SANS FOR572 and GNFA Review
I completed SANS FOR572 with Phil Hagen on-demand from May to September of this year. Today I passed the GIAC GNFA certification. This was my first SANS course and I plan to take more in the future. First things first - how did I study and pass? My course completion was strung out far longer than I recommend. Life got busy, my homelab hardware crashed a few times, and all of a sudden I got the email that 60 days remained on my GIAC attempt.
Homelab Game Streaming Setup
My gaming rig has always been the odd one out in my lab. I’m a strong advocate of keeping your daily driver out of labbing shenanigans; however, more recently I’ve been questioning this concept. My gaming PC is exceptionally powerful, underutilized, and could offer some much needed relief to my Kubernetes nodes. Naturally I became obsessed when I stumbled across Craft Computing’s new video on game streaming.
Converting SANS Course vmdk Images to qcow2 in Proxmox
SANS courses distribute their machine images via vmdk, VMware’s disk image format. SANS courses spend a lot of time stressing their minimum system requirements, which makes sense given that the trainings were traditionally taken in a classroom over the course of a week. There wouldn’t be any time to fiddle with system issues. Now that courses can be taken on-demand, I knew I wasn’t going to run the SANS VMs on my laptop but instead on my homelab hypervisor.
Book Review: Retire Before Mom and Dad: The Simple Numbers Behind A Lifetime of Financial Freedom
“Retire Before Mom and Dad” by Rob Berger aims to be a primer on compound interest and financial freedom for young adults. Introductory chapters to the book are slow and eye-rolling. The author’s constant Matrix references of “taking the red pill” are an extreme exaggeration of what is simply acting like a financially responsible adult. Finances ARE boring and I dislike when folks act otherwise.
WireGuard on an Amazon Fire Stick
I recently installed WireGuard on an Amazon Fire Stick so I can plug into my home media server from any TV in the world. I largely followed the guide set out by m00nie.com, but still wanted to document the steps I encountered myself.
Prepping for WireGuard clients
You should have a WireGuard server set up and ready to accept clients. In my case I use OPNsense as a home router with a WireGuard plugin natively available.
Reflecting on Google Cloud's Asset Key Thief
Reflecting on Google Cloud’s Asset Key Thief Vulnerability In the first half of 2023 I discovered and disclosed a Google Cloud service account private key exposure vulnerability. I dubbed it ‘Asset Key Thief’ (as cloud vulnerabilities do not receive CVEs). In a nutshell, private keys that allow for the assumption of service account principals, and whatever permissions those service accounts are permitted in a Google Cloud environment, could be exfiltrated out of an unrelated asset inventory API.
An Opinionated Guide to Homelabbing
I love homelabbing. There’s something exciting about having your own compute and corner of the internet in the era of the cloud. Homelabbing has not been without its headaches. I’ve put myself in many different pickles and this guide aims to provide high level guidance towards practices that I believe will make your homelab journey more enjoyable. These thoughts are presented in no particular order.
Book Review: Countdown to Zero Day
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon “Countdown to Zero Day” by Kim Zetter is an incredible, in-depth technical account of the events revolving around Stuxnet and its sister malware strains, Duqu and Flame. Zetter spares no details throughout the book, giving readers an in-your-face view about the mechanical underworkings of nuclear centrifuges, malware domain sinkholes, and zero-day exploit chains. In short, “Countdown to Zero Day” does not hesitate to get in the weeds.
Nationwide Quote System Revealed PII Information of Customers
On May 7th 2023, I worked with a close friend to responsibly disclose a bug in Nationwide’s quoting system that revealed PII data of arbitrary customers. The bug was initially witnessed within Nationwide’s quote estimator web page, as anyone signing up for a quote would notice that Nationwide was displaying information to them that was from a different customer. We understood this vulnerability to reveal the following PII information of arbitrary customers:
Book Review: Sandworm
“Sandworm” by Andy Greenberg is a fascinating reflection of the Russian state prior to the modern Ukrainian conflict. Published in 2019, the book dives deep into Russia’s powerful hacking teams from modest inception to their infamous hacks at the Olympics, during elections, and towards their neighbors. I highly recommend this book for those interested in getting a deeper context to the Ukrainian conflict. The book constantly touches on the need for a Digital Geneva Convention.