“I am no longer afraid of becoming lost, because the journey back always reveals something new, and that is ultimately good for the artist.” -Billy Joel

I’ve never claimed to be an artist, nor do I aspire to be one.  Everyone draws their own hotly-disputed line between science and art.  As one of my heroes, Neil deGrasse Tyson, likes to say, “Why do people say ‘they’ve raised it to an art,’ but also ‘they’ve got it down to a science?’”  It’s an interesting thought.  It’s as though the very idioms of our society have come to favor natural talent and the results it produces over hard facts, analysis, and repeatable results.  It makes sense I suppose.  The former is far more romantic to practitioners of neither than the latter.  We as a whole are a nostalgic and romantic society, myself included.  I have shelf after shelf of books that I purchased well after the advent and widespread of adoption of e-readers.  Why?  Romance.  Something about a hardcover and/or leatherbound book, just makes the knowledge contained within that much more real to me.  Allows me to draw a more significant connection to it.  And although I will always profess myself a follower of science over art, there is nothing scientific or economical even about that approach to knowledge-seeking.

Everyone has a unique trigger which allows for their own uncoupling of consciousness and reality.  Their own method to ….become lost.  The world of books and knowledge, especially “forbidden” knowledge, has been my trigger for as long as I can remember.  The sheer number and range of subjects of which I’m interested in, and actually have concrete plans to pursue mastery of, is staggering to me, even overwhelming at times.  I’ve compiled a text document of books I plan to purchase to tackle these subjects.  A list which approaches five hundred in number.

I realize that’s not the most practical method or even goal.  How do “normal” people gain knowledge?  How do those who are not obsessed with the abstract concept of knowledge itself gain mastery in their chosen field?  Of course.  They go to college.  Halls of Knowledge they are even called by some.  Makes perfect sense.  There are people there who know what you want to know, and they may be willing to tell you what you want to know (or what the institution tells them they HAVE to tell you) …for a very large fee.  Given what I’ve told you, you might think college is a great place for me.  I should thrive there.  Hell, I might even be one of those people who never leaves and ends up with 27 degrees in random disciplines.

But I’m not.  I’m a college dropout.  I have no degree.  Right out of high school I enrolled in Penn State majoring in Information Systems.  I picked that major because that’s what you choose when you “want to do something with computers, just not sure what.”  I completed my first year.. completely bored.  I felt like I was re-hashing my junior year of high school.  It was remedial, it was boring, it was a waste of time and precious money.  On top of that, I wasn’t able to enroll in a single technology class.  They VERY reason I was there!  And I couldn’t even peek in the windows.

Finally, second year came, and I was finally allowed to take a tech class.  But only one.  “At least it’s something,” I thought. A few weeks into the class, we were doing hardware identification.  Meaning there was an “exercise” in my textbook with a picture of a mouse, keyboard, monitor, etc, and I was meant to fill in the blank about what these items were.  That was the last straw.  I couldn’t justify wasting my time and money here only to come out four years later, no smarter, but with a meaningless slip of hundred-thousand-dollar paper.

So I left.  Moved back home, found a job as a Systems Operator within the month, moved out, and worked there for the next three years.  I learned more on that job and on my own in the first year than in three semesters at Penn State.  And THEY were paying ME.  During that time I FINALLY found my calling within the tech world: InfoSec.  I started reading, joining groups, going to meetings and cons, it was an amazing time.  I had it all figured out.  Until I didn’t.  The more I learned, the more I was aware of how much I didn’t know.  Which is true for all things I guess.  One of the things I learned is that InfoSec is a notoriously difficult field to break into.

Then I got another job.  A job with actual possibilities for upward mobility, but more importantly, it was at a company with an internal security team.  I would work my ass off in my current position, get my certifications (company paid), attach my name to security in any way possible, and eventually work my way into that department.  It would take a long time, but it should work.  There was only one problem, I didn’t factor my impatience into this equation.  Security is hard.  There’s a lot to learn.  And it takes a long time to learn, especially when you’re self-taught, because that means your teacher sucks just as badly as you do.

I began to get discouraged.  It seemed like it just wasn’t ever going to happen for me.  “Doomed to mediocrity” as they say.  This, of course, is a completely self-inflicted affliction.  Hard to see that when you’re on the other side though.  I heard about BSides Rochester, and thought it sounded like a good idea.  It would give me a few days away, give me a chance to see some people, and maybe learn a thing or two from some of the talks.  They were good talks, and it was a good trip, but one eclipsed them all.

My good friend Rob gave a talk “How I Snuck Into the InfoSec Industry.”  A talk I had been wanting to see anyway, but I didn’t expect it to have the effect on me that it did.  I know Rob probably still doesn’t believe me, but it engulfed my thoughts so fully that I was unable to think of anything else the rest of the weekend.  I even had to leave the con because I couldn’t think of anything else.  I ran a million scenarios in my head, but one came out the clear winner every time.  It’s the scenario that this new site will facilitate.

