All we are is dust in the wind

This morning was a gut punch of reality. It took a bit for me to work through all the thoughts I had. I’m starting to realize I use my work as an escape to not deal with “real life”.

It started out as a normal early Tuesday, a lot of meetings scheduled, lots of emails to return, a puggle wanting to be walked, and chatting with some coworkers across the world. What I didn’t expect while dashing back and forth between my computer & the kitchen making my breakfast was that one of my coworkers out of the UK would let me know that someone that I worked with but never met passed away last week. This man was always helpful, always wanted to do his part to make sure that I got what I needed. We would chat about how we needed to grab a pint someday when I made it to London. We collaborated on a lot of projects. He was jovial, intelligent, and although he was all about getting things done you could tell he would be the same guy who would go for a pint with you after work & yell at the sports game on TV. From what I gathered from my coworker he was near the same age as I am, but was fighting cancer…all the while working like nothing was wrong nearly to when he passed.

We are all living our lives on this floating space rock to the best of our ability, and we never know when our time is up. I’m getting to the age where I have family, friends, coworkers, former schoolmates, and neighbors that pass on from health reasons, accidents, etc. and we never are prepared for it to happen. We always think “I’ll catch up with them next time”, but there might not be a next time. I see posts on social media about friends mourning their loved ones’ untimely passing and I don’t know what to say to comfort them. So often our lives are so chaotic and fast-paced that we don’t take the time to visit, have a chat, spend time, ask them how they *really* are. Are they ok? We don’t know unless we ask. Be there for people & skip that appointment to do (whatever) to be able to say you don’t regret your last time with that person.

Rest In Peace Paul. I’m sorry I never got to meet you in person.

New year, new attempt at losing weight

So after the new year I’m (again) trying to lose a few (40) pounds. I’ve made a realization this time when I started counting calories. I’m using the Myfitnesspal app (yes I’ve changed my password), and after I started counting for a couple days, I noticed something. The reason that Weight Watchers, Lean Cuisine, and all the others try to stay under 300 calories per meal is that…they know. They know you’re going to snack.

Look at any of your “normal” meals, and realize that you probably eat 500-600 calories (easy) per meal. That’s probably outside of whatever you drink with it. Now add in a candy bar or a bag of chips during the day, a drink or two after work, a late night snack and bam…you’re nearing 3000 calories. No wonder almost all of us gain weight!

Today I had an average breakfast (no coffee w/ sweetener…just plain iced tea), a light lunch with ice water, a snack (candy bar), a Lean Cuisine dinner meal, with 1/2 a serving of veggie-based crackers & 2 beers when I was out with a friend.

2390 calories!

My goal is 2070, and with linking the Myfitnesspal app to my FitBit, it gave me an additional 371 calories based on steps that I could add and still be “under my limit”. So if you count the steps I took, I’m *51* calories under my limit. So basically I’d be maintaining weight at this point. So I get it. They figure if you only buy their products, you eat about 900 calories a day in meals, 2-3 snacks a day (2-300 extra calories) and add in a beer at the end of the day & you’d be at about the 1800-2000 calorie limit.

I’m going to either have to invest in a chef, or really start counting what calories I eat for meals & snacks. I refuse to get any larger so it’s either buckle down & count…or starve. I think counting is probably the best way forward. Maybe I’ll try the Mediterranean Diet. Pass the steamed broccoli & olive oil please.

New platform – now with more “s”

I moved my blog over to wordpress.com after I realized how ancient my server was getting. It was cost effective & ran quick as hell because it was an old Dell GX620 desktop with only 512MB of RAM using CentOS minimal, free WordPress, & Duo for 2FA. The issue was many things were outdated & unsupported on the current platform. Doing the updates that were available was getting to be a challenge to remember and I wanted to move over to a TLS connection which was going to require a lot more research on how to host it locally & get a cert.

So I figured this was an ok replacement for now. While it’s a bit more in cost for the hosting & such, it’s not terrible compared to the electricity being lost as heat that was being generated by the super old desktop. Hopefully I’ll update this more often now too.

New house, new security system

I recently moved to a new house (August) and decided that I was going to have a security system to replace the antiquated ADT system the previous owners had installed. I started looking around & decided that there were 3 that provided what I was looking for in a system. Nest, Ring, and Simplisafe. There were a couple others I looked at but I was looking for things like a glass-break sensor, doorbell camera, or a panic button that they didn’t offer.

