more on the new side project

So after looking around, asking a few people and doing a little reading I've updated www.ratsandrogues.com. Kind of funny that that is going faster than setting up rattis.net.

So yesterday, I set up WordPress, and re-wrote the two entries that were on the Rats and Rogues page. Then created two accounts. Then finally set up email using virtual domains (Postfix + Mysql + dovecot, etc).

Wish I could say it was all easy and simple. But it wasn't.

Problems I came across:
Wordpress:

1) www.ratsandrogues.com/feed wasn't working. The feed validator sites were saying not feed webpage. Going there got a 404 error.

2) If I set the url to be a custom for the entries, I could get a 404 error. But leaving the urls set as standard instead of custom would work.

2.5) the settings page for custom url said that .htaccess was not writable.

Solution
It looks like all three issues were related. One large problem with simple solutions but took forever to research.

2.5) created the .htaccess file in the root directory for the wordpress site. then changed ownership to the apache daemon user name.

That allowed the site's setting page to update the .htaccess file.

1 & 2) This one took more time, and lots more research. It looked like that .htaccess file was being ignored. I remember disabling .htaccess when I set up mod_security. Did some reading. I had set AllowOverride NONE in the config file, and I've had to make changes to the vhosts under that global directive. Once I changed that for only the Rats and Rogues site both the rewrites for custom URLS and the feed started working.

Email:
Uh this one was a mess.
1) getting the alias forwarding table to push to multiple people.
2) getting email to forward to the people above.

Solutions:
1) I searched around forever trying to figure out how to insert more than one name in the time. I saw some screen grabs that showed it but no idea how they did it. Then one webpage said that most use PHPMyAdmin. Yeah, didn't want to install that. To make it work:


INSERT INTO forwarding (`source`, `destination`) VALUES ('aliasemail@example.com', 'email1@example.com, email2@example.com');


Which is just the written out way of saying give the value of the 2 columns, 'source' and 'destination', with 2 elements. The first one is the alias email. the second one is a list of emails seperated by commas (,) between the single quotes (') for the second element.

2) With both names in the forwarding table, I gave it a test.

<user2@example.com> (expanded from <alias@example.com>): User
unknown in virtual alias table

<user1@example.com> (expanded from <alias@example.com>): User
unknown in virtual alias table


Fixing that required commenting out:

receive_override_options = no_address_mappings

in the Postfix main.cf

Which left me with:

User unknown in virtual alias table


which was there because while trying to fix the other problem I set the domain name in

virtual_alias_domains =


once I fixed that, everything worked.

Hey look I have new side project

The Rats and Rogues InfoSec Podcast.

www.ratsandrogues.com

new site isn't up.

So the last entry said, I was working on a new site. Sadly I haven't had the time to dedicate to it like I thought I would.

I also realized, I never got around to writing my review for the WIFU / OSWP class. Well.. that's not entirely true. I wrote one, but was never published. I was thinking yesterday about it for some reason, and was planning on writing a review last night from a slightly different perspective.

Now I just need to find the time.

times change

So... I don't know.

I got my VPS up and running finally. Went with Linode. Had several friends speak highly of it. Went with a default Debian Squeeze install. Got it hardened as best I could. Now I'm getting ready to hit it with LAMP.

Linux, Apache, Mysql, PHP.

I was thinking LEMP, (NginX instead of Apache), but since I'm going to be running Drupal, and really want an easy set up (follow the howtos and be working kind), I'm going to skip LEMP. Can always change later.

So what will this VPS be doing?
- Personal website. Blog, resume, photo gallory, email etc. Yes I said blog.
- Offer up a site to my martial arts school. Cheaper and more control than what they are using now. Using a CRM framework (drupal again) should make it easy enough to have updated.
- Maybe a site for the Locksport groups
- shell access for me. Mostly for IRC.
- Photo and video exchange site for the parkour group I'm in. Maybe.

something fun.

Need to work up to clearing a standing student.

http://youtu.be/0LwQPLjihZw

bodyfat update

23.4%

244.6
43 inch at navel
45 inch hip
13 inch forearm
7 inch wrist

If I remember right, those are all down from last time, well except for the forearm..

some days

Last night / this morning was a maintenance window at work. Lots of stuff to do. One call had about 30 people on it.