Everyone, I’m going back to school.

I applied to the University of Advancing Technology, a school with an incredible Network Security program and unparalleled accolades.  Yesterday, I was informed that my application had been accepted.  After some conversation, I decided that I will be enrolling in the accelerated program while pursuing dual degrees in Network Security and Technology Forensics.  This means that in about three and a half years, I will be in possession of a bachelor’s degree in each field.  I will be doing this while maintaining my full time job, and still trying to work my way into the internal security team.

However, this is an expensive endeavor and money has never been a trivial commodity for me.  I have applied for federal aid, and I have also resolved to complete at least one scholarship application per day.  At the end, whatever is left, I will apply for a student loan to make up.  Being debt-free is not a young man’s game.

Additionally, over the next 4 years, and hopefully longer, I will be chronicling every step of my journey right here.  From class content, to book reviews, to scholarship applications, roadblocks, I’ll record it all.  Comments are more than welcome.  I hope you guys find some value in my writings, I know I will.

Another post with more details will come tomorrow, but before I go, I just want to thank two people who have been especially helpful in my journey thus far, Robert (@dicipulus) Chuvala and Matt (@matthewneely) Neely.  I really could not have made it this far without you guys.  Thank you for everything.

…to not buy this horrible book.  I linked it above for consistency, but let me be clear, don’t waste your time with this book.  I bought it on Amazon I think for $15, and I sold it at Half Price books for a more than generous (on their part) $4.  I sold it because I didn’t even want to see it sitting on my shelf.  And I’m one of those annoying people who keep their books forever for seemingly no reason.  I have one quote from the book that I think sums it all up.

“I’m going to say something that has probably never been in print before in a business book. It’s probably never been in a business book because, at face value, it sounds kind of depressing. The bigger the impact you want to make on the world or in your chosen field-the bolder your purpose is-the greater the risks you’re going to have to take.”

Pretty sure that’s been in ALL THE BUSINESS BOOKS. The fucking ego on this guy.  I’ve never actually read a book where the writing style made me visibly angry.  Now, full disclosure, I didn’t make it past the hundredth page of this book.  But, to be fair, that just speaks to how bad this book really is.  I’m not the kind of person who quits reading if I’m not sure how it’ll turn out, and I think I’ve only ever turned off one movie halfway through.  Maybe that quote up there isn’t enough to convince you of the awfulness spewing forth from the pages of this monstrosity.  Well worry not, I have more.

“[Listening to Pink Floyd was] some of the most educational parts of my college experience, truly.”  ….just wow.  Michael Ellsberg is nothing but a glorified frat boy who’s read one too many marketing books and thought he’d try his hand.  As I believe I’ve mentioned before, I can’t stand when books contain gratuitous amounts of lead-up.  This is when the first chapter talks about what the rest of the book will be about and the first five pages of each chapter talks about what that chapter will be about.  Get to the content.  Don’t waste my fucking time because your editor thought it would be better if your book was 250 pages instead of 180.  Evidence of this persists throughout.  The man (loosely using that term) stretches the text of this book by defining almost every word we come across that could be considered as jargon by the readers (who are apparently piddling children.)  Examples are great to illustrate abstract points and definitions are great for seldom used or industry-specific terms, but at this frequency, you’re just insulting my intelligence.  And that’s how I felt the entire time I was reading this.  Like I was being talked down to.

One of Ellsberg’s favorite tools for “comedy” in the book is the alternate title.  Most sections of the book are constructed as follows: [Actual Title] (or [coffee-cup humor title]).  He clearly thinks coffee mugs and mall tshirts are the height of comedy and that he should be the champion of their cause.  Well I agree, this man is far better suited to peddling trite, unfunny tshirts and mugs at a stand somewhere to rednecks than being anywhere near moveable type.  However, that’s clearly his ambition.  He takes an opportunity every few pages or so to remind us all that he’s writing another book!  Keep an eye out for that one!  Sure to be a gem!  I don’t like commercials in my tv, I sure as shit don’t like them in my books.  You have committed an unforgivable sin sir.

Now, I do have one positive thing to say.  There’s a certain part of the book where an interviewee is telling a story and Ellsberg is forced to shut the hell up for a minute.  Those are actually decently interesting.  HOWEVER.  Ellsberg immediately follows those stories with his groundbreaking analysis.  “It’s possible to be monetarily rich, and spiritually poor!” (paraphrasing).  No shit.  I saw Richie Rich too.  Don’t take age old morals and try to present them as revelatory business ideas.

