A blog for noobs by noobs

This is just an example for my newest user training video (coming soon). All it does is say Hello Georgia anyhow.

grmn00bs.py

MD5 sum: a3e75154e163037c63ff0ffae4d923e9

I’m fairly certain I unwittingly committed a serious crime. I went through airport security using someone else’s boarding pass, bearing a name that’s only resemblance to my own completely legitimate and self representative government issued ID was that our last names shared the same first letter. The TSA agent, you know the one, with the little hologram checking flashlight, looked at my ID, my boarding pass, my ID again, me. I thought he seemed a tad skeptical, taking longer than necessary on a process he must step through about a million times a day. I will admit that passport photograph was taken when I was 16, and I can look a little like a fraud at 7 am after several nights of limited sleep. Rather than being annoyed at the slight holdup, though said lack of sleep had me about at the end of my rope with the usual ubiquitous airport annoyances, I realized this man was only doing his job to protect my safety. I can certainly hang around an extra 30 seconds so I don’t get blown to bits. Then he marked a bunch of esoteric jargon on the boarding pass I was not yet aware was not mine and sent me on through security. Who needs Bruce Schneier’s boarding pass switching trick when you can make it through security with just any old boarding pass that you find lying around the airport?
I though there might be a snafu in the whole thing once I realized the flight I was waiting for was not my own and examined the boarding pass realizing Mr. W____/S____ was not in fact me. The problem I anticipated was the lack of said marks on my boarding pass. However, this was not the case, and I boarded my correct flight without incident.
How did I end up with someone else’s boarding pass? By what strange luck did I happen to have my own boarding pass waiting in the bottom of my backpack to save the day, no doubt saving me from a lot of awkward questions, possible detainment, and at the very least missing my flight by having to go back out through security to get the whole mess sorted out. As it happens, I took advantage of the online check-in and boarding pass printing option the evening before the flight. I decided to check my bag (mainly because I didn’t feel like lugging around my mammoth cissp book in not one but two airports). So I had to wait in line at the kiosks anyhow. I did not instruct the kiosk to print out another copy of my boarding pass, however before taking off towards security I noticed a boarding pass in the kiosk. Not one to leave personal information lying around, I grabbed the pass, assuming the kiosk was living up to their generally unreliable reputation. Now that I had two copies of my boarding pass, why wouldn’t I opt to use the thick, newly printer one rather than the day old, wrinkly one cluttered with weather and restaraunt information? I should have inspected the boarding pass for accuracy; I humbly admit this. I’m sure kiosks spit out the wrong boarding passes on occasion and even more often dazed and overwhelmed individuals leave their boarding passes behind. In my defense it was quite early, I suffer from severe flight anxiety that only massive doses of Xanax can assuage, and I did after all have another boarding pass on hand that I had carefully inspected for accuracy.
I did not attempt to board the other individual’s flight, but I did feel somewhat concerned for my safety. I won’t go into the specifics of ideas that came to mind for how black hats and terrorists might leverage this lack of constant vigilance on the part of TSA employees. I have enough trouble flying with fears of mechanical failure and turbulence. So please Washington Dulles International Airport and any other airports with this problem, step it up. Our safety is on the line.

I am not a software engineer. Studying large software products while getting my master’s degree pretty much convinced me that God, in fact, does play dice with the universe. It also gave me plenty to work through with my therapist. However, at some point after embarking on my quest to become the world’s greatest information security professional, it occurred to me that I used to be not so bad at coding. That was before group projects in graduate school caused me to develop psychosomatic symptoms and forced me to forgo so much as coding in Alice. On the other hand, I was able to present a very thorough risk analysis of why I was ready to be released from the loony bin.

Then I got a bit distracted from the storyline and went off on a side quest to learn a new scripting language with one of my partners in crime. The loot I was after was the extended capability to write security tools, resulting in a dramatic increase in career opportunities. Daring to risk forgoing “planning the planning” on the grounds that this was such a small project, we were such a small team, and all the other excuses in the software engineering failure case studies, I dove right into drafting out a needs list. I got really into it for a while, going off on random tangents, secure in the fact that I could clean it up into the correct format before sharing it. The fact that said needs list was not due sometime early last week no doubt aided the creative process in this case.

What I ended up with had a little note in the margin of the fifth page, “If I had turned this in for software engineering class, I would have been expelled.” It’s true what I came up with was no needs list. Aside from flying in the faces of prescriptive grammarians and often bordering on incoherence, many of the notes shouldn’t have been addressed until the features list or even detailed design. There was even a small block of pseudo code mixed in with the idea for this article. Additionally there were details I wanted to remember to look up about the language and possible security issues that needed to be addressed.