Now I'm the junior most member on my team. There are still things I don't know how to or can't do. Not that I don't know how. I mean I know how did them at my last job. Just don't know how we do them at this job. Can't because I don't have the needed access. Some of it I'm figuring out how to do work's way.

Anyway. there was an issue with an SSL cert. Really looks like someone sent us the wrong information in the turn up requests, since the same typo was in all of it (DNS and SSL). Anyway that got fixes late last night, but the people who were complaining didn't bother to test it. Ended paging everyone on my team. The one that fixed it asked why I didn't test it. Which I was in the process of doing when the other people said to start making the pages. Really those should come from me, not other people. Anywho. The other guy on my team was able to take care of the DNS stuff. But man was he ranting (and rightfully so).

Then at the very end, I got a huge win. Something wasn't working. Looks like another case of bad info. I was able to fix it. Before I started looking at it I had no clue what to even do. I vaguely knew the problem was related to NAT and Routing.

But I really found the problem falling back on one of my older skills that I love to use. Its kind of funny really because I was mentioning on a forum yesterday how great that skill was.

The skill - Being able to set up, and read a packet capture (sniffing) with TCPDump in real time. Once I found out what the problem was, I fixed it. with about 60 seconds to go in the maintenance window. :)

physical update

weight 249.2lbs tonight. 24% body fat. vO2 max = 32 (went down). Tested tonight with my Heart Rate Monitor

Pulled or something calf. Did it about a month ago, running aggravates it, but only some times. 2 out of 5 runs, I've had to stop running because of the pain. The first time I could barely walk. This time I could walk but couldn't run.

I got a Fitbook. The little things looks really neat. It's a 12 week exercise and food log. I've been looking for templates for both, and this looks like what I've been looking for wrapped into one book.

The problem, with this calf, I don't know if I'm going to be able to do the cardio parts I had planned. You know, couch to 5k (yes I'm still working on that, starting over again this week), and Fighter Workout for Fat Loss Cardio. I know with the calf like this I can do push-up, kettlebell swings, and other related exercises, but can't get the cardio going because it gives out. Hoping the jumping of rope is possible.

Anyway, the next 4 weeks are planed as:
100 push-up challenge (I never seem to finish anything)
Fighter Workout for Fat Loss (Kettlebell program by Josh Hillis, great guy, and a 24 week program)
couch to 5k, if my body will let me.

Mix in some wing chung (yeah, another new martial art for me) and Tang Soo Do.

Food goal, is to move back to a more vegetarian like diet, and brown bag my lunches. (but the cafeteria is so good at work).

Shiming cuffs at Bsides Detroit Lock Pick Village

http://youtu.be/KiU52hvgeys

and were my shoulders sore after.

locks...

They really suck. I think I've said that before. :-)

Anyway, one of the reasons locks suck, is because of the short cuts they take to make them. What kind of short cuts?

Well, I measured several pins tonight. Key Pins (the pins in the key way), and driver pins (the pins in front of the springs), that actually cause it to need the key.

The driver pins were roughly 3 different sizes. My calipers do 3 decimal places, in inches mode. It has a 4rd spot for a 5. The 5 is either there or not, meaning about .0005 of an inch.

The driver pins I was working with tonight measured between 0.181 and 0.182 inches. The spooled driver pin from the same lock measured slightly larger.

I'll try again in MM and see what those numbers look like but not tonight.

21 day kettlebell program

So a little while back, I got a Kettlebell workout program, but was too lazy to do it. It was Josh Hillis' 21 Day Kettlebell Challenge.

Truth be told, I don't think I could have done it without the other people who started the same day as me. It only took me 15 days to realize they were both across the pond. Would get up,and they'd have it done already. I was like what?

Anyway. I tried the week before, and fried my legs. Even walked funny for a week. After a quick heal, I started the same time as them, and one other person. The third person was inspiration too, and I felt bad when she got sick and had to drop out.

