Be Kind to the N00bz: Effective Knowledge and Resource Sharing
10:56PM Jul 29, 2020
Welcome back to HOPE 2020. We're ready for our next session with Charlie and Michael doing "Be Kind to the Noobs: Effective Knowledge and Resource Sharing." So hi guys, nice to see you. We're going to go right into the video and we'll be right back for questions and answers. The presenters will be live with you on Matrix and will be interacting with you, so hop on to the Matrix channel and watch the video right now. Thanks.
You're watching Data at Rest, an information security podcast brought to you by the University of North Carolina at Chapel Hill's Information Security Office. I'm Charlie Nearshore, and with my co-host Michael Williams we aim to bring you accessible and informative information security discussions. Today we are recording for HOPE, Hackers On Planet Earth, the 13th iteration of the conference from 2600, and I am really excited to be doing this talk.
Hi, I'm Michael Williams. Um, should we start by introducing ourselves? Let's start with the title of the talk, probably. That's probably a good idea. The title of the talk is "Be Kind to the Noobs," which is a really important thing, because we were both originally noobs at one point.
Everybody's a noob at some point, like
everybody's a noob about something at any given moment. That's what
I was gonna say, like I'm a total noob at making pasta. I've never made pasta. I'd like to, eventually I'll do it, but I'll have to figure it out. The same thing goes with hacking and information security. That's a really weird correlation that's probably not going to translate.
Well, it's not that weird of a correlation though, because they both show intellectual curiosity about learning how to do something that seems kind of complex and that you could get somebody else to do for you easily, but you love the topic and you want to learn how to do it yourself.
So let's introduce ourselves, you go first.
Sure. I spent most of the 1990s working for what used to be called SunSITE, now it's called ibiblio. It was a component of UNC Chapel Hill. And then after that I also worked for the company that was Netscape Press; we published books about Netscape, which worked out really well for a very brief window of time. And then I worked in corporate telecom for about 10 years for various companies that you've heard of but you don't particularly admire. And then I left the corporate telecom world and came back to UNC Chapel Hill, where I had done my undergraduate degree, to become a member of the Information Security Office. That was 2009, and now I am the network security team lead for UNC Chapel Hill.
Let's keep it interesting, I'll go the opposite direction. Go for it. So I am currently the operations and incident handling team lead for the University of North Carolina at Chapel Hill's Information Security Office. I have been at UNC since 2016. Before that I was a jack-of-all-trades IT guy at a small nonprofit in Chapel Hill, North Carolina. They handle a lot of HIPAA data, so I cut my teeth security-wise there by having to make sure that certain controls were in place. Before that, from a technology standpoint, I worked in the dot-com boom and was a casualty of the bubble burst. I was making ColdFusion-based sites, and one day the job just wasn't there anymore.
So who knew?
Certainly not the venture capitalists that were putting money into it.
Before that, so now we're back into the 90s, I was just a bona fide knucklehead just trying to break things and make computers do stuff they're not supposed to do, or maybe that they can do that you don't want them to do. So my 90s experience was more being a script kiddie.
Nice. If it makes you feel any better, I have had more than one job that all of a sudden one day just wasn't there anymore.
Right, it's not a good feeling.
No, definitely not.
So why are we doing this talk? Let's delve. We talked about that a little bit with the bad pasta analogy, but let's really dig into that.
Sure. Well, everybody has to be somewhere in their lifespan as a hacker or as an information security professional.
Yeah, so like you're either the future, like you're a noob, you're up and coming. You're the present, which is kind of where I place us, like we're mid-career, we're doing the work. Or you're the past, and you're the people that taught us. I sincerely believe that there's room for each role to bring value to the larger community of hackers and information security professionals and enthusiasts. You don't have to be a professional for this talk to be relevant. So the future needs to observe the present doing the work while learning the lessons from the past for perspective, right? Yeah, I feel like it's really important that you have all three in order to have context, and to have new ideas, and to have an understanding of why things were done the way they were done in any situation like this. So the future needs to observe the present doing the work while studying the past for perspective, right? And the people in the present need to not be dismissive of either the up-and-comers or the people that came before, because both bring value, like we talked about. And the people that came before, what they bring is perspective, because if we don't learn from the past we're doomed to repeat its mistakes, and we were all standing on the shoulders of giants, right? And we need that strong foundation, otherwise we'll just go out and make mistakes. Oh, you will make mistakes along the way anyway, but it can help prevent really bad ones.
Yeah, I mean, all of these technologies, anything that anybody is going to be working with in information security, is either brand new, and nobody really knows it except for people who have sufficient neuroplasticity that they have just picked it up like that, and those are probably the up-and-comers, and so they're worth listening to about that stuff; or they're technologies that have kind of been around for a while, in which case you want to talk to the people who came before, because you want to have their institutional knowledge, their hands-on understanding from having been there when this stuff was created, as to why it was created that way.