That led me to look into the 3 options I mentioned previously. I’ll start with the drawbacks for all three, then the benefits for all three & why I settled on what I did and the issues I ended up having with it.

The Nest is well known and I already had the thermostat & the smoke detector so adding the other parts would have been an easy choice but their parts are almost universally more expensive than the other two. Also their subscription package was the highest cost year by year. The Ring system seemed to be a bit cheaper on price but they don’t offer the option of a key fob to let you into the house without having to run to the keypad. Neither of these two offered a glass-break sensor or a panic button. Simplisafe was the cheaper cost for hardware but it currently doesn’t have an outdoor camera (they are working on it) and their subscription is nearly as expensive as Nest. They were higher on price for the extra siren if you wanted to go with that but Nest doesn’t offer one. Nest does also charge each year if you want cellular back-up and its motion sensor is in the door sensor which could be a benefit for some, but read about my issue below & it’ll explain why it wasn’t great for me.

Each did have a number of benefits if I was to choose them. All 3 offered a doorbell and indoor cam, monitoring, and door/window sensors. Simplisafe’s price on most items was the biggest benefit and covered the most check boxes I was looking for in the hardware area. Ring was the cheapest overall for the monitoring & what parts I could get total and it allowed a battery powered camera which means no drilling into brick to put the camera up. Nest would have integrated with the items I already had and also had the outdoor camera I want.

I ended up going with the Simplisafe system based on a few friends who have it & say they have no issues and it was easy set up and that it was hassle free. I haven’t had a perfect install or hassle-free yet and I still want to be able to have the outdoor camera so I hope they release that soon. My issues are not only with the installation but also with the fact that their marketing department took an idea and ran with it without fact checking anything.

  • The sensors are very easy to set up using a “command-strip” style double-sided tape but the sticky part does not stick very well, even after you clean & dry the surface you want to stick them to beforehand. I replaced a number of them with 3M Command strips.
  • The motion sensors are supposed to be “pet friendly” and are even identified on the site with the text of “We precision-engineered our motion sensors to detect the unique heat signature of humans. Not pets.” This is not true & apparent marketing B.S. After a few emails to them asking why my motion sensor was tripped by my two less-than-35-pound puggles (resulting in a call from the monitoring company less than 5 mins from when I left home), it turns out they recommend that if you have pets larger than 30 lbs, or that they may get close to the sensor (it’s heat-based IR), that you put the sensor up upside down at around 4′ off the ground. This way it will catch someone walking through but not the dogs. I decided to put both motion sensors in the basement & order some new window sensors for the areas that the dog would be.
  • The doorbell installation was pretty easy but as soon as I connected the doorbell to my system, the mechanical chime started ringing constantly and causing the dogs to go crazy. Another call from tech support and they shipped out a “chime connector” which appears to be some sort of resistor that you put inline to the power going to your chime. This stopped the constant ringing and allowed me to finish the set up for this item.
  • The WiFi for both of the cameras is a little flaky and can result in a “not found” message for them when they try to record or you try to view them live. I will be contacting the support team about this in the future.
  • The indoor camera is set to record any time the system is armed or disarmed so that’s a little odd. I am unable to find a setting that would allow me to turn it off anywhere in the app or the site.
  • I am unable to find anywhere to set a profile other than Off/Home/Away. I would like the option of adding a profile where I could be home, open the doors upstairs, etc. but if someone were to come in the basement, the motion detectors would trip.

All in all I’m satisfied with my purchase and so far with the settings. I have set it and used it for a couple weeks and it doesn’t make me feel like I live in a prison but it does allow for a small bit of comfort against break-ins even if I do live in a lower crime area.

What are your thoughts? Did you have other things I should have considered?

Too much work, not enough play/learning

I’ve taken over a lot of responsibility at work over the last 6 or so months and it’s caused me to lose a lot of time for learning new things. I’m still learning things related to work, about our tool set and such, but nothing “fun” per se. I went to DEF CON and Bsides LV a few weeks ago and saw a bunch of cool things but lately I haven’t had time to put towards anything quirky or fun. Have others felt this way at some point in their career?

A guy from the US learning Gaeilge

I decided to do an entry on my desire to learn the Irish Language or Gaeilge.