So, the point of this book is to say “Hey, if you dropped out of school or don’t think college isn’t right for you, it’s ok, a lot of successful people have done that… here’s how.”  Pretty interesting concept.  You expect to hear the Bill Gates story… all the old standbys.  No.  The first example is a man named David Gilmour.  Yes.  That David Fucking Gilmour.  And what’s more, Ellsberg thinks he’s so worldly and you’re so dumb that he’s going to coyly INTRODUCE David Fucking Gilmour to you!!  I’M 22 YEARS OLD AND I KNOW WHO DAVID GILMOUR IS!!  I can’t imagine how insulting that is to someone who grew up in the 60s or 70s.  Some kid trying to pretend like he discovered the lead guitarist of fucking Pink Floyd.  I know who Pink Floyd is, I know who David Gilmour is.  Don’t insult me you twat.  Also, THAT’S your first example!? David Gilmour didn’t do to well in school, and everything turned out all right for him.  Well, no shit.  I’m sorry dude, but your “practical learning” advice doesn’t apply here.  Yeah, that’s what Gilmour did.  But I have news for you, no matter how much “practical learning” I do, I’m not going to be goddamn David Gilmour.  It’s not going to happen.  Pick a more relatable example.

Insulting your intelligence seems to be the real focus of this book.  Ellsberg loves him some metaphors.  Bad metaphors, but metaphors nonetheless.  And if you have a little trouble with metaphors, don’t worry, that’s ok.  He’s going to point out each and every one to you.  Hey, hey guys, I just used a metaphor.  Check it out.  That’s some serious poetic shit.  The gems go throughout the whole book.  “People tend to feel safer with the known than the unknown.”  How does someone read that sentence in a book and not immediately close it in rage?  I know I did.

The ego of Ellsberg is never more apparent than in his tangents.  He likes to relate the subject matter to his life.  But pretty much immediately loses that link.  It’s like he constantly forgets what book he’s writing.  He wants to write his memoirs before he does anything noteworthy.  People like him are a dime a dozen.  Had some good fortune in his life, thinks he’s a superstar, but he’s still  just a frat boy.  Anyone who says “I’m not bragging” this much, clearly is.  His ego is so big, it distracts me every few paragraphs from the actual subject matter.  I’ll never take advice from someone who includes the phrase “Burning Man rules” (as in O’Doyle rules) in his book.  Every few pages talks about another marketing book.  At first it seems like recommendations and good sourcing, but quickly becomes “hey guys, look at all these books I read.”  No one cares Ellsberg.  No one cares.

Anyway, if you flip ahead to the later chapters, you see that the famous people interviews stop and he just starts chatting with his marketing buddies.  If you hate the stereotypical sales guys at your job, you’ll probably hate this book.  The book starts off with a great idea, and immediately throws it out for a new concept.  Book should have been titled “How to Market Yourself to your Betters (plus some marketing and sales stuff I read once.  Oh, and by the way, I’m awesome.)”

If you want to learn marketing and sales, that’s great.  This isn’t the book to learn it.  Ellsberg thinks he’s created the compilation of business/marketing/sales books in “Millionaires” that Ramit Sethi created for finance in “I Will Teach You To Be Rich.” (awesome book by the way), but he’s completely missed the mark.  And you would do well to avoid this book unless you need something to get you pissed off for some reason.  Then this is the book for you.

Before we begin, a little aside.  The title above is linked to the Amazon page for this book.  These links aren’t affiliate links, and they will always be links to the hardcover version (if available), because that’s what I always buy.  I’m happy to pay even a good deal extra for the hard cover.  I like my books to look as nice as they can for as long as they can.  So let’s grab the notebook, take off that dust jacket and dive in, shall we?

If there’s one thing I will take away from this book, it’s this: Sexy != Rich.  In fact, more often than not, the two are mutually exclusive.  The book defines people in two categories: UAWs (Under Accumulators of Wealth) and PAWs (Prodigious Accumulators of Wealth.)  After reading the book, if you’re like me, you will begin placing people into those categories yourself.  As I was reading the book and its many many case studies, I saw more and more traits of people I know being displayed.

I’ll be the first to admit it: I’m not a good sport.  I don’t like seeing other people succeed without effort, I don’t like seeing people win large sums of money, I don’t like seeing people get lucky at anything.  These hold especially true if I’m in a bad mood or if I’ve judged that person unworthy of such gifts.  Conversely, I don’t like being offered handouts and have been known to take offense to being given things without working for them.  I know this isn’t an ideal set of personality traits to have, but no one is perfect.

This book has offered me something of a coping mechanism for dealing with seeing people display what appear to be unearned or disproportionate amounts of wealth.  Some of you may recall a little meltdown I had a few months back about watching a guy in his early 20s poorly drive and almost wreck his brand new Nissan GT-R (A ~$90k vehicle).  Now I have the ability to label him (and probably his parents) as a UAW and dismiss him from memory.

To determine if you are a UAW or PAW, plug your own numbers into this little formula: (Age x Pretax Annual Income (less inheritances)) / 10.  Take this number and compare to your net worth (less inheritances).  If your actual net worth is lower than the number produced by the formula, you are a UAW.  If it above that number, you are a PAW.  It’s that simple.  If you’re a UAW, don’t feel too bad.  I am.  Most people are.  Obviously the formula is imperfect and has a strong bias on age, how long you’ve been in the workforce, etc.  But it’s a decent baseline for well-established adults (the average age of PAWs is around 50).