It's like COBOL. Why does COBOL every five years come up? Yeah.
Because so much is built on top
of it. When I was an undergrad at UNC they had stopped teaching COBOL. Then, very shortly, literally the year that I graduated, a whole bunch of COBOL programmers had to come out of retirement to try to fix the Y2K bug before Y2K happened.
Right. And then, but that one keeps coming up; it's like the gift that keeps on giving. Yeah. So, we want to focus on nurturing the future, because we were all there. Maybe you're watching this right now, or you're listening to this, and you're at the beginning of your journey and you're looking for resources. That's kind of what we're going to cover: we're going to cover some good free resources that are available to learn. If you are sort of midway through your career, we're going to talk about healthy perspectives, how to treat people and build meaningful relationships and connections. Normally on our podcast we do a history lesson where we'll talk about the background of a specific technology that we're covering. Today we're being a little more general, we're not covering a specific technology, so why don't we talk about our pasts as the history lesson.
That sounds great to me. You want to go first? Sure, I'm happy to. When I think about my own history and people who really contributed to that: people who encouraged me rather than discouraging me, people who recognized that I was curious but maybe didn't have a lot in the way of knowledge, and created opportunities for me to gain that knowledge through hands-on means, and continuous encouragement to keep trying if I messed something up. The first person I think of is Paul Jones. He just retired, as of this talk, from having been the creator and director and general intellectual guru of ibiblio. But he also was a professor in the School of Information and Library Science. He has done a ton of research in different things; he's also a recognized poet. He's a real polymath when it comes to having a lot of different things where he's a real genius, and all of these things involve creativity. He hates email, for which he was considered to be very forward-looking when the new dawn did it. And now he's kind of thinking maybe it's time for email to come back, I don't know, I don't.
I'm sorry to jump in your history lesson, Paul Jones conversation. The one conversation I've had with Paul Jones was him calling me back, because I needed to get ahold of him because there was an issue in his environment. And because I couldn't email him, I was like, well, I guess I'll just call him. So I call him, he didn't pick up, so I left a voicemail. He called me back and he was like, "Hello Charlie. I'm calling you back because you left me a voicemail, which is just one step above email and is also terrible." I, uh, yeah. Listen, I need to put this, I need to kick this device off the network.
It was quite possibly the most Paul Jones thing he could do. I'm gonna confess, the last time I had to work an issue related to a class that Paul is teaching, I communicated with him via Facebook Messenger.
Sometimes you just do what you got to do to get things done. But Paul was the manager of ibiblio when I was an undergraduate, and in that environment he was very encouraging. I didn't know a lot about networking, I didn't know anything about networking, but he let me work on a project called the Cisco Education Archives, which was entirely about gathering resources to show schools, at the time, like secondary and elementary schools, how to network their environments, in a time when people weren't doing that in most schools, and most schools did not have the skill set to be able to do that or to know what resources to purchase or anything. And so in the course of building the archive I got to learn a lot about that myself. He really encouraged that learning by doing. And then shortly after I got my first dedicated security gig, I ran into him on campus while I was visiting a friend, and he had heard that I had been hired to work in security. So he said, "Young Mr. Williams, managing firewalls. Well, I never thought I'd see you on that side of the security desk." I have laughed about that for 20 years at this point. That's just like the best thing that I've ever heard from an old boss.
I love the fact that people have Paul Jones stories.
Totally. One character. Yeah.
Another person that I would look to as somebody who really influenced me in terms of encouraging creativity and encouraging learning was an old manager of mine named Keith Ritchie. He hired me to be on the security team for a very small regional ISP, one of my very first jobs out of college. I didn't have a ton of security work; I had managed a couple of firewalls in a very minor way. But he really believed in giving people opportunities to pursue what it is that interested them. And so when I said, "I want to learn security but I don't know security," he hired me in a heartbeat. And it gave me an opportunity to learn a lot about technologies that I didn't even know existed prior to that position: managing IPS, working with other teams that interrelate with information security like sysadmins and the helpdesk and all kinds of folks, sales teams, support engineers, people that I had never really understood were a part of the company that we worked for. But I got to learn all these things by being there and doing them, and he was very patient at the same time that he was very encouraging, and I think that patience is a huge part of what makes people good role models. I agree with that. For me,
the people that I think really helped me out were a guy named Jeff Ryan, who was at the nonprofit. He hired me on as sort of a jack of all trades. He knew that I was working on my graduate degree in cybersecurity and that I wanted to go be a security professional, and he also knew that the opportunities were there within that organization to gain meaningful experience. It also meant that I would have to do desktop support, which, you know, it's tough, right, because you really want to focus on what your perceived area of expertise is, but that forced me to be more social, right, and pushed me out of my comfort zone, and I had to engage with end users and not necessarily socially engineer them to where I needed them to be to fix the problem. But sometimes we had to socially engineer them to where we needed them to be to fix the problem. So, you know, you find the silver lining there in whatever situation you're in. And then information security often involves more persuasive speaking than we think it will. Yes. And then, I think I might not have even been there a year, and this is like the CIO, and he basically says, "I'm going on vacation. You're the guy," because it was just me and interns, so like somebody had to be the guy, but he trusted me. And that really gave me faith in my ability to do the work. So much so that I applied to work at UNC, where another guy trusted me to do the work, and that was David Alexander, and he gave me a shot. On paper I was a generalist, right, with a few certifications to prove that I understood core concepts, but as far as demonstrated work history in a specifically security-related role, I hadn't had that, and David gave me a shot. And he said, "All right, we got this project, how's that sound?" I said, "Sounds great," worked that project, and throughout the course of that project got to demonstrate other skills. So those are two people that understood what opportunity looks like and gave me a shot.