A lot of my friends have wondered why I would want to learn a “dead” language. It turns out that “At least one in three people (~1.8 million) on the island of Ireland can understand Irish to some extent. Estimates of fully native speakers range from 40,000 up to 80,000 people.” [1]

One of the biggest challenges for me personally was that growing up learning English, I can’t understand the pronunciation of a lot of the words right off the bat. I look at the words “Dia duit” and I don’t get “gee-uh gwitch” out of it at all. I also didn’t want to start mispronouncing anything if I tried to speak with someone when I was in Ireland and look like a “Plastic Paddy”. I have to go back 5 generations on my mother’s side before I have any Irish heritage so I’m not going to be visiting relatives over there or anything. Speaking to someone in their language and screwing it up wasn’t something I wanted to portray as a US citizen either.

One of the things I was curious about being in tech was an easy way to start to learn how to “type Irish” so I could take notes in class. I spoke with one of my instructors and found out that using an iPad with Swype installed & the Gaeilge keyboard chosen allows you to slide a stylus across the keyboard & it will try to predict what Irish word you are trying to spell including the fadas.

The great part about taking notes this way is that holding the spacebar down with the stylus will allow you to quickly switch between English & Gaelic. This way you can Swype out “Dia duit – ‘gee-uh gwitch’ – means: God to you” on your tablet even if you’re in the same spot as me & can’t read your own handwriting.

I also found some information on DuoLingo.com about typing Irish letters including the fada on a USA QWERTY-layout keyboard. It can be found here: https://www.duolingo.com/comment/4278237

One good thing about living with all this technology is the ability to put the CDs from our Irish book into iTunes so I can listen to someone pronouncing the words over and over without having to annoy someone asking them to repeat something dozens of times. It’s allowed me to learn to say “Tá sé go deas bualadh leat” (Tah shay go jas boo lee at) and a few other ones that have proven difficult for me as I start out.

While this isn’t the easiest thing I’ve done and it definitely puts me out of my comfort zone, it’s something I’d really like to continue. So if anyone out there wants to learn with me let me know!

-Slán go fóill

 

[1] – https://en.wikipedia.org/wiki/Status_of_the_Irish_language

Conferences & single people

I won’t write much about this (because more than likely no one cares about my opinion on it) but there was a blog post concerning dating this weekend & how security conferences are not match.com. I agree with the statement about how women are treated poorly when some men get drunk. Some men think they are more suave than they are after a bit of alcohol. If I have ever done this, I apologize to anyone I’ve offended and I hope someone points it out to me someday. What I disagree with though, is that conferences cannot be places that you meet someone you’re interested in. If you’re in the same field, it gives you something to chat about. I saw a number of couples walking around the conference hand-in-hand who seemed quite happy. I completely agree that women should feel safe & accepted in our industry. On the other hand, to draw a hard line of basically “don’t date someone you meet at a conference” is, to me, a bit much.

I am pretty awkward when it comes to women. That’s not a revelation to my friends, or uncommon with many men I know in general. Personally I have mostly stayed away from asking anyone in the industry out just on the premise that if it didn’t work out, it could be even more awkward. So to keep myself and my female friends comfortable, my stance is that if a lady is interested in me, she’s going to have to come right out & tell me. I don’t want there to be any miscommunication, so rather than cause an awkward conversation, I’ll stay friends with her & not say anything.

Just my $0.02. YMMV.

Vegas interrupted

I made a trip to Las Vegas last week for “Hacker Summer Camp” to see people, present on a panel, and learn what I could from others presenting. There were the 3 usual conferences out there this year with Bsides Las Vegas & BlackHat starting off the week & DEF CON running through the weekend. I was only attending Bsides & DEF CON but issues arose and I was only able to attend Bsides.

At Bsides I was scheduled to present on a panel in the Underground track with my friends @jack_daniel, @mckeay, and @joshcorman and two new people I hadn’t met yet @p0lr_ and @thesuggmeister about stress and burnout. We chose to present in the underground track which doesn’t allow recording or digital devices because we wanted to have a candid discussion where no one was afraid to speak their mind about their job, personal life, etc. The talk went well and there were a lot of people who I feel connected with the topic. One person mentioned that they feel that it should have been recorded so people could take advantage of our experiences and we explained the reason for the decision. All in all I think it was a great talk but we definitely could have used more time than the hour.

