mrtns blog - articles

Rethinking the 40-Hour Work Week

Mon, 26 Feb 2024 00:00:00 +0000

Rethinking the 40-Hour Work Week: A Modern Workplace Mysterium

The concept of the 40-hour work week has been a staple of the modern workplace since the dawn of industrialization. This time-old standard has shaped our understanding of what it means to have a “full-time job.” Yet, as we continue to evolve in our professional capacities, especially with the rise of knowledge work, it’s worth asking: Why do we still cling to this model?

Why 40 Hours?

The 40-hour work week has its roots deeply embedded in the history of industrialization. The shift from agrarian societies to industrial cities necessitated a standardized work schedule that could align with factory demands and shifts. This structure was designed to maximize productivity in a time when manual labor was paramount.

History of the Work Week: The industrial revolution brought with it the need for regular, predictable work schedules. This led to the standardization of the 40-hour work week.
Industrialization and Shifts: The division of the day into shifts allowed factories to operate continuously, maximizing output. The 40-hour week was a compromise between labor demands for a shorter work week and the business need for productivity.

When Do Knowledge Workers Have Time-Off?

Unlike manual labor, knowledge work often doesn’t have clear boundaries. The brain doesn’t operate on a strict schedule.

The Challenge of Turning Off: Knowledge workers often find it difficult to “turn off” outside of official work hours. That shower or walk where your mind wanders? It’s still working, solving problems in the background.
Eureka Moments Outside of Work Hours: Many can relate to the experience of finding the solution to a problem while engaged in a completely unrelated activity. This illustrates how intellectual labor doesn’t confine itself to a schedule.

Problem With Contracts

Traditional work contracts, with their emphasis on hours worked, struggle to fairly measure the output of knowledge workers.

Measuring Output: It’s challenging to quantify the productivity of knowledge work in a way that aligns with a fixed hourly schedule.
The Office Illusion: Just because someone is physically present in an office for 8 hours doesn’t mean they are effectively working all those hours.

Societal Implications and Problems With Contracts Without Hours

Moving away from hour-based contracts presents its own set of challenges, especially when considering societal perceptions.

Perceived Fairness: There’s a significant challenge in reconciling the flexibility of knowledge work with the more rigid schedules of traditional “real” jobs. How do we ensure fairness across different types of work?
Work vs. “Being at Work”: There’s a growing realization that being present (either in an office or at a job site) doesn’t necessarily equate to productive work. This distinction is particularly acute in knowledge work, where outputs are not as easily quantifiable.

Conclusion

As we continue to navigate the complexities of modern work, it’s becoming increasingly clear that the 40-hour work week, a relic of the industrial era, may not be the best fit for the nuances of today’s knowledge-driven economy. The challenge lies in crafting a new work paradigm that recognizes the unique nature of knowledge work, respects the balance between work and life, and addresses societal expectations of fairness and productivity. The future of work may not be tied to a clock, but to the value and outcomes we produce - with all challenges that apply to a model like that.

Launching Nord Nord Sec

Tue, 12 Dec 2023 00:00:00 +0000

It’s been a while since i actually managed to finish a post here. I got tons of notes for lots of different topics. Being it books, infosec related stuff or just random thoughts. But I never manage to finish writing the posts.

After thinking about it, i realized that i - as much as i like it for programming - don’t like the hassle of using git for writing blog posts. I don’t want to commit and push every time I want to see how the post looks like. I also don’t want to create a local version before publishing it to do that. I want to be able to just write and publish.

So I decided to take a look around, what the current state of blogging seem to be. I realized, that I recently started adding newsletters or some sort of curated lists to my reading. I also realized, that I usually take notes on the stuff I read. So why not just publish those notes?

And this is how the idea for Nord-Nord-Sec was born. It’s a newsletter, that I’ll probably publish roughly every week. Maybe more, maybe less. I’ll provide some links and comments from me about the stuff I read. I might also throw in a bunch of notes and thoughts about them.

So If you’re interested - feel free to subscribe to the newsletter. I won’t spam your inbox with random crap. Pinky promise!

still alive

Tue, 17 Jan 2023 00:00:00 +0000

i’ve been trying to capture the last year for quite a while. i’ve also tried to sum it up in a few words for quite a while. so i sat here and stared at an empty editor window. cursor blinking. mind blank. i can’t even say why, because everything went fine. all are healthy. the kids are growing - arguing, playing and laughing together. i also read and learned a lot. about me, about technology, security, productivity etc etc. maybe i’ll write something about that stuff later. and probably book-by-book (or topic-wise) and not some single, big and bloated “recap” post.

with that said - here’s to a great 2023! i hope y’all had a good start and keep kicking ass <3

steam deck recap

Mon, 24 Oct 2022 00:00:00 +0000

After I’ve been quite hyped about the pre-order already, I know had quite some time to use the deck.

tl;dr The Steam Deck is an amazing device if you are a pc gamer who is comfortable with - using a controller. - don’t need 4k 144Hz AAA graphics - ideally already have some games you bought and never played

After I got it in Spring 2022, I went through several emotions in the first two hours: Joy, because the carrying case seemed so sturdy. Then I was annoyed, because the fan was noisy. But then I was happy again, because the beta-software made it disappear.

After that rollercoaster, I started downloading games from my library, that I already owned and were compatible. And since that moment, I (almost) never looked back.

Some of the games i played on it:

dead cells
dark souls 2
shadow tactics
horizon zero dawn
dome keeper
rocket league
xiii
fall guys
apex legends
minecraft

As you can see, with minecraft and fall guys i’ve also left the relaxed territory of the steam store and installed non-steam-native games. With a tutorial it was easy enough - but I’m also a linux user for quite some time. If you don’t know your ways around the terminal, I wouldn’t recommend that to anyone.

I also don’t try to “run all the things” on it or tinker - It’s a gaming appliance and this is fine for me. So I can’t say anything in that regard. I’ve read some blog posts about repairs, changing thumbsticks etc and it seems that Valve did a great job for that as well. You can also order replacement parts or send it to one of the official repair centers if anything is broken.

Regarding the hardware, here are my two cents:

I have small hands - but I’m able to reach all the buttons without problem. I haven’t played a lot while standing, but it seems to be light enough for me that I didn’t care (yet).

I’m barely using the gyro besides in minecraft, but it appears to be pretty precise. I’m open to suggestions what I should play with it…

Despite some negative opinions i read, I’m happy with the thumbsticks. Happy enough that I barely use my steam controller at my pc anymore because it lacks thumbsticks…

As I got the 512GB Version with the Anti-Glare glass screen, I can’t say anything about the cheaper screens - but this one is great. It’s playable outside, even if you’re not sitting in the shadow. At night you can dim it that it doesn’t hurt in your eyes or wakes the child sleeping beside you. Top notch :)

The additional buttons on the back are amazing for shooters like apex or horizon zero dawn - never let go of your movement/aim thumbsticks! really cool.

And the speaker that valve put in that handheld are way better than expected. I barely play with headphones as the sound is good enough for me not to care any further.

Apart from the games and the literally zero issues I had as long as they were somewhat verified, it has been great to be able to hang out on the couch with my wife in the evening, when I really wanted to play some games - but she didn’t want to join me in my office. Understandably - I also prefer the living room…

I barely travel at the moment, so I can’t say much about this use-case. But being able to enjoy Horizon Zero Dawn while sitting in the train was pretty neat. If I’d commute, I’d totally carry it all the time.

What didn’t work though was “not to buy new games” before i diminished my pile of shame - so yeah…

never stop learning

Sat, 30 Jul 2022 00:00:00 +0000

A few days ago, someone asked me if i learnt certain stuff in school - which i didn’t. For them, it seemed to be totally crazy to keep on learning new stuff after you finish school, university or apprenticeship etc.

That’s honestly very confusing for me. Imagine you stopped to develop when you left school! At that point I was, for the lack of a better word, a dumb asshole. I knew jack shit about anything that would actually be useful in live. I had no idea what i wanted in life or how i wanted to live it.

And I’m pretty sure - and even hope - that i’ll be thinking the same about my 30s in 10-15 years. Is there a point where learning ever stops? There is probably always something new or interesting to explore. Let’s keep doint that!

reorganizing my stale productivity methodology

Mon, 18 Jul 2022 00:00:00 +0000

Recently, I kinda felt frustrated with my setup of reminders, todos, task lists etc - so i slacked. pushed more and more on another day or didn’t even check my lists at all. After working with a homegrown sort of Getting Things Done for over two years, i stil managed to stick to my daily routines. these routines - like taking out the trash, prepare the vacuum-bot, water plants etc - were a thing that i desperately needed to monitor and make sure they got done. Funny enough: Even though i stopped checking my lists with these things, I still did them.

This happened, because I finally developed several habits regarding these things. I also have no idea how long it’s actually a habit, as I have no clue how long I do this subconsciously.

As I grew fond of the GTD methodology, I still didn’t stick to it. Most of the time, I skipped the step where you reflect and review the tasks… So now I want to make time for doing this and:

capture all tasks, todos, chores etc
organize them in categories
actually do them
regularly reflect about the whole process as well as individual tasks

Previously i tried to categorize most tasks within a certain room or place. To give you an example, I categorized tasks as “kitchen” related or “garden” - or even “shopping” to be able to quickly check if i’m at a certain place what has to be done. I’ve got a bit annoyed with that, as some tasks didn’t have a clear place where they have to take place. So i’ll start without this and try to identify patterns.

I hope the added reflection as well as finding/identifiying new categories will improve my productivity methodology.

why the ms gamepass is the future

Sun, 10 Apr 2022 00:00:00 +0000

i’ve just reactivated my ms gamepass. for 1 euro. we didn’t use the stupid xbox for several months, so i’ve paused the subscription for a while - and again i got the 1euro/month price. this is amazing! since we bought the console, i’ve probably paid not even the price of a single game and played a ton of different titles. this is exactly how MS is winning the console market.

the playstation might have better exclusives, the nintendo consoles might have the more famous characters, series etc - but the fact that i can play a ton of games, whenever i want, for almost free is why i’d never buy another console (steam deck aside, as i bought it for different reasons) besides one from MS. and i don’t even like most of the things they do beside their consoles… this is something i wouldn’t even have considered ten years ago.

yet i stil remember the feeling when i played the first few hours of HALO back when i bought the original xbox. or the amazing feeling when i bought it in the store. the weight of the box, the moment when we sat in the car and drove home. the unboxing and the connection to the tv - this is one of the most intense memories from my early teens… sadly, i sold the thing a few years later with all my games when i needed a new monitor for my PC :(

i really hope the steam deck will burn itself in my memory like this as well.

snapd on kali

Tue, 22 Feb 2022 00:00:00 +0000

I’ve recently set up my old laptop (trusty old thinkpad t430s) again to use it as my daily downtime driver. as i do some bug hunting or testing out tools that might be handy during a pentest, i decided to go for a baremetal kali installation. i know, don’t use kali as a daily driver, stick to a vm, etc etc. I promise you, i kinda know what i’m doing here ;)

after completing the installation, i wanted to use snapd. So I just followed the official documentation and thought everything will work now.

Turns out: It doesn’t.

First thing I realized was, that I didn’t have vs code in my launcher and /snap wasn’t part of my $PATH. The second part was easily fixed with a export $PATH:/snap in my .zshrc. For the launcher-problem, I needed some googling - but I found the solution quickly on reddit. Literally a missing link.

ln -s /etc/profile.d/apps-bin-path.sh /etc/X11/Xsession.d/99snap

After linking it and rebooting, vs code showed up in the launcher. Great - but now it still didn’t start.