I think an important part of both of our stories is that there was someone who recognized that, generally speaking, people will often live up to the expectations set for them, and they were willing to create an opportunity for us to rise to the occasion.
I think that's a great way of putting it. So let's jump into, because, you know, we are on a timeline. This isn't like our normal podcast where we can,
because we will blather. I enjoy blathering.
Yeah. I'm a fan of it.
Let's jump right into what people should do, looking for resources to learn, looking for opportunities. For me, I would recommend everyone jump right into the command line, whether it's Linux, PowerShell, whatever. Get comfortable making mistakes and entering commands, even if you're just doing the most boring, benign stuff; get used to that type of interface. One day you'll find you're just not making as many mistakes, and you're gonna have a handle on manipulating your machine or your software in a way that the GUI just doesn't always allow.
Even if you're completely new to it, something that other people might consider simple, and many people might consider scary, like downloading and installing Linux: just take some notes through each step of the process. You don't have to get it right, you can always reimage the machine later. But, you know, messing it up is an opportunity to learn, and being prompted for different options as you do the installation is another opportunity to learn. You can look up the documentation on, well, why would I want to encrypt this file system, things like that.
Grab a VM and make a little stack, build a little web server, and then blow it away when you're done, and you know what, you just learned how to do that.
Yep. Another really important component of learning is finding people who support you. Find a support crew. They don't have to be people that you're friends with or colleagues with in real life or offline. They can be people that you simply observe discussing this stuff. You can find a useful forum, a good subreddit, whatever sort of environment where you can find productive educational conversation that allows you some sort of avenue into at least just learning what the jargon is.
Don't count on it, but don't underestimate the potential for kindly internet strangers to help you learn. I was a member of a forum for a little while, while I was preparing for the GPEN certification, and a guy named Kurt, who I've never met in real life (I added him on LinkedIn afterwards), gave me a free practice test, and like the official sanctioned key to do the test, and that's an incredibly valuable resource. And so thanks, Kurt, I got the cert. You know, he knows that. Sure. I messaged him. But like, when you find a community and you contribute in a meaningful way, or just listen and provide quiet encouragement, like you don't have to be the loudest voice in the room, someone will notice you, and when you need assistance, potentially be there for you.
I think it's also kind of heartwarming that you just told the only existing story of real human connection via LinkedIn.
The forum wasn't on LinkedIn. We didn't meet on LinkedIn.
No, but people who knew each other for some purpose other than one trying to recruit the other for a job
or selling them something. Yes.
That might be edited out, I don't know.
Something that I really think is important, and this goes back to what I was talking about doing desktop support, like in person: get comfortable talking to different people, like types of people that you would never talk to in your personal life, not because they're bad, just because they're different than your social circle, right. Get comfortable engaging with the people around you. Think of it as a roleplay, learn to communicate; you might even make friends along the way with people that you otherwise might not have.
I think that in many ways we're an example of that, in that we're people who never would have met if it weren't for work, and then we clicked immediately. I think a really important note is: get comfortable talking to different types of people, even if you're antisocial in your personal life. Yeah. This is especially true if you want to do information security for a living. Like I said earlier, a lot of your interactions are ultimately going to boil down to persuasive speaking in some form or fashion, and you have to make a conscious decision about how you're going to present yourself in order to get what you want. A lot of times, being a professional is a form of social engineering, and that sounds like it's spin but it's really not. The number of times in my career when I had to say, okay, there is a version of me that I have to perform in order to get what I want, is longer than I could ever possibly remember. I feel like an important corollary to that is, go out of your way to network with people who are not like you, and are not like the majority of people in your environment. You've got to seek perspectives and experiences other than your own to increase the range of viewpoints from which you're going to draw your colleagues' perspectives and try to come up with solutions for whatever the project or goal is that you're working on,
like the echo chamber thing. You want to avoid the echo chamber.