The real question is not whether or not you are currently a UAW or a PAW, but if your habits and general attitude are leading you closer to becoming a PAW or not.  You may think you’re at a disadvantage from birth, coming from a humble background, but one of my favorite stats from the book proves that isn’t the case.  Ready for it?  80% of American Millionaires (net worth) are 1st generation millionaires.  80 percent.  I would have never guessed it was that many.  If you come from non-millionaire parents, there is a 1 in 30 chance you will become a millionaire at some point in your life.  Those sound like pretty good odds to me.

And that’s all this book is, facts. Facts facts facts.  Case studies, surveys, so much work has been done to back up every fact in this book.  The attention to detail is absolutely staggering.  The book also manages to avoid one of my least favorite things about non-fiction books.  There is no lead up. Not a single chapter starts with “In this chapter, we’ll talk about how blah blah blah” for 13 pages before actually starting with the content.

If you have any interest at all in accumulating wealth to spend how you want, how to live comfortably, and don’t mind skipping all the meaningless status items, this book is a must read.  It’s chocked full of tips and tricks from people who’ve done it all, and each one has the math to back it up. The following are my biggest takeaways from the book.

• 80% of American Millionaires are 1st generation rich.
• Sexy != Rich.  In fact, the opposite is often true.
• Never take a mortgage for more than 2x annual household income.
• A financial adviser is a key employee of the business that is your household.  Hire and fire accordingly.
• Movies are lies.  If you spend high, you retire low.  Spend low, retire high.
• Don’t tell your children of your wealth, this way they will learn the value of money and become PAWs themselves.
• Never become jealous of those who display their wealth rather than save it.  They have the worries of those who make half their income or less.

In closing, this book was incredible.  Anyone who ever touches money should read it.  It should be required reading for high school students.  Even though the statistics are a bit outdated (1995 mostly), the wisdom is timeless.  Read it.  Make your kids read it.  A definite must-have.

Sometimes I’ll become so thoroughly engrossed in a book that it becomes nigh impossible to tear me away. Like my mother used to say: “I bet I’m one of the only parents on the planet that has to tell their kid to put the damn book down.” And sometimes, I’ll read a book at a snail’s pace because something about it just doesn’t sit well with me, but I want the knowledge contained in it so badly that I suffer through it.

In order to combat this issue, I’ve taken to reading as many as five books at any given time, but never more than one fiction book. Anyone who’s ever tried to read more than one fiction book and began mixing the stories (which is something I seem to do every time) knows why. I’ve found it also helps to vary the subject matter, writing style, and length of book in any given book group.

Anyway, I figured that my interests are so varied, I’d eventually read a book who’s subject matter interested one of you people. So I’ve decided to begin writing small reviews for the books I read. I don’t claim to be a journalist or a scholar of any kind, I’m just a man who enjoys reading, giving you my opinions. Take them or leave them, but they’re here if you want them.

In the coming months I plan on migrating all of this information to a personal website, and will probably be shutting down Blue Shell Security as I really don’t have a use for it. Until then, my book reviews will be posted here and on my twitter account @BlueShellSec; a name I’ll probably also be changing before too long. Anyway, I’ve spelled out way too much lead up as it is. So enjoy the reviews and let me know what you think. Thanks.

This is just another new frontier for which the security community must balance security vs convenience. As we all know, wherever the mass public is involved, convenience will win 99% of the time. And that 1% is usually after a major breach where everyone suddenly wants to be locked down, until they see what a hassle it is. Two factor authentication is two steps too many for most people. Sad but true.

I’m all for carrying less devices every day, as long as we can strike a reasonable balance between convenience and security. I think that now, in 2011, we’re at a transition phase. There are still people who opt to carry checkbooks instead of debit cards. There are still people who won’t go near a computer, let alone a smartphone. But the day is coming when those people will no longer be able to reasonably operate in civilized society, and it’s coming fast. Adapt and survive, or stay stagnant and be left behind and regarded as a drag on the progress that the rest of society is striving so hard to accomplish.

Every day, the smartphone gets smarter. It can alleviate us of some of our day to day responsibilities. It has the ability to allow us to automate our lives to a certain extent. And I think it’s great honestly. Not worrying about certain daily minutiae allows us to focus on more important things. It allows us to consolidate the way we interact with our world. I could carry a dedicated MP3/Video player, a portable gaming system, a nice compact 12mp camera, a two factor auth keyfob, a cell phone, wear a watch, and carry a planner, but I don’t have to carry any of things any more, because my phone does all of them, and my phone is a dinosaur by today’s standards. Sure, sometimes the functionality isn’t as good, but I’m willing to sacrifice functionality for convenience to some extent as I imagine most of you are.

The point here is, we as a people are at a crossroads of emerging personal technologies. How long before the smartphone becomes more personal to us than our wallets? Has it already? Does it pose more danger if stolen? What do you think? Answer in the poll to the right.