So I started the program with 16kg, and 2 handed swings. Too easy, didn't feel worked out and my heart rate monitor agreed. Each day has a number of calories with it, and on 2 hand swings, I was around 1/2 to 2/3 that number. So I switched to 1 hand. closer but not enough. So I got a 20kg Kettlebell. I've been wanting one for a while. started swapping between the 16 and the 20, and after a few days switched to 1 hand with the 20kg. Man was that worth it.

Sadly, even though I kept my percentage of body fat, I've put on 10 lbs. The way the clothes fit, I don't think it was muscle either. Start at 240lbs, and finished at 250lbs.

:\

Weight is up. 250 lbs. 45 inch waist, 43 inch hipps, 13 inch forearms and 8 inch wrists. :(

22% body fat. Oh well... of to do my kettlebell workout.

it all works...?

go the laptop working, got the netbook working. Even went war driving tonight.Tomorrow, I'll convert the data to the right file to load into google earth

So current toys for war driving.
Netbook running Windows 7 / Ubuntu / Backtrack 4r2, with an encrypted 90gig share.
Alfa wireless (needs an antenna for the top of the car)
BU-353 gps dongle

wasted day

So, I got some new toys recently. Like Thursday. One was an MP3 adapter for the car. It's kind of nice. But would be nicer if it could go just a little lower in the frequencies. I found that 87.9 seems to be a good channel to use, but the new device only goes down to 88.1. Which has a station on it.

Boo for living in one of the largest radio markets.

The other toy was a BRU-353 GPS dongle for my computer. Which I want to use with my Alfa wireless card, and laptop or netbook to go war driving. I spent most of the day trying to get the the GPS to work. It hasn't yet. I don't know if the problem is faulty hardware, or if it was because I was in my house testing. Although I had it suction cupped (comes with it) to my front room window. So hard to tell.

Although in the process I ended up breaking my laptop. I use it the most, prefer the keyboard and shape. Sure it's not a widescreen monitor but that is fine. The keyboard on the Eee PC netbook is just a little too small, and the trackpad way to sensitive.

So I broke the laptop. By installing and removing programs trying to get the GPS to work. Some how, the system got messed up and figured it didn't need some 300 odd packages related to Gnome / Desktop environment. It dropped it's network management software too.

I was happy between /var/log/dpkg.log, some awk and sed, and a little help from my netbook and usb drive I was able to recover the networking. Which led me to being able to recover the rest of the software. :)

I really thought I was going to have to go through the hell of re-installing.

And I just got done installing backtack linux 4r2 on the netbook. Triple boot, but ubuntu isn't booting so I'll have to solve that. Think it'll just be a case of fixing grub.

Life is good. My head only hurts a little. :)

Although I still need to get the GPS dongle working, and get a magnetic mount antenna for the car to war drive with.

Hacking Dojo week 2

So this week was a little interesting in how it came about. And why I'm not posting on it until so late tonight. Monday, for class, due to issues with work, I was going to be late. I loaded up skype on my Galaxy S, to either start listening, or something, and saw that Thomas Wilhelm had bail on us last week. Worked out for me, I was 20 to 30 minutes from being somewhere I could take the class.

This Week's Class:
So the 2011-04-04 class was on Passive Informtion gathering as listed in the ISSAF. The class is canceled didn't mean that we got a free week. Instead we were told to pull the video from 3 months ago, off the site, and watch it.

The topic was searching for as much information for a target, based on scope, without touching the target's servers at all.

One of the things I caught in the video was the use of Personal Wiki's to keep track of your notes during the course of the attack. Something a little better than a text editor. I can see the point, to a point. Easier to make call outs, add images, links and other things than a text editor. So I spent some time today looking for a personal wiki. I'm trying Zim right now, but might just do a local install of media wiki. I've used Leo in the past, but that's less a wiki and more an outlining tool. (Offensive Security uses Leo for their stuff).

Some of the tools covered were remote whois and dns look up servers. How Google caches work and how they don't cache images but hit the servers for them (Google cache only copies text everything else it pulls live from the web site). How to use the Wayback Machine at archive.org, and how to search a couple of other things.

A lot of what was covered here, was in the recon chapter of Dissecting the Hack: Th3 F0rb!dd3n N3tw0rk and Hacking: The Next Generation.