Yeah, the tech industry is sometimes overwhelmingly a monoculture. But if you think of the technical tools that we use, we want as many different ways to solve a problem as we can get. You know, we don't just give up on a problem if it turns out the tools that we have available to us aren't good enough; we find new tools, we figure out new ways to approach a problem. And in many ways, the ways that we network and the social connections that we build professionally and personally as we pursue this stuff are the same: the more different types of people we get to know, the more different types of people that we work with and that we welcome into the environments where we work, the more perspectives and viewpoints we have available to us. There is this obvious problem of the tech industry kind of being not just a boys' club but like a white boys' club, and the ways that that creates opportunities for the tech industry to overlook things. Here I'm thinking specifically of 2009, when HP developed a people-tracking webcam that was incapable of seeing African American people. That was a development team that needed to be more diverse.
Yeah, so yeah, the punchline is don't allow your environment to become an echo chamber. Yes, diversity is not just a hashtag; it's something that brings real value into the world, and will bring value into your life, not only professionally but personally as well.
Yeah. And it's not just about reducing people who are not like yourself down to another widget that you can use to solve a problem. It's more about increasing our own internal ability to conceptualize the world and the perspectives of the people in it.
Talking about perspectives of the world, as a noob you need to identify exactly what it is you want to do, beyond being the elite mythical haxor, right. Yeah, like figure out what it is you like. I can't tell you how many students have approached us at UNC, me, like, "How do I be a hacker?" It's like,
let's talk. What do you like? Do you like investigative work? Do you enjoy trying to make things do what they're not supposed to do? Do you want to invent a new way of solving a problem that already has existing solutions, but you think you can do it better? Pick a place to start. And sometimes that's the biggest hurdle, right, to try things out. This is a job that can be a lot of fun. Information security is so broad in the opportunities that you have. You're not going to spend 30 years doing the same thing.
And if you do this for a living, the odds are very good that you're going to be called upon to work with people whose specialization winds up being something other than your own. And so you're always going to be presented with opportunities to learn a little bit about something that you don't normally do, and to share a little bit about something that you do often get called upon to do with people who don't often get called upon to do that,
which I think leads into the idea of, like, don't expect or even desire to be perfect. Like, make mistakes, recognize that you'll make mistakes, expect that you will have to continually learn to stay relevant, really.
Absolutely. A big point that I make with my team as team lead is the people who do stuff are also the people who break stuff. Mm hmm. That's just the way it is. We're occasionally going to mess something up, occasionally we're gonna knock something offline, take something down. Every member of my team has at some point killed some part of the network. That's just the way it is. The only thing to do is accept that that's going to happen, own it, be honest about it when it does happen. And that part is really important, in part because that is the only way anyone will ever believe you when you later say something is not your fault. When I make a mistake, I tell everybody that I made a mistake, so that the next time that I say it was not a mistake, they will believe me. You
only really need to be good enough.
Let me edit that.
I don't know, I feel like maybe we should just keep that, but go for it. Well, like, there's always gonna be someone better than you at something else, right. So, have fun, explore, learn new things, understand that, you know, you're never going to be the elite mythical haxor. Somewhere there is somebody that sees things in binary, they are living in the Matrix, and they still have things to learn. There are people out there who can program in machine language. The fact that there will always be somebody who knows more than I do, and the fact that there will always be somebody who's smarter than I am, doesn't mean that it's not worth my time and effort. It just means that there are things that I know that they don't, and things they know that I don't, and that's what makes both of us valuable. A lot of times I think people in our industry get caught up in seeing other people in our industry as the competition. Yeah, instead of as partners and teammates.
Yeah, a lot of that was kind of the warm and fuzzies, right, like we were talking about attitudes and we were talking about somewhat abstract things. Let's get into free resources that are available that people can leverage. Sure. I don't mean that to sound negative when I say it was the warm
and fuzzies, it just, yeah, no,
you have to have the right mindset before you can use the tools effectively.
I think one of the really important points to make around that, sort of in this gap between the human stuff and the technological stuff, is that a lot of times people are drawn to this industry, or drawn to hacking as a passion or a hobby, because they're interested in the technology, not in the people, and they need to know up front that it is going to involve a lot of working with people, perhaps more working with people than working with technology.
So we're going to blast through these resources relatively quick. If you go to go.unc.edu/2600, you can pull down a zip file that will have something really fun in there that we'll get to in a bit. But also, that sounded really sinister; it's nothing bad, it's actually a free tool that we want you to play with. But it will also have a document, like a text document or something, that has all these resources listed,
because this is the virtual swag that we would have given out in person.
