The Ethics Of Food

When you sit down to your evening meal, it’s unlikely that you take a moment to think about where the food has come from. We have all become accustomed to having what we need, when we need it, from gluten-free options to low-carb keto-friendly recipes. We can eat strawberries in January and exotic fruit from the other side of the world, such are the delights of the modern diet options.

While you should always enjoy your food, it is worth spending a moment thinking about the ethics behind how we eat. There tends to be a price — sometimes financial, sometimes environmental — for everything that hits our plate. Sometimes, that price can be extortionately high, and one you might not be willing to pay if you know the extent of it.

Below are three examples of the ethical questions surrounding modern food, and how you can make small changes to address some of the issues raised.

#1 – Fair Trade Food

For third-world countries, globalization has meant that there are more work opportunities than there might otherwise have been. However, it’s wrong to assume that the citizens of these countries are in work that pays well and supports their living. Sadly, multinational corporations have a terrible history of exploiting their third-world workers in an attempt to boost their profit margins.

The Fair Trade movement is an effort to combat this issue. Farmers who work within Fair Trade practices are paid a fair wage, one that is enough for them to live a decent life on. If you’re curious to see how this works, you can find out more about the Fair Trade movement at fairtradecertified.org.

One note: Fair Trade food is a little more expensive than non-Fair Trade items, but the difference is relatively small – and it can make a huge difference to the lives of farmers around the world.

#2 – Overfishing

Overfishing is becoming a huge problem throughout the world. Fish are being caught at such a rate that the declining populations don’t have the chance to reproduce and replace.

Companies who produce fresh and tinned fish are well aware of this issue. That’s why some companies have banded together to try and increase sustainability in their offerings. If you’re curious about these programs, then visit globalsalmoninitiative.org for more information on one of the leaders in this area, and see the difference these initiatives can make.

You could then put that knowledge into practice, and ensure that you’re always

#3 – Food Miles

Being able to eat any food you want at any point in the year is wonderful, but there’s a serious downside when it comes to the carbon footprint of that food.

Out-of-season and exotic fruit has to travel a huge distance to reach our stores, as it can’t be farmed naturally in the US. All of that travel is catastrophic for the environment, which is then made worse by the sheer volume of food waste the world creates.

It’s far better for the environment if you stick to locally-grown produce. Yes, you will be restricted to fruit and vegetables that are in season, but it can be fun to branch out and see the meals you can create with only local goods.

As it turns out, the food that goes onto your plate, and the process it went through to get there, is more complex than you might have originally thought. With a few small changes, you can be sure that you’re eating as ethically and sustainably as possible.

OSCP and PWK Tips, Resources & Tools

Here are some resources and tools I found useful while taking (and passing!) the Pentesting with Kali (PWK) course in preparation for the Offensive Security Certified Professional exam. It has been about two weeks since I passed, and I am still reveling in the satisfaction that has come with it, as it was ultimately a year-long effort to prepare for and take the course in order to pass the exam.

Many people post the usual resources that you can find on various blogs related to the course (g0tmi1k, highoncoffee, pentestmonkey, etc), and those are absolutely useful, but what I have assembled here are less common, and are hopefully useful for those of you about to embark on, or already in, the OSCP journey. They were useful for me.

Enjoy!

How to Pass the OSCP

https://gist.github.com/unfo/5ddc85671dcf39f877aaf5dce105fac3

My favorite part is this, right at the beginning:

1. Recon
2. Find vuln
3. Exploit
4. Document it

However, I would add a step so that it looks more like this:

1. Recon
2. Find vulnerability
3. Exploit
4. Privilege Escalation
5. Document it

Most of the machines in the PWK labs require that additional step. You seldom run across a VM where you run an exploit and get root right away, with no intermediary privilege escalation step needed. In fact, it is an entirely unique skill that you need to develop, practice, and practice again. What’s more, you have to learn “privesc” for both Linux/Unix and Windows machines — two entirely different methodologies.

Path to OSCP

https://localhost.exposed/path-to-oscp/
An interesting ‘trials and tribulations’ story of one man’s path to accomplishing his goal: the OSCP certification. Contains both video logs and various notes and snippets that may be helpful to you.

