The Madness of the USBs (and Thunderbolts and alternate modes…)

I see rough issues coming for A+ students in terms of identifying the sudden proliferation of USB versions and ports, Thunderbolt versions, “alternate modes” and “multiplex modes.” Consumers are going to face lots of compatibility problems, because there are so many modes: some cables do one thing, while other cables that look identical do different things. And how about Thunderbolt over USB? Nightmare is a legitimate description.

http://blog.fosketts.net/2016/10/29/total-nightmare-usb-c-thunderbolt-3/

* * *

Excellent TechRepublic Article: “10 mistakes to avoid when troubleshooting IT problems”

Don’t you hate those clickbait “10 Great Pictures of …” or “10 Mistakes Men Make,” etc. etc.?

I say, as always, consider the source. For instance, TechRepublic is a pretty darn reliable, high-quality site for the hard-core geek (and you are one if you’re here reading this).

Whether trying to diagnose a single device or dealing with the urgency of a company-wide outage, there are solid best practices on what NOT to do. With that in mind, here are 10 things to avoid doing, so you can limit the pain and keep things running as smoothly as possible….

Yes! Exactly! Please show me your painful mistakes so I can wince and try to avoid them forever (at least try). Check out the list and see what you think:

http://www.techrepublic.com/article/10-mistakes-to-avoid-when-troubleshooting-it-problems/

* * *

Hacker Highschool: Download Uncut Lessons

Here are the lessons I produced as a contributor and Project Manager of Hacker Highschool, 2012-2016, complete and uncut, with the names of all contributors intact.

These lessons are distributed under the Creative Commons 3.0 License. Parts of these lessons are Copyright 2016 Glenn Norman. For updated project information visit http://hackerhighschool.org.

HHS_en1_Being_a_Hacker.v2_GN_2015-09-28.pdf

HHS_en2_Commands.v2.GN_2015-01-06.pdf

HHS_en3_Beneath_the_Internet.v2.GN_2013-08-06a.pdf

HHS_en4_Playing_With_Daemons.v2_GN_2013-12-09.pdf

HHS_en5_System_Identification.v2.GN_2015-06-23.pdf

HHS_en6_Malware.v2_GN_2014-12-10.pdf

HHS_en7_Attack_Analysis.v2_GN_2014-12-22.pdf

HHS_en8_Forensics.v2.GN_2015-01-07.pdf

HHS_en9_Hacking_Email_GN_2014-12-24.pdf

HHS_en10_Web_Security_and_Privacy.v2.GN_2015-08-13.pdf

HHS_en11_Hacking_Passwords.v2_GN_2015-08-21.pdf

HHS_en12_Legalities-and-Ethics.v2_GN_2013-10-17.pdf

HHS_en13_Cloud_Computing.v2_GN_2013-10-25.pdf

HHS_en14_Databases.v2.GN_2012-08-22.pdf

HHS_en15_Doxing.v2_GN_2012-09-23.pdf

HHS_en16_Exploits_and_Vulnerabilities.v2.GN_2013-06-29.pdf

HHS_en17_Mobile_Devices.v2_GN_2015-05-12.pdf

HHS_en18_Physical_Security.v2_GN_2012-10-02.pdf

HHS_en19_Wireless_GN_2013-07-01.pdf

HHS_en20_Social_Engineering.v2.GN_2013-07-01.pdf

HHS_en21_Hacktivism.v2.GN_2013-11-02.pdf

HHS_en22_Cyberbullying.v2.GN_2013-01-24.pdf

Online Education: A list of Internet educators

For the most part, I teach live classes. But I’ve used and reviewed many online school platforms (yes, including the obvious ones). Udemy and the like offer some excellent materials – and some not-so-excellent – but there are full-on universities online too, that offer real degrees, as well as the many certification organizations and trainers. This list isn’t an endorsement of any of these, but unless I see real value, providers don’t make this list.

Cyber Degrees

Not primarily a training site, Cyber Degrees is a great resource for people looking for the right degree or certification to advance their careers. They offer school listings, descriptions of career paths and degrees and a ton of useful resources. If you’re considering online education, start right here and know the field before you spend a dime. Highly recommended.

http://www.cyberdegrees.org/

University of the People

It’s accredited, which is huge: these are real AS, BS and MBA degrees in Business Administration, Computer Science and Health Science. And it’s free.

http://www.uopeople.edu/

Interactions, Trust and Google Chrome: my Veracode article

Glenn Norman on Veracode

During my time as Project Manager of Hacker Highschool (2012-2016) I had the opportunity to write articles for several security publications. This article, “Interactions, Trust, and Google Chrome”, appeared on January 14, 2016, and looked at the obvious and not-so-obvious trusts we give Google and interactions we allow with them.