Speaking of swag. So we have the virtual swag that we would have given out in person. We applied to this conference before it went all virtual; we have stuff that we are going to give out, we have stickers, we have little cups with our logo, we've got little one-inch buttons. Drop us a line at email@example.com if you want some of that stuff and we'll get it in the mail to you. So you've got virtual swag; I'll mail you a sticker. We would have done that anyway, just now we got to put it in the mail. Yeah, to the nuts and bolts: some full-size courses and guides. Linux fundamentals: we very early on said go work in the command line. Linux Fundamentals LiveLessons is more than 10 hours of video training by Pearson, so Pearson Advanced dot com slash courses slash Linux fundamentals. It's free, it'll help you build an understanding of working with Linux. Metasploit Unleashed, kind of getting into the fun stuff here, an in-depth Metasploit guide, totally free through offensive-security.com. You want to talk a little bit about some self-paced hands-on workshops, some of which are more well known and some of which are a little less? One of them is the Hackxor web app CTF. Hackxor is a realistic web application hacking game; it's designed to help players of all abilities develop their skills, and all the missions are based on real-world vulnerabilities. So playing this game actually does teach you things that you would use in production. Some big ones that are pretty well known: Hack The Box, the Damn Vulnerable Web App. This is where we get to the fun one. This is not a well-known one. This was developed in house by our interns in the UNC security office, Asana Sati, Zach Goodman, Lorenzo Marinelli, John Fishbach. These four guys wrote a web application that you can basically teach yourself SQL injection and a few other attacks with, and it comes with full documentation. So if you don't know anything about attacking a website, a database-driven site,
this will walk you through it. This is a learning tool, and you can get it at firstname.lastname@example.org slash 2600 with full documentation.
Okay, there's Hack.me. It's a free community-based project powered by eLearnSecurity, where you can build, host and share vulnerable web application code for educational and research purposes, just like the kind of stuff that we're giving you from our interns. It aims to be the largest collection of runnable vulnerable web application code samples, CMSs. The platform is available without restriction to any party interested in web application security, and it's at hack.me.
Hacker101 is another one. There's a lot of these resources and this
list isn't exhaustive, so you might know stuff that we don't; feel free to email us and tell us about it. When I was getting started, the only way to get your hands on any sort of virtual network or virtual lab environment to do hands-on learning of networking technologies was to buy very expensive educational materials, usually associated with getting a certification from a specific vendor. Now there's a ton of this kind of stuff out there, and a lot of it is free and open source, and it's really fascinating to me. So there's Educational Network Simulator. It's specifically designed for high school or secondary education students to learn basic network components, things like IP addressing, subnet masking. It's designed to teach real fundamentals, but it uses what are largely fake protocols, or sort of simplified protocols. It teaches you how networks work in the same way that a lawnmower engine teaches you how an engine works, but just because you took apart a lawnmower engine does not mean you should run across the street and take apart your neighbor's Corvette. Another one is Labtainers. It's from the Naval Postgraduate School Center for Cybersecurity and Cyber Operations, which is by far the fanciest name that we're going to have in this, and a bit of a mouthful. I was writing in my notes, it says hula, free and open source lab exercises, self-contained tools, has nearly 50 lab exercises built in, and all of them fully documented. It explicitly includes labs for network security exercises such as ARP spoofing, configuring a firewall, using Nmap to scan a host; you can exploit well-known TCP/IP vulnerabilities, you can experiment with SYN floods, you can experiment with SQL injection, all kinds of really useful hands-on stuff that you need to be able to understand if that's the sort of stuff you're going to defend against. cnet, not that CNET.
Yeah, I was like, wait, what? I'm looking at your notes. Ah,
yeah, so years ago the University of Western Australia created something called, yeah, the cnet network simulator.
Now I'm making fun of myself. I have no idea what you're talking about.
The University of Western Australia created something called the cnet network simulator. It runs on Linux and macOS; they don't have a Windows version, but they say that there are ways to get it running under Windows. It's designed to be used in their undergraduate networking courses, and it includes the ability to simulate wired networks but also, importantly, wireless networks, which is sort of unique. I've never used it but it looks really cool, and it looks like there's plenty there for people who really want to geek out and be able to dig in. Then there's Common Open Research Emulator, CORE. That one comes from the Navy. It lets you emulate networks, and if desired you can emulate them across multiple different physical machines, creating a really complex virtual network, and you can hook that virtual network into real networks and have them talk, which is even cooler. And it kind of sounds potentially dangerous. Yeah, which is sort of my favorite flavor of interesting. Yeah,
no, you could get yourself in trouble with that. I like that. Yeah.