I will admit at some point I may have played it up a bit. I got the idea into my head that after I became the world’s greatest information security professional I could publish my random software notes in the style of the Journals of Kurt Cobain. All the n00bs will buy it, and art house geek will finally become chic. Regardless, I felt like I had gotten more vision for a software project in one hour of free association than I had from any of those long team meetings back in graduate school trying to churn out an acceptable risk list by 1am yesterday.

What exactly am I suggesting here? That we expend valuable company resources sending the software team out to the woods with a pen and paper to take acid every time a new project begins? Even the most dedicated software engineers might protest having yet another phase added to the software engineering life cycle. I had to do a project in graduate school breaking down the steps of software development in every methodology from rapid prototyping to waterfall. I know what I’m complaining about. Or maybe I’m yet another two-guys-in-a-basement type who thinks we should just chuck the whole software engineering methodology and turn the whole business into some sort of improvised performance art. I’m not really advocating any of that. Rather I’m suggesting that taking some time to think about the problem with no goal in mind other than seeing where your thoughts take you might be worth its weight in time spent watching Youtube at work.

Take my advice or don’t. I don’t care. I’m not a software engineer. I’m an information security professional. I’m in business because software engineers don’t write down ideas for potential security vulnerabilities.

This will come out all wrong if I don’t begin with “I love Cyber Defense.” There it is; I said it. My one true love is not David Foster Wallace after all but an obscure excuse to get assassinated by a bunch of professionals on a Saturday morning. I blame this notion of the collegiate Cyber Defense Competition for single-handedly launching my career, getting me into famous-people parties at conferences, and the fact that it is debatable whether I am 22 or 24. If I was the director of the Viteman foundation for the advancement of education, I would invest a good deal of my doubloons to see that there will always be a Red Team at the Mid-Atlantic qualifier. However, being as I am instead just another recent college graduate who thinks maybe just maybe she can make it in security, I can’t do much more than whine about it. It being Rachel waking me up before my alarm on a Thursday in a panic to tell me that the world we have come to depend on has ceased to exist. No one who has ever been Cyber Defense captain would dare refute her. That’s not to say that anything can prepare a team for cyber defense, but back when I was captain I used to chant, “It isn’t qualifier if the Red Team doesn’t have root before you start.” Everyone knows a captain’s word is law. So what then is a qualifier-esque scenario in which the student teams connect to the competition VPN from home, spend 3 hours hardening 3-4 systems with some services, and then are scored by Core Impact and some other penetration testing tools not to include a Red Team?

The rationale for this decision includes allowing more teams and smaller teams with smaller budgets to compete and saving money for everyone involved. I am all for saving JMU money so they can budget more for my filet mignon, though filet mignon is part of the JMU Cyber Defense Team tradition in Lancaster, PA at qualifier while we are all a little too nervous to enjoy it properly. In the spirit of all fairness, I believe everyone, read everyone, should have a chance to compete in Cyber Defense. I’m not even precluding non-security-type majors. Cyber Defense can be a good way to know if you want to do this for your whole life. I suppose by nature you have to be in college to compete, but I’m looking forward to competition going international with a top showing from the Uganda Christian University where beneficiaries of Hackers for Charity will be further honing their skills. The press release also notes that this system has been used by other regions such as the Midwest. “Why does it matter what the Midwest is doing?” I ask flippantly before realizing that the winner of past two national competitions Baker College hails from the Midwest region. Fair enough. They are no doubt doing something right out there, but I seriously doubt having an offsite qualifier without a Red Team has much to do with it.

As previously stated I think everyone on the face of the planet should have a chance to participate in the Collegiate Cyber Defense Competition; however, I suppose I don’t see competing in this setup quite the same thing as actually competing. You can never be ready for regionals. Every year White Wolf has managed to throw some righteous challenges our way. Even as a Red Team member it will be an opportunity to get some experience with cutting edge technologies that are coming to the forefront of information security. Having been through the Collegiate Cyber Defense Competition and even having taken gold at the qualifier, I still knew I was in for trouble that no amount of preparation could absolve the moment I saw the final team packet the morning of the regional competition. I remember Tim Rosenberg of White Wolf Security commented, “Think you have enough USBs?” upon seeing ten around my neck. The answer: “no, not even close.” It’s just a given that the real winner is always the Red Team. The most a Blue Team can hope for is not to cry and vomit, learn more than you will learn in any classroom, and maybe, just maybe, knock out and keep out a few Red Team exploits along the way. My question is how can teams that have never done this before ever hope to have a good experience at Cyber Defense regionals? Without getting their feet wet in the one day qualifier where the Red Team is in before it even begins, how will they know how to hit the ground running and come home from regionals proud? I once heard it from a friend who did Cyber Defense before there was a qualifier that, “one team decided to walk out in the middle of the competition.” In my personal opinion a team that goes through only the form of qualifying round suggested above will not get the most out their experience.

