This past week was a crazy week. I came back from being out of the office with COVID. Felt OK, just couldn’t go back in until either a negative test or enough days had past. Monday was my first day back.

We’ve been working on a major feature for the uber project. Something that hits milestones that get reported to big-wigs. Tuesday was supposed to be the first demonstration of it – didn’t have to work fully, but the point was to get the various teams to integrate their stuff. Tech lead had been saying we were looking strong. I walk in on Monday and now the tech lead is out for COVID reasons, won’t be in all week, and has named me as his backup. OK, the demo’s looking strong, right?

In the full thread, I rant about what I walked into. Everything was broken. Meaning, some things weren’t even lined up to work: weren’t being built in the right environment, weren’t configured for deployment to that environment, etc. Worse, the things we did have built and deployed were suffering from two hairy problems not seen in our dev environment.

First, DevOps had rotated the keystores and even though we had the right location and password, our code was complaining that it couldn’t decrypt the key. Turns out they’d added an extra layer of passwords that our code wasn’t set up to handle. Scrambled to swap to an alternate form of keys that didn’t have as many layers, which meant I had to redeploy our base infrastructure. I hadn’t deployed it the first time – the tech lead had – so I was wading through deployment scripts and properties files trying to set things up correctly.

OK, averted that problem. Had it in hand well before the demo on Tuesday. The one I didn’t have as well in hand: the infrastructure relies on Docker containers running in kubernetes. We don’t launch the containers – the infrastructure does. In our dev environment, everything worked well. In our demo environment – crash and burn. The container failed to start and complained about a permissions error. The tech lead had mentioned the problem the previous week and said DevOps had fixed it. What he hadn’t realized is that they’d fixed it for a particular running container, not for the infrastructure overall. Whenever a new container got launched (because we deployed a new thing or changed the settings of a thing), we’d experience the same problem. I ended up applying DevOps’ same workaround for each container that was ready for the demo, so we’d at least have something to show.

You can read the rest of the thread for the rest of my ranting from Tuesday. I was steamed. But today’s Friday, and by Friday, I have conquered. I found a better workaround solution for the not-running containers bit, one that doesn’t require us to hand-edit k8s yaml descriptors. I got all of the things we had working in dev built and deployed in the demo environment, tuned settings to hit correct endpoints, made sure everything was running well, coordinated with other teams on what Kafka topics to use, and wrote bash scripts that make REST API calls to set up test data and trigger calls that help us show our stuff in action. Oh, and did that while coordinating with other members of the team on pressing support concerns, as well as wrote new code. (That new code isn’t done yet, but…)

Successful week! The tech lead is coming back Monday, just in time for the rescheduled demo. Given that next week’s my last week on that particular project, a great way to go out – saving their bacon in style!

After a day of supporting First Lego League as a judge (lotta fun!), I was delighted to see an early release of next week’s WiCys cyber challenge. The title is ‘Wireshark doo dooo do doo’ and it’s only a 50 point challenge, so I was expecting a not too difficult exercise in finding things in a network traffic file.

Not too difficult is right. After checking the file properties (and importantly, looking at the comments, as well as doing a quick search in the text of the file for the flag format of picoCTF – hey, easy finds are still points!), I looked through what the file’s protocol hierarchy said it held. Mostly HTTP, with a little bit of line-based text data. Let’s start there.

Results: two packets that returned text/html or text/plain data. The line-based text data one has a syntax that looks a lot like a flag: foo{morecraziness}.

I tried using CyberChef’s Magic decryptor, without success. I even tried telling it what I expected the first bits of the text to be (“The flag is picoCTF”) – stil no dice. I then tried an online substitution cypher breaker I’ve used before: https://www.dcode.fr/rot-cipher. In this case, the first thing it returned in its long list of possibles was ROT13, with text that said THEFLAGISPICOCTF. OK, that’s my likely winner. I went back to CyberChef and used its ROT13 recipe, figuring it’d better handle upper/lower, numbers, etc. Bingo. Flag in hand, all w/in ~15 minutes.