Clicking the icon - nothing.

Trying to launch code from the command line, an error got presented: snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks.

Turns out, there was a missing configuration for apparmor. After reading this issue on github, I pieced together a snippet to fix it:

sudo apt install apparmor-utils apparmor-profiles && \
sudo apparmor_parser -r /etc/apparmor.d/*snap-confine* && \
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine* && \
sudo systemctl enable --now apparmor.service && \ 
sudo systemctl enable --now snapd.apparmor.service

After running this, even snaps that have to be installed with the --classic flag work again.

how to approach bug bounty - without getting frustrated

Sun, 20 Feb 2022 00:00:00 +0000

I’ve recently watched one of the most inspiring talks i’ve ever seen. How to crush bug bounties in 12 months by hakluke. And although the title suggests that it is about optimizing for earning, the real optimization when you hack on bounties is on yourself.

If you are - like me - interested in bug bounties or cyber security in general, you can (and probably should) start with doing bug bounties. Just for the sake of learning on real world targets. Make sure to stick to the scope of the program(s) you chose and get started.

Following the advice from hakluke in this talk, you could start with automating the boring tasks away. If you focus on that part, you might even be able to generate passive income from bounties. Or at least reduce the manual effort to the fun part of exploiting the juice stuff you’ve found.

And no worries if you don’t find anything in the first days, weeks or months - if you stick to it and make a habit out of investing some time in your automation, skills or just general tool-handling, it’ll pay itself forward.

Another factor that plays a huge role in this talk is the looming threat of burn out in IT security professionals. This is also something that should be taken into account when you start doing bug bounties: You might be highly motivated and might be able to do six, 10 or even 12 hour sessions hacking away. In the long run, you won’t keep up with that pace. So if you are serious and want to make this something that lasts for longer than a few weeks you should see it as a new habit that you form. So don’t burn yourself out with extreme intensity at the start - but rather dip your toes in and do one or two hours every day. You’ll be fine.

And with that said - gotta go back to my automation-fiddling

obsidian2hugo - an update to 'changing blog tech'

Wed, 09 Feb 2022 00:00:00 +0000

It’s been a while since i discovered and kinda fell in love with obsidian. As in my last post about changing blog tech already said, i’d love to use it as my blogging-solution as well.

As I’d definately loose the rss feed of the blog, I’ve already cancelled the thought - but my mate Markus faced the same problem and simply wrote a thing: obsidian2hugo. I still need to test it for myself - and set up a web server etc before i do it - but then I’m good to go.

It’ll be a nice opportunity to change the style of the blog. :]

booklist 2021

Thu, 13 Jan 2022 00:00:00 +0000

I’ve probably never read (or listened to more) books than last year. Some sucked big time (looking at you, ‘9 Tage wach’), some are among the best books I ever read. I’m not a big fan of scores or star ratings, so here are a few books (in no particular order) that left an impression:

Die Wirecard-Story: Read it two times last year - and still can’t believe that this actually happened. Fascinating how far you come if you’re just audacious enough.
Hail Mary: I just love Andy Weirs Style. His characters are always entertaining and I’m especially happy that I’ve listened to Hail Mary as an audiobook. I’d recommend doing so as well, as the audio book has a particular feature that a real book is missing. (Won’t spoil it for you, so I’ll leave it at that)
How to Hack Like a Ghost, Breaching the Cloud: So.many.things.to.learn! Fascinating insights in the mind of someone who clearly has done his fair share of cloud-hacking.
Mariannengraben: Don’t know if i’ve ever laughed and cried so much.
Lass mich die Nacht überleben: Fascinating, thrilling and disturbing account of heroin addiction.

Insane Mode, Principles, Agro Mafia and every book by Rainer Zitelmann were also impressive and are right behind these.

All things considered, I’m quite happy with my reading last year. It was a lot of differnt things and covered a wide range of topics, authors, genres and moods. And almost every book lead to some ideas and thoughts afterwards.

Here is the list in chronological order of my reading last year, starting in january 2021:

Ray Dalio: Principles
Hamish McKenzie: Insane Mode
Nassim Nicholas Taleb: Antifragile
Philip Tetlock, Dan Gardner Superforecasting
David Graeber: Bullshit Jobs
Volker ter Haseborg: Die Wirecard-Story: Die Geschichte einer Milliarden Luege
Peter Lynch, John Rothchild: One Up On Wall Street: How To Use What You Already Know To Make Money In The Market
Marcel Eris, Dennis Sand: Montana Black
Marcel Eris, Dennis Sand: Montana Black II
Dan Abnett: First and Only
Dan Abnett: Ghostmaker
Dan Abnett: Necropolis
Dan Abnett: Honour Guard
Sandy Mitchell: For the Emperor
Werner Heusinger, Christian W. Roehl: Cool bleiben und Dividenden kassieren: Mit Aktien raus aus der Nullzins-Falle
Sandy Mitchell: Caves of Ice
Sandy Mitchell: Ciaphas Cain: Death or Glory
Sandy Mitchell: Ciaphas Cain: Duty Calls
Sandy Mitchell: The Traitor’s Hand
Andy Weir: Hail Mary
Robin Sharma: The 5 AM Club
Cliff Stoll: The Cuckoo’s Egg
Mai Thi Nguyen-Kim: Die kleinste gemeinsame Wirklichkeit
Marcus Luttrell, Patrick Robinson: Lone Survivor - SEAL Team 10
Tom Clancy: Gnadenlos
Tom Clancy: Die Stunde der Patrioten
Tom Clancy: Red Rabbit
Tom Clancy: Jagd auf Roter Oktober
Tom Clancy: Der Kardinal im Kreml
Tom Clancy: Der Schattenkrieg
Tom Clancy: Das Echo aller Furcht
Tom Clancy: Ehrenschuld
Tom Clancy: Befehl von oben
Tom Clancy: Operation Rainbow
Tom Clancy: Im Zeichen des Drachen
Tom Clancy: Im Auge des Tigers
Tom Clancy: Dead or Alive
Tom Clancy: Ziel erfasst
Flow Sparc: How to Hack Like a Ghost, Breaching the Cloud
Tom Clancy: Gefahrenzone
Greg McKeown: Essentialism
Tom Clancy: Command Authority
Tom Clancy: Mit aller Gewalt, Mark Greany
Tom Clancy: Die Macht des Praesidenten, Mark Greany
Tom Clancy: Pflicht und Ehre, Grant Blackwood
Tom Clancy: Anschlag auf den Praesidenten, Mark Greany
Tom Clancy: Letzte Entscheidung, Mike Madden
Becky Chambers: The Long Way to a Small, Angry Planet
Chuck Wending: Zeroes
Marc-Uwe Kling: Quality Land 2.0
Christoph Bermann: Bitcoin
Annalena Baerback: Jetzt
Andreas Eschbach: Black Out
Andreas Eschbach: Hide Out
Andreas Eschbach: Time Out
Colin Bryar, Bill Varr: Das Amazon Geheimnis
Dr. Felicia Rehage, Eiko Weigand: Lassie, Rex & Co
Marie Kondo, Scott Sonenshein: Joy at work
Arno Strobel: Die APP
Frank Sieren: Shenzen Zukunft made in China
Satya Nadella: Hit Refresh
Rainer Zitelmann: Kapitalismus ist nicht das Problem sondern die Lösung
Sophie Passmann: Alte weisse Männer
Katharina Nocun und Pia Lamerty: True Facts
Daniel Kahneman: Noise
Franziska Schreiber: Inside AFD
Giulia Becker: Das Leben ist eins der härtesten
Naomi Klein & Rebecca Stefoff: How to change everything
Cal Newport: Deep Work
Mark Owen, Kevin Maurer: Mission erfüllt: Navy Seals im Einsatz
Kohn Doerr: Measure what matters
Cal Newport: So Good they cant ignore you
Jasmin Schreiber: Mariannengraben
Detlef Kügow: Sozialismus
Mark Benecke: Mein Leben nach dem Tod
Jasmin Schreiber: Der Mauersegler
Ray Croc: Die wahre Geschichte von McDonalds
Richard Branson: Losing my virginity
Stefan Liebert und Hajo Fitz: Kokain
Gisela Baur: Warren Buffett Der Jahrhundertkapitalist
Sonia Rossi: Fucking Berlin
Dominik Forster: crystal.klar
Jörg Böckem: Lass mich die Nacht überleben
Nick Martin: Die dunkle Seite. Was nicht so geil war in 10 jhren Weltreiser in 10 Jahren Weltreise
Rainer Zitelmann: Reich werden und bleiben
Gerald Hörhan: Investment Punk
Oliver Meiler: Agro Mafia
Rebecca Solnit: Wie Männer mir die Welt erklären
Gerald Hörhan: Der Stille Raub
Eliane Retz, Christiane Stella Bongertz: Wild Child
Dr Markus Elsaesser: Dieses Buch ist bares Geld wert
Gerald Hörhan: Gegengift
Jens Brambusch: Rollkofferterrorisren
Tobias Ginsburg: Reise ins Reich
Gerald Hörhan: Null Bock Komplott
Nicola Schmidt: Erziehen ohne Schimpfen
Andre Kostolany: Die Kunst über Geld nachzudenken
Mans Mosesson: Tim Die offizielle Avicii Biografie
Das Escape Manifest
Niki Lauda mit Conny Bischofberger: Reden wir über Geld
Peter Thiel: Zero to One
Christiane F.: Wir Kinder vom Bahnhof Zoo
Ernst Paul Döefler: Aufs Land
Peter Modler: Mit Ignoranten sprechen
Angela Doe: Es ist ok
Martin Steinhagen: Rechter Terror
Morton Rue: Die Welle
Sophie Jones: Erlöse mich von dem bösen
Andreas Eschbach: Perfect Copy
Andreas Ohligschlaeger: Hunde als Weggefaehrten
Danielle Graf und Katja Seide: Das gewuenschteste Wunschkind aller Zeiten treibt mich in den Wahnsinn
Greg McKeown: Effortless
Greg McKeown: Essentialism
Isabelle Neulinger: Meinen Sohn bekommt ihr nicht
Danielle Grad und Katja Seide: Das gewuenschteste Wunschkind aller Zeiten treibt mich in den Wahnsinn - Das Geschwisterbuch
Rainer Zitelmann: Setz dir groessere Ziele
Adrian Rouzbeh: Erfolg aus Prinzip
Carl Tillessen: Konsum - Warum wir kaufen was wir nicht brauchen
Arnold Schwarzenegger: Total Recall
John Jackson: Corporate Cybersecurity
Kevin Mitnick: Ghost in the Wires
Invent and Wander: Jeff Bezos

Feel free to pick one or more of these, have a look at them and let me know if you enjoyed them. Keep reading, keep learning.

changing blog tech

Wed, 06 Oct 2021 00:00:00 +0000

there has been not much going on here for quite a while - the sad thing is, that has nothing to do with no content in my head, but with the tech-stack of the blog itself.

It runs on github-pages, which means to publish/write a new post, i have to be on my computer. the time i spend here, has significantly decreased during this year. this is nothing i regret, the only thing i regret is, that i can’t easily write stuff down here and publish it…

i switched in my note taking from notion to obsidian.md, because i searched for something that i can edit not only in a browser or an app, but also from my terminal. my personal knowledge base is now - finally - just a folder full of markdown files. obsidian just has a nice app on top of that, that aids in browsing, linking and sometimes rendering the notes. in addition to that, it offers several paid services - e.g. sync and , most important in the context of this blog post, publish. which means i can just publish documents from my personal knowledge base as blog post.

i’ll give it a try and will then decide if i move the content from here over there - and change the dns entry to point to that new side then.

my biggest problem right now is, that this means i’ll lose the rss-feed, which is kinda sad. maybe i’ll find a solution for this problem either before i do the switch or after.

Why I preordered the Steam Deck

Tue, 20 Jul 2021 00:00:00 +0000

Last week the pre-order phase for Valves new Steam Deck went live.

I’ve heard about the device for the first time, when a colleague shared it in our company slack. I had a look at the specs, watched the video presentation and decided to order it.

Before I’ll explain the why, let me first give you a quick run-down of the specs:

it’s a pc
AMD Zen 2 CPU (4 cores, 8 threads)
2.4 to 3.5Ghz clock speed
AMD RDNA 2 GPU
16GB RAM
three different configurations for storage
- 64GB eMMC
- 256GB NVME drive
- 512GB faster NVME drive
7 inch touch screen display
- 1280x800
- 60Hz
Bluetooth
USB-C
approx. 700g weight
later: there will be a dock

The device is available in 3 configuration - whose most imprtant part is the disk space. The 512GB NVME version also comes with a premium anti-glare etched glass display (in addition to an exclusive carrying case and some digital nonsense like a steam community profile bundle and a virtual keyboard theme.

So, after I thought a few hours about it, I decided to buy that thing. Why? Mostly because I thought about buying a switch lite for quite some time, because i don’t like to play in my office, where I also work a big part of the day. What turned me off of the switch (lite) was the fact, that i would have had to buy every game seperately that I wanted to play on it. So it might look cheaper at first, but the games drive that price up significantly.

Looking in my steam library, I have the result of several summer, winter, whatever sales sitting there untouched, waiting for me to finally play them - so why not on the steam deck? without any additional costs!

The next reason was that i love the steam controllers touch & gyro input - but hate the fact that there was no thumbstick for movement on the left. The steam deck has both on both sides. A touchpad and a thumbstick - I’m sure it’ll work great!

What games do i want to play on it? I guess I’ll start with some games i started but never finished quite some time ago, that play great with a controller: WItcher 3 and Skyrim. I also have loads of Indie Games and I’m sure I’ll have some fun with it.

But besides the games themselves, there is another reason i look forward to this: It’s a pc. With bluetooth - So i’ll be able to pair my headset to it, join a teamspeak server or discord and play with folks together, as if I’m sitting on my desktop pc. While being able to lounge in the garden or living room.

Speaking of living room - The steam deck can be plugged in at any screen - with the necessary usb-c to hdmi/display port cable and can be used as a “traditional” console as well. Even with mouse and keyboard, if you might want to play a shooter or strategy game.

So I don’t know about you - but I’m definately hyped for this device and look forwared on the delivery in Q1 next year!

What about you? Would you buy it as well or what are you missing on a device like this?

my communication readme

Tue, 13 Jul 2021 00:00:00 +0000

I’ve discovered an interesting concept through a racket from Neil Studd: The communication readme.

The communication readme is a file, that clearly describes my personal preferences for communication. Why do I have a Readme?

We all are different and as much as I’d (sometimes) love to read minds, we usually have to resort to simpler means of communication. To make the process of communicating as smooth as possible, I decided to let you know.

How best to communicate with me?

I prefer a concise and clear message to a meeting every time. Just send me your question or whatever you have to say or want me feedback on and I’ll get back to you as soon as I’ve seen and resolved it. I hate phone calls/audio-only conversations. If you need me synchronously, I’d be glad if we would use our cameras. I also love to know before we start to meet, what the agenda of the meeting is, that i could come in prepared.

How do you book a meeting with me?

Typical working hours: 7AM to 4PM. Before and after this time, I’ll be with my family. I might see your DM, but if I can’t answer it straight away, I won’t respond until the next morning. Weekends are completely off limits.

If you are sending a meeting invitation without an Agenda, I will probably decline the appointment.

Icebreaker Topics

Family. My wife & kids are the most important people to me. Although I like my work, I’ll maximize on family-time whenever possible. CTFs. In my spare time, I’ll be trying to solve as much CTF challenges as possible. Got some recommendations for Hack The Box Boxes? Bring ‘em on! Gaming. From time to time I enjoy an hour or two in different Video Games. Dota 2, CS:GO, Valorant, League of Legends, Apex Legends - or nice atmospheric single player games like Metro: Last Light are totally my jam! Food. I love good food, cooking, eating, drinking - I’m all for recipe-sharing and restaurant-suggestions!

What quirks do I have which you should be aware of?

I prefer a breakfast-break to a classical lunch break. So you have better chances catching me between 12am and 1pm than between 9am and 10am. My office is on the sunny side of the roof - During summer i might complain about the heat, although it’s not too warm for you yet. It’s window points toward the garden. You might hear children play.

Things that frustrate me

DM’s that don’t get to the point. Don’t just “hi” and wait for me to reply. Emails with complicated quotations and replies to former emails. Or long email threads with lots of people. Meetings without Agendas. If you don’t know what you want to achieve, please don’t invite me to your meeting.

eCPPT certification review

Sat, 29 May 2021 00:00:00 +0000

It’s been a while since I blogged, which had several reasons. One of the reasons was, that I wanted to (finally) tackle the eCPPT Certification. I’ve started to study for it in 2019, but didn’t manage to go through all the material and especially the labs, to feel comfortable taking it before my daughter was born. So I’ve postponed it.

So I’ve always had it in the back of my mind. When work became a little bit relaxed, it was time to start going at it again. I started to study for the cert again - and luckily, due to the amount of penetration tests and CTF challenges that i did since the last time, it went better than expected (but not faster). My biggest enemy was, as I had already anticipated, the Chapter on Buffer Overflows. I really had a lot of problems wrapping my head around it for a long time. Thanks to Heith Adams aka The Cyber Mentor (@thecybermentor) and his Practical Ethical Hacking Course, I was able to finally get it done.

The material provided by eLearn security was also good, but the change of perspective really did it for me.

After this obstacle was out of the way, I kept working away and it really was a great course. The labs are very well designed, the materials are plenty and provide everything you need to pass the exam. Nevertheless, follow the links in the end of each chapter and use the opportunity to learn even more - you’ll maybe not need it in the exam, but the real world is cruel and loves to chew through new penetration testers ;)

The exam itself is different than the eJPT exam. For the eJPT you have to answer 20 multiple choice questions. To answer these, you need to hack through a lab - which was pretty neat when starting out in the cybers. For the eCPPT you have to provide a detailed, written and professional report about the vulnerabilites you have found in your exam-engagement. You have seven days to complete the assessment and additional seven days to produce the report. Yes, 14 days in total.

The network you have to penetrate is modeled after real world companies (albeit the tech could use a refresh) and provides you with lots of attack surface and different paths to achieve root on every box.

After I finished the exploitation of the lab and compiled my report the waiting began. Although it was much faster than the maximum of 30 business days that the grading can take time, the week of waiting felt like an eternity. And despite being very confident that I passed, I was extremely happy when I received the email with the information that I have passed.

So since a week I’m finally a eLearn Security Certified Professional Penetration Tester (eCPPT) :]

Kicking off 20201

Mon, 01 Feb 2021 00:00:00 +0000

We’re already one month into 2021 - Feels a bit weird, right? Days (and nights) go by and nothing changed yet. Not that I’ve expected a big change until spring. We’re still sitting in a somewhat-lockdown, wear our masks and social-distance. We’re still waiting for a vaccine shot.

Apart from that: There will be changes this year - and everything I’ve already know of this year, fills me with joy. To kick off 2021 right, I want to share something that makes me happy. Maybe it’ll make you smile.

After moving out of our old home, I feel better every day. Lots of pressure is still falling of my shoulders and I’m more happy every day when I see fields, the garden and not many people all around. It’s so relaxing not hearing people, cars, trains, ambulances and the general buzz of the city every day and night. It’s quiet.

The gardening season will start soon-ish. This time, we’ll have enough space to plant something else than tomatoes - I’m looking forward for my Chili-Experiment, Pumpkins, Bell Peppers etc. The home-grown tomatoes will be part of the garden as well.

With my new home office and the newly acquired space, I’ll be able to get my first 3D printer. As soon as I’ve built a hybrid of desk and workbench, I’ll get a Prusa Mini .

In summer, a new human will join our little family. I’m looking forward for you, little one. It’s already kicking me (and my awesome wife).

Later this year, there will probably be a vaccination and people can be seen again. Hopefully.

If this has happened, we’ll also be able to have some vacation again. At least a few days at the sea.

I know it’s hard right now for lots of folks. We need to keep distance and be careful - but don’t lose hope. This too shall pass. We’ll make it together. Stay strong and look for the little things that make you happy in the meantime.

Python 2 is dead. REALLY!

Fri, 29 Jan 2021 00:00:00 +0000

I’m currently working with python. I’m not the biggest fan of python - and this stems mostly from the annoyance that is python 2 and/or 3 confusion. Python 2 has been EOL since January 1st 2020. It is dead for over one year now. Okay, not that long - at least compared to the time, that it was possible to start a new project with python 2. Now even pip tells you, that python2 is eol and lots of libraries stopped to support it.

I’m looking forward to say goodbye to python 2. Maybe I’ll enjoy it a bit more, when it’s finally burried.

So if you think about starting a project in python and you have always used 2 until now - please don’t. Just go with 3, even if it means you have to re-learn stuff. We all have to learn something new all the time anyways. Let the dead language rest.

python 3 all the way \m/

2020 in review

Thu, 10 Dec 2020 00:00:00 +0000

So, it’s that time of the year again. It’s getting dark, cold and the people start(ed) decorating their houses and gardens funny. With the strange addition that a global pandemic is going on - which kinda kills the mood a bit.

Buuuut, that’s already the end of the year. We should start in the beginning - at least i like to do it (this year) in a more chronological order.

january

The year started great. There were news from China of a new strain of SARS - but that was still far, far away. I spent the days and nights with my wife and our newborn daughter. Still feels weird thinking about how little she was.

february

I spent only three months on parental leave, so i had to work again from february onward. In retrospect, the first three months were very relaxed - and she started demanding way more from us parents when she started moving around. Should have taken the leave there - but yeah… Luckily i work from home since the beginning of 2019 already, so i managed to witness a lot from her. And help my wife whenever necessary.

The new strain of SARS started to move around the world - from now on, i kinda expected an impact on germany, but i seriously underestimated the intensity and duration of it. Kinda by accident, I started to research stocks, concepts and ideas for early retirements and how-to save/invest money for your children. Turned out to be a good time, as the markets would drop soon.

march

With the beginnig of march, several things hit me. On the one hand, we got a huge project at work which challenged me quite a bit. I worked a lot, thought a lot about it in my free time and worked on (some) weekends. It was intense - i learned a lot - but it was a weird time.

