I, Hacker
Hacking and music and activism, oh my!
2014-11-17

For months, he had worked relentlessly. He cut down the tree, split the logs, and brought them down to workable planks, and that was only the beginning. It was only a few days in when his family began to wonder if he had finally lost it; why was a man who had never done a day of manual labor in his life taking on such an endeavor? All he ever said was, "My family deserves the best."

Once he had the planks sawn, he built a drying room to make sure that they were perfect. He waited and waited, measuring the water content every day. Then one day, everything was spot on. He took them into his brand new workshop and began to plane them down. By the time he was done, the surface was absolutely even.

He jointed the planks together, ensuring that they fit together like a glove. The surface was coming together, slowly but surely. Each day, he'd do one more joint and smile at his progress, even if it was driving him a bit mad.

He turned the leg parts on his new lathe, making absolutely certain that each section would fit properly in the next. It was essential that they telescoped cleanly, or his plan would never succeed. This odd design choice got no end of questions from his wife, but he brushed them off the same way he did all others.

Then the sanding. Lord, the sanding. From morning to night, he sanded in increasingly finer grades of paper. His arms ached, but his family deserved the best and he would settle for absolutely nothing else.

Finally, he stained and sealed the wood. Once the finish was to his liking, he sanded it again and buffed and polished until he could see himself in it. He had the finest table that he had ever seen.

While his family was away one afternoon, he and a friend moved it into the dining room, replacing the old dingy Ikea table with his perfect piece of craftsmanship. He got to work cooking a meal to commemorate the occasion, in preparation for the inaugural dinner that evening.

When his family returned home, they couldn't believe what they saw before them. The table couldn't have looked any better, with its nice wooden centerpiece, a roast suckling pig, and sides as far as the eye could see. They all stood slackjawed before he invited them to sit.

He raised his glass and looked at his wife, smiling. She knew that smile all too well, and immediately her eyes fell to the table. The fear built in her stomach as it all became clear to her.

"Family; those I love so very much," he began. "I know you all think I've lost it. That I've gone off the deep end. Well, today I think you'll see that that's untrue. You just all deserve the best, and this table was the only way I could give you that."

"You sit before my months of work; this beautiful piece of work was just a simple birch tree only a few months ago. I couldn't have done it without your love and support, even if you did think me a bit mad. I love you all, so I won't keep you from your food for longer than I need to."

"I've noticed you all looking at the height of this table; I know it seems odd. But you'll note that you all have a handle just under the table, in front of you. Just grab hold of that and lift it up and the table will follow, effortlessly."

"Lift some birch, then you dine."

2014-10-28

The Birdwatcher sat alone, eating the same porridge he ate every day, listening to the same record he always listened to. Days were mostly the same for him, ever since he lost his sight. He tended to his garden and sat by the edge of his pond, listening to the birds and the waves.

He never complained, not that anyone was around to listen anyway. He knew the purpose to his life and nothing would keep him from it; he didn't need anyone's pity and he wouldn't take any, even if his eyes had failed him and the rest of his body wasn't far behind.

Each day at noon, he would sit near the pond and feed the birds, enjoying their presence even if he could no longer see them. He kept bread in his binoculars case, a reminder of who he once was. While he longed to see them again, he had a lifetime of memories to tide him over. They were a comfort to him, but he had to live, so once every week or two he would find the largest swan he could and take it away from the flock before thanking it for its sacrifice and killing it.

He stripped the meat from the bones and put most of it in the freezer for later; the rich vegetables from his garden supplied most of the nutrients for his diet, so he only needed a bit of extra protein and fat from the swans.

However, he could've gotten meat from any number of birds -- it was the bones he really needed. He hated to kill his favorite bird, but he knew that only their bones could do what he needed, so he set them aside to dry.

He had done this for years with nary an interruption, until a knock came on his door. It took him a moment to remember what that sound was, it had been so long. But when he opened it, a boy was standing there, soaked to the bone, seeking shelter from a thunderstorm. The man could hear the cold on his voice and invited the boy inside immediately.

Once he got the boy a change of clothes from his son's old trunks, he finally asked the boy's name. "David," the boy spoke from between chattering teeth as he spooned porridge into his mouth and wrapped the blanket tighter around himself. "And yours, sir?"

"Most refer to me as the birdwatcher, or they did when I socialized with people, but you can call me Isaac."

They idly chatted as the old man worked the swan bones into a fine powder with his old stone mortar and pestle. The boy looked inquisitively at him, but kept his questions to himself, figuring that the man had already helped him out enough.

Finally, the boy finished eating and said with wonder, "I've never tasted anything like that; what is your secret, if I may ask?"

The man chuckled and began, "Well, son, that's a long story. Many years ago, I was visited by a boy not much older than you, shortly after my eyes gave out. He stayed only a few days, but I can say without a doubt that he is the most important man I've ever known, and I know that you are here to finish what he started, even if you don't know it yet.

"His name was David as well, and he had come here under similar circumstances. By the time he left, I knew him to be a wise man, the likes of which I had never met before or after; in fact, he was the last person I ever spoke to, some twenty-five-odd years ago. He revealed to me the secret of regaining my sight and despite all the time that has passed, I still believe him to this day."

The boy rolled his eyes, but he suppressed the doubt in his voice when he inquired, "What was this secret he bestowed upon you, and why do you believe I will finish his work? And what does all this have to do with porridge, anyhow?"

"The reason I know that you will finish what he started is simple: he told me that when my trials were to come to an end, you would come to my doorstep. A boy named David, seeking shelter from the storm.

"As for the porridge, the reason is in my hands. I'm grinding down swan bones to a fine flour of sorts now; I use it to thicken the mixture and, at least to me, it is the greatest taste on earth."

While an odd choice of ingredient, the boy couldn't help but agree, and in fact he had helped himself to another bowl while the birdwatcher was explaining all of this.

"But I never would've thought of this if it weren't for David -- the first one, that is. He explained to me, much to my confusion, that the way to regain my sight was through the bones of the things I loved most. It took me some time to make it palatable, but when I came to this, I never ate anything else."

The conversation largely died down after that, with neither of them sure of how to continue it. Once the storm had completely passed, the birdwatcher invited the boy out to sit by the pond and feed the birds with him, which he couldn't resist after the hospitality the old man had shown him.

David was pensive; the story the birdwatcher had told him was interesting, but he couldn't imagine that he was anyone of import, being a simple blacksmith's son. However, he kept this to himself; no point in attacking the man's belief, especially after such a great meal.

The old man was lost in thought, but finally jumped back to reality. He spoke, slowly at first, his voice quivering, "Maybe I misinterpreted this, after all this time. I had always thought that I would regain my sight, but he never said that. Not those words, at least."

After his earlier conviction, this admission shocked the boy, and he spoke rashly without considering that he was speaking to his elder, "How could you possibly misinterpret this, and only realize it after 25 years?! What did this seer say to you?"

"I will never forget what he said to me. As he walked out my door for the last time, he turned to me and told me, 'Take swan to know swan.'"

THE END

2014-10-27

It's been a while since I've written anything, and this is completely unedited (something I will be remedying soon), but enjoy a bit of sci-fi.

The Drift

He steps into a classroom. He steps into his lab. He steps into an airport. He steps into the future, each step happening beside each step. But the question remains: who is he?

When the second 'he' came into the picture, morning rituals were the first to have to change; he figured that he could get away with one toothbrush, as long as all of him didn't use it at once. Parallel lives increased productivity, but scheduling resources became more complex with each new 'him'. After all, once you've had a taste of the future, it's hard to stop.

Three bodies, three locations, all capable of independent thought and with their own working memory. This wasn't terribly out of the ordinary -- most companies had been paying for body doubles for years, to aid in productivity. What he had over the other phyclones was a simple -- and yet essential -- modification: a long-term memory sync.

The engineers found early on that wiring all memory between phyclones led to a technological schizophrenia; memories interrupting memories across your bodies. Nobody had made the leap to capturing memories as they were committed to long-term memory. At least not until he did it; now he's taking over the world, one step at a time. But the question remains: who is he?

He's been asking himself that a lot lately. Memories are shared, but each body's subtle differences in brain chemistry meant that behavior changed from clone to clone. His girlfriend noticed it first, remarking that he used to tilt his head to the left when going in for a kiss. That one simple comment led to a full-blown identity crisis. Was he his memories, in a redundant storage system and synced by the minute? Was he his bodies, with their variations and slowly drifting personalities? Or were they all worker ants, listening to the hive leader, soulless and alone?

The fourth 'him' led to the fifth and sixth in rapid succession. Exponential growth in productivity meant that his income increased by the day, each one learning more and pushing further. It wasn't until the third generation of phyclones that he noticed the personality drift, so the fourth generation was an experiment to see just how different he could be. His thought process was simple, but they put it to a vote: is it better to have multiple personality types? Arguments from both sides were heard. Proponents spoke of the benefits of a diverse ecosystem; that differing opinions and viewpoints would lead to better decisions. Detractors made it clear that once the drift was pushed into action, there was no turning back.

The proponents won, and they were quickly shown to be right. The rate of progress exploded; his research capacity outpaced that of the phyclone institutes with generation six. The use of a central storage array was the next piece to go, being upgraded for a peer-to-peer memory sync. Distance of communication was a limiting factor, so repeaters were set up in the dorm common areas that would share the signal to the other clones.

But the detractors were right too. With the personality drift came cliques -- clusters of phyclones working on research of mutual interest -- and this led to infighting. Once the clones started grouping themselves into separate dorms, maintenance of the sync repeaters was deprioritized; everyone they wanted to share memories with was in the same building.

He stepped into the future and ripped away all his human bonds, without realizing it. Step by step in parallel, the clones drifted not just from each other, but from the human species as a whole; each generation evolving further and further. Millions of years of evolution were directed and packed into a three year period, as the generations of clones exploded. The hundredth generation was reached right after the year one marker; the thousandth after year two.

His phyclones had taken over most of the LA Sprawl, having outpaced the economic output of existing industries. He couldn't recognize most of him anymore; their bodies were each uniquely generated to fit their intended roles, a technological Adonis.

The drift led to what most people considered a new species -- the first posthumans, bringing us out of the dark ages we had been in -- but he continued to ask: who is 'he'? His phyclones no longer shared their memories with him; they no longer looked like him; they were often not even the same sex as he was. It was clear that the drift had made something new, something great. But when did they stop being him and start being this new race?

He walked down Alameda St and stepped into Union Station, passing newsstands plastered with his many faces. He stepped one step at a time, a serial life. There was an emptiness as he stepped into the train heading up to Seattle and away from the Sprawl that He now controlled. But there was a big city just waiting for Him and his disciples.

It was time for Him to make the next posthumans.

2014-04-16

I'm going to say something controversial in today's social media: The world is a great place. In fact, it's a better place than it's ever been before and only getting better. Let's talk about some awesome things going on.

  • Since 1975, world illiteracy has been cut in half, from about 40% to 20%. It's projected to drop to 15% by next year. [1]
  • Death from malaria has dropped by 49% in Africa and 42% worldwide in the last decade. [2]
  • The average IQ in the US has risen by 3 points each decade since the 1930s. [3]
  • Every statistic around racism (support for interracial marriage, opposition to segregation, etc.) has dramatically improved year after year. [4]
  • There's less violence now than at any point in human history. [5]
  • Humans are living longer than they ever have before -- girls born after the year 2000 are more likely than not to live to 100 years old! [6]
  • Poverty around the world has dropped by a massive amount. From 25% in the US in 1959 to 10-12% now. [7] Global poverty is down 50% in just the last 20 years. [8]
  • In the last two decades, 2 billion people gained access to clean water. This dramatically lowered mortality rates and increased the quality of life for nearly 30% of the population. [9]
  • From 2000-2012, Internet access went from 5% to 35%. That's an increase of 566%. [10]
  • With that connectivity to the Internet, students around the world now have access to the likes of Khan Academy and Udacity, providing everything from basic education in arithmetic and math, to complete computer science Masters programs. And all of it is free.
  • With Kiva, you can lend money directly to people who need it to buy inventory for their stores, materials for buildings, and many other things. You can directly help make others' lives better. You can do it right now. Seriously, go.
  • With Watsi, you can fund medical treatments for those who can't afford it. You could save a life. Consider a monthly donation.

And you know what? This is only the tip of the iceberg. In nearly every way you can imagine, the world is getting better. There are problems, but they're just that: problems. And every problem has a solution.

So next time you think "the world is really going downhill," stop and think about whether that's true, or whether you're simply seeing the bad and blocking out the good. The world is a great place; let's make it even better.

Happy Hacking,
- Cody Brocious (Daeken)

2013-06-11.1

Introduction

Today I'm proud to announce a first-of-its-kind web security course. Spanning 12 intensive weeks, this course goes well beyond what's possible in traditional trainings and will transform you into a web security professional.

Note: this is not in any way affiliated with my employer.

Goal

My goal with this course is to take you from web developer to web security professional. You will know common (and uncommon) vulnerabilities, how to discover them, how to exploit them, and how to protect against them.

By the end of the 12-week course, you will be in a good position to build secure products, work as a security consultant, and generally break everything that comes across your desk.

There are no written tests or fill-in-the-blanks homework. Every exam is a practical one and you will be finding bugs from day one.

Security professionals are more in demand than ever; whether you're looking to move up as a developer or jump into the security field, you will get your money's worth.

Upon successful completion of the course, I will -- if you opt-in -- personally refer you to several of the top security consultancies in the world. You will be the perfect candidate!

Prerequisites

  • You are a developer with experience working on and with web applications.
  • You understand HTML and can read and write Javascript well.
  • You know at least one of {PHP, Python, Ruby, Java} and can read and understand web applications written in them.

What to expect

As mentioned before, you will be finding bugs on day one. You can expect 2-4 hours of course work in the week following each class and 3-4 practical exams throughout the course. Your success in this course is highly dependent upon completing the assigned work in a timely fashion, due to the depth and breadth covered.

If you start to get in the weeds or just have some questions, I'll be available to help you out and get you back on track. You'll also have access to private forums for students, and an IRC channel in which to discuss problems.

Syllabus

Week 1

The first week, we start with an introduction to the course and end with you finding your very first bug. This sets the pace for the rest of the course.

  • Introduction
    • Structure of the course
    • How to contact me
    • Resources
  • General introduction to security
    • How to think like a breaker
    • How to write up security findings
  • Tools and setup
  • Your first bug

Week 2

In this week, we will discuss how browsers work, from the ground up. This will give you insight into how you can violate trust boundaries and lead us right into breaking web applications. You'll also learn about cross-site request forgery (CSRF) attacks, one of the most common you will find in applications today.

  • HTTP requests
    • What they look like and what they contain
    • How cookies work
  • HTML
    • How it's parsed
    • How legacy code in browsers helps attackers
  • Javascript and DOM
    • How Javascript runs
    • How the DOM works
  • Content-type sniffing overview
  • Encoding overview
  • Same-origin policy
  • Cross-Site Request Forgery

Week 3

In this week, we'll dive in with several common, severe vulnerabilities. We'll examine real-world cases with a focus on how to discover them, how to exploit them, and how to mitigate them.

  • Forced browsing
  • Directory traversal
  • Improper authorization
  • Authentication bypasses

Week 4

In this week, we'll discuss in-depth two of the most common and crippling vulnerabilities found in web applications today. You'll learn discovery and exploitation techniques as well as mitigations.

  • Cross-Site Scripting
    • Reflected
    • Stored
    • DOM
    • Common protections and how they fail
  • SQL Injection
    • Typical
      • Discovery
      • Exploitation
    • Blind
      • Discovery
      • Exploitation
        • Tools

Week 5

In this week, we will discuss several vulnerabilities with far-reaching consequences for web applications. Command injection will be a focal point, wherein you will learn how to bypass standard protection mechanisms and see how subtle bugs can lead to full compromise of real-world applications. You'll also get an introduction to testing web services and web APIs.

  • Clickjacking
  • Command injection
  • Cookie tampering
  • Session fixation
  • Testing web services/APIs
    • REST
    • SOAP
    • JSONP

Week 6

In this week, you will learn how to turn an application's logic against itself, enabling you to read and write files, execute your own code on the webserver, and more.

  • Arbitrary file reads/writes
  • Local and remote file inclusion
  • File upload flaws
  • Unchecked redirects

Week 7

In this week, we'll discuss how to effectively review source code, an invaluable tool in the security professional's skillset.

  • Source code auditing
    • What you can reasonably expect to accomplish
    • Tools
    • Tracking coverage
    • Entrypoint tracing

Week 8

This week will focus on how to think through secure design and architecture, identify threats, and enable more secure development.

  • Threat modeling
    • What it is
    • Why it's useful
    • Why full threat modeling is a waste of time for consultants
  • Secure design
    • Questions to ask
    • Red flags
    • Supporting legacy designs

Week 9

In this week, we will discuss securely storing passwords -- and what's possible when this is not done -- as well as go through the core things you need to understand about crypto and what to look for in a secure application.

  • Password storage
    • Pitfalls
    • Doing it right
  • Crypto crash course
    • Stream ciphers
    • Block ciphers
    • Asymmetric ciphers
    • Hashes
    • MACs

Week 10

This week will focus on various common crypto bugs and discuss how to take advantage of them and how to prevent them.

  • ECB failings
    • Block reordering
    • Block replacement/corruption
  • Padding oracles
  • Hashes versus MAC
  • Stream cipher XOR
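The ECB block reordering and block replacement items above name a concrete attack: because ECB encrypts every 16-byte block independently, an attacker who can get chosen plaintext into one block of a record can cut that ciphertext block out and paste it into another record. The following is an added example written for this page; it is not course material and not the author's code. To stay dependency-free it uses a toy Feistel block cipher in place of AES (the ECB mode around it is the real thing), and the profile format `email=...&uid=10&role=user`, the registration oracle, and the `forge_admin_token` attacker are assumptions chosen to show the cut-and-paste.

```python
import hashlib
import secrets

BLOCK = 16   # block size in bytes, same as AES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed, round-dependent hash of one 8-byte half.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte block cipher (stand-in for AES; NOT for real use).
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    # PKCS#7: append n bytes of value n, 1 <= n <= BLOCK.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted on its own, with no chaining and no MAC.
    pt = pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    pt = b"".join(block_decrypt(key, ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))
    return unpad(pt)


# --- server side (assumed application) ---

def issue_token(key: bytes, email: str) -> bytes:
    # Strips the delimiters, so the attacker cannot simply type "&role=admin",
    # but non-printable bytes (used for padding below) pass straight through.
    email = email.replace("&", "").replace("=", "")
    profile = f"email={email}&uid=10&role=user"
    return ecb_encrypt(key, profile.encode("latin-1"))


def parse_token(key: bytes, token: bytes) -> dict:
    profile = ecb_decrypt(key, token).decode("latin-1")
    return dict(kv.split("=", 1) for kv in profile.split("&"))


# --- attacker side: only the registration oracle is needed, never the key ---

def forge_admin_token(issue) -> bytes:
    # 1. "email=" + 10 x's fills block 1, so block 2 is exactly
    #    "admin" followed by 11 bytes of valid PKCS#7 padding (0x0b).
    t1 = issue("x" * 10 + "admin" + "\x0b" * 11)
    admin_block = t1[BLOCK:2 * BLOCK]
    # 2. "email=attacker@x.io&uid=10&role=" is exactly 32 bytes, so the
    #    value "user" (plus padding) is block 3 of this token.
    t2 = issue("attacker@x.io")
    # 3. Replace block 3 with the "admin"+padding block from step 1.
    return t2[:2 * BLOCK] + admin_block


def demo() -> dict:
    key = secrets.token_bytes(16)            # attacker never sees this
    forged = forge_admin_token(lambda email: issue_token(key, email))
    return parse_token(key, forged)          # {'email': 'attacker@x.io', 'uid': '10', 'role': 'admin'}
```

The forged token decrypts and unpads cleanly because the pasted block already ends in valid padding, which is why a padding check alone does not help. Swapping the toy cipher for AES changes nothing about the attack; what stops it is authenticating the ciphertext (an HMAC over the token, or an AEAD mode), which is the "Hashes versus MAC" item in the same week.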

Week 11

Leading into the final week, we will cover several advanced exploitation techniques that will come in handy against hardened real-world applications.

  • WAF bypasses
  • XSS via alternate encodings
    • Encoding sniffing
  • XML external entity (XXE) injection
  • Advanced SQL injection

Week 12

In the final lesson, we will review all that has been learned, then run through several real-world scenarios from both an attacker and defender's perspective.

  • Review of web vulnerabilities
  • Review of crypto and vulnerabilities
  • Scenarios for secure architecture design
  • Scenarios for general web security

Schedule

Current plans are to begin classes the week of August 11th, then the subsequent 12 weeks from there. Each class will be one hour long and take place twice weekly (two identical classes), to accommodate different schedules.

I'm going to be taking a poll of students to see which of the time slots I propose will be best; as it stands, there will likely be one in the evening during the week (EST/GMT-5) and one earlier in the day on the weekend, to give coverage and flexibility to the majority of the world.

Price

The price is $1000 for early-bird sign-ups and $1500 for the remaining seats. This comes out to $125 a week ($83 for the early-birds) -- the best money you'll ever spend to expand your knowledge and further your career.

This price will double in subsequent runs of the course and seats are very limited. Being the first run, there will certainly be some bumps in the road, but I guarantee that everyone who participates will find it very valuable.

Sign up

You can sign up for the course at Eventbee, here. See you in class!

FAQ

Who are you and why are you doing this?

I'm Cody Brocious, a security consultant and reverse-engineer with nearly a decade of experience in the field. You can see my portfolio and read more about me on Wikipedia.

The reason I'm doing this is that I absolutely love the security industry, and having more people in the field makes it more exciting and makes the world a better place. Whether you stay in software development or become a security consultant, you will be making software safer and more secure for all of us.

How are the classes being run?

Each class is a live video stream where I give the class, diagram things out as necessary, and show relevant code and attacks. While that's going on, you'll be in an IRC channel where you can discuss the class and ask me questions in real time. The recorded class and IRC logs will be available after the fact for review.

In addition to this, you'll receive an outline of what the class covered and anything else that may help you along with your coursework.

What is the coursework? What about exams?

The majority of the coursework will be styled as a CTF (capture the flag). In essence, you will be breaking from day one and putting these attacks in practice. The exceptions are some of the crypto and the secure architecture/threat modeling portions of the course. These will be graded for your benefit but do not count towards your score.

Exams are largely practical as well, but will be more open-ended, as you will see in real-world security testing.

Can we work in groups?

Absolutely! I encourage you to form groups -- local study groups especially, if you're able -- and make use of the forums and IRC channel that will be provided. The one exception is on exams, as those are graded.

What do I get for completing the course?

You will receive a unique certificate upon successful completion of the course -- cryptographically signed, of course!

I have a question that isn't covered. How can I reach you?

Feel free to shoot me an email at cody.brocious+course@gmail.com with any questions you may have. I look forward to speaking with you!

Sign up

In case you didn't already sign up above, you can do so at Eventbee, here.