“I am a Hacker, and this is my manifesto.” What emotion do those words evoke in you? Stop reading. Really think about it for a second. What do you feel when you hear those words?

I AM A HACKER, AND THIS IS MY MANIFESTO.

Let me tell you a story.  The story of how I got into infosec.  One short year ago, I was your average, run of the mill, hometown tech guy.  The guy who got the label “computer whiz kid” because I knew how to alt+tab.  Like most of you, I was completely self-taught.  There were no computer classes in my area at the time, and my parents viewed the PC as just another game console.  My knowledge stemmed from adventuring into the virgin file directories and settings.  Exploring every corner of my system and inevitably breaking something.  Something I would need to fix before my parents found out.

Fix and break.  Fix and break.  Disassemble and reassemble.  This was my life.  Eventually I got good enough that I wasn’t breaking things anymore when disassembling them.  So I began fixing the problems others had caused.  I knew more about computers than most, but I wasn’t satisfied.  I had hit a plateau.  I had no more problems to solve.  It made me feel empty.  I didn’t know how much I didn’t know.

I don’t remember how I found it, I just know that I did, and it changed my life forever.  I identified with this document so wholly, so completely, I felt as though I could have written it myself, had I only been inspired to do so.  This document was The Hacker Manifesto; written January 8, 1986 by The Mentor.  I know every one of you has read this document at some point, but I implore you to read it once more.  [Cue 2112 Discovery by Rush]

Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…

Damn kids. They’re all alike.

But did you, in your three-piece psychology and 1950s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world…

Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…

Damn underachiever. They’re all alike.

I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”

Damn kid. Probably copied it. They’re all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me.. Or thinks I’m a smart ass.. Or doesn’t like teaching and shouldn’t be here…

Damn kid. All he does is play games. They’re all alike.

And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found. “This is it… this is where I belong…” I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…

Damn kid. Tying up the phone line again. They’re all alike…

You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.

Was…was this what I was meant to be the whole time?  I had also been bored with the non-challenges presented to me in grade school.  So bored that I had to go out and find my own challenge in the (relatively infant) field of technology.  I hated the constant “show your work” badgering in middle school when the problem solved itself so easily in my mind.  For the first time, I felt like I wasn’t alone.  That there were others out there being labeled smartass and shunned by teachers.  That there were others whose default state was to ask questions, to not trust authority, to explore beyond the scope of the task at hand.  If there were others, did that mean that there was a place where this behavior was not only accepted, but encouraged?  I had to know.

My experience on the internet thus far told me that the best place to start on any unknown subject was Wikipedia; and as usual, it did not disappoint.  I spent the next week sorting through the ridiculous number of tabs that I’d spawned from the “Hacker” Wikipedia article.  Hacker.  White-hat Hacker.  Cracking.  Kevin Mitnick.  Social Engineering.  Cross-site scripting.  SQL injection.  DARPA.  Metasploit.  All of these new terms, a vast sea of knowledge that I had yet to reach the shores of.  While I didn’t learn too much from those articles during the tab-explosion week, I did learn the most important thing of all.  I was finally able to fathom how much I didn’t know.

Ladies and gentlemen, I have never written an 0-day exploit.  I don’t know any programming languages.  I have never broken into a network that was not in my home lab with or without permission.  But I tell you this now, ich bin ein Hacker! Over the last year, I’ve located fellow hackers in my area, I’ve attended meeting after meeting, read book after book, and endless online articles.  I have uncovered for myself a grand new set of challenges that need solving.  I am a hacker because nothing excites me like the prospect of solving those problems.  My favorite definition of a hacker is from the jargon file and it reads as follows: “One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.”

THAT is the true mark of a hacker.  Anyone who believes otherwise has lost sight of their roots.  I personally believe that there is nothing more harmful to the community as a whole than the ideal of the so-called “uber-leet hax0r.”  Which is why when I see things like this:

Following the link in the tweet results in the UrbanDictionary definition below:

I’m filled with extreme rage.

If you agree with that definition; and think that the word “Busticati” (or similar) should be put into common use, you are what is wrong with this community.  You are everything that the outside world hates about us.  You are the reason new, bright, young individuals shy away from the hacker community.  You push away those who would learn the craft when you should be embracing them.  It is because of you that (outside of the criminal implications) there is such a heavy social stigma attached to the title: Hacker.

This kind of elitism cannot be allowed to stand.  But who am I to you?  You who believe that only the pr0est of the pr0 deserve the right to have their opinion heard.  If you won’t listen to me, maybe you’ll listen to Chris Nickerson of Exotic Liability who said in a recent talk at Dojocon,

"This is the definition of a Hacker. If you don't agree with it, fuck you, you're wrong. Sorry, it doesn't mean writing 0-day and being leet and cool and jerking off on stage because of how leet your stuff is." - Chris Nickerson

So next time you come across someone who doesn’t know as much as you know, someone who is struggling with a concept, someone who has limited themselves to making “led throwies,” approach them, and teach them.  Because to sit back and poke fun at someone who isn’t as “leet” as you are just makes you an elitist asshole and you are not worthy of the title “hacker.”  Hackers are all about community.  Let’s usher in a new golden age of hacking.  Make collaboration cool again.  Shun those who would keep the so called “glory” for themselves, for they weaken us as a whole.

