
Taking The Red Pill: Thoughts On A Week of Professional Hacking Training

This week I really got to see just how deep the rabbit hole goes. Five long days sitting in a lab in Orlando with 20 professional hackers has opened my eyes to just how insecure the systems and connections we trust every day really are. The experience was nothing short of mind-bending. Passwords were pulled from the air at the touch of a button, CNN’s home page was defaced in front of my eyes, and tens of thousands of dollars could have easily gone “missing” from e-commerce websites at checkout - and these guys were loving every minute of it. The bigger and more complex the hack, the greater the bragging rights, and the capture-the-flag competitions in our little “closed loop” lab got pretty intense. I say this with a smile - I’m just as paranoid now as I am stricken with awe and admiration of people who have mastered this particular brand of technical hocus pocus.

Before last week, I was pretty green when it comes to black hat hacking - I’m grateful for having the opportunity to learn so much and meet the great group of guys that took part in the pilot training program. It’s funny, I hear horror stories from my clients all the time, but I’ve never really seen the true extent of what is possible by looking over the shoulder of someone waving the magic wand. This week was awesome because I actually got to get my hands dirty and try things in a closed network that I couldn’t even attempt in my own time without breaking the law. For that reason alone, this week was invaluable - it gave us all a chance to trade our white hats for black ones, if only for a few afternoons, and get to “know our enemy” on a much more intimate level. For those of you wondering, here’s a high level overview of what 50 hours of “Ethical Hacking” training covers:

  • Abusing DNS
  • Abusing SNMP
  • Passive intelligence gathering (techniques for gathering info remotely, what types of info bad guys go after and how multi-pronged attacks are planned)
  • Hacking TCP/IP
  • Stealthy Network Recon Techniques
  • Breaking Windows and Unix Passwords (terrifyingly easy, btw)
  • Learning exploitation (using zero days, reverse engineering and gathering info on known exploits from the net)
  • Exploiting Windows OS, Apps and Linux (ever seen someone hack into a machine by writing and executing code directly into Windows Media Player? Jaw dropping stuff)
  • Deep Target Penetration (how to go after info on the CEO’s laptop from outside the firewall, for example)
  • Offensive Sniffing (you’d be shocked at how many passwords you can get with free tools just sitting in a hotel lobby)
  • Covert Channels (think a firewall can stop everything? Wrong.)
  • Covering Your Tracks (manipulating logs, using steganography to hide information in plain sight, matching traffic types and patterns, exploiting how intrusion detection systems work)
  • Wireless insecurity (this module made me never want to connect to the net in public places again, but also taught me how to get free wireless at just about any Starbucks or public hotspot - very cool)
  • Attacking Routers
  • Hacking Web Apps (defacing web pages, e-shoplifting and SQL injection to exploit interfaces with web databases etc. - coolest thing was that we saw the instructor change the price and quantity of an expensive set of items in his shopping cart on a real e-commerce website using just a free Firefox extension.)

All of this is pretty scary stuff, really.

Overall, my memories of this week will be bittersweet. The good is that the experiences I had will significantly change the way I approach my work from now on, and will definitely improve the way I engage my clients. The bad is that… I can’t go back to not knowing what’s out there. I worry that the geek in me won’t get the same kind of “job-well-done” rush that I used to get when I’d finish a security assessment or an IT audit. A week ago, I thought we were really designing good full-body armor, but now it feels like I’m handing my clients some cheap fencing gear, patting them on the back and reassuring them that they should feel confident about going into battle. My heart sinks a little, you know? I know now that we just don’t have the budgets, the equipment or permission to be able to do what’s truly necessary to protect a company’s systems from the really dangerous attackers. That all may change as our industry evolves, but for now, the cold hard truth is that even an IT security expert with an unlimited budget, no restrictions and infinite time couldn’t get your risk to zero. It’s a scary world out there and my eyes are wide open. The only question now is, if Google can be your worst enemy, and novice hackers can download powerful tools for free, and attack an organization from virtual, anonymous “clouds” from anywhere in the world without much fear of getting caught, how do you really circle the wagons effectively? Or more importantly, how do you stop paranoia getting the best of you? ;-)

Feasting With A Foodie

We all eat, but some of us enjoy it more than others. Sometimes a lot more. Eating with someone who truly appreciates not only food, but everything that goes into the experience of eating, can be a total joy.

Last night I went out to dinner with a “foodie” friend of mine, Kevin, a staff writer for LAist.com whose up-and-coming blog 50meals.com is a must read for food-lovers living in, or around, Los Angeles. I admit that I go out to eat sushi a lot when I’m on projects in L.A., but I had never been to Little Tokyo, so when Kevin, a seasoned pro, excitedly suggested Sushi Gen I was in. From beginning to end, the night was full of lively conversation about food, life and all the small things that make the whole experience of meals so great. What I love about Kevin is that his energy and appreciation of all the meal’s details is infectious. He doesn’t just talk about food being “good” - textures, aromas, colors and flavors all get an uncommon level of attention in the across-the-table banter. And, of course, sometimes no words are necessary - you can see it written all over his face when he takes a bite of something he’s really satisfied with. He totally lights up. (Kevin - how good was that melt-in-your-mouth toro, or that black cod!?). All in all, the night reminded me of just how important it is to be around people who appreciate the small, simple things that make an experience joyful. Thanks to Kevin for such a memorable night in L.A.!

Rubbing Elbows With The Alpha Geeks

I just spent a fantastic 4 days at ETech08 in San Diego. A special and heartfelt thank you goes out to Fraser and Alex at AdaptiveBlue, not only for their generosity and kindness in helping me get into the conference, but for the stellar sushi and conversation on Monday night. What an absolutely brilliant time.

The conference closed with a mind-bending keynote address from Tim Ferriss, author of the 4 Hour Work Week - a totally appropriate choice by the O’Reilly staff, I thought. It’s a tough order to be tasked with wrapping up a 4 day event like ETech, with speeches given by over 100 thought leaders, but I thought he did a bang-up job. Truth be told, just listening to him speak was humbling… I don’t think there’s a more perfect way to describe it. At most of the keynotes this week, you’d see a virtual sea of laptops open, attendees blogging and chatting away. People sitting all around me were really paying attention to this guy. He just exuded genius (perhaps with a slight tendency towards OCD, which was self-admitted in his keynote). I was even inspired to re-visit his book now that I’ve seen him speak in person and I’m sure it’s going to add a lot of color to the way I experience it for the second time.

On the whole, five sessions really had a profound impact on me. Here are the links to the sessions on the O’Reilly site in order of “wow” factor. The actual videos should be posted with the presentations in the coming days - definitely worth checking out.

Futuretainment: The Asian Media Revolution - I had the pleasure of having lunch with Michael Walsh, whose book (same name as the title of the session) is coming out in the coming months. The presentation was chock full of mind grenade-type insights about how Asian tech culture is shaping the future of device design and how online behaviors are closely linked to the values and rules of ingrained cultures and societies.

Designing Magnets: Connecting with Audiences in the Wired Age - Elan Lee (Fourth Wall Studios) shared a lot of personal experiences about what it was like bringing online fantasy to life for off-line communities, and how real-world interactivity can be built into online content.

The Case for Africa as a Mobile Development Hothouse - Made me want to pick up every single book I could about mobile web development. It’ll knock your socks off to actually see the statistics of the populations worldwide that are accessing the internet via mobile devices as their primary connection because of the digital divide.

Halo vs. Facebook: Emotion and the Fun of Games - Nicole Lazzaro, founder and president of XEODesign, Inc., is an award-winning interface designer and an authority on emotion and the player experience. Her passion for this stuff is infectious. I encourage anyone who designs interfaces to head over to the ETech site and download her presentation, which has got tons of intuitive grids and charts explaining the principles she uses when designing for the greats.

Computing for Socio-economic Development - It’s not often you get to hear one of the heads of the Microsoft Research Team (Kentaro Toyama) wax intellectual about their personal experiences developing rural areas of India. Good stuff.

So all that said…Now I’ve got to figure out what to do with all the tech fodder I collected - like the seizure-inducing light up Google Pins and Yoyos sitting on the desk in my living room. What a week. Thanks Alex and Fraser!

:)

What It Takes To Be A Starbucks Die-Hard

(Image: http://img.slate.com/media/71/041005_starbucks.jpg)

I’m a Starbucks fan, but I’m not a die hard. And that’s a subtle, but critical distinction. I realized this morning that I’ll never reach die hard status. Not many people do. It’s reserved for the truly elite - the ones that require a completely different level of all-hands-on-deck customer service that is a joy to watch from the sidelines.

Every Starbucks regular, at one point or another in their quest for 15 minutes of caffeinated heaven, has had the pleasure of witnessing a die-hard order their favorite, ultra-customized coffee cocktail and perhaps broken out in laughter. This morning’s die-hard prize for most obnoxiously detailed order goes to the “Venti Half-Caf Non-Fat Vanilla Latte Extra Hot With Two Pumps of Caramel…no water.”  The entire line heard it and tuned into what was going on because the woman holding the pocket poodle had to repeat it 3 times. The poor girl taking the order had a mini meltdown, and then tried to recover by staring blankly at the cash register buttons in an attempt to try and parse all the information. It was total system overload. I had the biggest smile on my face - it was one of those moments that Julie and I would have appreciated together in gleeful silence. Until you get to the point where you’re ordering drinks that require 2 or 3 Starbucks employees to stop what they’re doing and make an assembly line, sorry, you’re just a regular.

Loving San Diego’s La Jolla Shores

I went surfing with the guys this morning before work for the first time this summer and it was perfection. 4 ft, perfect, consistent A-frame waves - 71 degree bathwater - cloudless sky. Being out in the water at La Jolla Shores and looking back on the green hills and the beach and being in the water with people laughing and hanging out before work reminded me of exactly why we moved out here — this is what southern California is all about. What a great way to start the day. I’m loving summer in San Diego.

Blind Eyes Looking Straight At Me

I had an amazing experience last night walking home from the train stop by my house. It was raining a bit and I was doing the flipped up collar, elbows tucked in, hands in pockets at 1.5X speed walk. In the rain I passed a blind woman who seemed a little bit distressed. She had veered off the sidewalk a bit and was thrashing her cane on the garbage cans in an alley. As I passed her, I remember thinking “getting around a city without the ability to see is hard enough, I can imagine that doing it in the rain makes it 10 times harder”. And that genuinely bothered me. What if she’s lost her way just enough that she is completely disoriented? How is she going to get home? Suddenly, I felt empathy and I panicked for myself in that position for a moment, and then I realized how callous I was being by trying to remain an unnoticed observer. I spent the next 10-20 seconds being acutely aware of just how much I could see.

When I got to the end of the block, I turned around. I was about 30 yards ahead of her. Her head was down, and she was using her cane to feel her surroundings and fish herself out of the alley. Without really considering the best thing to say, I yelled “Follow the sound of my voice and you’ll walk straight down the sidewalk to the end of the block!!!”

In one rapid motion, her body turned, her head snapped up and, with closed blind eyes, she looked directly at me. The feeling and the rush I got from it was unforgettable.

And then she was on her way. No thank you or explanation necessary.

Cool.

(From A Previous Blog Post on 15th-Apr-2006 08:57 am)