And the last one that I want to talk about is it's called kathira cathode ray, I'm not sure exactly how to pronounce the name because our, there are some accents and some interesting places, but it's a version of NEC kit which is an another simulator it's built in Python to be extremely lightweight. It's designed specifically to be used by student populations that you experiment with networks and with network security. It includes both traditional physical networking protocols and also software defined networking features, which is what kind of makes it unique, and it's useful to people trying to learn, like many different kinds of environments. Again, like the part about that that just blows my mind is how many really complex and customizable virtual network environments and laboratory environments are available these days for free. Yeah, cuz
I remember just being like, you paid a bunch of money and you got Cisco's, exactly like that.
Many years ago, I had to pay like $300 for a book that came with a CD, right, that had on it the ability to simulate like two Cisco routers and a Cisco switch.
Yeah, that's what I remember.
And then, and even then they were trying to sell you the bigger version of the software.
Yeah. And the assumption was if you were going to invest $300 in that book to get that CD, you're probably also going to invest like five grand in taking a bunch of tests. Yeah.
You know my opinion on the certification racket from our Working in Cybersecurity episode, which I will spare everyone here, my, my rants and raves about that, and move on to books. About books, Tribe of Hackers is a really good book. Came out, I think, I think it came out in 2019,
I don't know, I got it.
It's good. I have it, I read it, got a lot of good press. There's a lot of motivational stuff in there, there's a lot of great perspectives. All of our intern staff got a copy at the end of the last academic year. And then you've got some notes in here.
Yeah, there are a couple of books that I want to recommend. One is Hacking: The Art of Exploitation, Second Edition, that came out in 2019. It is distinctly not for beginners. And if you go, like, read the reviews of it, a lot of reviews of it will say, wow, this book is fantastic, and if you're looking for a place to start out, this is not it. But if you're somebody who already knows a lot about the ways that a computer system is architected and the ways that it works, then this is a book that will let you, via a live CD that comes with it, really dig in and do a bunch of hands-on experimentation and run a bunch of hands-on labs, with a really close-up view of how a lot of different exploits work, and why they work, and how to try to prevent them, if you're a programmer, things like that. And then another one that I just think is an interesting look at the human side of all of this technology is Black Software, which is a history of the racial justice movement as it intersects with the internet, from the very beginning of internet technologies being developed up to today. And some of it is about the importance of Black inventors and engineers and software coders and folks like that in developing the technologies, and some of it is about the ways that these technologies were used to sort of try to silence those voices. And again, this is a really important part of remembering that we will all benefit by having a more diverse environment.
Moving on to podcasts, there's only one you need to know about and it's ours, Data at Rest, not unc.edu available modulations you're done learning. Apple, Google Play Store, all the other places you can get your podcasts, but there's also, oh, the StormCast, the Black Hat webcast series, SANS webcasts, there's so many security and hacking related podcasts. What's that one? Darknet Diaries, which is just about big hacks. That one's really cool. Yeah, lots of podcast resources, and again, I know we're moving quickly. We are on a timer.
I just want to plug the Software Engineering Institute's podcasts. They cover a lot of topics, but they also have a series specifically about women in software development and cybersecurity, talking about their career paths and offering advice,
so lots and lots of podcast resources available out there. Cheat sheets: when you're learning command line, even when you've learned command line, cheat sheets are still great. SANS offers a lot of cheat sheets, they also have a list of tools. All of this stuff is going to be in the text document in the file, so if we're talking too fast or you have a question, like, what did they say, these resources will all be listed with detail in the file. Go to unc.edu slash 2600, and we hope that
you download it and check it out. The purpose of our institution is to spread learning and increase human understanding. So that's what we're all about. So huge thanks, 2600, for having us. This is an absolute honor to be a part of the first all-virtual
HOPE. As someone that's gone to HOPE in the past in Manhattan, to be able to be a part of this, especially in the first online one, that's cool, right, because it's never been done before.
As somebody who was going to local 2600 meetings at the food court in the mall 20-some years ago, and have subscribed to 2600 for many years, this is an absolutely incredible honor. Thank
you. We hope you'll check us out on our regular show, drop us a line, data at email@example.com, we'll send you some swag if you want it. And I guess we'll move on to the Q&A. Yeah, thank you.
And that cannot be the snare because that will just sound conceited.
Actually, what I just said, it could be the stinger. "That cannot be the stinger because that will just sound conceited." That might.
I could have, like, done a weird clown makeup on ourselves.
I said, which member of KISS would you be, right, you know,
nobody wants to be hakalau.
Nobody wants to be Peter Criss. They'd rather be a juggler than be Peter.
I'd be whoever the cat was. Oh, that's Peter Criss. Okay, well then I want to be Peter Criss.
Welcome back, we're here with Michael and Charlie and be kind to the noobs. That was a great, great presentation. Thank you very much for sharing that with us. I'm glad you're here with us. Thanks for having everybody.