In parallel to that putting some strain on me, the covid numbers in germany were rising. Some sort of lockdown was inevitable, yet the people around us did not seem to care. The thought of not being able to leave our apartement finalized our decision to move. We wanted to have a garden. Having a BBQ and being able to relax there made the thought extremely attractive. Especially as we grew tired of the city over the last years.

april

Our little monster was growing and started to talk, move and tried to eat - which was great to witness. Work was still a lot, especially as the lockdown was happening and severely impacted the activities during leasure time. Even grocery shopping sucked, because somehow people thought that buying toilet paper for several years was necessary.

We actually made some progress with our plan to move to the countryside - we finally have found a neat old house in the middle of bavarian nowhere and made an appointment to check it out, as soon as the lockdown was lifted.

may

Time to check out the house - although it looked great, we decided it wasn’t for us and we keep looking. Seeing the house, the garden and the nature around it was a nice reminder that the city-life will not last for too long…

After some more research in houses, we decided we’ll have a look at houses in the north of germany. It seemed to be a bit cheaper, we both like the general attitude of the people there and also nature is nice. Plus, we would be able to just drive to the sea in summer.

june

Started looking for houses in the north. With a small vacation upcoming, i made some appointments and we were able to check out five or six different houses. Decided to take one kinda on the spot - the owners were nice, the house looked as if it will be nice (when it’ll be finished at the end of the summer) and it was within our budget. Perfect!

We already started to prepare for the move - after speaking to some trucking companies about the costs for moving, we decided to severly down-size. So we started to sell clothes, furniture, gadgets, etc etc.

july

After several months with the pandemic, it still feels weird seeing masked people everywhere. Luckily, the warm weather enabled the restaurants to open again - as they could serve outside - and they also developed working concepts for opening indoors as well. It still felt weird to sit in a restaurant again. The more important part was that contact to others was kinda possible again… Although i’m not much of a people-person, it was nice to meet with friends and talk to someone who was not living in the same house.

Work got a bit quieter through this time, which was a great opportunity to read up on some stuff and do a little bit of ctfs again. FeelsGoodMan

august

Summer. No garden. People everywhere in public places. Holy shit, good that we already have a date when we can move. People seem not to care at all about the pandemic. Walking through the park looks like everyone is getting together and sharing beers. Festivals, yeah!

The flat starts to get empty - Great for the lil one who enjoys the copious amounts of space to crawl and roll around.

september

It is getting colder. Winter is coming and the covid numbers are probably rising soon again. With most of our stuff already sold it already feels a bit like an ending. Empty flat, new house far away, the days get darker. Ironically, work got busier again with several things going on in parallel plus the need to organize moving through the whole country.

october

It is time. For both the move as well as the second wave of covid. So we had to do it alone. While i looked daily at the numbers provided by the RKI, i hoped to get away as soon as possible - hopefully before we have another lockdown. The numbers in the new area seem to stay low - great!

700km to get to an area with less infections gonig on? Count me in.

november

Arrived in the new place. Covid numbers stay low here, which is great. Especially considering the fact, that not everything was finished when we moved in - so the occasional handyman was here to fix or finish several things. During november we mostly unpacked, ordered and started to settle in. The neighbours seem nice. At least from the distance that is necessary right now.

We already started to plant trees and bushes in the garden. As soon as the winter is over - we’ll have some (more) BBQ and be able to enjoy this way more.

december

Here we are. What a weird year it has been. Thinking about it, the most things are either related to Covid or the move. These two things have dominated my 2020. Luckily, no one from my family had it (yet). And with different vaccines on the horizon, it hopefully stays that way.

Witnessing this whole ordeal has shown me the importance of health and family again. Also: I’m glad when the year is over and i look forward what 2021 will bring us.

if you made it this far - thank you and i wish you all the best for you, your family and the year 2021. Feel free to share your past year with me. You can find my email here.

Ready Player Two

Mon, 30 Nov 2020 00:00:00 +0000

A few years ago, I’ve stumbled upon Ready Player One - and dove in deep. It was one of the books, that pulled me in so deep, that I forgot what happened around me. The story about the young Wade Watts, a nobody that has no money, no future and no friends kinda resonated with me. He is one of the most stereotypical nerds that someone can imagine.

The ending was great and it left room for a Sequel - without a sequel being necessary. A few days ago, I read that the Ready Player Two is about to release in November 2020 and so I prepared myself. Over the last few weeks, I read it again.

Yesterday, I got my hands on the brand new audiobook version of Ready Player Two. I started listening to it and did not stop, until it was done. It was a nice ride, although it can’t compete with the Prequel (which i consider one of my favourite books).

My biggest problems with it is, that the quest for the Seven Shards feels rushed as hell, especially compared to the prequel. 3 vs 7 quests… Almost the same size of the whole story. Also, RP1 was focussed on Wade, the nerdyness of him and his friends and in RP2, he may be the driver of the story, but the others are way more important than him. And then there is the sidekicks that get introduced, stay away for 90 percent of the story and have a great impact on the story. And they are probably interesting enough for an own book… It just feels forced to me.

Yet, the book is great. The story is nice, the characters don’t do anything out of place. Also, the nerdyness is (in my opinion) turned down quite a bit. It’s way less obscure than the things you may learn for the first time in RP1. It’s basically Dungeons and Dragons, Lord of the Rings, a little bit of 80s and 90s arcade gaming. It’s great entertainment, but it’s not more.

Start your SonarQube Server in a local docker container

Wed, 21 Oct 2020 00:00:00 +0000

As I always have to search for that - I’ll take the liberty of saving me the hassle of googling it all the time.

docker pull sonarqube
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

Then: Go to http://localhost:9000 and log in with admin:admin

That’s it.

clone a webpage with .git exposed

Wed, 09 Sep 2020 00:00:00 +0000

If you ever have discovered an exposed .git folder on a webpage and asked yourself how do i clone the damn thing?

wget --mirror -I .git http://TARGET.com/.git/

Then you can just use

git checkout -- .

to reset the branch and use git as you are used to - discover secrets and/or flaws.

hack the planet or at least the web \m/

why i can't work with windows

Sat, 05 Sep 2020 00:00:00 +0000

Preface: This is not meant as bashing. I’m aware that lots of people are happily working with Windows every day - and I don’t want to change that. If you like Windows: Good for you! I’m the last one who wants to convert you to Linux. Why? Because I simply don’t care what you are use to get the job done. Almost a year ago, I realized that I had no idea what it’s like to work with a current Version of Microsoft Windows. The last time I’ve used it was with Windows 7 - which is already End of Life (EOL) for quite a while now. So I decided, it’s time to start a little experiment:

Setup my main machine with Windows 10
Use it daily

Oh boy, I did not think it would be that frustrating.

At first, it kinda worked kinda okay-ish… I’m used to a little bit of searching when I want to install some software on a system. I’m also fine, that I can’t install every software right out of the package manager. But not being able to install anything at all from the non-existant package manager. What the Fuck? So the workflow is: search the web - go to the developers website - search for the ‘download’ button - install the software. Updates? Well, the software may or may not check for them.

So the initial setup was a drag. An annoying and ineffective waste of time.

After that crap, the system was ready to use. Fair enough: It was faster, more responsive and even more stable than I though. With the Windows Sybsystem for Linux (WSL), you are actually able to use linux cli tools. After testing it for a while, I used it less and less - don’t get me wrong, i love the command line and it’s tools. Hell, I even write this blogpost in vim and might be able to exit the goddamn thing! But under Windows - it is the tool in itself. You can’t edit any system settings or accesss logs in /var/log/.. Sounds weird - but that is the experience you face ‘over there’.

To do any settings, Windows offers a bunch of total different looking and working GUI applications. Ugh. Nothing beats the adventure of searching for the settings for my bluetooth headset.

After a while, i realized another thing: Somehow I’m creating a big mess of files all over the file system. Some things land in ‘Documents’, some get just dropped in ‘Downloads’ or directly at ‘C:’. Oh, and the focus on physical drives is stupid and I hate it. Y U NO mount?!?!?

The thing that finally broke me and made me format the goddamn thing and put ubuntu 20.04 (old man wanna go LTS) on it again? The annoying updates. The annoying Dialogues that keep popping up and that the fact that I can’t update when I want?!

So yeah - I’m finally back on ubuntu. Brave new world! And it already feels so much better using the damn thing.

Neil Stephenson - Cryptonomicon

Fri, 31 Jul 2020 00:00:00 +0000

It’s been quite a while for a post around a book i’ve read - which has nothing to do with a shortage of books. I’ve recently finished Can’t hurt me by David Goggins as well as 10x DNA by Frank Thelen and re-read several Books from Daniel Suarez. Can’t hurt me had a very intense impact on me and will be honored with a bigger post in the future (soon(tm)).

Cryptonomicon might be one of the books that y’all read several years ago - or at least are aware it exists. A friend told me it is

basically recommended reading for everyone in infosec

and that peaked my curiousity. As I had a spare audible-credit lying around, i’ve bought the book and dove right into it. After several hours in, I still had no idea what the fvck was going on - and i’ve let it sit in my library for a while. This had nothing to do with the writing or the characters. These aspects of the book were great. Relatable, nerdy characters combined in interesting or funny or thrilling scenes that are jumping between two times and over the while globe. It was just the amount of seemingly not connected plots and actions that threw me off and finally killed my interest.

Luckily I’ve read on twitter, that someone else went through the same struggle in the beginning - and told me to push trhough. And it was true. I broke through the book (although it was basically in the middle of the book) and enjoyed it from that point onward. It’s hard to tell what it finally was, but it felt like something clicked into place and I went with it.

My biggest critique probably is, that it took Stephenson so long to capture my interest - I mean, come on - cryptography, an action-packed World War 2 storyline and nerdy, weird and funny characters… Whelp, I’m glad it clicked finally and I might actually look forward for the moment, someone decides to make a movie based on cryptonomicon. Just pray it’s not Uwe Boll.

Penetration Testing in die Cloud skalieren mit axiom

Wed, 01 Jul 2020 00:00:00 +0000

Dieser Artikel wurde als erstes auf dem codecentric blog veroeffentlicht.

Beim Thema Penetration Testing und Cloud koennen Pentester*innen meistens frustrierte Geschichten von Rate Limiting, IP bans und aehnlichen unannehmlichkeiten erzaehlen. Will man keinen Bann bei AWS, Azure und Co riskieren, so muss die Rate an Requests den automatisierte Tools gerne mal ausspucken deutlich reduziert werden.

Problematisch ist dabei allerdings, dass es besonders bei groesseren Web-Applikationen dann sehr, sehr lange dauern kann, bis man als Pentester*in erste Ergebnisse sieht - auf Basis derer man sich sich dann weiter durch die Anwendung analysiert.

Besonders unangenehm sind natuerlich hier - zumindest fuer Pentester und Cyber-kriminelle, die automatisierten und hinreichend aggressiven Antworten der grossen Cloud Provider auf etwaige Angriffe.

Fuer die Loesung dieser Problematik - und noch weitere Benefits wie Hardware- und Ortsunabhaengigkeit, (a)synchrones Zusammenarbeiten - gibt es gute Ansaetze.

Zum einen gibt es die moeglichkeit, Pentest-Infrastruktur direkt in der Cloud aufzusetzen. Schnelles rotieren von IPs, Horizontal skalieren und so die anfallende Workload auf mehrere Maschinen und vor allem IP Addressen zu verteilen.

