM
  • Get memory image samples from:
    • Volatility wiki:
    • HoneyNet:
    • Book:
  • Practice, practice, practice
    • Image your own hosts and analyze them
  • Write about what you find out!
Want to learn more about (web) application security?
  • Install proxy tools and browser plugins or get Samurai WTF
  • Get sample vulnerable web apps :
    • Samurai includes WebGoat, Mutilidae, and others
    • Google Gruyere:
    • BodgeIt Store :
    • Book: The Tangled Web :
    • Read, participate: OWASP:
  • Practice, practice, practice
    • Test your own apps in the lab
  • Write about what you find out!
What to learn more about host forensics?
  • Get SIFT and FTK Imager (etc)
  • Get sample images and challenges:
    • HoneyNet Challenges:
    • EH Net Challenges:
    • Advanced Digital Corpora:
    • Book: File System Forensics Analysis:
  • Practice, practice, practice
    • Image your own hosts and analyze them
  • Write about what you find out!
Want to learn more about network monitoring, network forensics?
  • Get Security Onion and SIFT
  • Get some sample captures and logs:
    • /opt/samples in SecurityOnion
    • Wireshark's samples wiki :
    • (Network) Forensics Contest . com :
    • Advanced: Johannes packet challenges:
    • Book: Practice of NSM and samples :
  • Practice, practice, practice
    • Record, monitor, analyze your own networks
  • Write about what you find out!
Want to learn more about artifact analysis and reverse engineering malware?
  • Get REMnux and demos of IDA, Hopper. Download OllyDbg
  • Get some sample files:
    • Contagio :
    • VirusShare :
    • your inbox
    •  Book: Practical Malware Analysis and exercises:
  • Practice, practice, practice
    • Dissect and analyze the files around you
  • Write about what you find out!


Comments appreciated. Live wiki doc is at


a snarky but informative post to dc404

There were some interesting opinions expressed about recent news events at the meeting Saturday but when I asked if anyone had done the reading I got a lot of blank stares. This distresses me quite a bit since hackers and security "people" should be more educated and informed on these issues than the general public -- not less. This is our history, frankly, even if you don't work for a government and you should know it.

I'm carefully not taking any sides in the debate about surveillance and oversight here. I do encourage anyone interested in these topics, and especially those outraged by events or revelations to study the history of intelligence and cryptography to hone their opinions. The nation should debate these issues publicly and informed debate is the only way to try and find a balanced answer to such a complex problem

In the meeting I asked how many people had read "The American Black Chamber" and no one said they had. That's unfortunate because that book and the results of its publication represent one of the previous times there was a national debate on this very topic. The Secretary of War at the time , one Stimson, was heard to famously declare: "Gentlemen do not read other gentlemen's mail." The results of his attitude and actions are worth noting.

To understand more broadly the questions about government, secrecy, intelligence, and so on and the previous answers you should certainly read David Kahn's tome "The Codebreakers" which is arguably the most thorough publicly available account of the history of secret writing. He starts with the ancient civilizations and moves forward through to the late 20C. At the time of writing he wasn't able to include much information about Bletchley or computers, from which all modern computer science as well as most modern cryptanalysis stems along with the outcome of WWII and thereby the history of the second half of the 20C and most of the current geopolitical mess.**

An easier read , and perhaps a bit more fun, is Simon Singh's "The Code Book". Wiki says:
"The Code Book covers a diverse set of historical topics including the Man in the Iron Mask, Arabic cryptography, Charles Babbage, the mechanisation of cryptography, the Enigma Machine, and the decipherment of Linear B and other ancient writing systems. Later sections cover the development of public key cryptography and some of this material is based on interviews with the participants, including those who worked in secret at GCHQ. The book concludes with a discussion of PGP, quantum computing, and quantum cryptography. "

Oh and you should know about the "equity debate" inside NSA, referred to recently by Schneier in his blog by back reference to one of his old posts:
"America's Dilemma: Close Security Holes, or Exploit Them Ourselves" By Bruce Schneier Wired News May 01, 2008

If you want more food for thought or have other remarks, please share.

Hope this helps,
Adric Net
adric at

PS Hey let's all sign our emails and see how that goes?

** If you believe this statement to be hyperbolic or exaggerated then you likely have a lot of history to catch up on. Also, Bletchley is a very cool place to visit. Do go out there some time if you have the chance

Summer vacation MCU

I got through a bunch of comics and some audio on the little mini-vacation we took around Memorial Day weekend. I'll add these to too later. Comics, from Comixology
  • finished up Death of the Family a much hyped Batman and Joker story arc / crossover
  • The Walking Dead collections Vol 9-13
  • Bandette #1 and #2, from Monkeybrains
  • Girls (2005) complete collection by the Luna brothers
  • Eisner award nominee The Mire
  • and the free teaser of Wizzywig
Audio from Audible
  • started Cloud Atlas
  • a bit of The Lost Symbol before she chickened out

Static analysis:Sometime an icon is just an icon?

I try to take advantage of the malware samples in my inbox every day to practice analysis and learn cool news tools. A previous post covers some of the basics.

This week I got an "eFAX" message with a zip file attachment that was quite suspicious so I dug right into it. It's defintiely a Win32 PE file (exe) inside the zip despite the Adobe-esque PDF icon it's using and although ClamAV didn't find anything VirusTotal confirms that most of the planet thinks it is bad news indeed. Here's the VT and Annubis reports for the binary.

From there I tried to apply some of the techniques I am reading about in Practical Malware Analysis1 an awesome book that walks through the proceedures and tools needed to disect and analyze files. I'm just starting the book and have been reading about the Windows Portable executable format, so PE header analysis, I chose you!

Collapse )

Recent online discussions about security awareness training and education effectiveness

Bruce Schneier's 19 March 2013 blog on DarkReading "On Security Awareness Training: The focus on training obscures the failures of security design" is making headlines with his bold assertion that "training users in security is generally a waste of time and that the money can be spent better elsewhere". The piece argues by examples from other fields of health and safety education that complex decision making can't be easily taught to a large population in an effective way and that if security awareness training as enacted in the past 20 years was effective we would see commensurate change in the behaviour of the population. Schneier’s standing as a cryptographer and esteemed author gives tremendous weight to this controversial argument.
Although Schneier's editorial is more persuasively written and less overtly provocative he is essentially arguing a similar point as Immunity's Dave Aitel did in his 18 July 2012 editorial on CISO Magazine "Why you shouldn't train employees for security awareness: Dave Aitel argues that money spent on awareness training is money wasted". Aitel’s recommendation is to eliminate awareness training and instead fund secure development and software testing to harden systems so that user behaviour isn’t so dangerous to the organization: “It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization”.
Aitel's piece provoked  much discussion and many online rebuttals1 and Schneier's post has already generated some well-reasoned responses. Benjamin Mauch commented to link to his spirited rebuttal "Security Awareness Education". He is quite passionate about security awareness and has given talks on security education including one recently at Derby Con. Mauch argues that the mechanisms of training in common use, such as computer based training and quizzes, perform poorly but that engagement and education of users to develop a User Defense "layer" is effective and vital to defense.
Mauch's colleague Dave Kennedy, Founder and Principal Security Consultant at TrustedSec, posted his own response to Schneier's post titled "The Debate on Security Education and Awareness". Kennedy outlines his concerns with the general ideas in Schneier's post and then examines a handful of the arguments quote by quote from the DarkReading post. He on expands a few of the metaphors (eg driver education) and shows how a broader interpretation of them supports a different view.
1 Rebuttals to Aitel include: