Privacy Policy

Privacy Policy for blog.isitinfosec.com

If you require any more information or have any questions about our privacy policy, please feel free to contact us by email at isitinfosec@gmail.com.
At blog.isitinfosec.com, the privacy of our visitors is of extreme importance to us. This privacy policy document outlines the types of personal information is received and collected by blog.isitinfosec.com and how it is used.
Log Files
Like many other Web sites, blog.isitinfosec.com makes use of log files. The information inside the log files includes internet protocol ( IP ) addresses, type of browser, Internet Service Provider ( ISP ), date/time stamp, referring/exit pages, and the number of clicks to analyze trends, administer the site, track users movement around the site, and gather demographic information. IP addresses and other such information are not linked to any information that is personally identifiable.
Cookies and Web Beacons
blog.isitinfosec.com does not use cookies.
DoubleClick DART Cookie
.:: Google, as a third-party vendor, uses cookies to serve ads on blog.isitinfosec.com.
.:: Google's use of the DART cookie enables it to serve ads to your users based on their visit to blog.isitinfosec.com and other sites on the Internet.
.:: Users may opt-out of the use of the DART cookie by visiting the Google ad and content network privacy policy at the following URL - http://www.google.com/privacy_ads.html
These third-party ad servers or ad networks use technology to the advertisements and links that appear on blog.isitinfosec.com send directly to your browsers. They automatically receive your IP address when this occurs. Other technologies ( such as cookies, JavaScript, or Web Beacons ) may also be used by the third-party ad networks to measure the effectiveness of their advertisements and/or to personalize the advertising content that you see.
blog.isitinfosec.com has no access to or control over these cookies that are used by third-party advertisers.
You should consult the respective privacy policies of these third-party ad servers for more detailed information on their practices as well as for instructions about how to opt-out of certain practices. blog.isitinfosec.com's privacy policy does not apply to, and we cannot control the activities of, such other advertisers or web sites.
If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found at the browsers' respective websites.

Facial Recognition and privacy

ow.ly/lsGm50xXHQ3

I posted this article to my twitter, LinkedIn and Facebook pages because it is an issue that has been a hot topic through the last decade.  While improvements to the technology have been great and false positives have decreased there is still gaping holes when it comes to minorities and women.  It is apart of the CCPA that went into effect at the beginning of this year and it is a point of contention in Washington State WaPA.  The federal government is also trying to figure out how to regulate this technology and what protections do Americans have if they have been falsely identified.  There is bipartisan support for "getting it right" but what does that exactly mean?

The CCPA discusses biometric data collection and states "...businesses that are covered by the law will need to inform consumers if they are collecting biometric information, be prepared to provide that information to consumers if they exercise a right to access request and delete that information if a consumer requests it."  The issue becomes how exactly does one delete facial recognition from video feeds or systems?  Can a criminal request "to be forgotten" or have that data removed from the system before they are apprehended?

That is just one angle to deal with and the false-positive rates are the other. We are seeing similar bias when it comes to machine learning as the bias' of the person feeding the data will eventually end up in the machine.  The technology in both realms is not there despite dramatic improvement to them and will still require human intervention to ensure that the machine/system is not misidentifying someone.  As some of the senator's state in the article that represents districts with minorities, they feel that their constituents could be wrongly identified and most would not have the ability to fight that case.  Despite all this, the federal government has introduced legislation this past Monday that would effectively regulate facial-recognition technology.

While I would like to have hope that our government will "get it right," I cannot help but feel special interest and big tech companies will find a way to push their own agendas or skirt whatever legislation is passed.  It will be interesting to see how this plays out both at the federal and state levels as states will follow California and pass their own version of privacy acts.