Also, if anyone is interested in signing up for the class. I found out yesterday the course cost is going up by $50.00 soon, but if you get in now, you'll be locked in at the $95.00 price, until you cancel.

injury... :(

So on top of getting sick last week, sinus infection, I landed wrong on my hip. My bad hip. I've been limping off and on for about a week now. Thing is still sore. It's been bad enough, that I've thought about getting my cane out.

I ended up missing the 5k I was looking forward to. I'll have to see if I can get the hip back in shape enough, and work up enough to try one later this month somewhere.

Hacking Dojo week 1.

So I signed up for the Hacking Dojo recently. At $95.00 a month for 1x a week hacking class it seemed like a good deal. I figured I'd do a running review of the class on my blog. Maybe I'll write up a fancier one later.

The Hacking Dojo has several different levels. The lowest level is actually a 2 month class, that teaches the "Basics". Things like scripting, virtual labs, etc. The others are a pay by the month class.

The Class Format:
The class meets once a week at a set time. The classes meet via Skype conference call, and a web based desktop sharing program for "screen casting".

You can join the class at anytime, as long as there is an opening. Other than the Mukyu, which is ran for 2 months and can only be joined at the start of the cycle.

The Shodan Level, the one I'm in, are designed to recycle every 3 months. Basically go through three months of classes and then if the students have kept up with the home work and labs, they can test out of the class to the next level. The Shodan level classes are designed to teach students the basic frame work of Penetration testing. The exam is just as much about the ISSAF as it is about hacking the system.

First Impressions:
So I started with the Shodan class, because I have experience with Virtual Boxes and Virtual Labs, shell scripting, and some of the other topics that were covered at that level. I can't scrape a web page yet (one of the things you're expected to already know how to do in the Shodan class), but I'm sure I'll be able to figure it out when I have to. The one thing I'm more worried about is the lack of scripting / programming I've done over the last couple of years. I can do some basics but been a long time since I've had to do any real scripting.

I kind of lucked out when I signed up. I've been saying I'm going to for a while now. I was going to start with the lower class, but said meh, go big or stay on the porch. The first week's class I was lucky. It was the Review class for the last 3 weeks. It works good as an over view class too, giving the student an idea of what is to come.

The class incorporates both a Wiki and a Forum for peer level conversations. However, probably possible for a little bit of mentoring there too. But I haven't looked into it that much yet.

Moving to the next level:
To move up to the next level, you can ask to take the test at any time. It is a 2 part test. Both parts are timed. The first part is a 48 hour written exam, that must be passed before taking the second part. It's not just a bunch of answers, but includes having to prove your work with screen shots. The second test is the Practical exam. Where you have 72 hours hack the system.

After passing, you can move up to the next level, Nidan.

Stick around, my next class is in 2 days. I'll update sometime between then and next Sunday.

new to me tools

I like finding "new" tools. That doesn't mean that the tools themselves are new, just new to me.

In Information Security, I play mostly on the defensive side. Firewalls, nmap scans of my boxes (the ones I'm responsible for), centralized logs, and google advanced searching.

That doesn't mean I don't want to learn some attacker skills. I'm always trying to learn more, to add more value. Even if the majority of my job now, doesn't involve much security (other than the occasional firewall rule).

Therefore I'm reading books on hacking. The one I'm reading now is Dissecting the Hack: The F0rb1dd3n Network. In the STAR section's first chapter I came across 2 tools that seem to be useful. They're plugins for Firefox.

Passive Cache Search: Lets you search the Google cache of a webpage. Usually searching the cached page still pulls down pictures and other multi-media from the site. But Passive Cache is supposed to have a way to do it as text only from the Google cache

Advanced Dork: Tool to help create advanced Google searches. This one should be fun. It's the one I've been playing with the most out of the two.

back and forth

So I fired up my old skype account a couple of months back. I was trying to get it to work on my phone, but it won't without an upgrade and well.... AT&T / Samsung can't get their stuff together to push an update.

Fast forward to this week. I was talking to a co-worker about having long conference calls on a regular basis. I made a comment about upping my minutes on my account and carrying a charger to keep it charged. His comment was to just get a decent headset and use skype with the $3.00 a month dial out.

