Leaderboard

Just for you guys, I reconfigured my PC to turn on the RGB. Its placed under a desk in the 'office' (at home), next to where my wife now also sits while she finishes her PHD. So the whole thing is pretty much hidden. I use 4 monitors with a KVM so that we can switch between the machines, otherwise we have 2 screens each, when we both are working. Specs: Intel Core i9-10900K ASUS ROG STRIX Z490-F GAMING Nvidia RTX 3090 TUF gaming OC Samsung 970 Evo Plus NVMe PCIe M.2 1TB Kingston SKC2500M81000G 1TB Seagate FireCuda SSHD 2TB (2016) Seagate Barracuda 2TB (2018) Kingston HyperX DDR4 3200 C18 4x16GB

When I was in high school I got really into flash animation and I used to make animated avatars and videos for an old site. Back then I used Adobe Flash CS3 Professional, but it was a pirated copy and the program itself was extremely expensive (as is the modern version). Luckily, there's an extremely similar program called Macromedia Flash 8 that's fully free! (Only compatible with Windows unfortunately) Now I hear you asking "Freak, isn't Flash a dead technology that isn't used anymore?" Well it isn't supported on modern browsers, but that doesn't mean it's dead. You can still watch flash animations and play flash games in a flash player or something like VLC, but you can also just export any animations you make as an MP4 instead of the traditional SWF. https://macromedia-flash-8.soft32.com/

This is a pro-tip/PSA for my fellow keyboard enthusiasts: if you're not using double-shot PBT keycaps, you are not living life correctly! I have what I thought was the perfect keyboard, namely the G.Skill RIPJAWS KM780R RGB. With Cherry MX Red switches, 6 macro keys and a profile that wouldn't look out-of-place on a Klingon battleship, it's a most suitable companion during long coding sessions. Before I heard of PBT keycaps, though, I never thought the cheap ABS plastic caps that came with the KM would be a problem. After looking into PBT caps, I started to notice the very real problems. The shine that develops from the accumulation of oils from fingertips was one thing. The bigger issue was the frequent slippage caused by the super smooth, non-textured surfaces. I don't need to be a speed typist most of the time, but I can imagine how constant slippage would be a major obstacle for competitive gamers. After some contemplation, I decided to shell out about $100 for a Razer Huntsman TE for its compact design, TKL layout, brand name and, most importantly, the higher-quality, double-shot PBT keycaps. I was almost ready to buy before the reservations hit me. For one thing, I'd really miss my macro keys, as I do use them regularly; for another, the multiple reviews for the Huntsman TE suggest its extremely light actuations would make it unsuitable for regular everyday typing. It's a gaming keyboard through and through. At this point, I was wondering if it were possible to keep my KM keyboard but just swap out the keys. G.Skill does have replacement keys, but they're also made of the cheap ABS plastic. Looking around, I found these Ducky caps on eBay. (Note: the Ducky spacebar is extra long and may not fit your board, so you may have to be stuck with your old spacebar.) After about two weeks of using them, I can honestly say this was one of the best shopping decisions I ever made. The textured caps made my slippage problem all but disappear, and I can actually enjoy typing again. On top of that, I only spent about 1/3 of what I'd need to spend for another whole keyboard when my current one is still working perfectly fine in every other way. In summary, if you're in the market for a new keyboard, make sure they come with PBT keycaps. If you're not but currently using ABS caps, get yourself some PBTs. Your fingers will thank you.

I had my eye on the Vortex POK3R for a long time, which is a 60% board and somewhat similar in design to the Happy Hacking. I eventually decided against it; I can do without the numpad, but I think I'd miss the arrow keys way too much. Often, I'm busy with my hands and need to scroll with only one free hand, which would be too awkward to do on a board like the HHK or POK3R. I don't have any experience with Dvorak boards or layout designs like the Kinesis Advantage, so I have no informed input. I do think it's interesting how they choose to combat carpal tunnel by placing the keys at a lower depth than the wrist wrest. The depth may also have a positive effect on the abovementioned slippage problem if that's a concern for you too. The specs do not indicate of what material the caps are made, but they look like they're textured rather than smooth, so they have that going for them. One thing I'll mention if I haven't sufficiently emphasized this in my original post: PBT caps feel very good against your fingertips. Yes, I got them to address a problem in functionality rather than for comfort, appearance or anything else; with that said, I cannot ignore how much more enjoyable they make the typing experience. Hopefully, this will give you some more food for thought!

#From the site: Offensive Security Proving Grounds (PG) are a modern network for practicing penetration testing skills on exploitable, real-world vectors. With the new additions of Play and Practice, we now have four options to fit your needs. Which PG edition is right for you?

