@sroberts advanced persistent incident responder

Open Source Blogging

So it’s been more days than I’d like since my last blog, sadly since I’ve been dealing with some discomfort in my arms along the lines of an RSI, something I plan on discussing more. That said I’m on the mend, and wanted at least a small post so I don’t feel like such a slacker.

Since I setup my blog a number of folks have asked me what I’m using, how it’s set up, etc. To make that easier to understand I decided to open source my blog so a similar setup is just a fork away. I’m also excited since this will allow me to publish content without actually pushing it to my blog, giving me a chance to solicit feedback without having to email markdown files.

The Repository:

sroberts.github.io - There it is. The whole thing

Quick Rundown

Here’s what’s behind my blog:

Blog Package: Jekyll

The amazing open source blogging platform lives up to its reputation for clean, easy to use blogging. I already write Markdown all day, so it’s an easy way to write blog content as well.

Blog Theme: Hyde

Gotta love a literary turn of phrase, Hyde gave me a great look without forcing me into lengthy HTML/CSS customization. I trust the professionals.

Hosting: GitHub Pages

Create pull request, commit post, merge pull request, have blog. Easy.

Text Editor: Vim

I’ve been trying to force myself to use Vim for most things, and this is no exception. Square’s Maximum Awesome package makes it usable.

Spell Checking: Aspell

I’ve already mentioned how great Aspell is, but it’s really a life saver for words I put in front of real people.

Image Editor: Pixelmator

In the rare cases where I post images and need them edited, Pixelmator is the best combo of features & ease of use.

Bonus: hub

It’s great being able to do things like open a pull request without leaving the command line. I also use hub browse to jump to the right place on the web more than I care to admit.

Bonus: GitHub Pages Gem

This gem keeps everything in line, making sure you always stay up to date on Jekyll version, Pages compatibility, etc.

Bonus: GitHub Issues

I also use the repository Issues to keep track of posts I’d like to write, notes, etc.

Going Forward

I welcome feedback and suggestions via the open issues. While I want to avoid discussions of content in there please feel free to comment on what I’m planning to write and changes I plan to make. Feel free to rip off content, just give credit where credit is due. And thanks to all those who built the tools, I couldn’t do it without you.

Online CTFs

I’ve been lucky enough to play in a number of computer attack & defend (sometimes only one or the other) Capture The Flags. They’ve been some of the best learning experiences I’ve ever had and a ton of fun. It really compresses all of cyber security, minus that boring policy stuff, into a smaller time frame.

Even with all the benefits there is one tough part: you can’t always spend a weekend in a friend’s basement with a pallet of Red Bull or on the floor at DefCon CTF. Until CTF season rolls around this spring there are two new all-online CTFs from big name companies:

  • Square/Matasano: MicroCorruption
  • Stripe: Stripe-CTF (Link appears to be down at this point.)

I took a quick look at MicroCorruption over lunch and its unique take, focused on embedded software security, is fascinating. They’ve put together a great interface, putting hardware debugging & exploitation in a web browser. I’m really excited to get into Stripe-CTF, which seems a little more language/programming centric rather than exploitation driven. I think I’ll be starting on MicroCorruption this weekend, but either way they are two different topics to learn, and both a great way to do it.

Command-line Spell Checking with Aspell

In an effort to improve my “Unix” skills I’m trying to do more and more on the command line, such as writing this blog. This has worked out for me in a lot of ways, making much of my work faster, less environment dependent, and easier to reproduce/script. I’ve learned lots of tricks to help with this, but recently came across one of the best ones: Aspell.

First a confession: people get into the computer industry for lots of reasons. My reasons were kind of different: I couldn’t spell and have terrible handwriting. In 4th grade being told this magic box would make my ideas legible and spelled correctly was game changing for me. But I digress.

So while Vim is great and all, one of the things I struggled with was being able to spell check documents. Then I found Aspell:

GNU Aspell is a Free and Open Source spell checker designed to eventually replace Ispell. It can either be used as a library or as an independent spell checker. Its main feature is that it does a superior job of suggesting possible replacements for a misspelled word than just about any other spell checker out there for the English language. Unlike Ispell, Aspell can also easily check documents in UTF-8 without having to use a special dictionary.

I’ve been really impressed with Aspell and after using it a few days it’s gotten a place on my “must have software” list. It’s pretty simple:

$ aspell -c _posts/2014-01-20-commandline-spellchecking-with-aspell

Brings up a straightforward text interface:


The suggestions are usually spot on and it has most of the features you’d expect from a mature spell checker in an application like Microsoft Word or Apple Pages, both of which I rarely touch anymore given the strong combination of Vim, Aspell, and Markdown. If you’re working on lots of text documents on the command-line I cannot recommend it enough.

Bonus: If you’re just getting into Vim, as I am, I cannot recommend Vim-Adventures (billed as “Learning VIM while playing a game”) and Square’s Maximum Awesome (billed as “Config files for vim and tmux, lovingly tended by a small subculture of peace-loving hippies. Built for Mac OS X.”) enough. They’ve made getting into Vim straightforward and fun.

My Favorite Open Source Security Tools

So, working at GitHub, it is no surprise I believe in and use a lot of open source software. I think this makes sense especially for security, for a number of reasons:

  • We need tools we can trust, so transparency is key
  • We need tools we can modify, since we often need things that don’t exist
  • We need tools that are cross platform

And the list goes on. I try to support these projects, with code, with feedback, with use, and sometimes, with praise. So, in sort of a weird security “Oprah like” favorite things list here are a few of my favorite open source security tools:

Google’s Rapid Response

Ok, #realtalk: This is an open source version of Mandiant/FireEye’s MIR incident response platform. The idea is systems have an agent that reports to a server. The server can then set up jobs to look across an individual system, a group, or an entire population for a specific indicator of compromise, individual file, or many other forensic artifacts.

Given the expense of MIR or similar systems like Encase Enterprise it’s truly astonishing the amount of effort the Google team working on GRR has put in, and it’s a huge benefit to the community that they’ve released it. You can find more information on their user mailing list and Google Code site. As a side note I made a fork on GitHub to encourage even more open source collaboration. Google has even moved GRR development to GitHub: Google/GRR/. I’m really interested in talking to folks who want to work on this.

AOL’s Moloch

So if GRR is an open source version of MIR then Moloch is an open source version of EMC/RSA/Netwitness’s Netwitness Investigator Security Analytics full content monitoring tool. Put together by the fine folks at AOL, Moloch helps you capture and hunt in network traffic.

Etsy & Facebook’s MIDAS

Oh, the fine folks from Etsy & Facebook gave us a gift. MIDAS, the Mac Intrusion Detection Analysis System, is a framework for building host level detection of compromises specifically for OS X. It allows building complex detection routines in Python, then provides the structure to run, store, and report on them. I’ve done a bit of work with this and see amazing potential long term.
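To make the "detection routines in Python" idea concrete, here is an added example of the kind of host level check MIDAS is built to run, store, and report on. It is not MIDAS's own code and does not use the MIDAS API; it is a stand-alone routine that inspects launchd property lists (a common OS X persistence location) and flags entries that run out of temporary directories or wear an Apple-style label outside the system paths. The plists, paths and thresholds below are constructed for the example.

```python
"""Host level persistence check for OS X launchd plists.

Added example, not MIDAS's own code. It shows the shape of a detection
routine MIDAS-style frameworks exist to run and report on. All sample
plists and paths are constructed for this example.
"""
import plistlib
import xml.parsers.expat
from typing import Dict, List

# Constructed sample launchd property lists, stored as the bytes that would be
# read from disk (plistlib.dumps produces XML plist bytes).
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    }),
    "/Library/LaunchAgents/com.apple.helper.plist": plistlib.dumps({
        "Label": "com.apple.helper",
        "ProgramArguments": ["/bin/sh", "-c", "/tmp/.h/run.sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Users/sam/Library/LaunchAgents/homebrew.mxcl.redis.plist": plistlib.dumps({
        "Label": "homebrew.mxcl.redis",
        "Program": "/usr/local/opt/redis/bin/redis-server",
    }),
}

# Directories a legitimate launch agent should not be executing from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Interpreters that are often used to launch a script rather than a binary.
INTERPRETERS = {"sh", "bash", "zsh", "python", "perl", "osascript", "ruby"}


def program_path(plist: dict) -> str:
    """Return the executable launchd will run: Program wins over ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def inspect_plist(path: str, raw: bytes) -> List[str]:
    """Return the findings for one launchd plist; an empty list means nothing flagged."""
    findings: List[str] = []
    try:
        plist = plistlib.loads(raw)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError):
        return [f"{path}: unparseable plist"]
    label = plist.get("Label", "")
    exe = program_path(plist)
    args = plist.get("ProgramArguments") or []
    # An Apple-style label outside Apple's own /System/Library tree is a red flag.
    if label.startswith("com.apple.") and not path.startswith("/System/Library/"):
        findings.append(f"{path}: Apple-style label {label!r} in a non-system location")
    # The executable itself lives in a temporary or shared directory.
    if any(exe.startswith(d) for d in SUSPICIOUS_DIRS):
        findings.append(f"{path}: program {exe!r} runs from a temporary directory")
    # An interpreter is launched with a script argument that lives in such a directory.
    base = exe.rsplit("/", 1)[-1]
    if base in INTERPRETERS and any(
        any(a.startswith(d) for d in SUSPICIOUS_DIRS) for a in args[1:]
    ):
        findings.append(f"{path}: interpreter {base!r} executes a script from a temporary directory")
    # Only note persistence flags when something else already looked wrong.
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and findings:
        findings.append(f"{path}: persistent (RunAtLoad + KeepAlive) with the findings above")
    return findings


def run_check(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run inspect_plist over every plist; the report maps path -> findings for flagged plists only."""
    report: Dict[str, List[str]] = {}
    for path, raw in sorted(plists.items()):
        found = inspect_plist(path, raw)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for flagged_path, flagged in run_check(SAMPLE_PLISTS).items():
        for line in flagged:
            print(line)
```

On a real host the dictionary would be filled by reading every plist under the LaunchAgents and LaunchDaemons directories; the routine itself stays the same, and the report dictionary is what a framework would store and compare between runs so that only new findings raise an alert.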


So this project hasn’t gotten a lot of love lately, but it’s hugely interesting to me. There aren’t a lot of tools that try to make it easier to collaborate on forensic investigations, in fact most seem hell bent on the exact opposite. I’d love to see more work on this tool, and will be setting it up at home soon.

Buffer’s Thug

So you know that time you have to go investigate a nasty web page? There are plenty of options: fire up a virtual machine, try to use a stripped down browser, curl the site. All of these give away some amount of information that you’re profiling, and may miss things. Thug seeks to fix this, by providing a safe (not a real web browser) method that still correctly emulates what a browser would look like (such as an IE7 user agent string instead of a curl user agent string). Thug makes it safe, easy, and quick to do this type of analysis.

Cuckoo Sandbox

Cuckoo Sandbox is easily one of the most mature open source security tools available, and the team behind it should be applauded for that. A malware analysis system, Cuckoo runs malware through a VM, captures system changes, web traffic, and other malware relevant activity and shares it with the analyst. Having just gone 1.0 they’ve added tons of features, improved stability, and put this tool on par with more expensive commercial malware systems. If you work with Windows based malware, this system should be in your arsenal.

The Importance of Mentoring

I’m a big believer in mentoring. Classes are great, self-learning is hugely important, but there are few things that help someone grow as much as having someone a little bit farther down the road to give a little bit of guidance. I’ve been lucky enough throughout my life to have had many mentors in a number of aspects of my career and life. These people have been invaluable.

I’m not the only one. A few months ago Coby Chapple, one of GitHub’s amazing designers, did a talk at a company event about the importance of mentoring, based on the Distributed Mentoring movement. Coby even put his code where his mouth is, adding a page to his personal site stating his support of mentoring and offering to mentor those who put themselves out there and email him. Going a step further, he even made it easy for others to follow his lead by forking his mentoring repo and creating a mentoring page of your own.

I thought this was a great idea and always meant to follow his lead, but didn’t quite get around to it. Well after setting up this Jekyll site today is finally the day. Feel free to check out my page sroberts.github.io/mentoring and reach out to me. I’m happy to do whatever I can to help folks interested in general security, digital forensics & incident response, development, using GitHub, however I can help.

I urge others, especially in the security community, to consider doing something similar. Information security is still more art than science, and as the security industry gets bigger and bigger we need more experienced folks not just to share their skills with the up-and-comers, but also to share the ethics and lessons we’ve learned along the way.