# Reader

Read the latest posts from Infosec Press.

## February 7, 2023

How I prepared for and passed the Microsoft Azure Fundamentals AZ-900 exam.

So, in addition to all the “alphabet soup” after my name, and the five (5) AWS certifications I hold, I had some time on my hands and decided to get some Microsoft/Azure certs. Why not? The first eight Fundamentals exam vouchers (US$99 each) are FREE! And, the reality is that even organization that are gung-ho AWS may have some Office 365, Sharepoint, or Active Directory that they are using. So, being a “multi-cloud / hybrid-cloud” kind of professional makes sense. Dollar$ and ¢ents.

Microsoft has a program called “Microsoft Virtual Training Days” (MSVTD). Where, for “XX-900” Fundamentals certifications, by attending a two-day (3.5 hours day #1; 2 hours day #2), they give you a 100% discount on a $99 Pearson Vue exam voucher. The MSVTD you attend doesn't even have to be in a language you speak! However, be ready to answer “Knowledge Check” questions and it helps to have Google Translate handy. So, Basically, they're giving away Fundamentals level certifications for the cost of attendance. And, they're good forever! No continuing certification requirements! Today, I passed with an 850 our of 1000. I'd post a picture of my score, but I haven't figured out how to embed images here yet. So, if I could do it, so can you. Here's how I did it. First, I read the rules for the certification on the Microsoft website. You can't win the game if you don't know the rules. https://learn.microsoft.com/en-us/certifications/exams/az-900/ Then, I purchased Scott Duffy's Udemy course and practice tests. https://www.udemy.com/course/az900-azure/ https://www.udemy.com/course/az900-azure-tests/ I went through the Udemy course first. Seriously, it took me about 2 days to pre-study the AZ-900 and pass one practice exam. A plus is that it counts as 6 CPEs against pretty much any and all ISC2, ISACA, and DRII credentials. TIP: In hindsight, I should have done more of the hands on labs even though this is supposed to be geared towards non-technical and technical new to Azure candidates. Because I probably could have done better on the exam if I had put in more lab time on the console. Not the CLI or Powershell...the Azure Console. Because I don't like paying after-tax dollars on anything I don't have to, I wondered if there was a way to get free exam vouchers. MS Fundamentals level exam vouchers are US$99.00!
That's the price of a nice breakfast cronut here in San Francisco!
Low and behold I learned about the MSVTD program from Medium! https://medium.com/techwasti/az-900-certification-how-to-get-free-voucher-and-how-to-pass-eef7c9b4f33e

So, YOU MUST create an account at https://learn.microsoft.com/ if you want to get the voucher “discount”. Then while signed in, I navigated to the bottom of the page to “Virtual Training Days”. You've got to attend one of these if you're going to get the voucher. The voucher “discount' will be credited to the email address you use. I suggest using a personal email address rather than a corporate email address “in case you change jobs” 😉

The program is popular, and I was in a hurry because I was already scoring in the high 80s on the Udemy course practice exam. So I signed up for the earliest offering which happened to be in German and at Midnight Pacific Time: 2.5 Hours-ish each of two consecutive nights. I used Google Translate to as I watched. The MSVTD training is a good complement to the Udemy course.

About a week later, I got my “discount” applied to my Microsoft Certification account.
TRAP: Be sure to clear your browser cache and/or open an incognito window and sign in to your Microsoft Certification account to overcome a bit of a glitch in getting my voucher discount. Depending on where you live the PearsonVue testing center (if you go for in-person proctoring) may be booked up and you will have slots open that are a week or more into the future.

I returned to my study materials two days before the exam to “refresh” my knowledge.

And, here I am with another newly minted credential, and with practical knowledge that will help me with The Real Exam...when I'm sitting at the table with technical and non-technical clients assessing their business situation and facilitating a collaborative conversation towards creating and delivering business value.

There you go. The whole Secret Sauce with all the ingredients! Enjoy!

Read more...

## February 4, 2023

Becaause toooting it wasn't enough...

“Financial Times Sets Up Mastodon Server, Realizes Laws Exist (Which It Was Already Subject To), Pulls Down Mastodon Server”

“Bloop!”

A cautionary tale where... 1) Know the business objective WHY you're introducing IT and associated risk into the business. 2) A “Compliance Impact Assessment” has been performed early as a means of identifying the requirements for an IT project. 3) Consideration of the free, yet valuable, advice from Electronic Freedom Foundation is reviewed (see link inside article to “User Generated Content and the Fediverse: A Legal Primer) 4) Like any other IT investment take a risk-based approach to the business decisions on whether and how to undertake a business opportunity.

Thanks for attending my TedTalk!