Examples of IT security frameworks COBIT Control Objectives for Information and Related Technology (COBIT) is a framework developed in the mid-90s by ISACA, an independent organization of IT governance professionals. ISACA currently offers the well-known Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications. This framework started out primarily focused on reducing technical risks in organizations, but has evolved recently with COBIT 5 to also include alignment of IT with business-strategic goals. It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules. ISO 27000 series The ISO 27000 series was developed by the International Standards Organization. It provides a very broad information security framework that can be applied to all types and sizes of organizations. It can be thought of as the information security equivalent of ISO 9000 quality standards for manufacturing, and even includes a similar certification process. It is broken up into different substandards based on the content. For example, ISO 27000 consists of an overview and vocabulary, while ISO 27001 defines the requirements for the program. ISO 27002, which was evolved from the British standard BS 7799, defines the operational steps necessary in an information security program. Many more standards and best practices are documented in the ISO 27000 series. ISO 27799, for example, defines information security in healthcare, which could be useful for those companies requiring HIPAA compliance. New ISO 27000 standards are in the works to offer specific advice on cloud computing, storage security and digital evidence collection. ISO 27000 is broad and can be used for any industry, but the certification lends itself to cloud providers looking to demonstrate an active security program. NIST Special Publication 800-53 The U.S. National Institute of Standards and Technology (NIST) has been building an extensive collection of information security standards and best practices documentation. The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security. Although not specifically an information security framework, other frameworks have evolved from the NIST SP 800-53 model. U.S. government agencies utilize NIST SP 800-53 to comply with the Federal Information Processing Standards' (FIPS) 200 requirements. Even though it is specific to government agencies, the NIST framework could be applied in any other industry and should not be overlooked by companies looking to build an information security program. NIST Special Publication 800-171 NIST SP 800-171 has gained in popularity in recent years due to the requirements set by the U.S. Department of Defense that mandated contractor compliance with the security framework by December 2017. Cyberattacks are occurring throughout the supply chain, and government contractors will find their systems and intellectual property a frequent target used to gain access into federal information systems. For the first time, manufacturers and their subcontractors now have to implement an IT security framework in order to bid on new business opportunities. NIST SP 800-171 was a good choice for this requirement as the framework applies to smaller organizations as well. It is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations, which aligns well with manufacturing or other industries not dealing with information systems or bound by other types of compliance. It may not be a good fit by itself for industries dealing with more sensitive information such as credit cards or Social Security data, but it is freely available and allows for the organization to self-certify using readily available documentation from NIST. The controls included in the NIST SP 800-171 framework are directly related to NIST SP 800-53, but they are less detailed and more generalized. It is still possible to build a crosswalk between the two standards if an organization has to show compliance with NIST SP 800-53 using NIST SP 800-171 as the base. This allows a level of flexibility for smaller organizations that may grow over time as they need to show compliance with the additional controls included in NIST SP 800-53. NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity The NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity is yet another framework option from NIST. It was recently developed under Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity" that was released in February 2013. This standard is different in that it was specifically developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries have all found themselves targeted by nation-state actors due to their strategic importance to the U.S. and must maintain a higher level of preparedness. The NIST Cybersecurity Framework differs from the other NIST frameworks in that it focuses on risk analysis and risk management. The security controls included in this framework are based on the defined phases of risk management: identify, protect, detect, respond and recovery. These phases include the involvement of management, which is key to the success of any information security program. This structured process allows the NIST Cybersecurity Framework to be useful to a wider set of organizations with varying types of security requirements. CIS Controls (formerly the SANS Top 20) The CIS Controls exist on the opposite spectrum from the NIST Cybersecurity Framework. This framework is a long listing of technical controls and best practice configurations that can be applied to any environment. It does not address risk analysis or risk management like the NIST Cybersecurity Framework, and is solely focused on hardening technical infrastructure to reduce risk and increase resiliency. The CIS Controls are a welcome addition to the growing list of security frameworks because they provide direct operational advice. Information security frameworks can sometimes get caught up on the risk analysis treadmill but don't reduce overall organizational risk. The CIS Controls pair well with these existing risk management frameworks to help remediate identified risks. They are also a highly useful resource in IT departments that lack technical information security experience. HITRUST CSF It is well known that the HITECH/HIPAA Security Rule has not been successful in preventing data breaches in healthcare. The original HIPAA compliance requirements were written in 1996 and set to apply to a broad set of technologies and organizations. More than 230 million people in the U.S. have had their data breached by a healthcare organization, according to the Department of Health and Human Services. The overly general requirements included HIPAA and the lack of operational direction as partly to blame for this situation. HITRUST CSF is attempting to pick up where HIPAA left off and improve security for healthcare providers and technology vendors. It combines requirements from almost every compliance regulation in existence, including the EU's GDPR. It includes both risk analysis and risk management frameworks, along with operational requirements to create a massive homogenous framework that could apply to almost any organization and not just those in healthcare. The only bad choice among these frameworks is not choosing any of them. HITRUST is a massive undertaking for any organization due to the heavy weighting given to documentation and processes. Many organizations end up scoping smaller areas of focus for HITRUST compliance as a result. The costs of obtaining and maintaining HITRUST certification adds to the level of effort required to adopt this framework as well. However, the fact that the certification is audited by a third party adds a level of validity similar to an ISO 27000 certification. Organizations that require this level of validation may be interested in the HITRUST CSF. The beauty of any of these frameworks is that there is overlap between them so "crosswalks" can be built to show compliance with different regulatory standards. For example, ISO 27002 defines information security policy in section 5; COBIT defines it in the section "Plan and Organize;" Sarbanes-Oxley defines it as "Internal Environment;" HIPAA defines it as "Assigned Security Responsibility;" and PCI DSS defines it as "Maintain an Information Security Policy." By using a common framework like ISO 27000, a company can then use this crosswalk process to show compliance with multiple regulations such as HIPAA, Sarbanes-Oxley, PCI DSS and GLBA, to name a few. IT security framework advice The choice to use a particular IT security framework can be driven by multiple factors. The type of industry or compliance requirements could be deciding factors. Publicly traded companies will probably want to stick with COBIT in order to more readily comply with Sarbanes-Oxley. The ISO 27000 series is the magnum opus of information security frameworks with applicability in any industry, although the implementation process is long and involved. It is best used, however, where the company needs to market information security capabilities through the ISO 27000 certification. NIST SP 800-53 is the standard required by U.S. federal agencies but could also be used by any company to build a technology-specific information security plan. The HITRUST CSF integrates well with healthcare software or hardware vendors looking to provide validation of the security of their products. Any of them will help a security professional organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them. Source