I’m not a Google Hater; in fact I find their tools really useful in my consulting work. But I’m very cautious about sharing certain things, for instance my wifi network passwords. Check it out for a fuller discussion.

Article links:

https://www.veracode.com/blog/2016/01/interactions-trust-and-google-chrome

Google cache: https://webcache.googleusercontent.com/search?q=cache:2y8kFQkdBxgJ:https://www.veracode.com/blog/2016/01/interactions-trust-and-google-chrome+&cd=1&hl=en&ct=clnk&gl=us

Perma.cc cache: https://perma.cc/KL36-8RZA

Author profile:

https://www.veracode.com/blog/author/glenn-norman

Google cache: https://webcache.googleusercontent.com/search?q=cache:KPmWIWVgB98J:https://www.veracode.com/blog/author/glenn-norman+&cd=1&hl=en&ct=clnk&gl=us

Perma.cc cache: https://perma.cc/F832-EMF4

My Years With Hacker Highschool: Should We Be Training Hackers?

Glenn Norman

Flash forward from my first conversations on LinkedIn with Pete Herzog in 2010 to February of 2015, and one of the most persistent topics about Hacker Highschool: Should we be doing what we were doing at all? Were we training evil little script-kiddies, or maybe al-Qaida?

That whole line of thinking leads straight back to the problem of definition: “hacker” means something very different to the public than it does to the hacking community itself. Yes, we were in fact trying to bring young people into the hacking community, but no, we were not leading anyone to a life of crime. Far from it. Examples of ominous consequences are sprinkled liberally through Hacker Highschool, along with discussion of exactly how visible you are when you’re doing inquisitive things.

The Hechinger Report tackled exactly this issue in the article “Should we train more students to be hackers?” by Chris Berdik, who defines it brilliantly (see links below):

For many people, the word ‘hacker’ conjures up shadowy criminals unleashing malicious cyber attacks. Beyond the headlines, however, there’s a whole world of hacking that has nothing to do with criminality and everything to do with becoming inventive, autonomous and more secure members of a society immersed in technology. Broadly speaking, these young hackers fall into two groups — security hackers, who learn how computer networks can be attacked in order to better defend them, and hackathon hackers, who compete in all-night coding binges to invent new applications and re-engineer hardware.

Notice that there’s no major third group called “criminals.” One way or another, it’s all about the engineering, about figuring things out and making things work and keeping things running. There’s a definite mentality here, maybe similar to aspiring chessmaster mentality or violin virtuoso-in-training mentality.

Chris quotes me:

“It’s the hacker mentality,” and technology employers can’t get enough of it, says Glenn Norman, a network security consultant who teaches the subject at the University of New Mexico.

Norman also teaches security hacking to high school students at an after-school club in Albuquerque called Warehouse 508. He’s a co-developer of “Hacker High School,” a nine-lesson curriculum published by the Institute for Security and Open Methodologies (ISECOM), a nonprofit network security consultancy.

The whole reason I was into all of this was the grins I get when my students open a whole new set of digital eyes on the universe. But I could see, as my teaching career approached two decades, a long, steep decline in younger students. My security courses brought lots of mature network admins and developers, but fewer and fewer students under 30. Were high school students losing interest? Or were they, I began to suspect, being steered away? Consider:

As college hackathons proliferated, high school hackers started to filter into the competitions. Soon, they started high-school hackathons. One of the first was held in March, 2014, at Bergen County Academies High School in Hackensack, New Jersey. Jared Zoneraich, now a senior at the school, organized the all-night coding bash (hackBCA) along with other kids he’d met at college hackathons. Four hundred students showed up….

I think there’s plenty of interest, if the will can be found. I’ve worked on too many hiring committees in my consulting career seeking highly qualified and specialized people that I knew would eventually be hired on an H-1B visa. There’s a huge debate on both sides about whether there really is a STEM worker shortage, whether the US can or does generate as many tech workers as the enterprise needs, whether we really need to bring tens of thousands of tech workers from overseas when we have American workers training their own cheap replacements.

