2021-12-28 07:29:00
It's been years now since Internet meme imagery started showing up in corporate communications: from adverts to internal PowerPoint presentations, you've probably seen them. A quick talk at the office reminded me of that classic episode of Star Trek: TNG, where the crew have a run-in with the Tamarians, who speak only in metaphors.
It made me realize, as linguists have been pointing out for aeons apparently, that we as global people can definitely head in the same direction. I mean, sure! My best friend Menno and myself can speak in 90s animation memes! So why not?
Here's how you could explain the current Log4j hullabaloo in meme-speak.
JNDI: There's no way this could go wrong!
Log4j: ORLY?
Log4j: Yo dawg, we heard you like resolvers in your logs! So we put...
2021: Pwning log4j hypetrain, let's go! To the moon!
Researcher: Shit's on fire yo.
InfoSec: My hair is on fire! My hair is on fire!
Management: Let's go! In-n-out! 20 minute adventure
InfoSec: One does not simply ...
DevOps: Science dog has no idea what he's doing.
DevOps: I know nothing about ... at this point I'm too afraid to ask
InfoSec: This is fine.
2031: Remember when? ... Pepperidge farms remembers!
kilala.nl tags: work
2021-12-27 15:37:00
Fabian Faessler, aka LiveOverflow, runs a wonderful YouTube channel where he explains all kinds of InfoSec and other hacking-related topics. I'm a huge fan of his two-part explanation of the recent Log4j vulnerability.
We've seen plenty of proofs-of-concept and rehashes of the JNDI problems. In his video, Fabian instead delves into the question of how we even got into this mess.
The screenshot above is from part 2. It asks developers the honest question: what would have been better, more secure? Do we want a logging solution which can resolve arbitrary variables and macros? Or should we have a plain logger, which needs to be spoon-fed what it needs to log?
In secure design, we should always choose option B. But I guess that historically "features" and "shiny factor" won over "basic design".
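To make the two options concrete, here is a toy comparison I added (it is not code from the video or from Log4j): option A expands ${scope:name} lookups anywhere in the finished message, so a lookup smuggled in through a user-supplied value gets expanded too; option B treats the format string as the developer's constant and the arguments as opaque data. The DEMO_TOKEN variable and the LOOKUP syntax are constructed for the demo.

```python
import os
import re

# Constructed environment value for the demonstration (not a real secret).
os.environ["DEMO_TOKEN"] = "demo-token-1234"

# Matches ${scope:name}, the kind of lookup syntax a "smart" logger expands.
LOOKUP = re.compile(r"\$\{(\w+):([^}]+)\}")


def macro_logger(fmt, *args):
    """Option A: assemble the message, then expand every ${scope:name}
    lookup found in it. Because expansion runs on the finished message,
    lookups hidden inside user-supplied arguments are expanded as well."""
    message = fmt.format(*args)

    def expand(match):
        scope, name = match.group(1), match.group(2)
        if scope == "env":
            return os.environ.get(name, "")
        return match.group(0)  # unknown scope: leave the text alone

    return LOOKUP.sub(expand, message)


def plain_logger(fmt, *args):
    """Option B: the format string is a constant chosen by the developer;
    the arguments are inserted as data and never interpreted."""
    return fmt.format(*args)


FMT = "login failed for user {}"

if __name__ == "__main__":
    # The second username is a constructed hostile-looking value.
    for username in ("alice", "${env:DEMO_TOKEN}"):
        print("A:", macro_logger(FMT, username))
        print("B:", plain_logger(FMT, username))
```

Only option B logs the second username literally; option A quietly writes the environment value into the log, which is the design choice the video is asking developers to reconsider.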
If you have half an hour, I suggest you grab some coffee and go give this series a watch!
kilala.nl tags: work, security, studies
2021-12-27 11:07:00
I just found this awesome page (a very long read), which is a retrospective of Mike Sass' five-year education path. Lots of good advice about studying infosec, and mini-reviews of many trainings (SANS and others).
https://shellsharks.com/training-retrospective
kilala.nl tags: work, studies
2021-12-27 08:37:00
A few weeks ago CertNexus announced the public beta of their CyberSec First Responder (CFR) exam, version 410. Three years ago I took the beta for CFR-310. At the time I wasn't overly impressed by the exam, so I decided to take it again to see if they improved.
They did not. I can actually literally repeat what I said three years ago, while replacing "Examity" with "OnVue".
Comparing this to CySA+, I like CompTIA's exam a lot better.
My take-away: if you're in the US and must get a DoD 8570-listed certificate for one of the CSSP roles, then you may find CFR to be easier than CompTIA's CySA+ or Pentest+.
CFR is also marginally cheaper than CySA+ ($350 vs $370). But it's the renewal fees where you may want to opt for CompTIA, if you have more than one of their certs. Both companies charge $150 per three years, but in CompTIA's case the fees for multiple certs are often combined, so you don't have to pay multiple times.
I'm curious to see what the end result of my scoring will be. But if I do pass, I will not be paying my CFR annual fees.
EDIT:
One thing I don't like about the CFR-410 exam is this section on page 5 of the objectives document:
"The information that follows is meant to help you prepare for your certification exam. This information does not represent an exhaustive list of all the concepts and skills that you may be tested on during your exam. [...] The information beyond the domains and objectives is meant to provide examples of the types of concepts, tools, skills, and abilities that relate to the corresponding domains and objectives. All of this information [...] does not necessarily correlate one-to-one with the content covered in your training program or on your exam."
It sounds like they're saying: the exam may include specific tools and techniques not listed as examples on the objectives document.
You could argue that's fair enough, because it's impossible to list all the tools that you'll ever run into on the job. But on the other hand, it creates a moving target for students who are already anxious enough about taking a big exam.
With CompTIA's exam objectives you can always count on the rule that "if it's not on the objectives, it's not on the exam".
kilala.nl tags: work, studies
2021-12-24 09:43:00
On the CompTIA A+ Discord we got into a little chat about apt package management. Someone really wanted a real-world example. Since "apt install wireshark" doesn't really tell them much, I typed up the following.
What we haven't been hitting on here and which might not come up in the objectives either is "why?". Why do we even need yum, apt, brew, choco, dnf and so on?
To answer that in as short a time as possible: installing software can be a tricky thing, because of "dependencies". Software needs more software, which needs more software, to run.
A piece of software is almost never stand-alone: it needs libraries, drivers, programming language interpreters, supporting tools and so on. And if you start working with Python, Java, NodeJS and so on, you will really get stuck in "dependency hell".
On Windows, standalone software installs often come as MSI or EXE installers. On Linux they come in the form of DPKG, RPM and other package formats. Now, if you want to run software that was installed via only such an installer, you'll quickly run into problems: "Help! I'm missing X, Y and Z! You need to install those too!".
Package managers like Yum, APT, Homebrew, Chocolatey and so on help us with that. They will look at the list of dependencies that such an RPM / DPKG might have and make a grocery list. :) "You want this? Fine, then we'll also get X, Y and Z and get them set up for you."
That's the "why?". It's what makes "sudo apt install wireshark" so nice: it fetches ALL the extras Wireshark needs to run.
Now Overwatch? That's gonna be interesting. Because where do all these packages come from? From "repositories", central databases of software packages. They are often run by the company making your chosen Linux, but there are also independent ones (like choco, brew and more). Plus, commercial vendors also often have their own repositories set up, which you can subscribe to. This is how you would install Microsoft's Gitlab, for example.
Question is: do Blizzard have a repo to install Overwatch from? I don't know. :)
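Since the Discord crowd wanted something more concrete than "apt makes a grocery list", here is a small resolver I added to show what the package manager does with a repository index and a package's dependency list: it walks the dependencies transitively, skips what is already installed, orders the list so that every package comes after the things it needs, and fails cleanly when nothing provides a dependency. The REPO table is a constructed toy index, not the real Debian dependency tree, and this is not apt's own code.

```python
# Constructed miniature repository index: package -> packages it depends on.
# The names are illustrative only; this is not the real Debian dependency tree.
REPO = {
    "wireshark": ["wireshark-qt"],
    "wireshark-qt": ["wireshark-common", "libqt5"],
    "wireshark-common": ["libpcap", "libwiretap"],
    "libwiretap": ["libc"],
    "libpcap": ["libc"],
    "libqt5": ["libc"],
    "libc": [],
}


def resolve(pkg, repo=REPO, installed=()):
    """Build the 'grocery list' for pkg: every package it needs, directly or
    indirectly, that is not already installed, ordered so that each package
    appears after the packages it depends on (what apt/dnf/brew do for you).
    Raises KeyError when something is needed that no repository provides."""
    order = []
    done = set(installed)

    def visit(name, chain):
        if name in done:
            return
        if name in chain:
            raise ValueError("dependency cycle: " + " -> ".join(chain + [name]))
        if name not in repo:
            needed_by = chain[-1] if chain else "you"
            raise KeyError(f"{needed_by} needs {name}, but no repository provides it")
        for dep in repo[name]:
            visit(dep, chain + [name])
        done.add(name)
        order.append(name)

    visit(pkg, [])
    return order


if __name__ == "__main__":
    print("fresh system:", resolve("wireshark"))
    print("libc present:", resolve("wireshark", installed=("libc",)))
    # Constructed: a package whose dependency is in no repository we know.
    try:
        resolve("overwatch", repo={"overwatch": ["battle-net-client"]})
    except KeyError as err:
        print("cannot install:", err)
```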
kilala.nl tags: teaching, work, linux
2021-12-22 16:16:00
Back in 2018, I took the CertNexus CFR-310 beta exam. It was okay.
This week I learned that CN are launching CFR-410 with another beta (quoting their Facebook):
"Due to the high demand for the CFR-410 beta testers, we have decided to offer 75% off the voucher for the CFR-410 beta exam for a limited time. To participate, please go to https://bit.ly/CFR-410-voucher, create an account (or sign in), add the exam voucher to your cart and enter coupon code CFRBETA75 during checkout.
For more information on #CFR go to https://certnexus.com/certifica.../cybersec-first-responder/."
Final cost after discount: USD 87.50. I booked it and am waiting for the beta to open up.
As a reminder, CFR-410 (and 310) is a security incident response exam, the acronym referring to CyberSec First Responder. It's comparable to CompTIA's CySA+ (cybersecurity analyst) and the much better GCIH (GIAC incident handler). I'm curious how this'll play out!
Speaking of other upcoming betas: Project+ 005 from CompTIA is coming up. And yes, they will run a beta exam, starting in January. I might be curious enough to just give it a shot, see what it's about.
kilala.nl tags: work, studies
2021-12-05 09:09:00
Less than 48h ago, the new beta version of CompTIA's Linux+ exam, XK0-005, was opened to the general public. Or is it XK1-005?! I've asked them what's up with that XK0/XK1. Since taking CompTIA's beta exams is a big hobby of mine, I jumped onboard immediately!
Three years ago I was not very impressed by the XK0-004 beta. I felt it was too easy and too heavily focused on git and legacy software like init. Since there's an embargo on the objectives (which you can download from the official page I linked above) I can't discuss the objectives nor what's on the test. But I can tell you this much:
Some of the questions were really, really long. Like, "print this on A4 and it fills a whole page" long. I felt that might scare off the intended entry-level audience, so I put that in the comments.
My conclusion: this exam is looking good! I would say that, content-wise, it's now on par with what I'd expect from RHCSA. I don't have recent experiences with LPIC or LFCS, I should give those a look sometime soon.
I expect that my next group of students at IT Vitae will still be testing against version 004, but I will start updating my training materials for the groups after that. The objectives have changed considerably.
kilala.nl tags: work, studies
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.