Do you know who you are?

GAT circa 1995

The above photo was taken in the backyard of my house sometime around 1995 at one of the infamous 617 barbecues known as Grillathon. There are some people in that pic who are now rather famous in certain circles. There are a LOT of people who where at the BBQ who have gone on to bigger and better things within the infosec industry. There are even more people from the same 617 area who now head security departments at fortune 100 companies, hold high level positions at DOD, who hold millions of dollars of VC money in the palm of their hand.

Some have embraced their past, they openly admit who they associated with, and wear it almost as a badge of pride. Others actively hide away from it. They want no mention of their past associations or that they even once used a handle. <gasp> I’m not talking about admitting to past crimes or other transgressions. There is no need to say you pownd an entire country in 1998 (who didn’t), no, I’m just talking about admitting who you were, and who your friends were. I don’t understand why this scares some of us so much.

It is one thing to not advertise certain facts but its another to actively go out of your way to dissociate with your past, and it pisses me off. We all know who you are and who you were, do you?

Speaking of 617, you may have noticed Lady Ada (Limor Freid) on the cover of Wired this month (April 2011). One of dozens of people from the late nineties 617 BBS scene to go on to huge success. I’d love to make a list of people who where in the scene then and where they ended up but I suspect it would upset a lot of the people who are hiding their past.

I might do it anyway. I would be afraid of leaving people out, remind me who was around 617 back then and where they are now. If you were around back then and think making such a list would be a bad idea, let me know that to. I may not listen to you, but I might. Depends on how pissed I get about it.

Résumé Wackiness

So I recently decided to move to a new city, as I result I quit my job as an IT Manager. One of the last tasks I had was to place advertisements, read resumes, and interview prospective replacements. It had been a while since I had hired anyone and usually I had HR sifting through the first round of resumes. This time however, I was it, this company had no HR department. Considering that the position was not an entry level position I assumed that the people who would be applying for the job would know how to write a résumé, I was wrong, I was very very wrong. After tweeting out my frustrations many people asked what exactly I was seeing, so here it is.

First let me explain the what the job was. The company in question was a small 30+ person creative company. They had a mix of mostly PCs with a smattering of Macs, all authenticating against an Active Directory domain. They had a file server, a firewall, a security and telephone system, and a few other unusual tech pieces which is pretty much the same in any company. They needed one person to handle it all. I had already done most of the hard work by upgrading and organizing the mess that was there when I arrived several years earlier. The job needed someone to handle everything from paper jams and software updates to managing the VPN and telling the CEO what new technologies he should be looking at. Not an entry level job but not a CIO either.

The job description was initially posted to Craig’s List and then to Linked-In. One thing about my experience hiring for this position that was different than hiring elsewhere was that all the résumés came directly to me. No one filtered them out before hand. Résumés from Craig’s List came in one big bunch at first followed by a big surge from Linked-In. I would say I got 80% of all the resumes I received within a week of posting both ads. Linked-In seemed to have the longest tail with résumés arriving at a pretty steady rate for about two weeks although some people were still responding to the Craig’s List ad up to three weeks later. If you are looking for a job I would recommend looking for new listings daily. In this particular case we went from job posting to job offer in three weeks. People who applied during the third week did not get the same consideration as those that applied during the first week. The job was listed on a Tuesday and I was already interviewing people on that Friday. I suspect in some companies they may wait until they get all the submissions and then start going through them, however every position I have ever hired has been a ‘We need to fill this position now, get them in as soon as possible’. I’ve never had time to collect a bunch of résumés and then leisurely sort through them.

As for the résumés themselves… well, I was surprised. People seem to have forgotten what the résumé is for, it serves one purpose and one purpose only, to get the interview. That’s it. You will not get hired for any job based on how good your résumé is, what you might get is an interview. For the record I received over 80 résumés in three weeks. With that kind of competition you really need make sure your résumé is going to get you that interview. Out of those 80 applicants I actually brought in and interviewed eight people. I don’t know if that can be extrapolated to the wider job market as a whole but 10% sounds about right to me.

Something else that people seem to forget is that a real person is actually going to read the résumé eventually. All those buzzwords you use to get caught in the HR search engine are going to read like crap when a real person tries to decipher the buzzword and jargon filled ten page diatribe you submitted as a résumé. Which brings me to my third surprise, length. Seriously I see no reason at all to go beyond three pages, ever. In my book two is acceptable but if you really want to impress me go with one page. I received exactly one résumé that was one page long. Guess what, he got an interview. On the other end of the spectrum the longest one I got was seventeen pages and the second longest was eleven pages. I think I glanced at the first two pages of both and threw them on the ‘no’ pile.