There are some pretty badass resources out there for Shodan. A good place to start to really see some of the crazy shit you can do with it, and as well as to avoid a visit from the Department of Homeland Security, can be located here: This is a badass talk. Dan is a kick-ass Defcon speaker. Also, this quick guide will introduce you to shodan: https://www.hackeracademy.org/hacking-with-shodan-how-to-use-shodan-guide/ Here are some cool pentensting related projects, that use Shodan: https://awesomeopensource.com/projects/shodan

From my understanding the Alpha your using connects via USB. Try adding it in the settings menu of VirtualBox, if that's the virtualization software your running. If it's not, then I don't know what to tell you. Do this by going to the USB settings and clicking the add button. Keep in mind with many types of devices, VIrtualbox does not like to share. It want's 1 OS to "own" it so to speak. So, if your depended on using the interent for your main box, and try using it in a VM you need to choose which one is actually going to get to use it. Make sure you also have the extension pack installed for VB. Go to help -> about virtualbox. This will give you your version number: If you have an older version, you can grab that extension pack here: https://www.virtualbox.org/wiki/Download_Old_Builds If it's up to date, go to the download page for VB, and look for the black heading: "VirtualBox 6.1.26 Oracle VM VirtualBox Extension Pack" click the hyperlink under that. To install it, you can do it with kali open, (easiest) simply click on "install guest addons" in the menu. The image will mount, then cp the files. cp VBoxAddonsLinux*.run Some shit like that this is from memory, so figure it out. (if you prefer gui, open the mounted "disk" and copy that file to the desktop). In terminal (or w/e) cd to Desktop. sudo chmod +x NAMEOFTHE.RUNFILEYOUTRANSFERED sudo ./NAMEOFTHERUNFILEYOUDOWNLOADED.RUN Reboot, the vm. OR. After you grab the extension disk from the download page as explained above, go to file -> preferences, in VBox. click extensions click on the green plus sign to the right, find your download of the extension pack. ALTERNATIVELY, if you open virtualbox, and download the extension pack, you will/may get an options like this: click I agree, and run as admin: Now that all that bullshit is done, attach your wifi adapter. Do this by navigating to the "USB" option in the preferences for that VM. if your adapted does not show up, try switching between USB 1.1 -> USB 2.0 or 3.0. Stat's came up wrong? Double click the adapter, by doing this we can manually add the Vendor and Product ID. Now go to Setting->Network. Select tab Adapter 1. Then in the "Attached to" drop down box, select Bridge adapter, "Name" drop down box select wireless adapterwhich you have , go to advance option, leave adapter type default, set promiscuous mode "Deny" and check the Cable connected box. (yes, though it is wireless adapter, we have to check it). Then Ok. Now remove the wireless adapter physically from your host machine port. Run the virtual machine (Kali Linux). After running Kali, insert wireless adapter in the port of physical machine and see it is showing WiFi interface. Connect it and in terminal, type "ifconfig" command. There will be wireless network interface wlan0. Remember if you remove the wireless adapter physically from your host and after that run Kali linux, it will prompt you a message that Network adapter (w/e name you gave it) is not found. Don't worry if go to next then Kali will run and remove the current network setting. Then it will get back to default setting with eth0.

Shodan is crazy powerful. My advice in using it would be: always think about it, before engaging in your next action.

We covered some of this in my Secure Software Engineering class. Lots of great info and lots of great tools out there. NIST is pretty awesome. SEI is also pretty amazing for looking up things dealing with code. For those unfamiliar, SEI has documentation for each language on common unsecure code snippets, why it is unsecure and better ways to write the code while achieving the same result. SEI for C as an example: https://wiki.sei.cmu.edu/confluence/display/c