Ausserdem: Gibt es diverse Linux-Bordmittel, mit denen das wackelige Neuland-Netz hinreichend resilient genutzt werden kann. Zum Beispiel tmux, screen und rsync, um konkret zu werden.

Doch wie baut man sich diese Infrastruktur am besten, schnellsten und effektivsten auf? Setzt man auf IaC (link zu iac blogpost) Tools wie Terraform, Ansible oder Cloud Formation (oder deren Pendants anderer Cloud Provider)?

Setzt man auf VM Templates in der Cloud um moeglichst einfach mehrere identische Maschinen zu spawnen?

Und realisiert man rotierende IP Adressen vielleicht einfach ueber extra VMs als SOCKS Proxy?

Alternativ zu diesen aus der Cloud Native Software Entwicklung bekannten Tools ist axiom (link). Ein Framework aus bash-skripten um durch die API von digital-ocean (initial, voll supported), IBM cloud und Linode (beide recht neu) dynamisch Infrastruktur on-demand zu starten und zu nutzen.

Sehen wir uns Axiom doch einmal zusammen an.

Setup

First things first - was muss installiert werden bzw. vorhanden sein, um mit Axiom loslegen zu koennen.

Der einfachheit halber orientieren wir uns dazu an der offiziellen Installationsanleitung (https://github.com/pry0cc/axiom/wiki/0-Installation)

Diese fordert folgende Installierten Tools:

git
curl
ruby
jq
packer
doctl (Zur Steuerung von Digital Ocean via API) → https://github.com/digitalocean/doctl
Interlace (https://github.com/codingo/Interlace)
rsync
lsb_release
fzf

Zusaetzlich wird noch ein API Key fuer Digital Ocean benoetigt und ein SSH Schluesselpaar zur Verbindung zu den Maschinen.

Sobald alle Anforderungen erfuellt sind, kann Axiom installiert werden. Die einfachste Variante ist der allseits beliebte curl-bash:

bash <(curl -s https://raw.githubusercontent.com/pry0cc/axiom/master/interact/axiom-configure)

Natuerlich sollte man das erst tun, nachdem man sich das Skript angesehen hat und versteht, was passiert.

Alternativ koennen wir das Projekt auch einfach in ~/.axiom/ clonen und dann axiom-configure ausfuehren.

Das Skript fuehrt insgesamt sehr angenehm durch den Installations-Prozess. Quality of Life Features wie die golang Installation sind dabei natuerlich besonders angenehm!

Wenn saemtliche Abhaengigkeiten erfolgreich installiert worden sind, folgt als naechstes die Einrichtung eines digital ocean accounts fuer Axiom.

Alles was dazu noetig ist, ist ein API token - der kann im digitalocean Interface in den Account Settings unter Tokens/Keys ein neuer angelegt werden.

Wenn das alles funktioniert wie gedacht, sollte euer Terminal irgendwann so aussehen:

Der erste Schritt zum verteilten Pentesten ist geschafft - wie geht’s jetzt weiter?

Erste Schritte

Bevor wir Anfangen koennen, muessen wir als erstes eine neue Axiom-Instanz erzeugen. Das passiert ganz einfach via axiom-init <instanzname>. Nach einigen Sekunden warten, ist die erste Instanz gestartet und wir koennen tiefer eintauchen.

Von dieser Instanz aus, koennen wir - ohne einen weiteren manuellen Schritt auf diverse Tools wie amass, assetfinder, dnsx, ffuf, gobuster, etc zugreifen - und haben bereits Zugriff auf einige gute Word-lists, beispielsweise das gesamte SecLists Projekt (github.com/DanielMiessler/SecLists).

Ansonsten koennen wir mit dieser Maschine quasi genau so arbeiten, wie mit jeder anderen Pentest-VM.

Aber was passiert mit den ggf. extrahierten Daten sowie den Log- und Ergebnissfiles? Die sind ja nun auf dieser Cloud-Maschine.

Hier gibt es auch ein tolles Feature - axiom-scp um Dateien von und zu der Cloud-Kiste zu verschieben! Die Benutzung ist quasi Deckungsgleich mit dem regulaerem scp. Geht flott von der Hand.

Bisher war alles recht bekannt und einfach - alles wie gewohnt, alles von einem Rechner aus. Das soll sich im naechsten Schritt aendern.

Hoeher, schneller, breiter - axiom-fleet

Mit axiom-fleet beginnen wir, uns ein grosses Stueck der Power von axiom zu bedienen. Dem verteilten bzw. skalierten Arbeiten. Mit axiom-fleet koennen wir mehrere Instanzen gleichzeitig auf- und abbauen und orchestrieren.

Um eine Flotte gleicher Rechner zu spawnen, funktioniert mit folgendem Kommando:

axiom-fleet acidburn -i=5

acidburn ist hier der Name unserer Flotte

mit dem Parameter =i=5 geben wir die Anzahl der Instanzen an. Je nach Zweck bietet sich hier an. Fuenf Instanzen haben sich bisher immer als recht passabler Kompromiss zwischen Preis und Leistung herausgestellt.

Nach ungefaehr fuenf Minuten stehen unserer 5 acid burns dann bereit.

Jetzt noch alle selektieren mit axiom-select "acidburn*" und wir koennen auf allen 5 Rechnern gleichzeitig arbeiten - zum Beispiel via axiom-exec.

Mit axiom-exec lassen sich shell Kommandos auf der ausgewaehlten Maschine ausfuehren - oder eben auf allen ausgewaehlten.

Skaliert scannen

Das ist an sich auch ganz nett - allerdings stellt sich dann noch die Frage, wie man eine Workload z.b. zum Directory Brute Force (gobuster), screenshots (gowitness) oder scanning auf XSS (dalfox) jetzt am besten auf die ganzen verschiedenen Instanzen aufteilt. Auch crawling durch Webseiten z.b. mit hakrawler oder Fuzzing via ffuf wuerde ja von einer verteilten Workload profitieren. Man will ja nicht 5x dieselben Requests auf eine Seite schiessen, sondern das moeglichst effektiv parallelisieren.

Die Loesung dafuer ist axiom-scan. Hier werden unter anderem die bereits genannten Tools sowie viele weitere bereits implementiert. Dieses Modul verteilt die Input-Datei dann auf die aktiven Instanzen und parallelisiert so die Workloads.

Auch die Problematik, das die Ergebnisse am Ende wieder zusammengefuehrt werden muessen, wird hier bereits erledigt. Keine doppelten Treffer und dadurch unnoetig lange Listen.

Angenehmer Nebeneffekt des ganzen ist natuerlich, dass die einzelnen Requests nicht von der Angreiffer-Maschine ausgehen, sondern von n Instanzen verteilt auf das Ziel eingehen.

Solltet ihr ein Lieblingstool haben oder sonst irgend eines vermissen, ist es auch recht intuitiv, wie axiom-scan funktioniert und anhand der bereits vorhandenen Module kann man schnell neue Module erstellen & nutzen.

Sonstige Features

Neben diesen Kern-Features gibt es noch einige weitere Features, die die Arbeit mit axiom sehr angenehm machen. Das koennen Kleinigkeiten sein wie eine fertige golang Umgebung mit gesetzen Umgebungsvariablen - oder dass das grossartige SecLists Reporitory bereits ausgecheckt ist und wordlists fuer alle moeglichen Verwendungszwecke mitbringt.

Beispielworkflow

Nach all der Theorie und der Vorschusslorbeeren, wollen wir uns jetzt noch einmal einen Beispiel-Workflow ansehen und durchdenken, wie axiom waehrend eines Penetrations Tests eingesetzt werden kann.

Recon

Waehrend der Recon Phase des Engagements ist es unser Ziel, moeglichst viel ueber unser Target herauszufinden.

Gehen wir von einer Web-App aus, die unter [acme.com](http://acme.com) erreichbar ist. Nun gilt es, sich einen Ueberblick zu verschaffen, welche aktiven Subdomains wir erreichen koennen und natuerlich auch generell den Aufbau der Webseite.

Hierfuer starten wir mit amass und suchen nach DNS eintraegen fuer acme.com. Je nach dem bekommt man es hier schnell mit einer grossen Menge an unterschiedlichen Subdomains zu tun.

Die Validitaet und Erreichbarkeit der einzelnen Subdomains (fuer http-Requests) pruefen wir nun mit httprobe, was uns eine Liste an erreichbaren Webseiten liefert.

Ab hier koennten wir uns natuerlich von Hand durchklicken - oder wir nutzen axiom-scan mit dem hakrawler um den Aufbau der einzelnen Webseiten zu extrahieren.

So bekommen wir Stueck fuer Stuck mehr und mehr Informationen ueber unser Angriffsziel. Und dank der moeglichen Parallelisierung geht das ganze auch noch deutlich schneller wie mit einer einzigen Maschine!

Exploit

Wenn wir einen moeglichen Angriffsvektor gefunden haben, koennen wir allerdings trotzdem unsere voll eingerichtet Maschine nutzen - um unsere IP dabei vor dem Bannhammer zu schuetzen, starten wir eine neue axiom Instanz und nutzen diese als axiom-vpn, um im Fall der Faelle ganz einfach eine neue IP bekommen zu koennen.

Alternativ kann die Instanz auch einfach via axiom-ssh genutzt werden und der Angriff startet direkt von dort aus.

Besonders Charmant ist hier natuerlich vor allem, dass auf und abbau neuer Instanzen relativ einfach und schnell geht. Neue Instanzen zu starten dauert ca. 5 Minuten. Automatisierung ist eben nicht nur in der Software Entwicklung eine grossartige Sache! Auch wir Angreifer koennen hier profitieren und die langweiligen Sachen einfach weg automatisieren. Die gesparte Zeit stecken wir lieber in die Validierung oder Entwicklung von Exploits!

Fazit

Alles in allem ist axiom ein sehr cooles Projekt, mit dem man mit wenig overhead und einer schnellen Einarbeitung - wenn man bereits eine solide Basis im Umgang mit Linux Kommandozeilen-Tools hat.