For another take on this subject, watch Chris Nickerson’s Dojocon talk, “The State of (In)Security” below.

Chris Nickerson The State of (In)Security from Adrian Crenshaw on Vimeo.

I expect more from the hacker community.  Anything worth doing, is worth doing properly.  As hackers, most of the things we say, aren’t said at all.  They’re typed.  This leaves no excuse for poor grammar.  As we’ve been preaching to the users for years: if you’re not sure of something, GOOGLE IS YOUR FRIEND.  However, if you’re feeling lazy, I’ll summarize a few key points for you here; because afterall, I’m a nice guy.

You’re vs. Your

Now, being on the internet comes with a certain degree of informality as anyone will tell you.  However, informality =/= ignorance.  For instance, while sentence fragments can be ignored in an informal setting, there is no excuse for not knowing the difference between “your” and “you’re.”  Hell, in this world of informal text, I’ll even allow “youre.”  Now, if you don’t know the difference, and are too lazy to Google it, I’ve found a handy visual aid thanks to the Warehouse Comic.  Enjoy.

There.  Now you have no excuse for mixing those up.  It’s a pretty simple concept.  I mean, you guys do know how contractions work, right?  A contraction is the combining of two words.  So if you’re trying to say “you are” then you use “you’re.”  If you’re not trying to say “you are” then you get to use “your.”  It’s really that simple.  Moving on…

Apostrophes.

This is definitely one of my biggest pet peeves.  People try to defend their incorrect use of apostrophes with the regular “it’s the internet!” comments and cries of “grammar nazi!” but seriously, adding an apostrophe where it isn’t needed is actually more work, so stop it.  By far the most common offendees of misplaced apostrophes are plural acronyms and initialisms.  I’ll explain.  If you wanted to tell someone you had multiple copies of a DVD, you would say, “I have two of those DVDs.” NOT “I have two of those DVD’s.”  What you’re implying here is that you haven’t finished your sentence and that the DVD owns something.  There is a very easy rule to follow regarding this.  You NEVER use an apostrophe to mark a pluralization.  NEVER.  No.  Never.

Correct: On my last pen test, I got root on all of their servers.

Fail: On my last pen test, I had to punch one of the guard’s in the balls.

It’s vs. Its

Now for this one, I’ll actually excuse a little ignorance because it’s a fairly unknown rule; but now you know it, and get to look smarter than everyone else.  Shut up, I know you love doing that, it’s why you’re a hacker.  Contrary to every other word, “it” only has an apostrophe for the contraction of “it is.”  If “it” is the subject, and you need to show ownership, it remains “its.”  Example:

Correct: While repinning a lock, I dropped one of its springs.  It’s lost in the carpet somewhere now.

Incorrect: A company asked me to test it’s website.  Turns out its vulnerable to SQL injection!

And now, another Warehouse Comic!

Quotes

My final point for this post will be about quotation marks and their usage.  Quotation marks should NEVER be used for emphasis.  This is text people, there are a million other ways you can denote emphasis.

Correct: You should ALWAYS change your default passwords.

Correct: Never, under any circumstances, let an unauthorized person into a restricted area.

Incorrect: Everyone in the call center is acting like an “idiot” today.

Incorrect: Your “presence” here, court ordered.
(Why’d you put presence in quotes, are you implying we’re not here?)

Quotes can also denote the title of certain bodies of artistic works including song titles, short stories, poetry, chapters, and articles.  If you’re not sure how to properly note the title of a certain work, it has become generally acceptable to put the titles of ALL works in italics.

I’m sure I’ll notice more grammatical issues that annoy me in the future: so rest assured, there will be a “Grammar, You’re Doing it Wrong Part 2.”  Let the comments commence!

Special Note: The below pertains to low-security situations.

Perspective:  At my current job, I am a user, not an administrator, which means I have to abide by the rules and policies set out by our sysadmin (who in turn has to follow the demands of the security-ignorant sub-c-level execs with too much time and power on their hands).  Also, I have been involved in the infosec community for less than a year, but consider myself a pretty quick study.

I understand the reasons behind password policies.  Generally, it is a good idea to implement said policies.  However, sometimes these password policies will go awry.  I now present you with several examples:

1) Frequent Password Changes
Reason: If a user’s password is compromised without their knowledge, it’s best to change it frequently so that an attacker cannot use it to cause extensive damage over time.
Problem: By requiring that I change my password every 3 weeks and restricting my previous 50 passwords, you’ve turned ME, a hackerish, generally security-conscious person, into a base user.  After my 10th password change, I just said fuck it and started using terrible, terrible passwords.  Because honestly, I couldn’t think of any more quality ones that I’d be able to remember easily.  And even if I did, they’d be gone soon anyway!  So fuck this.  My password at work is now very easy to guess, but isn’t the password of anything personal of mine.  So if anyone’s getting screwed here, it’s the company that doesn’t pay me enough to care about their security.  Oh well.