Resources:
https://www.clarip.com/data-privacy/california-privacy-law-facial-recognition/
https://www.wired.com/story/how-to-teach-artificial-intelligence-common-sense/
https://www.wired.com/story/tainted-data-teach-algorithms-wrong-lessons/

2020 No Looking Back

2020 is off and running and I am already trying to catch up.  Being sick at the end of  December did not help much either.  I titled this post "2020 No Looking Back" because this past decade was filled with pain and growth.  For every achievement, I made it was met with an equally painful situation.  I was able to graduate both with my Bachelors's and Masters's degrees and was able to obtain my CCNA and my CISSP.  I also ended my marriage, suffered through some rough personal times through it all.  I am not where I thought nor wanted to be, I had a grand plan to already be in the Cybersecurity arena by the time I was 30 and well entrenched in it by my 35th birthday.  This was to assist in preparing me for my children's future as well as my own.  In a couple of months, I will be turning 35 and just entering the cybersecurity arena as a practitioner and not just a lurker.  Not quite the plan I had envisioned as I approached my 30th.

I had my review about a month back and my director, who I have been working with now for 14 years, had an observation.  He mentioned to me that despite all the headway I have made in my career I seem to still be stuck when it comes to my personal life and relationships.  It got me thinking what has happened to me and the young gentleman who had all these ideas and plans? Like everything I do, I gave too much of myself and put others in front of my well being, my career and my mental health. 

I have been thinking a lot lately about what I am going to do to ensure I catch up and position myself to succeed both in my career and personally.  One thing is I am going to commit to learning more and working on the tech skills that I am weak in.  That process has started as evidenced by the posts I have made regarding the different programs and things I am learning.  The next is I am going to be more active in social media and reading different articles and news in cybersecurity.  I know I will not be the first to tweet it or put it on LinkedIn or even Facebook but I want to get in the habit of showing that I am active in reading and commenting on things in the industry.  I am planning on expanding my network by attending more events as well as volunteering and teaching which has always been a passion of mine.  I believe that these are the building blocks I need to catch up and position myself to be where I should be by my own standards.

The is no looking back and while I will carry the wounds from the past decade I will wear them as scars of war.  I have learned a lot and I am still learning about myself and what limits I have that I need to break.  I look forward to sharing my experiences with you as I go and I hope those that are coming behind me will be able to learn something from the mistakes I have made.

Assembly Primer Recap

As I mentioned in my last post I was in the middle of completing a series of YouTube videos on Assembly Primer for Hackers.  I am proud to say I finally finished the video series and I would encourage anyone trying to learn Assembly that they should definitely watch this series.  The eleven videos that I went through broke down how Assembly programs work and how information is pushed into registers and different memory locations.  The instructor provided us with code to use and was extremely thorough in his explanation of the different concepts.  I learned how to move things in and out of registers and how to verify and debug programs using GDB.

The greatest moment occurred near the end of the video series.  The last 2 programs which went over functions and function stacks gave me issues as the programs that he wrote were for 32-bit architecture and I was running GDB in a 64-bit architecture.  I spent a good portion of yesterday on video 10 trying to get certain push and pop functions to work.  The program called for a "pushl" and "popl" which are commands used to push and pop in a 32-bit architecture.  After banging my head against the wall for a bit and a lot of Googleing I still could not get it but thankfully the first comment told me how to change the push and pop commands as well as the registers, for example, %eax becomes %rax in a 64-bit system and "pushl" becomes "pushq" and "popl" becomes "popq".

The last video which had to do with function stacks gave me a little bit more trouble but not as bad as video 10.  When I got the program I saw the same push and pop commands I saw in video 10.  Since I already knew how to fix those I did those first.  I was able to compile and link but when I ran it the program through an error.  Eventually, after much back and forth, I re-wrote all the commands to represent 64-bit architecture and was able to compile, link and run the program.  The only problem is that it was just exiting out and not writing HelloWorld.  I tried running it in GDB to see if it would shed any light but I could not figure it out on my own.  As I watched the rest of the video I saw my issue as the instructor explained how and where things were being placed in the stack.  Since he was basing his program and video off of 32-bit the memory space was in 4-bytes instead of 8 in the 64-bit architecture.  After doing some math and mapping of the address space I was able to successfully edit the program to look at the right memory space to pull the HelloWorld and print it on the screen.  After recompiling the program and running it, HelloWorld appeared and it was a joyous moment.  I was able to understand what was going on and how to read the stack properly to adjust my program from 32 to 64 bit.