So I hooked up with, and then managed, Hacker Highschool, and promoted it locally and nationally. It was a time-sucker and I loved it. But it wasn’t sustainable for me.

Hacker High School’s founder, Pete Herzog, managing director at ISECOM, says that despite the curriculum’s popularity, it’s becoming too costly to support and update, and won’t survive much longer without corporate sponsorship.

How true.

http://hechingerreport.org/train-students-hackers/

Google cache: http://webcache.googleusercontent.com/search?q=cache:yjNudF4MBtYJ:hechingerreport.org/train-students-hackers/+&cd=1&hl=en&ct=clnk&gl=us

Perma Link: https://perma.cc/95QB-TDFQ

My Years With Hacker Highschool: In The Beginning

I first started talking with Pete Herzog through LinkedIn in 2010. His pocket institute, ISECOM, had produced some really interesting material, including the Open Source Security Testing Methodology Manual (OSSTMM) and Hacker Highschool (HHS). Lots of his ideas were great, but wrapped in language that made them really difficult to understand. In my innocence I thought, “Hey, I can contribute by drastically improving the quality of the prose here.” Soon I was working on a lesson, and by 2012 Pete had asked me to take over as Project Manager of Hacker Highschool.

It was a fun, and hysterically busy, beginning. We charted out a whole series of lessons beyond the original 12 released in 2004, and enlisted what grew to become a cadre of contributors over 200 strong. There’s a trail of articles and updates by me, Pete and many others that chart that effort. It was a ton of fun, and I met a lot of great people, but it also consumed every bit of my free time for several years, and most important, didn’t make money.

Eventually we tried to improve the financial situation, but that’s a story for another post. (We weren’t successful.)

Anthony Freed, a cool open-source writer and commentator, penned the article “Hacker Highschool Revamps Lesson One on Being a Hacker” (November 29, 2012) at https://www.corero.com/blog/278-hacker-highschool-revamps-lesson-one-on-being-a-hacker.html (cache at https://webcache.googleusercontent.com/search?q=cache:ui9CjyGtt6wJ:https://www.corero.com/blog/278-hacker-highschool-revamps-lesson-one-on-being-a-hacker.html+&cd=1&hl=en&ct=clnk&gl=us, Perma link at https://perma.cc/5ZMN-SYE5 ):

Hey kids, wanna get your hack on? The developers of Hacker Highschool, a free cybersecurity awareness and education project, have just issued a newly revamped version of the organization’s first lesson plan titled Being a Hacker, and will soon be reissuing updated curricula for all 23 of the course’s tutorials.

Pete described it as “open, free”, which is not to be confused with Open Source (the 2004 version was copyrighted, and version 2 was released under a Creative Commons-attribs-no-derivs “license”):

“This open, free project is a relaunch of the lessons first published in 2004. Over 60 volunteers, led by me and managed by Glenn Norman have been working months to provide a total of 23 lessons. The first of which has been released today, ‘Lesson 1, Being a Hacker’. The final lesson is on Trolling,” Herzog said.

Ah, those optimistic early days. I wish we could have made HHS a viable ongoing enterprise, but there’s no money in “open and free.” There is, however, a viable business model for shared community education about hacking, and I’m working to develop that now (2017) at School for Hackers (S4H): https://schoolforhackers.com/. I’ll have a lot more to say about S4H in coming posts, but for now I’ll just say it’s NOT about teaching teens cyber-security awareness; it’s very much for adults.

Stay tuned.

Welcome to the updated gnorman.org

If you’ve followed me for long, you’ll recognize that this site made a dramatic change recently. All the content is still here; it’s simply riding on a different platform, which I hope we’ll all find easier to work with. The old platform didn’t let me set up comments, but going forward most of my material will allow them from registered users.

So here at GNorman.org you’ll find my personal posts, discussions and class materials. Keep in mind that my “companion” site, https://schoolforhackers.com, will house our growing hacker community, with the understanding that we’re talking about “clever engineers,” not “criminal engineers.”

There will be plenty of material coming on both. Thanks for following, and don’t hesitate to drop me a line.

Glenn

* * *

Hacker Highschool: Foreword and Copyright Statement

Foreword From Glenn Norman, Project Manager, 2012-2016

Downloads: http://gnorman.org/2017/05/16/hacker-highschool-download-uncut-lessons/

As I’ve described in an earlier entry, I first got in touch with Pete Herzog and ISECOM (http://isecom.org) in 2010 through LinkedIn because, as a professional editor, I thought I could make a contribution to the writing and layout of some of his products. Initially I thought about working on the OSSTMM (http://osstmm.org), but accepted Pete’s offer to work on lessons for Hacker Highschool (http://hackerhighschool.org). In 2012 Pete asked me to take on the job of unpaid volunteer Project Manager for the Hacker Highschool Version 2 Rewrite Project, which I accepted.

