
So I actually have a bit of a confession to make: I graduated from university with a degree that has absolutely nothing to do with computers. All right, absolutely nothing, no idea. Now, I wasn't afraid of them, and it's not that I didn't like them, but I just didn't really care too much about them. They were nothing more to me than either video game machines (I plug in a cartridge to play a game, boom, I'm done) or, as I hit university, glorified typewriters. What I thought was really cool about the glorified typewriter was that I didn't have to put that tape in and hit backspace and press... because there's a couple of nods; the rest of you are probably going, what the heck is that? But for me that was really about the extent of them.

But then when I graduated, so I had a degree in English, but I actually wanted to get into writing, and I tell people I was, you know, trying to write articles and stuff like that. Truth be told, actually, just getting out of university I was also writing essays for students. Good, actually, good money in that. That's not being recorded, is it? It was a long time ago; I'm sure they won't lose their degrees now. So I bought a computer, took it home for nothing more than the purpose of, obviously, this writing, and then I ran into a situation where I worked on this long essay that was due for this poor student and I lost it. I couldn't find it. I didn't know what happened to it. I don't know if I didn't save it, I really don't know. And this really confused and frightened and worried me, because I didn't really have, you know, what happened to this, where did it go? And I then got wrapped up in this whole 'how does this thing work, what am I actually doing when I work on this thing?' I started reading, started talking to a lot of people, and I started to learn a lot more. Now this is going back quite a ways.
There was no app store for that, all right. If you couldn't build or cobble it together yourself, you didn't get it. Now you just click and go, home, it's done, wow, that was so hard. So I started to learn, and I suddenly realized that the computer was actually all about languages. I'm like, hey, I studied languages. Not only that, it was a very strict form of language that was way easier to deal with than actually the English language, or many others for that matter. There was no, you know, mismatch, no confusion. The computer expected a certain language, a certain sequence, and if you gave it to it, you could do amazing things. And I got playing around with different programming languages. Truth be told, my favorite, still to this day, is Perl. Ugly as all hell, but it was scriptable; you could get it to run, you know, compiled at runtime, you get immediate feedback, I could load modules. I loved this thing, it was amazing. And really, my writing shifted from writing, well, essays, and ultimately what I hoped to be articles, into writing programs, compiling them, and seeing what happens, and getting all excited about that.

And then I went into what I described as my poetry phase, and my poetry phase was really where I started sending the computer things it wasn't supposed to expect, out of order, all that kind of stuff, just to see how it responded, watching it die in front of me, going, hey, what's all this garbage it spewed on the screen, and actually taking the time to read it. I mean, that's how weird I am. I thought it was extremely interesting, and that's really what my foray into computers started with.

But then something even cooler happened. I started reading about this thing called the Internet, and internetworking, communications in general. I'd played with a bit of little, you know, contained networks at the time, even in some work for some, but hadn't really done the bigger connections thing. I'd started, did a couple of bulletin boards, things like that, but then one day I decided I'd look into this whole networking thing. At that point everything ultimately changed for me. It was a completely different world, and really my life changed for it. So a lot of people ask me, oh, how did you get into, you know, computers and security? I'm like, I literally just fell into it. So I thought I'd share with you kind of the hitchhiker's guide. Are there Douglas Adams fans in the audience? Did you all bring your towels? Very good, very good, everybody brought their towels. You don't travel without your towels, right? If you don't know what it is, you should look it up. I thought it was a fair analogy in terms of the things I'm doing here. By the way, how many people came hoping or expecting to see something related to Star Wars? No one? Good, 'cause you know, I'm done with that, don't ask anymore. Maybe Spaceballs, that might be interesting.

But the networking piece, you know, really kind of changed everything for me. Now, something I should say up front as well: I'm not going to pretend I actually know everything, you know, even from back then. I come from a position of, well, you know, back in my day, ha ha, all right. I gotta confess, even back in my day, boy, did I make a lot of mistakes. For example, once I was hired by a company to evaluate this operating system called OS/2 Warp versus this new thing called Windows 95, and they really wanted to understand, before they made the investment, which was the better approach for their business. So I took both those operating systems, which was kind of cool, they bought them for me, so I got to play with them, and I did a whole evaluation of the operating system. Of course I didn't ask what they planned to do with it, what applications they were going to run; I just looked at the operating system, and guess what, OS/2 clearly, the networking alone on this thing just blew my mind. I'm like, this is an impressive operating system. So I told that company, you need to invest in OS/2, best thing ever. Funny enough, they never hired me again. That was kind of it at that point. So I'll freely admit that I actually really don't know anything, but I do lots of suppositions and I have lots of experience, but it's experience of trial by fire.
So I should explain. To get on the Internet when I first started, you know, figured out about this Internet thing, I mean, you could get those AOL disks at McDonald's and stuff, but all that did was I had to call a long-distance number, because it wasn't really available in Canada. However, a local college where I was living at the time actually offered an Internet course. I thought, oh, this would be perfect, because as part of it you get Internet access. So I showed up that day, I listened for a bit, but they were really, you know, kind of basic, blah. And so really I just got my, you know, we... actually they were offering Winsock at the time, although I was playing with a different OS. I got my disk to connect, and I got my username and my password, and then, like I said, I sat down for a little bit, just long enough to realize that the school was nice enough to have... essentially they had to give you your username and password. Of course, they told you to make sure to change it when you log in, and it was a randomly generated series of characters, and then they just incremented the last number by one for each student. Yeah. And they were also nice enough to give all of us everybody else's email addresses, so we could start using this Internet thing. So I had a lovely list of email addresses, I knew where I fit in the sequence, they were nice enough to do it alphabetically as well, which was great, so I could sequence it. So the end result of that was I actually spent maybe 30 minutes in the class, it was supposed to be a three-month course, and then I left and I never came back. They mailed me my failing grade, but I never was removed from that system, because of course I had countless accounts that I could get into and continue to log in. I actually used to taunt the administrators, and every time they'd get rid of me I'm like, boom. And of course, sure enough, the next class came along after that, and guess what they did? They continued with the same sequence, alphabetized. It took them a while to figure out what the heck I was doing there. Actually, I'm not sure if they ever did, because eventually a local ISP appeared on the market.

They connected, they showed up there, so I walked in, and right away the owner goes, hey, welcome, you know, first ISP for the area, we're happy to offer you service. I'm like, great, what's my username and password, what phone number do I call? He goes, oh, well, you bring in your computer, we offer a free setup, because you had to really help people get this thing up and working. Does anybody remember Winsock, right? You actually had to install your IP stack to connect; it was a whole ordeal. But I just walked in and looked and went, yeah, no, I'm good, my computer's staying at home, where's my phone number, username, password, see you later, and off I went. And I really, you know, from that point on, it really became... apologies... it actually became a real free-for-all for me on the network.

At one point I started playing with some websites, and, actually, does anyone remember, okay, this is how open we were on the Internet. Remember when we first set this up, we got two computers to talk to each other, we were just amazed that happened. If you'd told me then that we were going to put something in between that might actually stop that, I'd think you were insane. Are you kidding? I just got them talking! It didn't always, you know, work so well, sometimes it broke, but experimenting and playing around, I started playing around with this thing called the web, and I actually created a web page, and I started doing some CGI scripting with Perl. They gave me full access to the cgi-bin, and so, yeah, I was smart. But again, at the time, they were just impressed anybody used it. I think I was the only person that went, oh, I get web access, let's do something with that. So I created a web page, which was just one of those classic, you know, 90s-style 'hey, this is my web page, sign my guestbook', and at the end I put, 'but you know what, you're not really interested in this, what you're really interested in is dirty pictures', and I had a link there. Now, when you clicked the link, I didn't actually have any dirty pictures up there. What happened was it triggered the system to run a finger command. Does anybody remember finger? I can't believe this actually existed, but it was very popular. It would connect to the remote system and pull an email; if you hit the finger protocol with your IP, it would respond with your name and your email, and most systems would do this. So it would do a finger, it would pull the email, I would parse the email, and it would auto-generate an email that was sent to you out of my account. Of course it said, ha ha, caught you trying to look at dirty pictures, and then of course on the screen all that would appear was 'police have been contacted, you were trying to access pornography'. But I thought this was, you know, whatever, and I learned a lot about CGI scripting.

And then one day I logged in, I go to check my emails, and I'm like, well, I got like 10 emails, which back then was really a lot of people emailing, and it was these people randomly around the Internet emailing me back going, I was not looking for dirty pictures. I remember one guy who was actually a reverend out of the southern US; he was adamant that he was not looking for dirty pictures and something was horribly wrong. I didn't reply to them, but this guy I had to reply to and go, no, it said 'click here for dirty pictures' and you did, otherwise you wouldn't have got this. It's kind of how computers work, they don't magically do stuff for you. And so I thought this was funny, and then the next day I checked my email and I think it was up to like 50 messages coming back at me. I thought, well, that's kind of weird, and of course I'm on dial-up, so it's taking a while to download stuff. And then the next day it was somewhere around a hundred, and then by the end of the week there were literally a thousand emails piled up. I had left my machine trying to download all night to try to clear these out, and then I started logging in just via the shell and wiping out my mail file, because I'm like, I can't even use that now. And sure enough, within another hour there'd be a few hundred more pouring in, and then I couldn't... well, I could connect to my ISP, I couldn't get online anymore.

And at this point the owner started calling me. It turns out I was indexed in Yahoo's top 10 funniest websites. He was actually on a fractional T1 out of a main office in Ottawa that had the full T1. I not only took out the local office, I took out the main office, with just pure traffic coming in. So he calls, he's frantically trying to reach me, I'm frantically trying to hide from him, thinking, oh my God, he's gonna kick me off, this is terrible, what have I done, it was just a joke. He finally locks my account and says, you have to come in and talk about this. I thought, oh, this is over, maybe I can get some money back, I don't know. So I walk in, I sit down, he goes, listen, you know that thing you did? And I'm like, yeah. And he goes, can you do it again? Well, yeah. And next thing you know, I actually started working there. Now again, before you get too excited about me, you know, getting the top spot on Yahoo, this is the oldest image I can get; it was actually older than this. This is what Yahoo actually looked like back then, and quite frankly, previous to that I'd been using something called AltaVista, which I thought was kind of cool too, but Netscape was really taking off at the time.

So anyway, I ended up getting a job at this ISP. I didn't ask for it, he was like, could you just come in and maybe help me with some stuff? I'm like, okay. And that's what he said to me, he goes, you know, you're the only... you're the fifth customer that showed up at the door, and the only one that said, yeah, just give me the number and the password, I don't want all this crap. He's like, handing me disks and stuff, and I'm like, not interested. So I went in there and I started learning about DNS servers and application web servers, just anything, anything I could play on. It's also when I first got introduced... they used a BSDi Unix on the back end, and that's actually what started kicking me off to learn all about BSD-based Unix. I became a big FreeBSD guy, and then OpenBSD; I loved playing with the Unixes. And I started taking over more and more of really the functions within the Internet. He used to buy his service through a main company; eventually I'm just like, I could do that DNS entry, no big deal. And so eventually I was really running most of the ISP; we'd spread out across southern Ontario.

And then I remember sitting at home one day and I get a phone call, and it's the boss. He's like, hey, the mail's down in Peterborough. I'm like, how's the mail down? Now, this was back in the days where, you know, like right now, if the mail's down, it's like, oh my God, the mail's down, run for your life, pagers go off, we all go crazy. Back then it was like, yeah, the mail's down, whatever, I'll just check it later, you know, go do something else. So I go in to look, and I actually telnet into my server, if that's any indication of how long ago this was, and I can't even get into it. I can't even log into the thing, it's not accepting my password. I'm like, what the heck? So I was really pissed, 'cause I actually had to get in a car and drive somewhere; I was already starting the work-from-home thing. I get to Peterborough, I get there, and I realize this machine is not mine anymore. Somebody had completely taken it over, filled it full of software and all kinds of stuff, it was being distributed around the Internet. And this stunned me, because I had a password on it. How on earth did somebody get into my system? So I fixed it up, I cleaned it, I put it back online, or restored the backup, so I mean, I did my due diligence, I was a good server admin, got it back up and running, kind of scratching my head going, wow, how did that happen? A couple days later, same thing again, another server, another location. I'm like, oh my God, what is going on here?

So eventually, I didn't know what it was at the time, but I actually eventually set up a honeypot. Well, not even a honeypot; my machines were the honeypot, but I set up a sniffer system. They were basically wide open, and I would watch, and I'd see the traffic, and I started correlating. It was a lot of work, but I correlated, I learned a lot about reading raw packet data, correlated what they did, and I started to realize, oh my God, there's so much more you can do. I thought about all the programming and stuff, and I'm like, now I have access to do programmable things to other people's machines, whether they like it or not. This was amazing to me. At that point it turned into kind of a free-for-all on the Internet, but it was a game. It was really a game, because there wasn't much stuff online. As part of this, learning how to do these things, I started finding tools. I actually got most of my information from IRC, Internet Relay Chat. Does anybody remember IRC? So for the rest of you, that's what we used to call Facebook. You could share images, movies; it's probably not as pretty as what you're used to, but it certainly worked, became chat.

I used to desync entire IRC servers so I could take over a channel, just to be a jerk, because I could. And my wife can actually attest to too much of this mayhem, because I thought it was funny. Now, I didn't quite understand what I was doing at the time; I do now, in hindsight. So I look back at it: when I said I desynced IRC servers, I would take leaf or hub servers offline for minutes at a time. These leaf and hub servers were sitting in major universities across the US and Canada. Huh. I would take them offline for a few minutes so I could take over a channel like some kind of jackass. Now, I had a lot of power, because not only did I have all these ISPs, all this bandwidth availability, these programming skills, I also had reverse DNS lookup control for entire blocks of class C addresses. Does anybody have any idea what that means? Does anyone have any idea how dangerous you could be, especially in a day when rlogin based on what your ID was, was a perfectly fine thing? I got a little, you know, out of hand. I went all over the place, hacked everything I could in sight. I thought, you know, I was having the best time ever. Occasionally people would come back at me, but the worst I'd ever get was, you know, maybe an angry email and/or a job offer, and sometimes they were both. I mean, I'd get the angry email and they'd finish up with, by the way, are you looking for work?

By the way, I actually hacked my own first domain, and by that I found a... it was a top-level domain, oh heck, I'll say their name now, it's Christmas Island. When they first came online they offered top-level domains, .cx. The way they set it up, it was one single server; it ran the DNS resolver right there on it, and they used a web interface for you to input your information, and they were nice enough to run the DNS server and the web server as root, so that it could alter the records and, you know, restart it. It was also subject to a directory traversal. Does anyone remember that? A simple directory traversal. So using just directory traversal commands, I wrote my own DNS records into their system, and I named my domain killhup, because the last command I had to send was a kill -HUP to the DNS process so it would reread the records, and lo and behold, four hours later, I started resolving on the Internet. Hey, this is great. And if I needed to change my IP, I would just hack back in and, do-do-do-do, you know, change the records, kill -HUP, off I go. And this worked great for literally years.
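The "reverse DNS control plus rlogin trusting whatever your ID was" remark a little earlier deserves a concrete check. What follows is an added example, not code from the talk: a forward-confirmed reverse DNS (FCrDNS) test in Python run against constructed lookup tables (the hostnames, the trust list and the RFC 5737 documentation addresses are hypothetical, and nothing touches the network). The naive rule trusts whatever the PTR record says, which is exactly what someone who runs reverse DNS for their own address block can make up; the forward-confirmed rule also requires the claimed name's A records, served by the trusted site's own zone, to contain the connecting address.

```python
"""Added example: forward-confirmed reverse DNS (FCrDNS) versus PTR-only trust.

The lookup tables below are constructed for the illustration (hypothetical
names and RFC 5737 documentation addresses); nothing here touches the network.
"""
from typing import Dict, Optional, Set

# Reverse zone data: ip -> hostname claimed by its PTR record.
# The attacker runs reverse DNS for 10.0.0.0/24 (like the class C blocks in
# the talk) and points 10.0.0.5 at a host the target trusts.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "trusted.example.edu",
    "10.0.0.5": "trusted.example.edu",   # attacker-controlled PTR record
}

# Forward zone data: hostname -> A records, served by the trusted site's own
# nameservers, which the attacker does not control.
A_TABLE: Dict[str, Set[str]] = {
    "trusted.example.edu": {"192.0.2.10"},
}

# The .rhosts-style trust list: connections "from" these names are allowed.
TRUSTED_HOSTS = {"trusted.example.edu"}


def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for gethostbyaddr(): return the PTR name for an address."""
    return PTR_TABLE.get(ip)


def a_lookup(name: str) -> Set[str]:
    """Stand-in for gethostbyname_ex(): return all A records for a name."""
    return A_TABLE.get(name, set())


def naive_is_trusted(ip: str) -> bool:
    """rlogin-era rule: trust whatever hostname the PTR record claims."""
    name = ptr_lookup(ip)
    return name is not None and name in TRUSTED_HOSTS


def fcrdns_is_trusted(ip: str) -> bool:
    """Trust the PTR name only if its forward A records map back to the IP."""
    name = ptr_lookup(ip)
    if name is None or name not in TRUSTED_HOSTS:
        return False
    return ip in a_lookup(name)


def evaluate(ip: str) -> Dict[str, bool]:
    """Run both rules for one connecting address."""
    return {"naive": naive_is_trusted(ip), "fcrdns": fcrdns_is_trusted(ip)}


if __name__ == "__main__":
    for addr in ("192.0.2.10", "10.0.0.5", "203.0.113.7"):
        print(f"{addr:>12}  {evaluate(addr)}")
```

The forged address 10.0.0.5 passes the naive rule and fails the forward-confirmed one. Even FCrDNS is only as trustworthy as the DNS answers it sees, so it is a sanity filter on hostname-based trust, not authentication; that is why the hostname-trust model itself was retired in favour of cryptographic logins.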
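The .cx registry story is two failures stacked: a directory traversal in the web interface, and that interface running as root so the traversal reached the nameserver's own records. As an added example (not the registry's code, which the talk does not show), here is a minimal Python model of the vulnerable path handling beside a hardened version, exercised against a temporary directory standing in for the web root. The file names are constructed.

```python
"""Added example: path traversal in a web-root file writer, and a fix.

Models the shape of bug in the story: a CGI takes a file name from the user,
joins it under the web root, and writes. With "../" segments (or an absolute
path) the write lands anywhere the process can reach, and as root that is
everywhere, including the nameserver's zone files. The file names are
constructed; a temporary directory stands in for the web root.
"""
import os
import tempfile
from typing import Dict, Tuple


def vulnerable_target(root: str, user_path: str) -> str:
    """Original-style handling: os.path.join follows '..' and, given an
    absolute user_path, throws root away entirely."""
    return os.path.normpath(os.path.join(root, user_path))


def safe_target(root: str, user_path: str) -> str:
    """Resolve symlinks and '..' first, then insist the result stays
    under the real web root; anything else is rejected, not 'fixed up'."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, user_path))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"path escapes web root: {user_path!r}")
    return candidate


def escapes_root(root: str, path: str) -> bool:
    """True if `path`, once resolved, lies outside `root`."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_root, os.path.realpath(path)]) != real_root


def demo() -> Dict[str, Tuple[bool, bool]]:
    """For each constructed input return
    (did the vulnerable version escape the root?, did the safe version accept it?)."""
    results: Dict[str, Tuple[bool, bool]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "webroot")
        os.makedirs(os.path.join(root, "zones"))
        for user_path in ("zones/example.cx",       # legitimate record file
                          "../../etc/named.conf",  # classic traversal
                          "/etc/named.conf"):      # absolute path
            escaped = escapes_root(root, vulnerable_target(root, user_path))
            try:
                safe_target(root, user_path)
                accepted = True
            except ValueError:
                accepted = False
            results[user_path] = (escaped, accepted)
    return results


if __name__ == "__main__":
    for path, (escaped, accepted) in demo().items():
        print(f"{path:<24} vulnerable-escapes={escaped!s:<5} safe-accepts={accepted}")
```

Resolving with realpath before the commonpath comparison also catches a symlink planted inside the web root that points outside it, which a string-prefix test on the unresolved path misses. The other half of the fix is the one the talk points at: even with the traversal closed, a web handler running as root turns any remaining bug into full compromise, so the CGI belongs under an unprivileged user, with the zone reload done through a narrow privileged helper rather than a root process sending kill -HUP.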
Now, over the course of those years, I eventually became, you know, super professional. I was working, and then one day they moved to a real registrar. Now, the cool thing was, when they moved, they took all the records with it, so even though it had now moved to an official registrar, I was still resolving. But then that day came where I'm like, I have to resolve... I have to change my IP. So I sent a quick message to the registrar owners saying, hey, I just need to change this record here, if you could just make that change for me, that'd be cool. They emailed me back and they were like, um, yeah, this is interesting. I could tell from the tone of the letter that they were a little confused about me; they probably had an idea of what was going on over there, like, interesting, we have all your DNS records, your domain, everything, we just don't have any records about you, who owns it, the company, literally nothing. So at that point I thought, you know what, I've been using the same one for, I think at that point, five years; I should probably just pay them. And, you know, so my God, I don't know what happened. So they apologized, because there must have been some kind of screw-up on their part, but it was great, though. I now, you know, actually pay for it and own it, and don't do bad things with it anymore.

But that was really how I looked at the Internet: it was just this thing I could do and play with. But then something happened. We, at the ISP I worked for, actually offered upstream services and downstream services to other smaller ISPs, regional ISPs, and I actually got contacted by one of them. Well, actually, they contacted my boss and said, hey, your guy there, the hacker, and of course people knew me at that point, I'd go around ravaging stuff, but I'd contact them afterwards and go, this is screwed up, you need to fix this, ha ha, I thought that was funny. And he said, hey, he's hacked us, he stole our password file, and we're really worried about what he's going to do to all our users. Now, I knew I had not done this. I didn't actually go after their password file. So I immediately fired back, whoa, now you guys are just making stuff up. And they're like, look, we can show you the records. I'm like, yeah, I can write up records too, it was just syslog, right? I mean, how hard was that? So we fought back and forth; I always thought, why would they do this to me? I'm pretty sure they're angry at me. Well, they seemed absolutely convinced it was me. It was actually many months later, we didn't speak for a while, I thought I was gonna get fired. My boss is like, look, just don't talk to me anymore, keep doing your thing, but don't hack them anymore. And I'm like, no, I really didn't do it. And I talked to them years later, because they knew my IP, they knew my locations and the servers I managed, and they said it was you who came in. I'm like, it really wasn't. And the one guy says, you know, I actually believe you, you're so adamant. Because I was always fairly open when I hacked; it was like, hey, I gotcha, and I actually thought it was kind of cool when people got me too, it's, hey, how did you do that? But this was not one of those scenarios.

And so I talked to them, and they said to me, they said something that really hit me, and that's when the whole, you know, weight of security came down upon me, and I started to realize the impact of all this. They said, but your system that you're saying you didn't hack us from, they go, it's a multi-user system, is it not? Of course it was, a Unix box. And I went, oh yeah, maybe I did. Well, more importantly, my machine did, but it wasn't necessarily me. And it hit me: all these fun, funky things I'm doing were actually impacting me as well. And not only that, through this process it went from, you know, being a fun joke to starting to get to be annoying; people's businesses were on there, they were getting angry, and literally the Internet changed around me. It went from 'we hack stuff, we have fun' to people actually connecting their businesses to it. I remember I worked for an organization that put some of Canada's first banks online. A year before that, I was hacking away at machines, a friend came over to the house, he goes, wow, he was looking, he didn't understand computers, he just saw the screens going off and all this stuff, he's like, wow, you could hack into my bank. I remember saying to him, banks aren't gonna plug into the Internet, that would be crazy. And almost a year later, I'm working on one of Canada's first banks online, whole brokerage, everything, going, oh my God, this is crazy, but we did it anyway. They were terrified when they first went online, but then they figured out how much money they were going to make on it. But this is when I started to learn, you know, the excitement for me in terms of what we do is every day was different, every day was exciting, applications were changing, things were changing, but I had an in-depth understanding of how they were working. (I'm just gonna hold this so it doesn't fall; it's making me nervous.) The technology just felt like it was constantly changing, and it was exciting.
However, five minutes, so I gotta go quick. You know, as they went through it, I started... I actually left security for a little while around 2000. I thought, you know, I've done everything there is to do; I hear this voice over IP thing is kind of cool, this thing could really take off. So I actually left security, I went to the voice over IP. It turns out trying to sell voice over IP before Nortel introduced it to the market was crazy, because I lived in Canada, and if Nortel wasn't doing it, clearly there's something wrong, although we know in hindsight now that that wasn't true. But it was a great experience for a while, but then I figured out, once you've compressed voice a couple of different ways, it's about as exciting as it gets. So I then started to fall back. I remember sitting in a class for our phone switch, and I looked at it like, oh my God, I know this, this is SunOS. And so immediately I put my hand up, I immediately said to the instructor, I go, what's the root password? He goes, there's no root password. I'm like, I don't know about this. So I'm plunking away, he's literally five minutes into the introduction, I put my hand up, I go, I got root. He was not amused. Matter of fact, they pulled me out of the class. But then I found myself working with our team to build security solutions to link into voice over IP. Interestingly enough, at the time I was actually working on an OEM relationship with this company called Check Point, realizing the VoIP thing was probably not going to go much further, and I liked security, so I ended up jumping right back into security, for all it's worth. But I wouldn't turn away that experience for anything, because really, the things I learned on the voice over IP side were completely applicable to security, especially as these things came on, understanding the gateways and things like that.

So I'm here to tell you that if you want to get into IT security for the money, you might want to look elsewhere. The money is actually being made by the business, not by the security; you're really part of the infrastructure. And quite frankly, how many people here do a lot of pen testing, hacking stuff, right? It's truthfully the safer version of what I used to do. By the way, the stuff I used to do, please don't do that online anymore; I mean, you'll actually go to jail for it now. People know what it is, they'll come get you. But we have these cool things like red team, blue team, capture the flag; we can still practice and test, yeah, somewhat a little less than the real-world systems, but the aspect is of people coming in and hacking stuff. And, you know, I have to tell you, you're not a rock star. You're not all that exciting to the business, because the reality is they barely notice if you protect the system, and they certainly don't care if you break it, because really you're just getting in the way of their business, you're getting in the way of what they're trying to accomplish. So what you have to remember when you're talking about the business, and you're talking about the things you do, is that it is really all about building something. Just going in and breaking something doesn't really help you, doesn't really actually move them forward. You need to learn what the other groups do, what the other applications are running; there's more than just security to the business.

Apologies, jumping a little bit quicker, but I'll put it in perspective. I was in a business, right? If you want to excel in security, you know, you have to know... you have to have all the answers, and I mean that across all the applications. One of the first calls I took in a big organization was with a developer. He's like, oh, I need developer access for this application. I'm like, great, what service ports will you require? He kind of pauses for a second, goes, oh, all of them. I said, well, sir, there's 65,535 of them, I'm going to need to know which ones. Wow, there's that many? I can have all those? I'm like, no, no, actually 1,024 of them are reserved. 'But then I need to reserve my port.' I'm like, no, no, that's not the way it works. Today we have things called application control, and what we do is we stand back, and if our firewall doesn't recognize that, we go, oh man, what's wrong with this firewall, instead of taking the time to go down and talk to somebody who runs the application and saying, what the heck are you doing? We're trying to answer the question, we're trying to find the answer before we actually know what the question is.

And so, if there's anything I could say, it is, if you're really interested in getting into security, the big message I'd say is: pen testing is great, that's your tool, that's your towel that gets you in and gets you going, but the thing that really takes you forward is how well you understand the applications, how well you understand how these things work. And there's really only one way to do it, and that's ultimately to get involved, to get out there and try it. Install an operating system, try different ones, stop using that app from that store. When I was around, we were an RTFM generation; we should be an RTFS generation. Does anybody know what that is? If you don't, go look it up. You all need to RTFS. We need to get back to what we used to do, and if you're in security, that's ultimately where you can be your strongest: it's the things you learn outside of security that you bring into it that make you strong.

Anyway, I'm getting the hook here, so I gotta go. I'd like to thank everybody very much, I thank everybody for bringing me here, and a special thank you to my wife, who on her day off decided she'd come down and hang out with me at my nerd conferences, as she calls them. So please be nice to her, and thank you very much, everybody.