I don’t usually check to see if a résumé has education listed, formal education does not impress me, I wasn’t hiring for an entry level position so I was looking for experience, however most people did list some sort of secondary education. It has been my experience that most schools force students to take some sort of career development class where they teach you how to write a résumé. Either most people forgot what they learned or schools are teaching shite. If you have never taken a résumé writing class or slept through that class in school find a class at your local Adult ed center and take it, or ask someone who works in HR to critique your résumé or something. Also don’t forget the cover letter. It doesn’t have to be long but I personally consider not including some sort of letter other than the résumé to be rude and lazy.

So what do I want to see on a résumé? First follow directions. If the job listing says to submit to a specific address then do so, don’t just hit reply on the Craigs List ad. This really upset me, if you can’t follow simple directions why should I hire you? Unfortunately it happened way to many times. At least half the résumés went to the wrong address.

The résumé should be easy to read. This should go without saying. This was for an IT Manager position not a graphic designer. Multiple colors and wacky fonts with strange layouts do not impress me. They go straight to the No pile.

If you are applying for an IT Manager position and your last job was a CTO then you are probably a bit over qualified and will end up in the No pile. If you are not really a CTO but just gave yourself the title because you are the only tech guy where you work, don’t. If you are applying for a lower position than you currently have then dumb down your résumé. If I think you are just going to jump ship as soon as you find something more on your level I’m not going to hire you. I probably got 20 or so résumés that list CTO or CIO as their last job, almost all of them wet straight to the ‘No’ pile.

I received one résumé with no job history at all, just a list of certifications and schools. This guy had every cert I think I had ever heard of. There were more acronyms than words on the page. I got nothing against certs, and if you got ’em put on there, they can’t hurt, unless they are the only thing you have. Personally I want to see experience. Even when I am hiring for an entry level position where applicants are likely to have no relevant experience I still want to see job history. Even if it is landscaper, Burger King and Best Buy, list it. I want to know that someone else thought you were worth hiring and that you could keep that job.

And speaking of experience the first thing I look for is job titles, make sure those stick out some how on the résumé. I want to see job titles and I want to see dates of employment. If you only list the year like say 2005-2006 and those years aren’t very far apart I’m going to get suspicious. I mean I’m a tech guy I understand people jump around a lot but if I see four jobs in three years there better be a logical progression of positions or you will end up in the ‘No’ pile.

Oh, and a biggie, fix ALL typos and grammar errors. The résumé should reflect your absolute best work, a typo, spelling error or simple grammar mistake probably won’t kill your chance at an interview but it won’t help and there is no reason for it. Get someone else to proof read it for you. Personally I suck at spelling and grammar, so much so that the way I write got its own name, ‘Spaceronics’, but there is no excuse for such mistakes on a résumé.

So if you want to get called in for an interview for a position I am hiring for keep the résumé short, three pages max, easy to read, highlight job titles and dates of employment and try to make your work history as relevant as possible. Dumb it down or smarten it up as necessary (Do NOT lie on the résumé, ever!) For a bonus make sure it prints out well. I think anyone who follows those steps and applies for a position they are somewhat qualified for should at least get a phone call. Good Luck.

Red Team Uniform

Allied Security Jacket

So I happened to be walking by the thrift store today and they had a rack of winter jackets on hangers outside on the sidewalk with a sign on them that said “Jackets $5.00”. The really interesting thing was that one of the jackets happened to be from the local security company Allied Security with the logos still prominently displayed. It would make a great costume for a Security Red Team. Something to think about next time you see a Security Guard wandering around somewhere maybe he shouldn’t be or who seems to be asking you a lot of unusual questions.

You sir are a bonafide Douchebag.

thefixer wrote:

Who gives a shit about your opinion, your an obsolete groupie, of obsolete hackers who sit around all day stroking eachothers cocks, at “cons” like blackhat, you spend your 3,000 on tickets, while the whole thing is a sham, no real blackhats there, just a bunch of tired ass white hats, stroking eachothers egos, trading stories of the glory days of the 90s, you are all hypocrite`s who have long since sold out and and spew your rhetoric from your comfy corporate desks. You are no longer the wiz kid who awes your parents and friends, no, You are now the thing you once hated, You are tools of infrastructure now, you wrap yourselves in the flag and serve the same system that is enslaving us all, you and your kind have contributed to this framework to end the wild west of the internet and take power from the poeple and give it to the fascists. You discust me.

You sir are a bonafide Douchebag.