Over the next four years I managed over 10,000 emails, almost 100 contributors and over 200 supporters of the project. Some of the lessons went through as many as 50 drafts, all of which I managed and edited. I learned a tremendous lot about hacking, hackers and hacker culture, most of it positive. By 2016, however, financial pressures forced me to relinquish the role of Project Manager.

The Hacker Highschool materials are open and free to the public, released under a Creative Commons Non-Commercial, No Derivatives, Attribution Required License, which is an extension of copyright not formally embodied in law. Formal, legal copyright, of course, is always owned by the creator of a work, unless the creator is paid, or signs away rights in a contract. This means that all materials contributed to Hacker Highschool remain the copyright property of the contributors.

After my departure, ISECOM chose to keep our contributions but remove the names of several people from the Contributors pages, including mine.

So to preserve a record of the contributions of the many good people of the Hacker Highschool rewrite project, here are the lessons that are my work product as the volunteer Project Manager of the Hacker Highschool Version 2 Rewrite Project from 2012-2016.

Parts of these lessons are Copyright © 2016 Glenn Norman, including editing, arrangement, verifying and integrating contributed materials, and original text. All rights are reserved, though these documents may be freely distributed provided this statement remains intact.

All other materials remain the copyrighted property of their respective contributors, beyond their use and acknowledgment in Hacker Highschool Version 2.

Review: CompTIA® A+ 220-901 and 220-902 Cert Guide, by Mark Edward Soper (2016)

Here’s another in my series on reviews of the textbooks I use to teach my classes. In this case it’s an A+ text from Pearson with some pretty nice online value-adds.

CompTIA® A+ 220-901 and 220-902 Cert Guide, by Mark Edward Soper

Copyright © 2017 by Pearson Education, Inc.

ISBN-13: 978-0-7897-5652-7

ISBN-10: 0-7897-5652-8

Early study materials for the A+ were rough and ready, often terse little volumes that assumed a lot of foreknowledge. We’ve come a long way in the 13 years I’ve held, and later taught, this certification, to the point that you can find great material in book, ebook and online course formats, covering a lot of learning styles. Mark Soper’s CompTIA® A+ 220-901 and 220-902 Cert Guide is an in-depth Cert Guide, in Pearson-speak, as opposed to their usually shorter, drill-oriented Exam Cram series. I’ve taught both formats and generally prefer the greater detail of the cert guides, but I was impressed by David Prowse’s Exam Cram ebook on this same topic.

The “value added” materials have been getting better too. Most publishers have long offered CDs with test and study materials. But as optical drives have been going out of style while online storage has come on strong, I’m seeing almost everyone leaving the CD behind, and using the CD sleeve in the back of books for a slip of paper with an Activation Code, as this book does. I initially thought, Oh, there go the goodies, but I’ve found the reverse is true. More on this below.

Prose style really matters, too. My students make loud noises if reading the text gives them headaches, which magically transfers the headaches to me. From an earlier review:

When it comes to highly technical books, there are plenty of them that are written by committee, and read like it. I’ve got nothing against a dry, factual style, but my students seem to be more willing to read single-author books with a breezier prose style. [Prowse’s] book falls into the second category, and has the kind of comfortable, personable text that makes reading 982 pages a lot less of a chore. By comparison, the 901-902 text by Mike Meyers runs 1472 pages of chatty first-person conversation, while the text from Docter, Dulaney and Skandier is 1312 pages of formal discussion (what did I say about writing by committee?).

The previous edition of this Cert Guide was written by Soper, Prowse and Scott Mueller, and was my text of choice teaching my A+ 801-802 classes. It ran to 950 pages of text, plus end material (and included a CD). In the current edition, Soper goes it alone while Prowse works on the video course and the Exam Cram book, and Mueller apparently works on the 23rd edition of his amazing Upgrading and Repairing PCs series. I wondered if the quality would suffer or improve, and if the character of the book would change, but Soper keeps up the really excellent written material thickly scattered with high-res grayscale photos, screen shots and key topics tables. Possibly to the down side, the book now contains about 1150 pages of text, plus end material. It’s still one of the shorter texts, but they are all becoming behemoths.