Going to have find some more interesting puzzles for the rest of the week…

On Thursday, Dec 16th, I turned in my last paper for my last project for my last class of my cybersecurity degree. On Friday, December 17th, my teammate turned in the last deliverable of the project. I’m done! We’ve gotten feedback on our deliverables already (“Exceeds Expectations” – a common refrain) and a hearty “best wishes in your future endeavors” from our professor. I’m done! I’m done! The grade hasn’t posted on my transcript yet, but UMGC is holding virtual commencement exercises today. I’m walking on cloud nine, just not on a stage. I wouldn’t have walked on the stage anyway – I just wanted the achievement, not the hassle of getting to some event somewhere to be announced to people I don’t even know.

Instead, I’ll spend my weekend working with balloons for a Clementine gig this afternoon and just generally being ecstatic that I’m done!

For certain assignments for our class, we’re required to submit videos. I’ve done it before by saving my narration in a PowerPoint file, but this time I opted to export it to an MP4 and publish to YouTube. Why, I’m not sure. Seemed like a good idea at the time.

Replaying my video through YouTube, I’m amused to see the list of things YouTube next recommends for me, after viewing a video entitled ‘CYB670 Team2 Project3 CyberOperationsAndRiskManagementBriefing’. (Eh, I should probably have cleaned that up a bit and put in spaces at least, but…)

In order of listing:

All of those sound much more interesting than my briefing on cyber risk management. Tempted to add a few recommended links for the professor’s enjoyment! Definitely check out the Carol of the Bells!

Between open carry laws that don’t require training or registration and a new law that incentives folks to turn in women or those who help them, Texas looks like it’s become quite the dangerous state. Churches and the government should establish refugee resettlement programs for any Texas women and their families that seek to leave. Texas is seeking to become a retirement only state. Warning: it’s hard to care for retirees without younger folks.

In a surprise shift in my career, my customer and employer is now supporting work from home. After a few weeks of working from home 4 days of 5, here are a few surprising reflections:

  • Not commuting is wonderful!
  • I can happily wear Crocs and PJs 4 days out of 5. (We have no video meetings!) That whole idea of dress for success? Doesn’t apply when you’re in the groove in code.
  • Makeup is an optional thing
  • Jumping out to the gym in the middle of the day means fewer people => more access to the weights. And not having to be at work (and no video meetings) means showering is a thing that can be done when the work day is done… (No, you don’t want to share a home office with me on workout days…)
    • Surprisingly, old people at the gym are the ones who are getting too close for my comfort in COVID times. Guess who’s at the gym in the middle of the day?
    • Note that me being at the gym in the middle of the day suggests the logical inference that I am old, which I attempt to avoid acknowledging…
  • While there are no distractions from too loud coworkers, the puppy who wants to play can consume some significant cycles that need to be accounted for in the timesheet
  • Beer can be consumed, but should only be done (1) in the evening, (2) when you’re almost done anyway, and (3) used as a stopping function. E.g., I’m on beer #2, billable time is over!

In July, I signed up to be a “fundracer” for a group doing great things in the Baltimore area. Back on My Feet is a national organization with a Baltimore affiliate. In each affiliate location, they set up running groups at local homeless shelters. They worry about making sure that running groups have structure and running partners (both residents from the shelter and from the community), help folks connect with shoes, and connect participants with employment and housing opportunities. Their model literally walks/runs alongside the folks they’re seeking to serve, committing to regularly be there with them and connect. They’ve got some impressive stats, too, in terms of numbers of folks employed and housed through the program – check out their website. The program says: “Our unique model demonstrates that if you first restore confidence, strength and self-esteem, individuals are better equipped to tackle the road ahead.” and that they “seek to engage you in the profound experience of empowering individuals to achieve what once seemed impossible through the seemingly simple act of putting one foot in front of the other.”