Hackers Need Not Apply

Back in the nineties, the glory days of Hacking, just after the golden age of the late eighties, many companies were starting to get into the whole Internet Security thing. Everyone and their brother had an Internet Security company and VC were just crawling over each other to give them money. One thing most of the early companies had in common was a staunch refusal to hire ‘hackers’. They would give speeches at conferences and say ‘We hire only the best security experts, but no hackers’ They would issue press releases that said the same thing. I remember reading these and laughing because all the hackers I knew worked at these very same companies. (The ISS XForce said this all the time, and everyone who worked there was a hacker.)

At the time this was a brand new industry that basically took shape over night. There were so many security startups you literally couldn’t through a rock without hitting one. Foundstone, Guardent, @Stake, and those are just the big names that I remember off the top of my head, there were dozens of other smaller firms all vying for a piece of the pie and for the ever decreasing pool of talent. Basically if you knew what a war dialer was, could run a file of hashes through L0phtCrack and knew how to clear your browser cache you were hired as a Security expert at a 100K a year. It was that easy.

So what did all us hackers do? Well, we got jobs naturally. We got jobs at the very same companies who said “We don’t hire hackers”. Very very few of us actually had criminal records and those who did usually had them sealed due to a juvenile status at the time. So when it came time to fill out the employment history on the job application you filled it out truthfully, Landscaper, Burger King, Tech Support, and now Security Expert. Nowhere did you write down ‘Hacker’. When we went into the job interview we did not wear a big sign around our necks that said ‘Hacker’.

At some point after @Stake acquired the hacker think tank L0pht Heavy Industries this whole ‘we don’t hire hackers’ thing started to change. A lot of companies saw that it added to their credibility to say that they had a hacker or two on staff or if they didn’t actually publicize it they definately didn’t make assinine statements like “We don’t hire Hackers”.

Well, I guess things have come around full circle. Because Enrique Salem over at Symantec has stated that “You always worry about [grey hats]. Symantec has a standing policy that we don’t hire anyone to be a part of our company who has done any kind of known hacking,” he said. “We will not employ hackers.”

Enrique has been at Symantec for 16 years now but maybe he was to busy doing whatever is was he was doing before he got the CEO job in April to realize that his company does hire hackers. Or at least they did ten years ago when they bought @Stake and its old L0pht (and CDC) members. (OK, so I guess technically they bought them and didn’t actually hire them but semantics.)(Hey, always wanted to make that pun, hehe) At least one of the old L0pht folks was still working there up until a few years ago.

But even now there are more people than I can count on one hand who I know personally that work at Symantec who are publicly well known hackers. They speak at Hacker cons, are known by their handles and call themselves hackers. They don’t go around advertising where they work but its not a big secret to those of us in the community. I don’t think they have criminal records and I doubt they go around breaking into other peoples computers but then hacker does not equal criminal.

If you want to go around and say “We don’t hire hackers” that’s fine, just realize that there aren’t going to be very many people left to hire and you sound like an idiot when you say it. (Hey, DHS, are you listening?)

PC Protect

Internet scams are a dime a dozen from pop ups for fake anti-virus software packages to cleverly designed phishing websites that look exactly like your banks login page. Internet criminals will try just about anything if they think they can get away with it. Today I think I ran into what I think is a totally new scam that definitely involves your land line telephone, and I am pretty sure it involves the Internet, but I’m not sure.

The telltale sign that you have been had is a monthly charge on your telephone bill for $19.99 for something called “PC Protect”. Now a business of any measurable size is going to a have a phone bill such that an additional charge of $19.99 is going to be barely noticeable and I suspect that this is exactly what whoever is doing this scam is counting on. Thankfully the company I work for has an eagle eyed accountant and when she spotted the extra charge she quickly brought it to my attention and asked what it was. I had no idea, but with a name like “PC Protect” my spidey sense started tingling immediately.

A quick google search turned up a snazzy one page website (which I can no longer seem to find) full of web 2.0 goodness that looked like it was just there to sign people up to some sort of anti-something service. At the bottom of the page in the tiny tiny fine print there was a statement about how people could dispute charges by calling a number. Well, obviously we called. The first time they claimed to be from quizrocket DOT com (no, I won’t actually link to the site) the second time they claimed to be usprizedraw DOT com. We complained about the charges and they basically said tough, that our employee John Smith authorized the charges. So we called Verizon who easily agreed to remove the charges.

All well and good but the question remains how did these people get the company phone number and an employee name to ping it to? Obviously I had a talk with John. John is one of those rare people who ‘gets it’ mostly from an IT perspective. He told me that he never visited either of those sites or any other site even remotely close to it, doesn’t use facebook, doesn’t fill out online quizzes and when he buys stuff online for the company he uses a fake phone number (Like I said, he ‘gets it’).