I was able to get checked into DEF CON, get my ridiculously huge badge (a 45 RPM vinyl record) and visit the venue but being it was Thursday and there were only two tracks open, trying to get into one was really difficult with the amount of people there. I was able to connect with a few friends and coworkers during the day and catch a bit of the “Mission SE Impossible” at the SE village. All in all the larger venue should be a great thing but walking through the smokey casino at Bally’s from the Paris for a non-smoker is going to be a bit of a pain in the future. I wasn’t able to stay after Thursday though because around 5:30am Vegas time Friday morning I got a text that my sister was back in the ICU because of her cancer. I quickly changed my flight & hopped a cab to the airport. Leaving early wasn’t my plan but being by my sister’s side was definitely the right choice. I heard from some friends that they had a great time and my good friend & coworker @J_Fox was the winner of the SECTF and a DEF CON Black Badge!

Not sure if I’ll be making the trip next year but it allows me to see so many friends and network with so many people, so it’s always a possibility. I didn’t get to see nearly enough of the people I had on my list this year so we’ll see if I can catch them somewhere else during the year. Next up on the list is Source Conference Dublin! Anyone making that trip?

Chicago Conferences 2015

So another Chicago security conference season is in the books including @Thotcon & @BsidesChicago. This is the second year that I’ve attended from afar since I moved to the Detroit Metro area. This has presented its own challenges from places to stay, getting to the venues and trying to see all my friends from that area.

The weekend started with dinner with my friend @4n6woman on Wednesday night and rooming with another friend and their coworker. Thursday morning brought us Thotcon 0x6 and my 5th trip to this conference. Thotcon 0x2 was my first security conference so I have a soft spot in my heart for this one. The email from the organizers promised some updates and a number of new things in store for this year. I had a VIP badge so I was excited to see how they have changed things. The venue was the same one that they had for the last few years but a new configuration gave them a little more room, more areas, & less bleed-over from the hallway-con that has been an issue in the past. It is still in the middle of BFE for those of us that don’t live on the CTA lines though. While the conference itself seemed better from a layout perspective, this part still irks me. I’ve spoken with the conference organizers about this and the big issue I’ve been told is cost & the ability to get a good venue near the city for less money brought them back.

I spent a lot of day one talking to friends and catching up but I did see the talk by a very smart lady I know @wbm312 who did yet another great talk this year called “Hacking the CFAA”. Great content and I wish I had a few hours to sit and talk to her about all the legal ramifications around the security work that we do on a daily basis. Day two brought a number of talks that I wanted to catch by friends and a few I didn’t know. One of the #BurbSec IRC crew (admford) did a talk on “How to Influence Elections on a Budget”, my friend @jack_daniel let us know “What we know & what we need to know”, another friend @claudijd spoke about sketchy “Trojaned Gems” in Ruby, and the #AwkwardHug master @jaysonstreet talked about “BREAKING in BAD!” where he is the one who doesn’t knock. I had to head back to NW Indiana that night so I didn’t get to see the after party but I had a few drinks with some friends on that side of the state line so it was all good.

Moving on to Bsides Chicago on Saturday brought a new venue, new speakers, and a new list of talks to learn from. The venue was different this year and outside of the ultra-loud A/C it was a pretty good set up. If you were paying attention, the venue speakers could overcome the A/C for the talks. The keynote from @gdead was the first time I’ve heard him speak. Great talk & a lot of good points made including “I don’t care if you disagree, but let’s have a constructive conversation about it”. Later @harmj0y and @sixdub talked about abusing trust relationships in Active Directory, and the main reason for my attendance, @runasand talked about the Tor tools and their uses. These were the talks that stuck out to me & I feel gave some really great information on what is going on and thoughts about what to do about it when you go back to work Monday morning.

Overall the weekend was great. I had some new beers from a brewery across from the Thotcon venue, I was able to see a bunch of people I haven’t seen in a while, connect with some new friends, and just relax a bit from the stress of our daily lives as security professionals. What did you feel was the greatest thing about the weekend? Leave a comment or hit me up on twitter.

-Scott

Is this thing on?

Wow it’s been a while, huh?

I guess I should write more. For now, let’s start with the easy stuff. I am hitting a few conferences this year and I hope to see you all during at least one of them. Here’s the list:

I’d love to hang out with anyone reading this so hit me up on Twitter & let’s make plans. If you want to split a room at one of them, that’s negotiable depending on how well I know you. I’m all about saving some money. If you just want to toast a drink I’m cool with that too. You never have too many friends.