I’ve fundraced for BoMF before. They get entry slots in the local Baltimore Running Festival, which runs in October as a 5K, half-marathon, and marathon. I used to be more of a runner and would train for the half. I’m older and a bit less in shape than I was, with other priorities at the moment that keep me from dedicating time to build up to logging 12 mile+ training runs on weekends. But…. I can put a few fewer steps in front of the other and make the 5K (3.1 miles) happen. I’m now regularly running 2-2.5 miles during the week, with a long run on the weekend of 4 miles. I’m slow, but getting slowly faster. Using that same approach to commitment that the running club participants put in, I’m slowly seeing results. I’ll only earn success and complete the race if I keep it up, though, just as they’ll only earn their success if they keep putting in the work towards employment and housing.

If you, like me, find the approach valuable and/or inspiring, support Back on My Feet and their mission by supporting me in my fundracing. Earlier this month, I met my “goal”, which was the minimum tally to enter the race on behalf of BoMF. That said, just as your own home’s budget would appreciate any bonus amounts, so of course would BoMF’s. More $$ means abilities to support more folks and do bigger things.

Oh, did I mention? Thanks to one donor’s request, I’ll be running this a tutu, clown socks, with a clown horn and probably a goofy hat (heat dependent). Want me to up the ante somehow? Let’s talk! Want me to show up at your event in such??! Well, that’s possible, too. Although I can’t promise to run in full Clementine mode (clown shoes are _not_ a safe running option for 3.1 miles!), other events are possible…

Last link to make it easy to contribute here!

Succumbed to temptation today and bought a laptop. I’ve been thinking about it for a while. In two more weeks, I’ll need to hand back in the one I’ve been using from work. This Macbook has stood me well through college and capture the flags, and I’ll be sad to see it go, particularly since it’ll take another week after that before my new one arrives. That said, 32GB of RAM, a 1 TB NVME drive, an NVIDIA GPU with 8GB, and an AMD Ryzen chip: gotta put this poor box to shame. I’m going to have to grow my chops in reverse engineering and cyber exploitation to match it!


You may have seen a few more geek notes on here of late. I’ve really enjoyed jumping into CTFs. My objective isn’t to win, but to find more ways to solve puzzles.

This weekend’s adventures were a little different, though. My company sponsors UMBC’s CyberDawgs team, and they’ve asked us to contribute challenges to their upcoming CTF. I tasked our IRAD team with coming up with a few and I wrote a couple, as well. So this weekend I spent some normalizing our submissions’ README files and doing a final test of the submissions.

One of the submissions was really giving me trouble. The IRAD team member who’d developed it had demonstrated it to us, but the solution instructions in the README just weren’t “clicking” to then be able to reproduce a solve, much less help anyone else understand how to solve. It’s customary in CTFs to have a Discord channel where mentors can offer assistance to those on the right track; given that I don’t want to be up all night myself providing that support, thought it best to provide a walkthrough for someone else..

Not only did I “crack” it (helped, of course, by the solution instructions in his README), but then I was able to provide a linked reproducible recipe using a tool called CyberChef that is really useful for a lot of CTF grunt work. I’m avoiding linking to the recipe or giving any more info on the challenge, of course, given that there’ll be hopefully lots of folks taking a crack at it in early May. I’m now more confident, though, that there may be some folks who solve it AND I better understand a particular kind of encryption approach.

Notes from this week’s CTF – geek notes for Tina. Should have collected notes on more challenges, but, eh…

Received a PCAP file that said it had secret coordinates in it. PCAP was completely USB traffic, specific URB_INTERRUPT

  • https://wiki.osdev.org/USB_Human_Interface_Devices#USB_keyboard
  • Isolated traffic for appropriate device, after examining device descriptor response to find keyboard
  • Started mapping out the HID keys by hand, until a teammate suggested https://github.com/TeamRocketIst/ctf-usb-keyboard-parser
  • Ultimately used tshark to extract the data, via tshark -r ~/Downloads/file.pcap -Y 'usb.device_address == 2 and usb.data_len > 0 and !(usbhid.data == 00:00:00:00:00:00:00:00)' -T fields -e usbhid.data | sed 's/../:&/g' | sed 's/^://g' > keys.txt
  • (Note: the second se is because the recommended one ended up prefixing all the lines with : – second sed strips it off)