One Two Punch

https://github.com/superkojiman/onetwopunch
I didn’t discover this script until I had already rooted about 15 of the machines in the PWK labs, but I wish I had learned of it sooner. It runs a unicornscan (UDP) to find open ports, then passes them to nmap for service detection. It also looks at all 65,535 ports, so you don’t miss anything. Set this up as one of the first things you do when you start working on a new machine (it takes a while to run), then come back to check the results after you’ve done some manual exploration.

Reconnoitre

https://github.com/codingo/Reconnoitre
“A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags.”

This tool ended up being a workhorse, both in the labs and in the exam. Being able to check quick nmap results while more in-depth scans were still going was invaluable for getting things rolling along.

General Tips from Techexams

http://www.techexams.net/forums/security-certifications/116262-oscp-starting-13-12-2015-a-6.html#post1028560
This post has a lot of good tips for the OSCP exam. I can’t stress enough the need to be prepared for the exam, having all the things you need at your fingertips so that you don’t have to go digging through notes or files when you are tight on time or limited on brain power because you’ve been working on this for 18 straight hours.

Test Taking Strategy
http://www.hackingtutorials.org/hacking-courses/offensive-security-certified-professional-oscp/

The most useful parts of that site for me were:

  • Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
  • You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is a great practice for this, use it to learn how to document properly.

There were so many people in the NetSec Focus OSCP Slack channel that skipped the exercises, skipped the videos, and skipped documenting the requisite 10 VMs to get the bonus points for the exam. I saw more than a few of them fail the exam as a result. I would likely have failed the exam had I not completed the exercise and 10 lab machine documentation. All I will say is this:

Do not skip the exercise or lab documentation. These are free points. The way the exam scores total up, you may well need these points to pass!

Timing of the Exam

Also from this page, I chose to follow this exact strategy for timing, and it really worked for me. The important thing to consider is being able to have two fresh starts.

“The second attempt I’ve started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours.”

I ended up sleeping from 2am to 5am, at which point I set an alarm and a full pot of coffee to carry me through until the exam was over. I also had the support of my amazing wife, who kept me fed and hydrated the whole time.

The Offsec PWK Kali VM

Use the provided Kali VM, do not use the latest/greatest Kali version. Offsec provides you with a VM that has been customized to contain everything you need to complete the course and the exam. There is no need to update it. There is no need to run the latest version of Kali. In fact, they customize it in certain ways to make sure you don’t run into problems, so don’t try to use something different. I witnessed multiple people having problems with this in the NetSec Focus OSCP Slack channel, and I wisely used the Offsec Kali VM the whole course to avoid issues.

The NetSec Focus Slack Channel

I have mentioned it a few times, but this Slack channel was invaluable during my OSCP journey. It allowed me to ask questions, bounce ideas off others, and chat with folks who were currently in the course or had already passed it. If you are in the OSCP course and you join the group, ask a moderator to add you to that private OSCP channel once you join. Keep in mind that they do not allow spoilers, or even questions about specific lab machines. This resource is a great asset for those taking the PWK/OSCP course, and I made some good friends from being there and suffering through it all.

Lastly, I have to say it:

Try harder!

Biggest Online Security Breaches in 2017 So Far

Worryingly, we hear about data breaches so much nowadays that we have gotten used to them. From the infamous Ashley Madison breach, where thousands of cheating partners were exposed, to the TalkTalk breach, which led to youngsters being arrested, the scandals seem to get worse and worse as cyber criminals become more sophisticated. In this post, we are going to take a look at some of the biggest data breaches to occur so far in 2017.

Debenhams Flowers – Let’s begin with a data breach that has hit the news very recently. 26,000 customers had their personal data compromised as a consequence of a cyber attack on the Debenhams Flowers website. Names, addresses and payment details were taken during the incident, which targeted a third-party e-commerce company, Ecomnova. At present, the Debenhams Flowers website is offline while they discover more about the attack, which is believed to have taken place between February and April of this year.

Gmail – Most people reading this post will have a Gmail account, and so the phishing scam that occurred in March was a pretty big deal to say the least. Gmail users were targeted in a sophisticated scam, which saw them receive an email that appeared to come from one of the user’s trusted contacts, such as a friend or a work colleague. The email had a Google Doc attached to it, and encouraged the user to open it. However, once clicked, the link actually led to a security page, whereby the hacker would gain control of the user’s email account. Despite the fact that Google reacted quickly and was able to stop the attack within an hour, one million users were impacted.