Sollte man noch keine dynamische Infrastruktur zur Verfuegung haben, um Pentests skalieren zu koennen, schnell VPN Server zu deployen, ist das eine super Alternative zu terraform, ansible und co - auch wenn man mit diesen IaC Tools natuerlich deutlich mehr Moeglichkeiten hat - der Fokus auf Penetration Testing fehlt ihnen.

remove declutter move on

Mon, 29 Jun 2020 00:00:00 +0000

Once agains, it has been quite a while since the last post. looking back on my last collection of thoughts, a lot has changed. people start moving back to offices (what i seriously do not understand at all), we see masks that are not worn properly and meanwhile - i keep working from home and minimize contact with the outside world.

don’t get me wrong - i’d love to sit in a cinema again or visit a restaurant without a reservation in advance, but right now, it feels way too risky. whelp. now that pandemic confused me again. that’s not at all what i wanted to write about…

why ‘remove declutter move on’ you might ask? i have to agree, it’s a bit cryptic. yet it is exactly how i feel right now. with our daughter crawling around (everywhere) and already beginning to stand up, we needed to child-proof the apartement. i’ve already started with my office, which was basically a storage space and looked like a giant mess. it felt pretty good to declutter and sell tons of stuff. now we moved to the kitchen and the living room and it really feels good. i don’t even know why, but without all that crap flying around that no one needed, my focus improved. awesome side effect: less crap to keep clean. more money in the wallet.

but it’s also great as we are going to move in a new home in 3 months and i’m lazy and don’t want to drive too often between the two places…

Covid-19 changes

Thu, 14 May 2020 00:00:00 +0000

The Covid-19 pandemic has changed (almost) everything. One of the biggest changes to notice was the shift to work from home. Suddenly, everyone who was able to, was ordered to #StayHome - something that has been "not possible" in lots of corporations. And after a while, I heard lots of people asking themselves, why they should return to their offices. Even some companies like [twitter](https://www.theguardian.com/technology/2020/may/12/twitter-coronavirus-covid19-work-from-home) will allow their personnel to work from home indefinately. If you ask me, that's something that everybody should be able to do (if the job allows it). Of course, my perspective is heavily biased by being an extremely privileged *knowledge worker* in the information age. But what is with the other people? To ones that have to work on the 'outside'? Well, these people - nurses, cashiers in supermarkets, truckers, bakers, etc - were **vital for the system** basically over night. They have worked for years and never got any respect. Society looked at Hedgefonds Managers or rich startup tech-bros if you asked to show you "successful people". Yet societies all over the globe are fine with them just sitting at home. But what would happen if the nurses and the people who take care of the steady supply of food decide to #StayHome as well? If you are still thinking about it: Stop. We would be royally fucked. Maybe we should start and pay them accordingly.... ツ Besides these two things, something else changed: Priorities shifted. Just think about it - half a year ago, lots of folks never thought about their health. We thought about where we want to go for vacation, which restaurant to visit or if we can afford a new car or a bigger flat. For now, most of these things don't matter anymore, as long as we're healthy. I'm pretty sure, this new focus is a good thing. After all, the only really important thing for us is that our families are safe and healthy. Consuming *more* from whatever we thought was important is apparently not the most important thing in the world. Keep that it mind - and take care of yourself and your loved ones.

restart and refocus

Tue, 11 Feb 2020 00:00:00 +0000

I think I’ve written a post like this on almost every blog i ever had - the first post after a long(er) radio silence. This will be a train of thought, without structure - so if you bare with me, feel free to continue reading. I don’t mind if you, dear reader, skip this post.

The last year has been quite the ride for me. I’ve fully transitioned to an infosec-role, got my first cert and learned a ton (thanks to everyone involved at hackthebox, the hack in the box conference, blackhat, defcon, the ccc and linux academy). Despite all that, i also became a father. This still feels weird to type and read…

Of course, this has introduced lots of new things in my life and shifted my priorities a bit. It also made me realize, how much time i spend glued to displays or with headphones in, consuming media, news, theories and knowledge. For example i was pretty proud being able to listen to an enormous amount of podcasts each week, due to the fact that i worked myself up to 2x listening speed. After a while i recognized, that this came at a cost - i couldn’t remember shit about what has been said. But not only there, i also forgot way more shit that i used to. I’ve always been prone to forgetting something, that’s why i made it a habit to write (almost) everything down that i have to do, but i took notice. Not being able to complete my backlog of podcasts also introduced unnecessary stress to my life, so i decided i need to get rid of that as well. I did a considerable downsizing of my podcasts and reduced the listening speed to 1x. Speaking about focus: Everything purely development related got kicked out - it’s too much to keep up with this as well as the cybers. I also unsubscribed from some very long and “talkey” podcasts, as it does not contribute to my focus and therefore distracts me from achieving my goals.

After a few weeks i already noticed an improved focus and i don’t miss anything. The important stuff always reaches you. Feel free to drastically reduce your intake of news etc. This also forces you to focus more. What is important and what is not? With that in mind, I decided to (finally) finish what i started last year - my eCPPT Certification. I did not manage to finish that in time for the birth of my little one, so i decided to start over. Back to square one and study!

To get myself into the groove, I started doing hackthebox again - already got three users, two roots and solved one challenge. FeelsGoodMan!

When this is done, I want to dive in one of the three big cloud providers and learn about building stuff there in a secure way - and probably about pwning it as well! I haven’t decided yet, if it’ll be azure, aws or gcp - time will tell. I’m leaning a bit towards azure, as it seems to be extremely in demand right now…

Guess it’ll be a busy year - I’ll try to do updates from time to time and will drop stuff i learn on the way right here.

cu soon and have a great year 2020!

dorking public google drive documents

Tue, 24 Sep 2019 00:00:00 +0000

This neat google dork i found site:http://drive.google.com + “drive/folders” will give you a sizable list of public accessable google drive instances.

Remote or Nothing

Mon, 23 Sep 2019 00:00:00 +0000

In the last years, I transitioned from working full-time on-site to work remote for most of the time. Neither was this always easy, nor does this work for everyone. So please take everything with a grain of salt and have in mind, that these fews reflect my own observations working in the technology sector.

When you talk to people from different backgrounds what they think of remote work, the answers tend to vary quite a bit. Some think working from home (which means ‘remote’ for most), means that you’ll be available on the company messenger and make sure to get as much of the housework done before you clock out. Others will tell you that they can’t imagine doing anything remote, because they need to talk face-to-face with their colleagues to get anything done. Some may worry of not being able to stop working if work and home meld together. Of course, as with most things in life, the truth lies in the middle.

In the next few parapgraphs, I’ll give my opinion on some (perceived) drawbacks of remote work.

The drawbacks of remote work

Remote work is not real work - all you do is doing housework on company time!

Of course, all that ever happens in an office is absolutely efficient and value-driven hard work. ¯_(ツ)_/¯

All jokes aside, of course there will be days where you’ll be able to empty out the dish washer between two meetings or a conversation with the neighbour you pass by each other in the stairwell. But most people I work(ed) with are not lazy. People do actually want to work and achieve something. Of course, no one likes to do menial tasks all day long. But you’d be fascinated if you realize how many people sit in an office and browse reddit for 7.5 hours and go home afterwards, because the work they are doing isn’t challenging. If you keep challenging your employees with interesting, engaging problems (and trust them to solve them for you), they emptying their dishwasher will not seem to be a problem worth discussing.

I can’t do remote, I need to talk face-to-face for my work.

What happens if I tell you, that it’s not always necessary to get an immediate response and the full attention of anyone near you. Sometimes it’s even better if you can’t just go over to Jim and ask him how he deployed the application last time - because you just detected an information bottleneck. What happens if Jim gets hit by a bus on his way to work? (Please Jim, take a look in both directions before crossing the street!) So either you need this documented somewhere in writing. On the other hand, if it is already thouroughly documented: Why didn’t you just read it up and let Jim do his work instead? Interuptions can destroy carefully constructed thoughts and might burn through more time than you’d think. Although almost everybody has seen this already, have a link to the comic that explains interuptions from a programmers point of view.

Working remote is not for me - I need to separate work from home life

Valid and understandable notion. Before I had a dedicated space to do my work, I struggled immensely with this. The desk i worked at was the same desk I played games or made music at. This made it far too easy to “just check work emails once more” or underestimating the youtube recommendation algorithm and wasting an hour or two watching videos. The solution to this are probably as divers as people can be. For some it might not be a problem at all. One computer, one mobile phone, multiple uses. Other need separate devices or a room dedicated to do their work. The thing that did it for me (finally) was switching back to having separate phones. Completely separate. No private mails, messages or apps on the company phone and nothing work-related on my personal one. Without this separation, I’d catch me reading slack messages or drafting mails late at night, during lunch or at whatever place I was.

But what about meeting people? Isn’t it a bit lonely to be remote all the time?

It actually is important to go out from time to time. Meeting friends, taking a walk and have a chat with someone. Sure thing, it helps to relax and unwind - but this is not confined to an office location. But I have to agree that working remote might make it easier for yourself to stay in the comfort of your home and don’t come out if it isn’t necessary. So you should be aware of this and act accordingly.

The benefits

After investing quite some time in the (conceived) drawbacks of working remote, here are the key benefits that I discovered for me.

The most obvious one: No more commute. Don’t cram yourself in public transportation for at least an hour every day just to sit at another desk and do the same stuff you could be doing from anywhere else as well. This might be the time you need to finally get in shape, play more with your kids or enjoy with your partner! Don’t throw it away, make use of it!

Another thing that comes from working seperately from your team: Focus. Concentration. No one can walk over and interupt you in the middle of a thought. You are in control of notifications and are able to limit interuptions. Just make sure to be reachable if shit really hits the fan.

Another aspect to remote work is, that I learned to value time spent together with my colleagues more. If you have to make the conscious decision to meet up, everyone will make sure to get the most out of it.

One thing that also comes up a lot if you read about remote work is flexibility - be it when you do your work or where to do it. I can’t say too much about the when, because I usually stick to a certain schedule that I know that works. Not only for me, but also for the people I work with.

The conclusion

All things considered, I wouldn’t want to have it any other way. I know how to work around the (biggest) pitfalls and don’t see any benefit in wasting time and resources just to work at another desk in another building.

In case you’re still interested, here have some links:

switching from gnu-screen to tmux

Tue, 17 Sep 2019 00:00:00 +0000

After using linux (or any sort of unix-like operating system) for a few years, most users get pretty comfortable on the command line - and from time to time open several terminal windows/sessions just to avoid having to stare on the output of another long running process. If you find yourself in this position more often, you’ll find yourself searching for a thing called terminal multiplexers. This is a tool that enables you to switch between multiple terminal-panes inside of your shell-session. Awesome, right? They also might offer you features like tiling vertical or horizontal, if you need to see several things at once.

A few years back, I started using gnu-screen as my multiplexer. Recently I got a bit annoyed with it though. One thing that bothered me from the beginning was, that the name screen makes it pretty hard to find relevant information via online search engines. So it was almost always way more tedious to find the information i wanted as i would expect it… Something I also disliked more and more was, that I always had to open the same few panes after a while. I usually have very similar workloads and got used to having panes labeled as nmap, gobust or revshell (for example). And then I discovered tmux-continuum while reading this post on stackoverflow - yes. tmux. Not screen - and the urge to finally ditch gnu-screen got strong enough. After reading several guides to switching, I decided that the work involved is not too much and that I would manage to do that within lunch break. And I went for it.

See the .tmux.conf I currently use below:

# set prefix to ctrl+a
unbind C-b
set -g prefix C-a

# toggling windows with ctrl+a ctrl+a
bind-key C-a last-window

# jump to the beginning of the line
bind a send-prefix

# don't rename windows automatically
set-option -g allow-rename off

# start with window number 1
set -g base-index 1

# Notifying if other windows has activities
setw -g monitor-activity on

# split panes using | and -
bind | split-window -h
bind - split-window -v
unbind '"'
unbind %

# vim copy mode
bind P paste-buffer
bind-key -T copy-mode-vi v send-keys -X begin-selection
bind-key -T copy-mode-vi y send-keys -X copy-selection
bind-key -T copy-mode-vi r send-keys -X rectangle-toggle
bind -t vi-copy y copy-pipe "xclip -sel clip -i"

# statusbar
set -g status-position bottom
set -g status-justify left

# List of plugins
set -g @plugin 'tmux-plugins/tpm'
set -g @plugin 'tmux-plugins/tmux-sensible'
set -g @plugin 'tmux-plugins/tmux-resurrect'
set -g @plugin 'tmux-plugins/tmux-continuum'
set -g @plugin 'tmux-plugins/tmux-yank'

# tmux-continuum
set -g @continuum-restore 'on'

# Initialize TMUX plugin manager (keep this line at the very bottom of tmux.conf)
run -b '~/.tmux/plugins/tpm/tpm'

This offers me (so far) everything i need. From vim-like copy and pasting (as found in this blog post) to preserving my opened panes, the status-line and the shortcuts that are deeply ingrained in my muscle-memory.

find on windows

Fri, 21 Jun 2019 00:00:00 +0000

If you find yourself on a Windows host and desperately search for a file, remember

dir \s\b\a <filename>

This commands acts as an ‘as good as it gets’ replacement for the classic unix find command.

s includes all sub-folders

b bare format (no heading, file size, summary)

a display all files

AI Superpowers: China, Silicon Valley and the New World Order

Mon, 10 Jun 2019 00:00:00 +0000

I just finished reading AI Superpowers: China, Silicon Valley, and the New World Order. The Author Kai-Fu Lee paints a picture, what Chinas role, perspective and history with AI. It was a pretty interesting read and a look into an area of computer science that I don’t follow as close as others.