Yeah. Thank you for having us.
Super stoked to be here. Really happy to be talking to people in the chat, as a reader and a person that's gone to the conference in the past. This is amazing.
Thank you. Yes, it's
for us too. It's really been great to be able to interact with the attendees and also with the presenters as well. But let's get right into the questions then. The first question is: I always thought Wireshark was one of the first things to learn to get into infosec. It didn't get name-dropped, and I missed it.
It did not get name-dropped because I tried to get really fancy with my tool recommendations, and I didn't think to list Wireshark. But Wireshark is foundational. It's on every machine I've ever used for work in my entire career. Highly recommended, really useful tool. You can use it to sniff packets, look at the way the packets are constructed, learn all kinds of things. If you learn how
to use Wireshark effectively, it will make your use of a SIEM a million times more effective, because you won't be reliant on the SIEM to give you the data. You can actually look at the raw captures and extrapolate stuff that the SIEM might mess
with. So, SIEM, Charlie.
It's a, it's a very fancy tool. It costs a lot of money and it tells you what's wrong on the network. It does, it does the work for you. It's great. You got that right. Yeah.
But sometimes we have to dig a little bit deeper.
Yes, I agree, Wireshark is definitely foundational. All right, let's go on to the next question. When did you know you were past being a noob?
See, if you sit on your ass and don't bother to learn, you'll never get past noob.
We're all, we're all noobs, right? Like, there's always somebody smarter than you, there's always somebody better than you. There's always somebody that knows about the thing that you want to know about. So the only way to, like, continue out of that, breaking out of that mentality of "I'm a noob," which, that's all it really is, it's just a mentality. To break out of that mentality, just keep learning,
I think. I think the most pragmatic answer that immediately occurred to me was
just like Charlie Shut up.
No, not that your philosophical answer is wrong or bad, because it's not, it's, it is correct and good, but I think for me, the first thing that sprang to mind was the first time I got to spend somebody else's money.
That's when I realized, Oh,
I guess I'm doing this for real.
Yeah, that's the, see, so this is, if you, if you've never listened to our show, this is the dynamic. I say something one way, and then Michael says it a way that sounds a lot better.
Not better, different.
That's right, it's beautiful, the two perspectives. All right. Our next question is: what, if any, is the value of certifications for professionals, especially for a new person? Is it critical, good, or okay, if you got a cert, move on?
So we did a whole episode in season one of our show, Working in Information Security, where I went off on a tirade, and I'm genuinely afraid that ISC² is going to come take away my certs and CompTIA is going to come take away my certs, because I do think it's a racket. I think what you should do, as far as a professional, is get what will help you through the HR process to get the job that you want, and nothing more. It's a racket. They're always going to want you to be paying recertification fees, they're always going to want you to be chasing their next cert, and this is true of most certifying boards or groups. There is definitely value to get you in the door and over those HR hurdles. So figure out what role you want to chase. Figure out what cert will help you in that chase and get that one, but don't become a paper tiger that chases every single cert just to chase certs.
And don't be one of those people who has, like, 47 acronyms in their email signature, because that kind of just makes you look like a jerk. But, but also, bottom line, certification organizations are essentially a mafia in our industry. And if the mafia runs the only game in town, that's the way you've got to play. I think that the value of certifications is in the process of studying for a certification and not in obtaining the certification. Getting my CISSP or getting my PCNSE or various certifications, I learned so much trying to prepare for those certifications that I would not have learned had I not tried to get those certifications. It's nice to have the certification in hand and demonstrate that I learned those things. But I also think that they overstate the degree to which a certification reflects your knowledge base. If you're somebody who's just starting out, what I would say is, identify a certification that (a) does not cost a lot, and (b) you can prepare for at your own pace, whatever that is. There's nothing, there's no wrong certification to pursue as long as you keep those in mind. Certifications are a great way to spend a ton of money for zero guaranteed return. And so, like, keep it cheap, keep it easy, and remember that it's a learning process; the studying process is the learning opportunity for you.
I would like to add, because of the work that goes into the more difficult certs, there is nothing wrong with being proud of having them. I might not, I might not like the companies that run the racket, and I may have spoken disparagingly about them earlier, but there's nothing wrong with being proud of the certs once you have them.
If you get it be proud of it.
Yeah, I know they're gonna bury me with my CISSP. That was eight months of sheer hell, and I had been doing it for 20 years.
Yes, I remember getting mine back in '98. I have a four-digit CISSP.
I thought that's a collector's item.
Yeah, right. There
was a way. I feel for you on that whole show. All right, we have a couple of minutes left, about five minutes. I'm going to go to the next question. Do you really need to be a Linux geek to be in infosec, or can you have a good time with Windows alone?