2) Length Minimums
Reason: The longer a password is, the harder it is to guess, harder it is to crack the hash, harder it is for an attacker to brute-force their way into the company.
Problem: If you implement a 15 character minimum on passwords, you’re not doing anyone any favors.  Especially coupled with frequent changes, you’re not creating strong passwords.  The implementer expects ‘L337p4$$w0R|)z!1!!’, but what they get is ’111111111111111′.  Let’s face it, in today’s age of using 500-core GPUs to crack passwords, no password is safe.  And when you implement length minimums, you aren’t necessarily making them harder to crack.  From what I’ve seen, the longer a password gets (by necessity, not choice) the simpler it gets.  You don’t get special characters, and you’re lucky to get mixed case.  You get strings of numbers or something like ‘ThisIsMyPassword’.  And even being sec-minded as I am, if I have to come up with a 15 character password for the 3rd time in 2 months, it’ll also probably be a random string of numbers because hey, fuck it.

3) Special Characters
Reason: Adding special characters makes passwords nearly impossible to guess and definitely harder to brute force.  Suck on this, dictionary attack!
Problem: When the common user forgets his password when it’s something like, oh I don’t know… ‘Password” or his own daughter’s name, why in the hell does anyone think they can keep track of things they have to press shift for?  All you’re doing is upping the percentage of help desk calls that start with “Hey, uh, it’s John in finance again… “  And once again, if I have to come up with a password, every 3 weeks, that is 15 characters long, and has 3 unique special characters in it, you can bet it’s going to be some variation of /\/\gmtC4nS_ckMy|)!k.  Just sayin.

You want the help desk happy, because if the help desk is happy, problems get resolved faster which means less lost minutes of work which means less lost money.  To keep the hell desk happy, give them as few stupid calls as possible. So in conclusion, your password policies, if too strict, which some are, can actually make you LESS secure.  So what do you do?  Like everything else, moderation is key.  Follow these rules and you should be fine:

1) Implement password changes on a reasonable basis.  If you have more than 12 password changes in a year and you’re not running some high-security shit, you’re doing it wrong.

2) Implement changes on a regular basis.  Everyone will be less likely to gripe if they know that on the first of every other month, the password change is coming.  It becomes routine.

3) Implement changes in unison.  If a single user is required to access multiple systems, make sure all the passwords are changed on the same day.  Again gets people into the routine.  If it’s part of the routine, less likely to gripe, less likely to create weak passwords out of anger.

4) Keep the password length reasonable.  Longer passwords are more secure, yes.  But they aren’t bulletproof.  If someone is intent on cracking your password hashes, it’ll get done.  Convenience takes priority here.

5) Require special characters, no more than 4.  Before doing so, no joke, hold a class on L337 speak.  Replacing letters with numbers or symbols comes naturally to us.  It should come naturally to your users too.  They’ll think it’s fun and it’ll result in more secure and less forgotten passwords.

6) For fuck’s sake, just implement 2-factor auth already and this shit won’t matter nearly as much.

/rant

The Project For Awesome was given life by two (now rather famous) Youtubers: Hank Green and John Green on their shared Youtube channel, Vlogbrothers.  Every year since 2007, John and Hanks subscribers, hereafter referred to as Nerdfighters, have aspired to “take over Youtube” with Project For Awesome videos.  The goal is to fill the most discussed, most viewed, and most liked pages completely with Project For Awesome themed videos.  This year, Youtube itself has decided to endorse the Project For Awesome.  Much like the President of the United States and Conan O’Brien before them, the Vlogbrothers are being allowed a 4-hour live show on Youtube.com on December 17th.

This being my first year as a video-making member of the Youtube community, I have decided to take part and to support a cause close to all of our hearts, Hackers for Charity.  I have contacted the Hackers for Charity people via their website asking permission to use video footage of them in action as well as photos to be used in the video, but it won’t be enough.

Fellow hackers, I need your help.  On December 17th, I will upload the video as early as is allowed by the 2010 Project For Awesome guidelines, at which point I will begin a barrage of facebook and twitter spam that I need your help turning into Youtube spam.

First, I need everyone to retweet this article, post it on their blog, post it on Facebook, do whatever you have to do to get the word out, let everyone know, December 17th is not a day we can afford to be away from the computer.  Secondly, on the 17th, I will be tweeting about the video and the Project for Awesome all day long, and I need you to do the same.  I don’t care if you retweet my tweets, make your own, or whatever, just get the word out.  Third and most important:  on December 17th, you need to log into Youtube, thumbs up the video, comment on the video, and spread it around.

The more people we can get involved in this, the more exposure we can get for Hackers for Charity and hopefully we can translate a lot of that into income for them.  God knows they could use it.  It won’t take much time or effort, you’ve tweeted about far more frivolous things.  Help me get the word out.