I have to say I like Soper’s prose. He sticks to shorter sentences and obviously has a talent for stating things clearly. There is a minority among my students who like the more chatty, informal and sometimes funny language of Meyers, but they have to be willing to make a 1500-page commitment to that book.

Chapters are laid out clearly, and divided into topics with plenty of illustrations. Every book on this topic has to decide how deeply to descend into details. Do students need to know the specifics of the latest upcoming Intel memory controller topology? The hard-core geeks are going to love it. Others are going to find those details quickly obsolete, but do need to understand how the once-literal North and South Bridges are now mostly theoretical, with chipsets doing all kinds of things differently.

What really matters is that the materials match up to the A+ test objectives, which this book does quite well. Ending each chapter are the Exam Preparation Tasks, which include memory tasks like definitions alongside exercises like using diagnostic tools to research hardware details and upgrade options. Then come Review Questions, with Answers and Explanations conveniently following. The explanations are nice, because they’re really explanations, unlike too many of the ones I see on sample tests.

One of the biggest changes for the new certification is the much-changed list of operating systems covered. XP is out, finally, but Vista lingers on, along with Windows 7, 8 and 8.1. Windows 10 is not covered. But OSX is getting a lot more discussion, which matches the workplace I see, mostly Windows but with a contingent of determined Mac users.

Here, each book handles this differently. The Exam Cram splits OS topics out among the main test topics, so there’s not one place that solely discusses Windows 7, for instance.

Docter, Dulaney and Skandier do the opposite, with 50-60 page chapters on each major OS, which might be a good idea for organization, but leads to a lot of duplicate discussions of installation and deployment, for instance.

In this book Soper manages to cover the same detail in about 35 pages each for the OSX/Linux chapter and the iOS/Android chapter, with less obvious duplication. Depending on whether you’re using the textbook later as a reference (go with duplication) or as a learning tool (don’t torture me when I have to read the whole book), this book may be the best option for students.

The most important work students can do for certification exams is taking lots of sample tests. There are resources online, of course, and many are quite good. Brain dumps, on the other hand, are worse than useless because they’ll mislead you or invite you to believe wrong answers. Note that tests and questions provided by real CompTIA Authorized Partners (like Pearson) tend to be much more realistic and closely aligned with the actual test questions, for instance the frequent use of scenario questions. There are lots of practice sites and sources of sample questions online, and students should use them – with a healthy awareness that sometimes these questions are wrong: wrongly worded, contradictory or just plain far off topic. Once you’re so advanced that you can spot these errors, generic online practice tests can be useful for learning to spot B.S.

Getting access to Pearson’s online materials takes a few steps, but isn’t any harder than registering for Facebook. You’ll download the Pearson test engine, fire it up, and use the Activation procedure to get and install the sample tests for this book. There are a total of four tests, which you can further tune to concentrate on questions by chapter/objective. Mix and match until you’ve seen every question several times. I always recommend saving at least one of these tests as a final proving challenge before taking the real certification exam; if you can ace a test you haven’t seen before, you’re likely ready for the real test.

Back in the book, there are also some memory drills, but the nicest value-add-on is the three hours of video you can watch from Prowse’s video course. They are highly worth the investment in time, I guarantee.

So I come to the things that matter when I choose a text for my A+ classes.

First, the price. At $60 this book isn’t cheap, but it’s not stratospheric for a college-level text either. Its main competitors are in the $50-60 zone.

Next, does it align closely with the CompTIA A+ Objectives? This book covers them without going in-depth on topics or technologies that will never show up on the test.

Then, how long is it? 1000 pages is tough, and 1500 pages is a huge task for my students, but few books in this area are smaller. At least this one is on the light end of the scale.

Finally, what’s it like to read the actual prose? Does it sound like it was written by an engineer or a lawyer, or is it more like a friendly discussion of interesting technology? Soper does very well in this area.

Ultimately, you can’t go wrong with this book. All by itself it’s good; with the online materials it’s top-notch. I’ll be trying it out in my next round of classes.

Disclaimer: Obviously I am a teacher, working with two major universities and many smaller clients. Some of the books I review are provided by my employers, but many of them come to me directly through my reviewer accounts with Pearson, Microsoft and Cisco (as this book did). They all know that sending me books is no guarantee of mercy on my part.

* * *