Cyber Defense has already tried to make it extra difficult with no internet, purposefully bogged down network, etc. (Pronounced etcetera for the win). I just think maybe the newly instated rules for the qualifier might be taking it to a whole new extreme. An additional information release stated that again machines will have no access to the internet, and no tools may be uploaded to the systems. Though not specifically stated, this probably means no patches as well, especially considering past waltzes around the legality of patches. But let’s face it, why not just run “Core Impact and other penetration testing tools,” against the systems and do your best to fix what it finds in the time allotted, that is if your school is rich enough to have a Core Impact license. I’m sure we all know how much that costs, which kind of goes full circle back to the idea that this setup will allow programs with smaller budgets to compete. Compete, sure, but at a disadvantage to say the least.

One might could say that the bulk of my argument is stemmed from the fact that I want yet another excuse to see how my old team is doing these days, hang with all the famous people I’ve met through Cyber Defense, and hack some stuff. While all that would be grand, and you’d better believe Scott plus Georgia equals social engineering trouble, my real concern is that some students won’t get the opportunity to be coerced into crying and vomiting by the Red Team. The Red Team is what makes this article so tragically unfinished. The Red Team is what makes Cyber Defense, Cyber Defense. Here’s a joke: a Blue Team captain just recently 21 walks into a hotel bar. Not long after that a small group of Red Team and White Team members also enter the bar. Later that year she’s at arguably the biggest hacker show of the year and walking through the press room she hears, “Hey, I know you!” from a very important table. A small crowd of people around her all looks on in disbelief, “Who are you and what have you done that’s so awesome that famous person knows you?” The punch line is she’s arguably 22 by morning, but that’s another story with a video evidence to prove it.

What’s really getting me down here is that a whole set of teams are not going to get to meet real live hackers with spouses and children and sometimes stable jobs and even mortgages. I suppose it’s in that instant that a computer hacker ceases to be this esoteric Zarathustra on the mountaintop, the geeky equivalent to Don Mafioso, and turns into exactly what I’ve wanted to be my whole life. It’s kind of like some really important type telling you, you really can be a rock star except instead of saving rock and roll you are going to save, well, everything.

Georgia

Please excuse the dust on the site. We’re currently trying to get a new theme up along with some other new things. Poor planning on my part I’m afraid.

Micheal

Only 3 days past the deadline the GRM n00bs are proud to present The Last Train to Texas a short documentary chronicling JMU’s experiences preparing for and competing in the 2009 Collegiate cyber defense competition.

Also be sure to check out the offical CCDC documentary at Cyberwatch’s channel. It features the GRM n00bs as well as the other competitors, red team members, and organizers. Georgia’s interview is in part 2, and the infamous birthday scene is in part 4.

Interviews with the red and white team members from the JMU cyber defense competition are coming your way.

Georgia “Abandon Ship” Zodiac

I recently did a screencast about the dangers of Cross-Site Scripting. Too often, developers of web applications blow off security reports of XSS. Hopefully this video outlines some of the reasons why web developers need to be more careful.

Yes, I realize I nubbed on some of the metasploit stuff. That’s what I get for not testing.

I am without internet for a few days, but here’s something until the podcast comes in a few days.

http://www.vimeo.com/6952783

Micheal, aka SneakySimian

Georgia is going to be completely offline for the next couple of weeks. Imagine a life with no internet, no phones, no electricity. In the meantime the GRM n00bs have been gearing up for our red team debut at the JMU cyber defense competition for high school students. Let the carnage begin! The event will also mark the release of the 2009 JMU CCDC video.

Here’s a trailer to tide you over:

Georgia “Saving the World” the Hedgehog

The n00bs now have email. Write us at feedback@grmn00bs.com. You can also chat with us individually to plot a coup to overthrow our tyranical ruler (me) at georgia@grmn00bs.com, rachel@grmn00bs.com, and micheal@grmn00bs.com.

There’s cool stuff coming.

Georgia “Agent Deployed” Bonaparte.

We got a lot of requests for proper RSS feeds and iTunes and since Blogger doesn’t offer that (at least, not that I could see), Wordpress it was. Changes are still afoot while we get iTunes setup and various other things setup.

Episode 5 is almost finished and hopefully once that’s done, iTunes will be setup too.

Edit: Almost forgot, here’s the link that Paul from pauldotcom posted of the podcaster’s meetup from Defcon: http://pauldotcom.com/2009/08/pauldotcom-friends-present-def.html