All the worthwhile tools are... well, okay. Most of the worthwhile tools are multi-platform, and you're going to be able to use them on whatever platform it is you're most comfortable with. I think that it's good to learn multiple operating systems, but if Windows is what you know how to use now, and that's where you can start, then start there and don't sweat trying to add... you're too steep in your learning curve by adding operating systems to it. Also,
you can always add down the line. Like I said earlier, there's always going to be something you don't know, there's always going to be some class of knowledge that you can chase later and build your digital arsenal, your tool belt, whatever metaphor you want to use. You can always add to it. Don't let being unfamiliar with it dissuade you from starting down the path of working in information security. That said, Linux is free. Download a VM, play in the command line, it doesn't cost you anything. It costs you nothing but your time, and you will get back dividends on what you invested. Yes.
Exactly. That's definitely a very good point regarding learning Linux. Okay, so we've got about five minutes left. You know, one of the things about certifications, you know, you guys were referring to industry certifications, and those are really important in general, but many manufacturers and software developers also have their own in-house certifications, and some of the larger players in our industry have, you know, a portfolio of multiple software packages. How is the infosec professional supposed to keep track, I mean, besides the industry ones, of doing the corporate certs?
I don't think you really can, man. I mean, time is your greatest resource, and you're never going to be able to keep up with everything. It goes back to what I was saying: figure out what it is you want to do. Figure out what it is, where it is you want to work. And that's where you want to invest up front. If you want to go pursue, like, oh no, if I wanted to get a Microsoft certification, I could go get one. But it's not relevant. It's not going to do anything for me professionally, and I don't really feel that I need to prove that I know how to use Azure tools, so I'm not going to get an Azure cert.
Yeah, I mean, like, I feel like I should have my CISSP, so that's why I got it. But beyond that, the only certifications I pursue these days are ones for vendors that I am currently working with to support. That's it.
Let's look at your job. Your job will tell you what they will require. Our jobs, we both work in the same office, our job kind of tells us what it requires. There's a little matrix and it shows, like, for this level, this; for this level, this; for this level, that. Yeah, I'm.
Similar to the DMV matrix.
We don't have any other. There is
one more question. There's one that's a really good question: how can one get more comfortable with making mistakes in a learning environment? And I think that's a really powerful question to ask. Psychologically, the only way you can do it is to just make so many mistakes that you become numb to it. And there is nothing wrong with that, and that's a good thing to pursue and do,
They're your friends. Huh, virtual machines are your friend.
Yeah, absolutely. Build VMs, mess them up, mess them up on purpose, and see what happens. Make making the mistake the point of the exercise, and then you can get over that hurdle.
Exactly. I want to give a shout-out to my PowerShell, my PowerShell friend over there in the chat. I'm not really keeping up with it because we're talking here, but I saw PowerShell, it's like, yeah, PowerShell.
So what is on, on the game plan for you? What's coming up next, any special projects?
We're wrapping up season three of Data at Rest. Check us out, we're on Apple Podcasts, Spotify, Google Play. firstname.lastname@example.org. I'm pretty excited about that. What else are we working on, Michael?
On the phone, we do an annual event on campus. This year it's going to be a virtual event called Security Con. And generally, lots of community outreach.
Thank you so much. We really appreciate you being here. On behalf of all the volunteers, all the attendees and everybody here at HOPE 2020, thank you very much for sharing.
Thanks for having us. This is awesome. Fantastic. All right,
thank you. Okay, we're gonna go right down to the bump, so we'll be back in just a few minutes. Thanks, everybody.
Hello HOPE 2020, I'm Phil Hallam-Baker, and this is a call for volunteers to help build something that could be wonderful. Mathematical Mesh is a threshold key infrastructure. That means it uses advanced cryptography to make computers easier to use by making them more secure, and it offers a new level of cryptographic security. It allows, it puts you, the user, in control of your personal digital life. Now it's almost ready for launch. We're almost, we've almost passed the 300 unit tests that we need to go into alpha release, but I'm going to need your help to complete and deploy it, and you don't need to be an expert in cryptography to help. Obviously, the more crypto geeks can help, willing to work on this, the better. But you don't need to be an expert in cryptography to help. If you want to learn, I've got a free crypto course on YouTube that you can learn from. And, but you don't need to be a developer, either. Obviously, that's useful, again, integrating the Mesh into existing applications so you can wrap security around them. That's going to be powerful, but what we're going to need most of is people willing to try out the alpha release and give us feedback: tell us, is the code working, is it solving a problem for them, and what features could we add that would make it better, make it more useful to solve their real problems. So you can find out more about the Mesh in my HOPE talk, which is in the archive, and on the Mesh website, mathmesh.com. So thanks for listening to my bump, and please stay.