Thoughts & Tips For September 2020

Photo by Steve Holden.

CURRENT EVENTS

No big change for us on the COVID-19 front.  We continue to be vigilant and focused: #wear_a_mask, #wash_your_hands, #social_distance, and #stay_home_if_sick.  The good news is that Christy's school has been able to go back to teaching kids in person with a host of safeguards, which is a blessing and an answer to prayer.

Tour de France 2020. Who doesn't want to watch 4 to 5 hours nearly every day during September seeing some of the best athletes in the world do what most people would consider completely impossible? I am all in. I am watching NBC Sports via YouTube TV.


My candidate for President of the United States in 2020 is Jo Jorgensen (#letherspeak, #letherdebate). While I don't agree with everything she is advocating, she is in my humble opinion the best option for a President Of The United States who believes in and will fight for:

  • right to life, liberty, & the pursuit of happiness
  • right to keep & bear arms
  • right to live where you choose & how you choose
  • right to privacy
  • right to worship how, when, & where you choose
  • right to be treated equally under the law

OTHER THINGS THAT ARE GOING WELL

  • The PodCraft Beer Show just had episode 7 and next week is episode 8. I have had some super spectacular craft beers that have blown my palate away.  As a craft beer fan I have realized how much I've missed by not paying attention to the special releases that many breweries do; I had no clue how amazing they are.
  • I am still playing D&D every week or so with friends from high school.  It is frankly one of the best unintended consequences of COVID-19 for me.
  • I am still loving my water-proof MP3 player -- AfterShokz Black Diamond Xtrainerz.
  • We were able to camp at San Elijo State Beach in August which was awesome ...


EXPERIMENTING WITH MEDITATION

The book "10% Happier: How I Tamed the Voice in My Head, Reduced Stress Without Losing My Edge, and Found a Self-Help That Actually Works" by Dan Harris (#meditation) got me to do a little experiment over the last month since finishing the book. I've been doing five minutes of unguided meditation using the Apple iOS app Oak from Kevin Rose before I stretch in the morning.  Nothing bad has happened (Ha Ha!). I actually now think a little "mind exercise" is a good thing. My monkey mind is strong! More updates as time goes on.


If you are interested in guided meditations, then the only examples I've had experience with are Mike Foster's Guided Meditations. The Oak app has them but I haven't used them before.

TECHNOLOGY, TIPS, & SUGGESTIONS

I have just started using this new Google Chrome browser feature for organizing tabs.  So far it is an awesome new feature.

This is what I've been listening to on Audible (you can try Audible for free for 30 days and get two free books if you want) over the last month:

I am currently doing all my Audible listening on my Samsung Galaxy S10+ cell phone.

I also managed to finish a few Kindle books (I am currently using a Kindle Paperwhite for nearly all my reading):

One of my "newer" (I've heard in the past that this isn't a word, but I still use it all the time) favorite bands is Lo Moon.  They opened for several CHVRCHES shows last year, and I'm super impressed with them.  I recently bought their album Lo Moon on Amazon so I could load the MP3s on my AfterShokz Black Diamond Xtrainerz, as I really wanted to listen to them while swimming.  Other specific albums I listen to frequently while swimming are CHVRCHES (Bones of What You Believe, Every Open Eye, Love Is Dead) and Maggie Rogers (Heard It In A Past Life).  I will also drag a lot of 80s New Wave to a folder for 'random' mode listening.

Def Con (the yearly hacker conference I've been going to since #18) was completely virtual this year.  A ton of solid cybersecurity content is readily available if you are interested.

QUOTE I'M THINKING ABOUT

"We are what we repeatedly do, therefore, excellence is not an act but a habit." - Aristotle


Rabbit Hole Of "Secure" Phones


This Recode article by Kara Swisher, "Former Trump economic adviser Gary Cohn’s next move: investing in a phone secure enough for the president: In a Recode Decode interview, he explains why he’s working to launch a new secure mobile phone aimed at government and corporate customers," got me wondering what is currently possible with secure phones.

I am pretty much following the recommendations for how to bring a phone to DEF CON -- like this one.  I used to bring a burner phone, but I've found it less and less practical for me.  DEF CON is in theory about as hostile a cyber environment as you can subject yourself to, but getting targeted by a dedicated adversary is probably worse.

Some links I looked into:


Thoughts & Tips For August 2018

  Picture from RawPixel

Thrown For A Curve (Update)

See July update for my first report on my recent lower back injury with sciatica down my left leg.  Things are improving, but I'm still having numbness on my left foot and periodic spasms & tightening on my calf and glute muscles.  A review of my MRI with an orthopedic surgeon opened up the possibility of future surgery but that is still TBD.

Technology

I was able to move to Windows 10 on a new Dell tablet at work before the end-of-June 2018 deadline.  All in all it is working great, and I like having USB Type-C connectors on both my work tablet and my personal HP Chromebook 13 G1; for instance, the same power adapter can be used on both.

Thankful For

Our July camping trip to San Elijo State Beach was awesome, and I did my first Sprint Triathlon (400m swim, 15-km bike, and 5-km run). I really enjoyed the sprint triathlon format even with my "physical recovery" slowing me down.  I'm already planning to do another one in September.

Future

I completed another Vital Smarts' 1-day Getting Things Done (GTD) class in July.  I currently only have material available for two more classes -- one in August, and then one in September.

DEFCON is coming up in August.  That should be fun.

We have another San Elijo State Beach camping trip planned for August.

Tips

I've been using some cream with Arnica on my sore muscles.  It is really good.

Quote I'm Thinking About

"The enemy often tries to make us attempt and start many projects so that we will be overwhelmed with too many tasks, and therefore achieve nothing and leave everything unfinished. Sometimes he even suggests the wish to undertake some excellent work that he foresees we will never accomplish. This is to distract us from the prosecution of some less excellent work that we would have easily completed. He does not care how many plans and beginnings we make, provided nothing is finished." - St. Francis de Sales


How I Studied For & Passed The CISSP

I got asked the other day at work how I studied to pass the Certified Information Systems Security Professional (CISSP) exam back in Dec 2011. While I was relaying my experience, I made a few notes, and I figured it would be good to document the endeavor in a blog post.


I think my main advantage was that I was able to get access to the SANS Management 414 class via their self-study content using training dollars from work [direct link for more info].  While expensive, the 'do it on your own time' offering was much better for me than going to a class (which can also be expensive).

One of the other key features I liked about the self-study offering was that there were separate MP3s of all the sessions plus the online course review material.  This allowed me to binge listen to the audio content during my daily exercise, drives in the car, and while on travel (which happened about 5 times during my prep time before the test). The only bad news about all this 'listening' is that when I have a CISSP-related nightmare I still hear Dr. Eric Cole's voice.

The package included printed slides for all the material (synced online to the audio feed): [Domain 1 - Information Security Governance & Risk Management; Domain 2 - Access Controls; Domain 3 - Cryptography; Domain 4 - Physical Security; Domain 5 - Systems Architecture & Design; Domain 6 - Business Continuity & Disaster Recovery Planning; Domain 7 - Telecommunications & Network Security; Domain 8 - Application Security; Domain 9 - Operations Security; Domain 10 - Legal, Regulations, Compliance, & Investigation], a copy of the following book - "CISSP Study Guide" by Eric Conrad, Seth Misenar, and Joshua Feldman - and a series of pre-tests (both online and on paper) plus a full practice test online.

Other books I used for reference included:

Once I went through all the material one time via MP3/slides, I then determined when there was a class about 16 weeks/4 months in the future and signed up for that one.  I found it very useful to have a target date on the calendar to motivate me to block out time for studying.  I then spent every off-Friday from work and ~4 hours each Saturday and Sunday studying the material up to the test week.  The test was on Tuesday, and I pretty much studied full time Friday, Saturday, Sunday, and Monday before the test.  If my math is correct that was ~250 hours of studying (not including the MP3 listening, which I continued doing during my exercise, driving, etc. up to the test).

In addition to the study reference material above, I also took a great many practice tests.  If there was a test I could take, I took it. My previous experience getting a Windows OS certification and Security+ was that there was a ton of value in reviewing as many questions as possible. This turned into pretty detailed stats tracking of how I was doing and where I needed extra focus.  Here is the "final" view of the spreadsheet tracker I set up in Google Docs:

[Screenshots: CISSP practice-test tracking spreadsheet]

The other thing that really helped was that I turned any question I missed on any of the tests I took into a 3x5 study card.  I also kept the cards organized by the 10 major topic areas of the CISSP.  This helped me really focus on studying the areas that needed the most work.  By the end I'm pretty sure I had 400 cards, and on the day of the test all I did beforehand was drill through those cards.

What about the actual test?  Yes, it was very hard. Definitely the hardest test I've ever taken. I was the last one to leave taking up all but the last 5 minutes before the scheduled end time.  I don't know how well I did other than I passed.  And since that was the goal -- mission accomplished!

If you have any additional questions, comments, etc. then please let me know.

[Originally written on 2/24/2012 but updated 2/23/2014]


Tip - Subscribing to Twitter Accounts in Google Reader

NOTE: As of October 16, 2012 the official Twitter API turned off RSS options per this article.  What I wrote here doesn't work anymore.

I personally like keeping track of some Twitter accounts (especially security-related ones) using Google Reader.  Unfortunately, I've found lately that Twitter keeps messing with RSS URLs, and getting subscribed without errors can be hit and miss.

Here is my understanding of the current format as of this posting ...

If you have a Twitter account like @johnhsawyer that you want to follow in Google Reader, take the base URL (https://twitter.com/statuses/user_timeline/) and append <twittername>.rss -- for example:

"https://twitter.com/statuses/user_timeline/" + "johnhsawyer.rss"

becomes:

 "https://twitter.com/statuses/user_timeline/johnhsawyer.rss"

And use that as the subscribe URL.  I usually use a text editor to do this (Notepad++ on Windows or TextWrangler on Mac).

Did I get this right? Did Twitter change this already? Is there a better way?  Leave a comment or send me email and I'll update this post.



Tech Tracking #001 - New News, Mobile, Video, Security, Books, Training, Etc

Here are some new items I am tracking --


Safer Browsing with Google Chrome - No JavaScript (Unless Authorized)

One of the lessons learned from attending DEFCON#18 was that, as a Firefox user, running NoScript was highly recommended. Many of the presenters who talked about browser vulnerabilities mentioned NoScript as a defensive tool to help mitigate the risks they were discussing in their presentations.

While I still use Firefox with NoScript a lot, I have also been using Google's Chrome browser more and more on Mac, Windows & Ubuntu.  There is no NoScript version for Chrome, but you can turn off JavaScript by default via:

  1. Options (aka Preferences)
  2. Under the Hood tab
  3. Privacy > Content Settings ... button
  4. JavaScript tab
  5. Do not allow any site to run JavaScript
  6. Close button

Once you have turned it off, a 'no JavaScript' icon shows up at the far right-hand side of the address bar on the first site you hit that uses JavaScript:

[Screenshot: Chrome's blocked-JavaScript icon in the address bar]

You can now click on that icon to add the specific sites you frequent and trust to an allow list. You'll need to reload the page for the exception to take effect so that the page displays and functions as the publisher expected.  Here is what Hulu.com says if you go there without JavaScript turned on:

[Screenshot: Hulu.com's message when JavaScript is disabled]

IMHO, this is better than running JavaScript on every site you go to by default.  The best security practice is to only allow JavaScript on sites you know and trust.  Not perfect, but better than the alternative.

P.S. If you use Chrome's Incognito feature with JavaScript turned off, there appears to be no way to turn on JavaScript for specific sites in Incognito mode except for those already in your approved list.
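The menu path in the numbered steps above is from the Chrome of that era; in current Chrome the same switch lives under Settings > Privacy and security > Site settings > JavaScript. The click-through approach also leaves the setting one misclick (or one profile reset) away from being undone. The script below is an added example, not code from the original post: it enforces the same "no JavaScript unless authorized" stance through Chrome's managed policy, which a user or a web page cannot flip back. It assumes Google Chrome on Linux, which reads JSON policy files from /etc/opt/chrome/policies/managed/, and the allowlisted sites are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny JavaScript in
# Google Chrome via a managed policy file, with an explicit allowlist.
#
# Assumptions not stated on the page: Google Chrome on Linux, which loads
# JSON policy files from /etc/opt/chrome/policies/managed/ (root-owned);
# the allowlisted sites are placeholders. The policy names and values are
# Chrome's documented ones:
#   DefaultJavaScriptSetting   1 = allow all sites, 2 = do not allow any site
#   JavaScriptAllowedForUrls   URL patterns exempt from the default

DEFAULT_POLICY_DIR=/etc/opt/chrome/policies/managed
POLICY_NAME=50-javascript-default-deny.json

# Emit the policy JSON on stdout. "[*.]example.com" matches example.com and
# every subdomain; a full URL such as "https://www.hulu.com" matches only
# that origin, which is the tighter choice for a site you merely tolerate.
render_js_policy() {
    cat <<'EOF'
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "[*.]example.com",
    "https://www.hulu.com"
  ]
}
EOF
}

# Write the policy into DIR (creating it if needed) and print the file path.
# Chrome silently ignores a policy file it cannot parse, so keep the JSON
# above strictly valid (no trailing commas, no comments).
install_js_policy() {
    dir="$1"
    mkdir -p "$dir"
    render_js_policy > "$dir/$POLICY_NAME"
    chmod 644 "$dir/$POLICY_NAME"
    printf '%s\n' "$dir/$POLICY_NAME"
}

# Usage: sh chrome-js-policy.sh [policy-dir]
# With no argument the script only defines the functions above (so it can be
# sourced); as root, pass $DEFAULT_POLICY_DIR to install it system-wide.
if [ "$#" -gt 0 ]; then
    install_js_policy "$1"
fi
```

After installing the file, chrome://policy shows whether Chrome picked it up. Note the trade-off: once JavaScript is policy-managed, the per-site icon described above no longer lets the user add exceptions, so the allowlist has to be maintained in the file, and a site that is not on it gets no JavaScript even if it is already in the profile's approved list.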


Learn Some Hacker Skills Online from SANS & Paul Asadoorian

Fellow FriendsInTech.com member Paul Asadoorian is presenting two upcoming SANS@Home courses:

Metasploit is a fantastic tool for testing your network and applications.  Come learn about all of its new features! You can use discount code "PaulDotCom" and save 20%!


TSA Travel Woes - Post A Comment To Their Blog

I just found out that the Transportation Security Administration (TSA) is now officially blogging (started Jan. 30, 2008) and is accepting comments on their blog posts.

The blog is called "Evolution of Security" and can be found at: http://www.tsa.dhs.gov/blog.

If you run into trouble or maybe have a great experience, then make sure you use this resource to give them some feedback.


Some New Cold War History Recommendations

I am a big history buff. I am particularly interested in stories about World War II and The Cold War. 

I came across a bunch of recently released Central Intelligence Agency (CIA) docs at the Federation of American Scientists (FAS.org):

  • "The Secret War in Korea, June 1950 to June 1952," March 1964 [pdf]
  • "Record of Paramilitary Action Against the Castro Government of Cuba, 17 March 1960 - May 1961," May 1961 [pdf]
  • "The Evolution of Ground Paramilitary Activities at the Staff Level, October 1949-September 1955," November 1968 [pdf]
  • "The Berlin Tunnel Operation, 1952-1956," 24 June 1968 [pdf]

They all have some pretty interesting information in them.  I am fascinated by wondering what the redacted parts contain.

The Cold War has many different angles and perspectives. One of the other resources that is really interesting is from Tony Kahn over at WGBH's Morning Stories podcast.  Tony produced the following series called "BlackListed" (RSS):

In October 1947, the House Un-American Activities Committee opened its hearing into Communist influence in the movie business and promptly denounced 19 prominent directors, producers, screenwriters, and actors as enemies of the state. One of them was Hollywood screenwriter Gordon Kahn, whose films include All Quiet on the Western Front and The African Queen.
    
In this six-part personal history of the Hollywood Blacklist, Gordon Kahn's son, Morning Stories producer Tony Kahn, tells the story of his father's 15 years of persecution and the fear that followed him, his family, and thousands of other Americans for being accused of having the wrong political ideas.

I have currently listened to three of the six podcasts, and I am really enjoying this very well-produced audio program.  No matter what your political views, this is a podcast that should not be missed.