If it was anyone else I would probably just say he filled out a form somewhere and got phished, which is still possible. Or there may be undetected malware deep inside his machine that I haven’t found yet. (I will take a closer look soon). Looking closer at the company info I quickly started going nowhere, fake company names, with fake addresses etc…

I will be looking closer at this stuff over the next few days. If you have heard of PC Protect or if anything else in this sounds familiar let me know. In the meantime keep a close eye on your phone bills.

Financial Company Still Recommending Insecure Software

There are few things in this world that really piss me off and blatant ignorance is one of them. On January 31st 2006 Microsoft did the right thing and removed Internet Explorer for Mac from their available IT downloads. Considering that IE5 for Mac had ceased further development in 2003 it had become riddle with unpatched security holes by the time MS removed it from the its website. Despite Microsoft’s positive action people are still recommending the software three and half years later, and not just regular Joe Schmoe idiots but major financial corporations.

Such recommendations place these corporations, not to mention their customers, at major risk for online fraud, phishing attacks, identity theft, etc… If a company does not wish to support a specific platform that is their prerogative but if they go out of their way to recommend not only an unsupported solution but also an extremely dangerous one shouldn’t they be held liable for their negligence?

I am pasting below a recent email exchange between a local IT Manager and the technical support for (If anyone knows anyone in security at Paychex you might want to point this out to them.) I sincerely hope that the flunky in IT who wrote this has just been misinformed and that this is not Paychex official policy, but hey, there are a lot of stupid idiots out there.

—–Original Message—–
From: Joe Smith (
Date: Monday, May 11, 2009 05:19 PM
To: (
Subject: Online FSA – Contact Us

What are the minimum requirements to use your website?

Several of our employees are having problems accessing their accounts. Do you support Firefox? Safari? Chrome? Do users need Java or Flash installed? Which versions? Thank you.

Kind Regards,

– J. Smith
IT Manager

From: Paychex Section 125 []
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are certain access issues that may occur with firefox and safari and it is not recommended to use these for this website. Internet Explorer should have no issues with access or transmitting information. No additional programs are required for access how ever to request certain documents and view them adobe acrobat reader is required.

Thank you,

Paychex Section 125

From: Joe Smith (
Date: Tuesday, May 12, 2009 04:48 PM
To: ‘Paychex Section 125’ (
Subject: RE: RE:Online FSA – Contact Us

Internet Explorer is not available for Macintosh users. How do you recommend that those users with Macintosh computers access your website?

Kind Regards,

– J. Smith
IT Manager

From: Paychex Section 125 []
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are mac versions of internet explorer available online free of charge.

Thank you,

Paychex Section 125


Oh, and they had this stupid disclaimer on the bottom of their emails

The information contained in this message may be privileged, confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or any employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Paychex, Inc.

All I can say is that idiocy must be brought out into the light so that it can wither and die. Become enlightened. Oh, and don’t use IE for Mac.

L0phtCrack 6 to Be Released at Source Boston

L0phtCrack, the original and still the best password auditing tool for MS windows based systems, will be re-released at Source Boston by the original authors! That’s right Mudge, Dildog and Weld Pond have required the rights to the original L0phtCrack and plan to release a new version at the upcoming conference. The new L0phtCrack will have support for 64-bit windows and upgraded rainbow tables. Woohoo! Details on potential additional new features, and pricing have not yet been released but you can bet that it will be better than Symantec’s.

Source Boston 2009

HNN Archive Posted

I don’t really know who actually owns the Hacker News Network anymore. I own the domain now but the original content was part of the sale of L0pht to @Stake which was then sold to Symantec. At this point though I don’t really care anymore. If they want it they can come and get it and suffer the negative publicity as a consequence.

Therefore I am putting all of the old HNN files back online. I figure the files don’t do anyone any good wasting away on my hard drive. So if you want to check out the news from any day between September 10, 1998 and March 30, 2000 just click on one of those links and then change the date in the URL to the day you are looking for.

A couple of notes, these are just the raw news files, no pretty pictures or other chrome. If you find duplicate files, those were the weekends. I think I have all the days but some of them may be missing, I know the last few months are not there. These were all originally written in in raw html with no spell check, and my grammar ain’t no good neither. Almost all of the links will be broken (hey, its been ten years) but a few like CNN’s might still work.

On an unrelated note, WordPress is now at 2.6.3 (yeah, I know big deal) and you can now leave comments with your OpenID!