So I went out yesterday and got a head set. Logitec H530 USB headset. Man what a headache. At least on my Linux box. I've gone back and forth with ALSA and PulseAudio trying to get things to work right. I'm back to ALSA. While I can't listen to things through the headphones off calls. I got skype to work with Alsa and the headset where people said it sounded good on the phone.

I was using PulseAudio while listening in on the maintenance call last night, and when I was trying to ask questions, no one could hear me.

Don't know how it works with other OS, but at least with my Debian box, it's not perfect.

However, it's mostly going to be used with a windows box, so that might be another story.

another book review will be coming.

I'm reading another book that I'm going to write a review on. One of the author's said "nice review" on the Rework review. Considering the author is another one of the people I look up to in the Hacking community, I hope to do his book as much justice.

Read Rework

Listening to the Exotic Liability the other week, a book was mentioned. Book called Rework. One of the casters (I know who, but not going to name drop here) said he requires his staff to read the book. Since I look up to the guy, hey we all have our info-sec heroes and he's one of mine, I got the book.

It's a business book written by the guys at 37Signals. It was actually a very fast read, and I was familiar with the concepts already. I didn't agree with everything in the book, but I agreed with the majority of it.

It contains concepts of why hiring Rockstars just to hire them is a bad idea. Why meetings suck the life out of your team. Don't chase the large customer, do what you think is right. Run it like you want to be the best you can be. The biggest thing I like in it was the Decisions and Quick Wins.

I have project coming up. I've been thinking that it's going to be a pain, and felt overwhelmed a few times. I'm going to set up the new web site for the Martial Arts School I teach at. Updating it to run on Drupal and the like. The book showed me I can do sections of it at a time, and go from there. Thinking up a finished product and pushing to that keeps you from being agile enough to change. Things won't be as good.

But if I start small, and go from there. Get the basic site up first, and then add things as needed, it'll be better. It'll give me time to move on feedback better. Which will make the site better.

So instead of installing drupal, getting blogs and forums set up, and user accounts, locked video section and all the different pages. I'm going to start with the basic drupal website. Add a few pages to it. And then add things as needed going forward.

Seriously the book is worth the read. It shows how you can be a lean mean company, hobby, or employee and ADD value instead of just being a Cog.

ok, surprised

I don't think I'm down to the 220s yet. Sucky part of not having a scale. But... I did get my calipers and new measuring tape yesterday from Amazon. Both said I was between 20 and 22% body fat.Really a little surprised by that.

Anyway, I can take the stairs at work. I knew I could do the parking structure. Well it turns out with my badge, I can access the building stairs. So on average, I'm going down and up 6 flights of stairs at lunch time, and Down 6 and up 9 at the end of the day to go home (second floor in both, no ground access from the stairs in the building, at least not the stairs I'm using).

I feel more comfortable taking the employee bridge on the second floor anyway instead of walking across the road, dodging people pulling in and out of the garage.

Last Friday, I actually managed to run up those 9 levels. However yesterday, they kicked my but just walking up them. Although yesterday my pack was heavier than usual. It had a couple of extra books in it.

what?

at the rate I'm going, I'll be into the 220s sometime next week. Not really working out. Longer walks with my 20lbs back pack on (parking structure to office or reverse). Doesn't look like I can take the stairs at work.

I'm at 233 today.My weight has been dropping for 2 weeks now. Was at around 243 when I left my apartment 9 days ago.

Recent events

No, this one isn't about me.

So with the political unrest in an African country, and the Government killing the internet there, I got to wondering...

What could be a portable way to bypass a government kill switch. A full on non-portable station would rock too, if you can protect it.

The best I can think of, and I'm no expert, is to hook up something like...

• Rucksack


• antennas


• packet over radio *think ham radio*


• one of those cell phone base station / repeater things


• wifi router (with built in tor support)


• battery pack and solar charger

Basically the idea is an isp / cell carrier in a backpack using Armature radio as the transmission medium. I don't know how well it would work. I don't even know if it would work, but I have a project to try later.

Probably won't be light or cheap to build. But it could be very useful. The downside whoever has it on their back will be a huge target.

A base version would substitute a pelican case for the pack, and directional antennas. Point them down from on top of a tall building.


Just an idea, that I got from watching recent events.