The next series I am going to be watching is on exploit research and given how well the Assembly Primer series went I cannot wait to tackle this one.  Until next time.

Assembly Primer for Hackers

Metasploit, BURP, Assembly and MORE LINUX

It has been awhile since I last posted I hope everyone had a Happy Thanksgiving and is getting into the holiday spirit.  Aside from stuffing my face with food I also have been continuing the lessons that have been laid out for me to become a better security professional and prepare myself to take the OSCP.  After my introduction to Linux I continued learning more Linux commands such as how to compare files using "diff" and how to change passwords for a specific user. It was eye opening to learn about the diff command as in the past I have usually copied the files to notepad and use Notepad++ to do compare.  The training covered everything from extracting and compressing gzip files, setting up SSH, partitioning with GParted, shell scripting and process, jobs and killing processes.

The next lesson was learning how to use Metasploit.  I have always known that Metasploit was a powerful tool and I had always wanted to learn how to use it.  The  YouTube videos covered using tools and exploits such as SSH scanner and FTP Login to creating and using payloads and backdoors.  It helped that Metasploit gives you a vulnerable box to test with and I cannot wait to crack open my Metasploit book once I am finished with my lessons.

BURP Suite was up next.  BURP is a suite of tools used to detect vulnerabilities in web applications. Unfortunately I could only use the community version which didn't allow me to try the full suite of tools it has.  I am hoping that once I add it to my tools at my company I can go back and practice the things I could not do.  The one thing I would ask the company that manages BURP is that if I am using the community addition I should be able to modify the settings for the tools that I have access to.

Currently I am working on the basics of exploit development.  I am watching a series of videos on Assembly for Hackers.  This is my first dive into Assembly and it is a lot to take in and remember.  From understanding the memory space your application runs in to writing an assembly program and the various sections of initialized and uninitialized data and registers.  It is a lengthy video series in terms of minutes per video but it is a lot of information.  I am excited to see how the rest of the videos are and then begin the video series on exploit research.

Well that is it for now.  I hope to post more frequently and include articles and stories on top of the things I am learning.

I survived Linux Basic Training

Hello everyone.  As I stated in my last post the next step was basic Linux commands.  Using the website linuxsurvival.com I began the journey of learning the basic Linux commands.  The tutorial is actually done very well as it not only teaches you the commands and some terminology but also allows you to practice the commands as you learn them.  Through out my professional life I have had to learn Linux commands on the fly.  Some of the early commands that I learned about were grep, ls and of course cd.  This tutorial went over those commands but also how to use the manual (man), how to do a recursive copy and remove using "-r" as well as a quick overview of Linux file security.  That part of the tutorial i found was one of the most important things for me as I have had issues in the past with changing security and ownership of files and directories in order for me to run programs.  The tutorial only went over permissions such as read, write and execute for a file or directory and did not go over changing ownership groups.  For anyone starting out with Linux and want to learn some basic and frequently used commands in Linux then Linux Survival website is a great place to start.

Windows Command Line

So I have begun my training following a plan that was laid out by my mentor.  The first thing was the basics of windows command line.  Now I have been in IT for over 10 years and have worked primarily on Windows operating systems.  Up until this point I have only used the Windows command line interface (CLI) to check my IP, flush DNS, perform NETSTAT and on occasion run specific programs that can only be ran from the CLI.  I had an idea that I could use it to make folders or move files around but I always defaulted to using the Windows GUI to get the job done.  I never realized that it can be equally as powerful as Linux CLI.  Going through the introductory lessons I learned that some of the commands you would use in Linux such as mkdir for making directories are the same in Windows.  One of the cool things I learned, besides changing the color to look like the matrix, was see the attributions of files.  It was so easy to just be in a directory and type "attrib" and see all the files and whether they were hidden, read only or a system file.  It is definitely was a great way to start off the training and next up is Linux command-line.  Looking forward to seeing what I learn there and get to share. Until next time.

source for windows command-line basics - Windows Command Line Basics

interesting story for today - Hacker News - Monero Hack