It was extremely fascinating, seeing how China approaches innovation in general and especially Artificial Intelligence and Deep Learning. A book about technology and innovation in China is not complete without talking about WeChat, Alibaba, Tencent and everything that happens on- and offline in the land of the rising sun.

The biggest take away of that book for me is, that China is superiour in many regards to the US and the rest of the world - and that is the free flow and easy access to huge amounts of data. Also known as big data - and in china, that is really big. With the rise of WeChat as the Mega-App that is omnipresent in the peoples lives, huge amounts of data have been collected, labeled and correlated. The App is basically everywhere and enables users to order food, discuss politics and science and pay the ticket for public transport - all without leaving the app.

What separates chinese startups from the usual suspects out of the silicon valley, is their willingness to control the whole value chain - not only the detached digital part of it. Online to Offline - O2O - is the key to success here.

I’m really curious, how the future for AI will look like - and wether or not china will be the leader in that space.

obtaining a full interactive shell with zsh

Thu, 23 May 2019 00:00:00 +0000

If I’ll ever forget it again, hopefully i’ll remember this post.

After getting a connection on your reverse shell, we do not have a fully interactive shell yet. This is especially obvious if you try to sudo or something that requires a real terminal. We are confronted with the problem, that No TTY or askpass program is present. To solve that, we can upgrade our shell.

First, put your netcat session in the background with

ctrl + z

Get the number of rows and columns with

stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'

To ignore hotkeys in the local shell and return to your reverse shell, enter

stty raw -echo; fg

For zsh users it is important to enter this in one line!

Configure your rows and columns

stty rows ROWS cols COLS

And then

export TERM=xterm-256color

All you need to do now, is reload your shell:

exec /bin/bash

Easier (if possible) is the classic python oneliner

python -c 'import pty;pty.spawn("/bin/bash");'

a tribe of hackers

Thu, 02 May 2019 00:00:00 +0000

After listening to the interview with Marcus J. Carey, curiosity led me to buy yet another book.

The book is a 14 question interview, that is conducted with lots of security folks that are widely known in the industry.

Before reading anything but Marcus’ own answers, i’d like to chime in with my own.

1) If there is one myth that you could debunk in cybersecurity, what would it be?

One thing that i hear a lot is, that folks think they are not important and got nothing to hide. That’s bullshit. Simply appearing as someone else online might be extremely useful for a bad actor - and could ruin a big chuck of everyones lives.

2) What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?

Roll out 2FA. Yes, even SMS as a second factor is way better than no second factor.

3) How is it that cybersecurity spending is increasing but breaches are still happening?

Maybe we are only noticing breaches now, that went undetected earlier? Even if that would not be the case, todays cyber is more complicated and heterogenous than ever before. The perimeter-thinking can not be applied if you consider cloud, byod policies, folks remoting full-time etc. Just with the hyperconnected-ness of todays IT, it gets too complicated to graps. At least for a single person or even a single (security) team.

4) Do you need a college degree or certification to be a cybersecurity professional?

I guess that depends on where you live and where you look for work. I did my bachelors degree in computer science which has served my quite well. On the other hand, I’m kinda lazy when it comes to self study so the schedule with regular lectures and tests helped me there.

5) How do you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

I’m interested in security since i first read about malware, worms etc. I casually followed the field - mostly through podcasts and reading books - until 2016. Up until them, I became a Software Engineer and looked for a new job. With the new job, I had to freedom to switch my focus to InfoSec completely.

6) What is your specialty in cybersecurity? How can others gain expertise in your specialty?

As I can’t look back on too much of a career so far, I’d consider myself an ambitious learner. Diving into topics and learning as much as I can.

One of my focus topics is cloud security, because as more and more companies are adopting cloud usage, it’s interesting to see different approaches to security in that environment.

7) What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

If you think you have what it takes: Apply! Job-Ads are wishlists. Nobody has everything that recruiters list there. Also, remember that the interview goes two ways. It’s not only you, who is looking for a new job and therefore apply to a company, the company is also applying to you. If you don’t think it’ll work for you, keep looking. Life is too short to be stuck in miserable jobs.

8) What qualities do you believe all highly successful cybersecurity professionals share?

Effective, clear communication. That and staying hungry for learning.

9) What is the best book or movie that can be used to illustrate cybersecurity challenges?

The Art of Intrusion in combination with Ghost in the Wires would give you a pretty good overview of a lot of the security challenges. Combine that with The Phoenix Project and you can relate to the common struggles of developers.

10) What is your favorite hacker movie?

That’s a hard question. I’d say it’s close between Hackers, War Games and Sneakers - if I have to chose between those three, Sneakers would win.

11) What are your favorite books for motivation, personal development or enjoyment?

For personal development, I’d like to recommend Deep Work by Cal Newport. Since adopting deep work, I noticed a serious improvement in my quality of work.

For Enjoyment I tend to re-read Lord of the Rings from time to time and I recently started again with Perry Rhodan. Easy to read Sci-Fi to relax.

12) What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

Update all the things all the time. Delete Apps you don’t use anymore. And reduce your use of social media - or quit, if you feel it does not serve you any good.

13) What is a life hack you’d like to share?

If something doesn’t take long - just do it. Why schedule a 5-minute task for some later point in time. Do it now and you don’t have to remember it.

14) What is the biggest mistake you’ve ever made, and how did you recover from it?

That’s a hard one. The one thing in life that I regret is, that I did not act earlier when I felt miserable. Took me a few years to figure that out, but I think it has worked out since that.

To make sure this does not happen ever again, I regularly check, if I’m still happy and how I progress on the path to my personal goals.

book review: the goal

Fri, 26 Apr 2019 00:00:00 +0000

Just finished reading (or rather listening The Goal by by Eliyahu M. Goldratt, Jeff Cox. I had it on my list for quite some time, after I heard the recommendation got tossed around for people who liked The Phoenix Project by Gene Kim. As I very much enjouyed the latter, I decided to listen to that recommendation.

The Goal is a fast-paced thriller-style novel, that follows Alex Rogo around on his quest, to safe his production plant. He gets help from one of his old professors, Jonah, that nudges him in the right directions while asking questions. The questions get not only Alex thinking about the workflow on a factory floor, but also the reader gets pulled in the Theory of Constraints, that Jonah presents - as a proxy for Eli Goldratt. Step by step, Alex discovers where the (totally un-intuitive) problems are located and works with his team, to resolve it.

Apart from the core message - the theory of constraints explained in-depth with the factory as an examle - the book is very well written. The story that evolves around Alex’s private life is quite classic and offers nothing new or unexpected, but it offers a nice personal touch to the work-related story. The factory-plot on the other hand is very intense and (especially nearing the end) was a real page-turner.

As I have literally no experience running or even working at a factory floor, I’m curious how well the learnings from the Theory of Constraints work there. I guess, there will be some reading in order…

If you are only interested in the cold, hard facts, the wikipedia article gets you started. But skipping the book will make you miss a pretty interesting and well written story ;)

steam controller - the struggle with rocket league

Thu, 28 Mar 2019 00:00:00 +0000

last week, i finally decided it’s time for a controller again. as i have a somewhat spare older gaming pc here, i decided it’s time to repurpose it. there is space behind the tv - why not using it as a steam box?

while researching what controller to use - or if i should just buy wireless keyboard/mouse, i realized that the mainboard does not have bluetooth - so i need a dongle anyway. the steam controller comes with a dongle already. well, why not, i thought?

so i ordered it. it arrived reasonably fast (2 working days) and included batteries!

plug it in, updating firmware.

with the right thumb-pad, you can controll the mouse. nice, the controller is usable for casual web-browsing! and obviously it got recognized by the os already.

start steam in big picture mode - and the first weird thing happened. the controller settings said no controller - after a minute of frantic web-searching, i realized i need to install the steam-devices package. did that, controller showed up. now let’s start rocket league! the game for which i purchased the thing in the first place.

controller works in the menu.

join game

nothing.

after hours and hours of web searching, messing with the config, restarting steam, recalibration etc, i found the following:

Forcing Steam Play/Proton because the Linux build has a bug with the Steam Controller support where the controller will not work in-game. Menus work fine, and changing to generic xinput controls work fine, but I want to use the native SIAPI support which works fine on the Windows build of the game. Steam Controller works perfectly with Rocket League using Steam Play/Proton.

source

did that, enabled proton - and it WORKS. Thanks a lot, unknown proton user - i was starting to get really mad. I really hope this get’s fixed soon, because it seems to be a pretty weird bug… Plus i now have to run proton wrapper for a game, that is natively supported.

book review: the art of intrusion

Wed, 20 Mar 2019 00:00:00 +0000

One of the stories that got me interested in infosec a few years ago, was the story of kevin mitnick. out of curiosity - and lacking an idea what it takes to pull something of like that - i decided to jump in deeper in the world of cybers. so after browsing the bookstore a bit, i stumbled upon the art of intrusion - written by kevin mitnick and william l. simon. so i was already intrigued. but instead of only telling more stories from or about kevin, the book explores several fascinating, interesting or crazy hacks. in contrast to most of the hacks in his story that evolve around social engineering, the art of intrusion focusses on technical or physical exploits.

without going too much into details, a few thought’s on the book: - it was overall an interesting (and rather quick) read - the story-telling, especially regarding technologies or technical details was kinda inconsstent. sometimes it went into great depth of explaining something, and in other parts the book blasted through stacks (and heaps) of different technologies without any explanation - it from 2006. so some things appear almost antique - it’s a collection of hacker-stories. there is no coherent story from start to finish - at the end of each story, there is a summary of the attack and some possible counter-measures. i consider that to be the most valuable part of the book - some stories are anonymously told and not verified

With all that in mind, would i recommend the book? for sure. just don’t expect anything similar to ghost in the wires or a textbook with lessons and facts about information security.

setup pi-hole on ubuntu core

Tue, 05 Mar 2019 00:00:00 +0000

goal

The internet gets more and more tracky, annoying and slower every day. After hearing from several people lately, that have tremendous fun with their pi-holes and the ability to surf the web without ads and trackers - even on devices that usually don’t have adblockers, i decided to give it a go.

problem

The snap is not in the snap store (yet), but available via github. So yeah, curl - nope. Not available. wget? nope. nc would be possible - but i’m not that keen on writing my get request just to download a zip-file from github… So the search began.

solution

After searching the net for quite some time, i’ve found out how to git on ubuntu core. This would enable me to clone the snap repository from github and install the pi-hole snap.