More Info On Project For Awesome:
2010 Project For Awesome
2009 Project For Awesome
2008 Project For Awesome
2007 Project For Awesome

Our first reaction was to fight ignorance with reason.  A folly in itself, yet for some reason, always the first course of human action.  Many of us made blog entries, forum posts, podcasts, sent emails, made phone calls, all in the effort to right the wrongs and fight back the falsehoods perpetrated by Mr. Evans and his associates.  Obviously, this was useless.  So we moved on to the second course of action; get the words directly from the no talent assclown’s mouth.  This lead to nothing more than refusals, denials, and what amounts to a death threat to one of our own.  This is something we simply cannot tolerate.

A new favorite activity of mine is getting Mr. Evans removed from any speaking engagements I’m aware he’s scheduled for.  I either accomplish this through sending them my open letter, or by linking them to the extensive Attrition.org research.  I know I’m not the only one to take up this hobby, and I know we always welcome more.

Artist Management Conference 2010 – New York City.

This image shows the first part of the lineup of speakers for the Artist Management Conference 2010.  The conference is to be held one week from this writing, and as you can see from the highlighted section of this image, Mr. Gregory Evans is slated to speak.

…Or rather, he would be.  Had he not been removed from that list after the event organizers recieved several concerned emails from those in the infosec community pointing out Ligatt’s various flaws.  Most commonly linking them to the Attrition.org research.

This is what the lineup currently looks like.  Note that while Evangelia Livanos of 5B Artist Management and Gregory Whiteside of Fanteraction are still listed as speakers, the man who previously occupied the space between them has been removed.  Mr. Gregory Evans will not speak at AmCon2010, and it’s likely he will not speak at any future AmCons.

All is as it should be at AmCon2010, and an undoubtedly more qualified speaker has taken the place of this charlatan.

International Conference on Information Assurance – Atlanta

The image you see to your left is the speaker profile for Gregory Evans on the plenary speakers page for the Sixth International Conference on Information Assurance and Security; more commonly referred to as IAS 2010.  This conference is held in Atlanta, Georgia.  Right in Ligatt’s backyard.  This event was the first to receive my Open Letter to Event Organizers, and indeed, the reason it was written.

After a long email correspondence between the event organizer, myself, and another member of the infosec community who shall remain nameless, Mr. Evans’ profile was pulled from the plenary speakers page while it was placed under review by the committee running the event.  It never returned.

HTCIA Training Conference - Atlanta

The third event Mr. Evans was removed from is the 2010 High Technology Crime Investigation Association International Training Conference and Expo.  Now, in my opinion, this talk should never have been allowed through in the first place.  Greg Evans’ talk was seriously titled “Why Cybercrime Pays from an Ex-Computer Hacker’s Perspective.”  Fucking really?  Why.  Crime.  Pays.  At what point did this seem like a good idea for a talk?

My guess is that the council was on the fence about the talk from the beginning though because with minimal prodding from the InfoSec community, the blog post shown here was made.  And as promised, Greg’s name no longer appears as a speaker.

Gwinnett County Chamber Technology Forum – Atlanta

What you see to the left is the website of the Gwinnett Chamber Technology Forum notice for Greg Evans’ talk entitled “How Hackers Do It, Know How and Secure More” [sic].  If you can get past the ludicrous title (I know, took me a while too), pay special attention to the time, date, and location of this talk.  He was slated to speak at 7:30am on July 20th at the Busbee Center.

You can see some of the bullet points of the talk here, and I’ve cut out the rest for your sanity’s sake.  How does this guy not get tired of pretending to be an expert while peddling the very basics of information security?  Even I get tired of telling people their passwords aren’t strong enough and I’m not even a CEH! (yet.)  Do you want to know more than Greg Evans about hacking?  Take an hour out of your day, hit Google, type “Information Security Tips -Ligatt” and read.

If you look to your right, you’ll see Mr. Evans’ replacement, Ms. Melanie Brandt.  She will be giving a much more useful speech on the state of the technology industry.  Broad spectrum and generic?  Probably.  Complete and utter bs?  Probably not.  The citizens of Atlanta dodged a bullet there.

Thanks to the efforts of the Infosec community, there was not a sudden drop in IQ on July 20th, at 7:30am.

Ladies and gentlemen, this is a wonderful start.  We see a speaking engagement, we take it down.  But we can do better.  Much better.  Since this campaign began, Mr. Evans has been on cable news multiple times, and even allowed to speak to a group of our nation’s children! (+1 convicted felons in schools)

My friends, we can do better than this.  If anyone, anywhere, even hears the slightest rumor that Greg Evans will be speaking, please forward them the Errata research or my open letter and get him removed!  If you’re not comfortable doing so, please, let me know, and I’ll be more than happy to send along the info in your stead.  We can do this.  Let’s show this man once and for all not to meddle in the affairs of hackers.  For we are subtle.  And we are quick to temper.