InterContinental Hotels Group – While email platforms and ecommerce websites only have online threats to deal with, the hospitality industry has both physical and cyber security to bear in mind. If you would like some information on the former, take a look at information provided by HS Tech Group. The InterContinental Hotels Group (IHG) breach is important because it occurred due to malware, which is running rife at the moment. In the beginning, IHG believed that 12 of its properties were impacted by the breach, which saw malware on the servers used to process payments made at on-site bars and restaurants. This meant that stolen data included internal verification codes, card numbers, and expiration dates. However, IHG later revealed that 1,200 of their properties had been impacted by the malware attack.

E-Sports Entertainment Association (ESEA) – Last but not least, we have a breach that was announced at the very start of 2017. ESEA, which is one of the biggest video gaming communities in the world, issued a warning to all players after discovering a security incident. It was later revealed that more than 1,500,000 ESEA records were impacted by the breach, and a lot of private data was compromised in the process, including website URLs, phone numbers, birthdates, email addresses, first and last names, usernames, registration date, last login, and much more.

For more information on how you can stay safe while using the Internet, take a look at this blog post.

Decluttering

With the start of a new year about to happen, I’ve been doing a lot of reflection on where I’ve been focusing my attention, and what I’ve been getting out of those things. My conclusions led me to discover that I have been putting a lot of time and energy into things that don’t necessarily help me, my family, and everything surrounding those primary things (career, creativity, cashflow, etc).

So, I have decided to give up the following:

  • Caring about sports. I may watch some bigger Louisville basketball games, but overall, this has become more of a chore than anything, and I spend way too much time wrapped up in the emotions surrounding games. This is particularly unproductive when they lose.
  • Facebook. I’ve given it up before, but it serves absolutely no purpose for me. If people want to keep in touch, they know how to find me.
  • Clash of Clans. I’ve led a very successful clan for almost 2 years, and been a part of the game for almost 3. I helped start the Reddit Alliance Clans system, and all of this has been a large time sink. I did have a lot of fun, and I met a lot of great people along the way, but ultimately, it’s been entirely unproductive towards helping any of the primary things in life I mentioned above.
  • Reddit. One thing I’ve noticed is that by deleting apps off my phone, I waste a lot less time. So I am removing the Reddit app that I use, and will instead only check in on occasion when at my computer, at home. I tend to get wrapped up in drawn-out conversations (or arguments) on Reddit far too often. While some of these interactions can have positive outcomes (discussing network security, for example), most of the time I am arguing with people who will never change their minds. Why? I have no idea.

I hope to start using all the freed up time and energy (in no particular order) towards continuing my newfound interest in working out, continuing to educate myself, investing more time and energy with my family, making more music, and focusing on the things that support all of the above — the primary things in life.

I will report back more in a few months to let you know how it all goes!

Photo by ollesvensson

O, Death

“You want a physicist to speak at your funeral. You want the physicist to talk to your grieving family about the conservation of energy, so they will understand that your energy has not died. You want the physicist to remind your sobbing mother about the first law of thermodynamics; that no energy gets created in the universe, and none is destroyed. You want your mother to know that all your energy, every vibration, every Btu of heat, every wave of every particle that was her beloved child remains with her in this world. You want the physicist to tell your weeping father that amid energies of the cosmos, you gave as good as you got.

And at one point you’d hope that the physicist would step down from the pulpit and walk to your brokenhearted spouse there in the pew and tell him that all the photons that ever bounced off your face, all the particles whose paths were interrupted by your smile, by the touch of your hair, hundreds of trillions of particles, have raced off like children, their ways forever changed by you. And as your widow rocks in the arms of a loving family, may the physicist let her know that all the photons that bounced from you were gathered in the particle detectors that are her eyes, that those photons created within her constellations of electromagnetically charged neurons whose energy will go on forever.

And the physicist will remind the congregation of how much of all our energy is given off as heat. There may be a few fanning themselves with their programs as he says it. And he will tell them that the warmth that flowed through you in life is still here, still part of all that we are, even as we who mourn continue the heat of our own lives.

And you’ll want the physicist to explain to those who loved you that they need not have faith; indeed, they should not have faith. Let them know that they can measure, that scientists have measured precisely the conservation of energy and found it accurate, verifiable and consistent across space and time. You can hope your family will examine the evidence and satisfy themselves that the science is sound and that they’ll be comforted to know your energy’s still around. According to the law of the conservation of energy, not a bit of you is gone; you’re just less orderly. Amen.”

-Aaron Freeman.