Thanks to stackoverflow user dehli, i mangaged to install git via the classic mode - where apt is still available. The following snippet is from his answer on stackoverflow.

snap install classic --edge --devmode
sudo classic
sudo apt update
sudo apt install git

The rest should be working as described in the readme.

alternative

If you do not want to add git to your system, you could also use docker and let the pi-hole run as a docker application.

closing thoughts

Now all you have to do is choose wisely. I have the feeling, that the docker-repository is way more active and therefore i tend to go with that way. On the other hand, i like the auto-updating feature of snapd pretty much and would like to use the snap. I’ll definately will be watching the development of this!

tl;dr

to setup pi-hole on ubuntu core, either use docker or install git via the classic snap to add git to your system.

perry rhodan

Sat, 23 Feb 2019 00:00:00 +0000

last week during shopping, i’ve stumbled upon something i have not seen in years: a perry rhodan dime novel. i’ve started reading these novels when i started to explore science fiction 20 years ago. i started with number 1, and now i just finished 2999 - and with number 3000, a new story arch begins.

this brought up so many memories. i’ve spent many hours, days, nights with perry, bully, gucky and many others. looking forward for the next series, and i hope the stories stay as captivating as they were before.

i also learnt, that you can buy all of the old episodes as ebooks in the shop. the future is now!

first visit @aws meetup nuremberg

Tue, 12 Feb 2019 00:00:00 +0000

after subscribing to the meetup itself a while ago, today is the first occasion i made it to the aws meetup in nuremberg. the topic that caught my attention and made me leave my cozy home was Zero Trust in AWS. Eduardo Rocha, Senior Sales Engineer and Security Analyst at GlobalDots, will give an overview about the implementation of zero trust concepts on Amazon Web Services.

Eduardo started out with explaing the Zero Trust concept in general. The perimeter is dead, because the way we work changed (fuck yeah!) - people tend not to drive in the same office building every day. They are travelling between customers, working on the go or simply stay at home where they work. In addition to that, there has been a change in how companies do IT. Instead of maintaining a huge and costly datacenter, they started using the solutions cloud providers like aws offer. Scale on demand and use hosted services instead of maintaining everything by themselves. To re-create something that is similar to the oldschool perimeter of the past would have two effects:

it’s expensive, because you’d need more infrastructure
you would miss out on a lot of the flexibility of the cloud

So he explained, that it makes sense to operate under the assumption that you are navigating in hostile waters. to mitigate this and as one key element, he identified exhaustive logging and verifying.

so the proposed solution, that his company is dog-fooding already: adopting a cloud perimeter

leverage a zero trust security and delivery model for successful digital transformation
data plane/control plane
log everything
verify everything

Unfortunately, we got stuck discussing performance issues, scalability and wether or not this is something new instead of focussing on the concept in general - i would have been really interested, how they implemented trust in that system. are things like geolocation, time of the day, device-id’s etc taken into consideration, when the controller decides if you can access the services?

Afterwards there was another talk about siemens mindsphere and there was pizza - unfortunately i had to leave a bit early, because it was already getting late.

Although i was a bit disappointed of the technical depth and the way the discussion took, i’ll be definately be back at the aws meetup. and it got me curious, what direction and implementations of zero trust techniques we will see over the course of the next few years.

the infosec mindset

Fri, 25 Jan 2019 00:00:00 +0000

after being interested in hacking, malware, intrusion detection, social engineering and all the funny and interesting things that define the infosec field, i decided to drink from the fountain. i took the plunge and decided to invest in it and finally got serious with it. i started learning more, reading more and took part in ctfs.

after solving a few of the easy machines on hackthebox, i started to realize something:

you always learn
you’re forever a noob
sharing is caring. i got so much help and support that it would feel weird not to “give back” in some way
security is a mindset

the thing is the most important, and i’d like to elaborate a bit more on that. why should security be a mindset? isn’t it something that is easily solved with technology? in the end, it’s the technology that gets exploited, aye?

well, yes and no. there are lots of exploit out there that use weaknesses in the code. but yet, one of the most important - if not the most important attack vector is the human sitting in front of the keyboard. ask every experienced social engineer (or most children) - humans want to help and they want to make your life easier. so being aware of the human nature is one part of a security-aware mind. being aware, that someone might want to exploit you. not the computer in front of you, not the smartphone on your table. you are the target. because sometimes it’s just easier asking for a password than exploiting a vulnerability.

another part of the security mindset affects the developer. the developer (as a persona) is very target-oriented. they want to get stuff done, implement yet another feature and are very methodical. tests get written, documentation gets writte - and before that user stories are breaken down into tasks and the necessary information gets extracted. all of this is part of the process, that defines the image, that the programmer has in their mind. an image, that is filled with what needs to work - and sometimes with the how. maybe they also have some test cases in mind. this can be pretty dangerous, because the developers might focus only on the expected behaviour, expected input etc. but what with all the edge cases? speaking from personal experience, this happens quite a lot. the owasp top-10 do not by accident contain lots of easily mitigated stuff. dealing with sql injections is really not a technical problem in 2019…

but even with security-conscious developers, this is not yet solved. the best team of security-aware developers can be mislead by or severly limited in their abilities by a product owner (or whoever creates the user-stories/specification) that focusses on features and on features alone. especially when time or budget is short (and it kinda always is), then security can easily be ignored (“if we don’t look, everything is secure, right?”) or be seen as a competitive disadvantage. creating a secure product is hard and expensive. at least more expensive than just ignoring security completely. as long as the customers don’t take their money somewhere else to punish organisations that obviously don’t care about their security, nothing will change in that regard.

and with customers in mind, we reached the next group where a security mindset could pay off: the paying customers. if scandals, breaches and gaping security holes are not enough to turn your back on some companies and products - well, why should anything change? if we do not vote with our money, nothing will change and everbodies data will be public in the end.

to sum it up

tl;dr

security is a mindset. developers, product-owners and customers can profit from developing an eye for security in the products they use - or we will be faced with more and more breaches.

to create secure software, everyone involved in the process can benefit from being aware of security not as a cost factor, but as a matter of quality.

book review: the attention merchants

Tue, 22 Jan 2019 00:00:00 +0000

the attention merchants by tim wu, the author of the master switch, is an in-depth analysis of the current state of the market for the users attention. a market that is unknown by big parts of the population. as in the master switch, he starts from the beginning, telling the stories of the first snake-oil sellers and how their methods and sales techniques transformed over the time. and yes, snake-oil was meant literally. How and why? Find out in the book!

Tim Wu manages to create a enthralling narrative that takes the reader through a journey through time and space, from marketplaces where everybody shouted at people and tried to gain attention - to the now, where we give our attention willingly away and feed it into platforms like facebook, instagram or twitter.

we seem to have transformed our default state of mind when zoning out to watching tv - and are now binge-watching whole tv shows over the weekend to escape from reality. we always want to see and read and know about the next big thing. the fear of missing out is so strong, that we are always drawn to our screens. swiping away hour after hour. face it: we’re addicts.

after reading through the history of the attention merchants and thinking about the current state of tech - we have to question ourselves whether or not we want to play that game.

or should we rather remove ourselves from this mad circus?

movie review: the cleaners

Sun, 20 Jan 2019 00:00:00 +0000

the cleaners is a documentary, that shows the work (and life) of five content moderators for different social media platforms. if you have ever thought who deletes all that stuff in social media - this movie is for you.

the cleaners shows, what it does with people, who are basically forced to watch every video, image and the acompanying posts in social media. these are the people, who have to deal with rape, murder, war, unsolicited dick picks and hate speech. every day. the billion-dollar companies that try to get everyone of their users hooked and want to harvest all that attention, have outsourced these jobs to the phillipines. where the people actually rather deal with all that user generated hate than gather trash and search for anything valuable in there. probably no one else would even think about doing this job for more than a day otherwise.

the movie shows not only, how much disgusting stuff gets uploaded all day every day - in case you needed proof - but how the big attention merchants don’t really care. all they want is more users that spend more time on their platforms. and you’ll probably learn a thing or two about what people are uploading. if you think you know it all, you are most certainly wrong. it’s worse than you think. but not only the content moderators get a voice but also content creators (artists), alt-right zealots, activists who try to paint a better picture of the war in syria or politicians.

the filmmakers were able to create a chilling portrait of an industry that we’re not even aware of. it’s direct, hurts and yet does not comment or tries to create an opinion. not even when one of the moderators describes her job as eliminating sin to protect the users.
combined with the huge number of opinions and points of view, it’s ultimately the choice of every user, if they continue using this system or say ‘goodbye’ to all that hate, fake news and attention-harvesting.

CEH starts here

Fri, 11 Jan 2019 00:00:00 +0000

one of my goals for 2019 is to, for the lack of a better word, formalize my education in the information security space. to do that, i decided to obtain the CEH, also known as the Certified Ethical Hacker certification.

i decided to start with that certificate, because it covers a lot of ground and is well known in the industry. i might not be the certificate that offers you the highest infosec street cred - but i don’t care about that. i do this for me, because i want to learn.

prep

to get a grip on the materials required, i’m taking the prep course on linuxacademy.

schedule

i want to get certified some time in 2019. according to my estimation (and course schedule on the prep course) i should be able to finish the prep course until end of march - and as soon as i feel comfortable enough, i’ll schedule the exam.

recently read books

Thu, 10 Jan 2019 00:00:00 +0000

the every computer performance book by Bob Wescott

i’ve revisited that one due to work-requirements and i needed to refresh my knowledge on that topic a bit.

i consider this one of the best (because technology-agnostic) books about performance engineering i’ve read so far. bob does an amazing job of conveying the core knowledge that helps developers in their quest for performant applications.

Deep Work: Rules for Focused Success in a Distracted World by Cal Newport

this one was a pretty surprising hit for me. Cal describes how he and other accomplished people manage to handle their work and advance their knowledge - without missing out on family or social life. for me, the simple things like quitting social media, scheduling your days and actually clocking out when the work is done seem to work pretty well. in addition to that, the book was easy to read, had a straight narration and didn’t take any detours. all in all: thumbs up - read this if you want to improve your life-work balance.

Turn the Ship Around by L. David Marquet

this has been some kind of a disappointment. neither because of the narration nor because of anything i disagree with - it’s just that the whole concept of leader-leader (instead of leader-follower) approach to leadership is totally obvious to someone who works and believes in the agile methodologies. it actually annoys me, if someone doesn’t think about what they are doing and just wait to get orders. or the other way round. only ordering what to do instead of focussing on how to achieve the best possible result. if this seems weird to you, go and read that book. if the navy can profit from that approach, i’m sure your organization can as well.

Scrum: The Art of Doing Twice the Work in Half the Time by Jeff Sutherland

Jeff Sutherland, co-creator of scrum, tells some stories of ridiculous improvements in team performances that he witnessed and supports these stories with the underlying concepts in scrum. nice read, interesting stories and a great opportunity to re-visit the concept and theory behind one of the most successful agile methodologies.

new years resolution for 2019

Fri, 04 Jan 2019 00:00:00 +0000

no review of 2018 - i rather look forward to 2019. what i’ve planned for 2019:

get the CEH
get fluent enough in golang to write (relatively) simple cli programs
- file system operations
- network ops
- data manipulation
practice more photography. grab the camera kinda regularly and shoot
lose a few pounds, get used to working out (again)
finish my tattoo

that’s it. nothing too much and nothing too fancy. wish me luck.