Welcome to the updated gnorman.org

Glenn at work

If you’ve followed me for long, you’ll recognize that this site made a dramatic change recently. All the content is still here; it’s simply riding on a different platform, which I hope we’ll all find easier to work with. The old platform didn’t let me set up comments, but going forward most of my material will allow them from registered users.

So here at GNorman.org you’ll find my personal posts, discussions and class materials. Keep in mind that my “companion” site, https://schoolforhackers.com, will house our growing hacker community, with the understanding that we’re talking about “clever engineers,” not “criminal engineers.”

There will be plenty of material coming on both. Thanks for following, and don’t hesitate to drop me a line.


* * *

[ Book Review ] :: CISSP Training Kit (Microsoft Press Training Kit) 1st Edition

This year (2015) is the year the CISSP changes from a 10-domain test to an 8-domain test, beginning April 15, 2015. I teach certifications, and always find these updates tricky: often the new materials don’t come until six months later. As I write almost all the new CISSP books are only “Available for pre-order.” So while I’m considering the CISSP certification, I’m looking at books for the 2012 version of the test (10 domains).


What’s nice is that a book selling for $70 a few months ago now costs a little over $40. And though this one uses the “old” domains, the infosec information itself is still completely relevant, and the practice questions alone are worth the price. (One of my top pieces of advice to students is to take lots of sample tests. They’ll point you to your weak areas faster than any other method.)


The book itself is hefty: 700+ pages of dense, small-font text and many, many long bullet lists. For better or worse, that’s the nature of the game in this area of expertise. At this level of certification, most readers are going to be able to deal with this kind of prose, though not necessarily everyone will love it. Consider:


The determination of value of the company’s good reputation is somewhat subjective, but it is certainly a valuable asset that needs protection and can be damaged by breaches of security. It is therefore a component of the risk assessment that must be quantified in order to establish an appropriate (cost-justified) level of protection. As each threat to each asset is identified and quantified, you must also determine any possible damage to the company’s reputation for the threat-related breach and additionally quantify the potential losses due to the (qualitative) damage to the company’s good reputation.


I guess some people will like that kind of prose, if that’s the kind of prose they like. I can deal with it, and I appreciate the effort for extreme clarity. Generally, though, I prefer to read – and write – text that says what’s important, simply.


When it comes to issues other than the writing style, I have to praise this book as wildly comprehensive. If you’re a network person the discussion of Layer 3 devices will be familiar ground, but accounting and patents and intellectual property protections likely won’t be. You can be versed in fire suppression issues and still be surprised by the provisions of Sarbanes-Oxley. Do one good, deep pass through the book (I recommend frequent, small chunks) followed by a pass doing spot-study of as many high points as you can identify. Then beat yourself with sample tests until you’re passing them consistently.


On the tests and questions: each certification organization has its own take on how to make things hard, ISC2 included. CompTIA questions, for example, are frequently tricky simply because of poor grammar or garbled syntax. ISC2 questions are generally quite sharp, crystal clear, and often followed by a set of choices for which you’ll need a razor to parse out the fine distinctions. Microsoft’s sample test sticks to this format beautifully, though there is only one on the included CD. But with 250 questions you can do lots of practice runs of 20-50 randomized questions and get the benefit of seeing familiar things side-by-side with new questions. This is definitely the high point of the kit for me; taking lots of sample tests, particularly good ones like this one, is the top technique for passing these certifications.


For any certification, I recommend not one but two books, at least. Since the newer material is still on its way, this book would be a good way to get strongly warmed up on the CISSP. Then get the best new book you can (for the 8-domain test) to finish your studies, thus buying only one top-dollar book. But that’s just my suggestion.


Full disclosure: I get textbooks for review from several sources, in this case from Pearson IT Certifications. I also work for a certifying organization (ISECOM), participate in building certifications (the OPST and SAI), write textbooks and teach at two universities (UNM and NMSU), so while I’m not the usual test subject, I am frequently the instructor.

* * *


Playing with the Raspberry Pi

I’ve been tinkering with the Pi for a couple of months now, after resisting the call of RISC for years. These little machines have finally caught up to about Pentium II performance, which is to say they’re moderately good as a desktop PC, and excellent as a tiny Linux server.

The Kali people maintain an ARM image, though, which inevitably meant my students came to me about setting up Kali on the Pi. Depending on the student, I’m okay with that, but in most cases the request is a cue for a sit-down talk about trust, as in: do you know these Kali people, and if they had bad intentions, should you be running this OS in your home? Nothing against Kali: I’m just nervous about any system with lots of moving parts, most of them mostly invisible.

That’s why I’ve been working with customized images of Fedora 21 and 22 with the Security Spin added on. I like this distro and the community that supports it (I know them personally), and the whole product suite is very thoroughly reviewed. Which is to say, I’ve made a trust decision.

And Fedora maintains an ARM image (yippee!), so off I went and ordered a Pi.

So: I don’t understand the unboxing video thing. I guess it’s a good way to verify you got all the parts? But since I’m going to use the devil out of this thing in my classes, might as well document from start to finish. So here’s the beginning:

* * *

When Security Is Too Hard For Your Mother: a Dark Matters article

We in the US have been getting our InfoSec pants pulled down and our lunch money stolen on the playground for months, years now. I’ve bitterly complained about the nation/state actors and the non-nation actors and our own government actors, with all the usual results of complaining.

We’d better get serious immediately, at the personal level, about security. When I first approached ISECOM I liked the idea that security should be the default, that it should be hard, in fact, to do unsafe things. But things like money, politics and entrenched interests have kept us from achieving the significant leap forward we’re going to need to secure our information.

Some means are available to us personally: using aliases online for social media accounts, for instance. But in other places our critical personal information is held by … our government, for instance. In not-very-secure ways. Which means that we get pwned when they get pwned. Which is often.

That’s a damned shame, because we do have the means to make security much easier, and much better. We just choose not to use them. Read my discussion here:



Gearing Up the Workforce: Will the “crash courses in coding” model work in Albuquerque?

I’ve been thinking a lot about this business model since long before seeing this article in the Albuquerque Journal:


The article comes out of an Atlanta paper and primarily deals with two companies in that area, Tech Talent South and The Iron Yard, both of which work on the theory that months of intensive education and mentorship works better than four years and giant debt. They both specifically address coding, which is a solid strategy because the demand for up-to-date coders is pretty much endless at this point. Take it from me: the recruiters frequently ping me for leads for hot recruits. If you want it, it’s there for the taking.

There is one such operation in town, and it looks interesting. But not cheap. None of these are cheap. Among all three schools I’ve mentioned, the class duration is 8 – 12 weeks, and the price is $7000 – 10,000. This is a heck of an investment, though it’s highly likely worthwhile for someone who wants to make a start from scratch.

Most of the hard-core developers I know, and I know a few, are entirely self-taught. But for those less-than-hard-core developers like me, a working familiarity with programming principles and specific languages came slowly. If you’re looking for a job, and you know you can code, the boot-camp school method may be a hot ticket.

I’ve considered opening a shop to do exactly this, though I’m watching the local firm to see how they do. Frankly, however, my emphasis is different. Sure, I do Unix, and coding, and networks and so forth. But I’m deeply interested in security, and I’m deeply interested in teaching. This is handy because a lot of security consists of education.

So if I were going to do this I’d take a careful look at the audience for a security school along a vaguely similar model. My local friends are familiar with the “DoD Order,” which requires local national lab and Air Force base personnel to pursue a continuing education in security. And we have another national lab up the road at Los Alamos, and two more bases and a missile test range down near Alamogordo.

It’s an interesting thought….

* * *

“So You Like Pain and Vulnerability Management?”

Executive Summary:

You will never catch up when you try to do security through patch management. The unknown vulnerabilities are, by their nature, unknown. And the zero-day vulnerabilities will always be irritatingly one day ahead of your malware detection.

Instead, understand and implement proper operational controls.

See the full article at


Substantial changes usually have to happen in the context of paradigm shifts. That’s just a fancy way of saying that we do things differently when we change the way we think about them.

Consider, for instance, the SANS list of Critical Security Controls. Find it at

It’s a long list of directly applicable areas of operation. They’re talking about controlling things like boundaries, and data protection, and inventories of systems and software. Okay, but this is the starting point of hamster-wheel madness. You will never patch your way to security, for one example. You will ALWAYS be a day behind the zero-day vulnerabilities.

Consider, in contrast, the OSSTMM controls. There’s a good outline at

This is a very different list of controls: Authentication, Indemnification, Subjugation…. Hey, wait, this is totally different stuff!

Exactly. The OSSTMM, which is described in some good detail at the link above, is about a whole different way of thinking. There is a good example of its application at

You cannot patch Dropbox to security, is the gist; and if you apply the right analytics to it, it may not look attractive for doing much more than sharing recipes. But that’s another story.

Let me simply suggest to my friends and security practitioners that it’s going to be worth your while to study this in more depth. Because the OSSTMM is about an entirely different vision of security, one that costs less, works better and doesn’t put you in the hamster wheel. Those are good things.

* * *

Can we trust TOR, or any public VPN service?

So, you want to cruise the Internet anonymously. You need a good VPN. That means no user logins, no logging of your activity, no blocking of traffic – and no cooperation with the NSA.

TOR, famously, is NOT all these things. Thinking you are safe by using TOR alone is a sad mistake with big consequences. A VPN is a good layer to add, assuming you do it right, if there is a truly right way. One saying I’ve heard is, “VPN before TOR, cops at your door.” Presumably TOR before VPN, ain’t no one coming in?

Back in 2014 I found this list of VPN providers and their answers to some very pointed questions about the security, confidentiality and privacy they provide their users.


More recently (2015), Jock at SecureThoughts.com directed me to a much-updated version of this article, using the blindingly clear Infographics style.


This issue hasn’t gotten any smaller over the past year; in fact, I’ve been analyzing confidential services, and finding that you’ll largely have to go to Switzerland to get them. Read the article and see just how “private” most services really are.

#encryption #hackerhighschool

* * *

Francis Bacon’s Bilateral Cypher: How to make anything signify anything

One of the contributors to Hacker Highschool has been turning me toward some very interesting examples of early cryptography. Have you ever heard of his bilateral (not binary) cypher?

This is one any student of security should read, particularly when you realize that the accompanying photograph of WWII soldiers is itself an encoded message!


Here’s a good explanation of the cypher:


And the Wikipedia page:


#cryptography #hackerhighschool
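As an added illustration of the cipher (my own code, not from the linked articles or from Hacker Highschool): each letter becomes a five-symbol group of a’s and b’s, and the groups are hidden in an ordinary cover text by choosing between two “typefaces” for each letter, here lowercase for a and uppercase for b, which is exactly how a photograph or a page of print can carry a message. This uses the 26-letter variant rather than Bacon’s 24-letter original (which merges I/J and U/V), and the end-of-message marker and the cover sentence are my own constructions.

```python
import string

ALPHABET = string.ascii_uppercase   # 26-letter variant; Bacon's original merges I/J and U/V
END = "bbbbb"                       # value 31, used by no letter: my own end-of-message marker
COVER = "the quick brown fox jumps over the lazy dog"   # constructed cover text, 35 letters

def letter_to_bilateral(ch):
    """'A' -> 'aaaaa', 'B' -> 'aaaab', ..., 'Z' -> 'bbaab'."""
    idx = ALPHABET.index(ch.upper())
    return format(idx, "05b").translate(str.maketrans("01", "ab"))

def bilateral_to_letter(group):
    """Inverse of letter_to_bilateral; None for the six unused groups (values 26..31)."""
    idx = int(group.translate(str.maketrans("ab", "01")), 2)
    return ALPHABET[idx] if idx < len(ALPHABET) else None

def hide(secret, cover):
    """Hide `secret` in the letter case of `cover`: lowercase = 'a', uppercase = 'b'."""
    code = "".join(letter_to_bilateral(c) for c in secret if c.isalpha()) + END
    letters = sum(c.isalpha() for c in cover)
    if letters < len(code):
        raise ValueError(f"cover has {letters} letters but {len(code)} are needed")
    out, i = [], 0
    for ch in cover:
        if not ch.isalpha():
            out.append(ch)          # spaces and punctuation carry no symbol
            continue
        symbol = code[i] if i < len(code) else "a"   # letters past END stay lowercase
        out.append(ch.upper() if symbol == "b" else ch.lower())
        i += 1
    return "".join(out)

def reveal(stego):
    """Read the case pattern back into a/b groups and stop at the END marker."""
    code = "".join("b" if ch.isupper() else "a" for ch in stego if ch.isalpha())
    message = []
    for i in range(0, len(code) - 4, 5):
        letter = bilateral_to_letter(code[i:i + 5])
        if letter is None:
            break
        message.append(letter)
    return "".join(message)
```

Hiding "HELP" in the cover sentence yields "thE QUicK broWn FOx JUMPS OVER the lazy dog"; the same trick works with any two distinguishable features (fonts, spacing, which soldiers face the camera), which is the point of "anything can signify anything".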

* * *

Hacker Highschool: Articles in Spanish

I’ve been discovering that Hacker Highschool is really popular in the Spanish-speaking world, so much so in fact that I’m considering really working on my rusty Spanish. Teaching opportunities in South America seem to be, ironically, more plentiful than here in the US.

“Don’t limit yourself to computers alone. The great hackers are very creative. Many of them are painters, writers or designers. Hackers can be what, in the field of political science, Machiavelli’s El Príncipe is.”

Check out this article in the respected newspaper El Mundo, “Lecciones de ‘hacking’ para adolescentes” (“Hacking lessons for teenagers”):


And see another article in El Mercurio, “Con clases en línea enseñan a los adolescentes a ser hackers buenos” (“With online classes they teach teenagers to be good hackers”) at


…assuming of course you speak Spanish…