Aloha! Be Safe and Be Well! Alan

#mastodonmigration #governance #risk #compliance #it #failure #duediligence #duecare #server #deployment

Link to Techdirt article “Financial Times Sets Up Mastodon Server, Realizes Laws Exist (Which It Was Already Subject To), Pulls Down Mastodon Server” from the huh? dept Wed, Feb 1st 2023 12:01pm – Mike Masnick : https://www.techdirt.com/2023/02/01/financial-times-sets-up-mastodon-server-realizes-laws-exist-which-it-was-already-subject-to-pulls-down-mastodon-server/

Link to Electronic Freedom Foundation “User Generated Content and the Fediverse: A Legal Primer” By Corynne McSherry December 20, 2022: https://www.eff.org/deeplinks/2022/12/user-generated-content-and-fediverse-legal-primer

Read more...

## Markdown Reference

Automatically generate table of contents by checking the option here: Settings > Format > Markdown.

## Format Text

Italic emphasis , Alternative italic emphasis

Bold emphasis , Alternative bold emphasis

Strikethrough

Break line (two spaces at end of line)

Block quote

Inline code

Code blocks
are
awesome


## Lists

### Ordered & unordered

• Unordered list
• ...with asterisk/star
• Test

• Another unordered list

• ...with hyphen/minus

• Test

1. Ordered list
2. Test
3. Test
4. Test
• Nested lists
• Unordered nested list
• Test
• Test
• Test
• Ordered nested list
1. Test
2. Test
3. Test
4. Test
• Double-nested unordered list
• Test
• Unordered
• Test a
• Test b
• Ordered
1. Test 1
2. Test 2

### Checklist

• [ ] Salad
• [x] Potatoes
1. [x] Clean
2. [ ] Cook

Link

File in same folder as the document. Use %20 for spaces!

## Tables

Left aligned Middle aligned Right aligned
Test Test Test
Test Test Test

÷÷÷÷

Shorter Table Syntax
Test Test Test
Test Test Test

## Math (KaTeX)

See reference & examples. Enable by checking Math at Settings > Markdown.

### Math inline

$I = \frac V R$

### Math block

$$\begin{array}{c} abla \times \vec{\mathbf{B}} -\, \frac1c\, \frac{\partial\vec{\mathbf{E}}}{\partial t} & = \frac{4\pi}{c}\vec{\mathbf{j}} abla \cdot \vec{\mathbf{E}} & = 4 \pi \rho \ abla \times \vec{\mathbf{E}}\, +\, \frac1c\, \frac{\partial\vec{\mathbf{B}}}{\partial t} & = \vec{\mathbf{0}} \ abla \cdot \vec{\mathbf{B}} & = 0 \end{array}$$

$$\frac{kt}{ke} = \sqrt{2}$$

## Format Text (continued)

### Text color

Text with background color / highlight

Text foreground color

Text with colored outline / Text with colored outline

### Text sub & superscript

Underline

The Subway sandwich was super

Super special characters: ⁰ ¹ ² ³ ⁴ ⁵ ⁶ ⁷ ⁸ ⁹ ⁺ ⁻ ⁼ ⁽ ⁾ ⁿ ™ ® ℠

### Text positioning

text on the **right**
text in the **center** (one empy line above and below required for Markdown support OR markdown='1')

### Block Text

lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum.

Click to Expand/Collapse

Expanded content. Shows up and keeps visible when clicking expand. Hide again by clicking the dropdown button again.

### Break page

To break the page (/start a new page), put the div below into a own line. Relevant for creating printable pages from the document (Print / PDF).

## Multimedia

### Videos

Youtube Welcome to Upper Austria

Peertube Road in the wood

### Audio & Music

Web audio Guifrog – Xia Yu

Local audio Yellowcard – Lights up in the sky

## Charts / Graphs / Diagrams (mermaidjs)

Pie, flow, sequence, class, state, ER
See also: mermaidjs live editor.

graph LR
A[Square Rect] -- Link text --> B((Circle))
A --> C(Round Rect)
B --> D{Rhombus}
C --> D


## Admonition Extension

Create block-styled side content.
Use one of these qualifiers to select the icon and the block color: abstract, summary, tldr, bug, danger, error, example, snippet, failure, fail, missing, question, help, faq, info, todo, note, seealso, quote, cite, success, check, done, tip, hint, important, warning, caution, attention.

!!! warning 'Optional Title' Block-Styled Side Content with Markdown support

!!! info '' No-Heading Content

??? bug 'Collapsed by default' Collapsible Block-Styled Side Content

???+ example 'Open by default' Collapsible Block-Styled Side Content

This Markdown reference file was created for the Markor project by Gregor Santner and is licensed Creative Commons Zero 1.0 (public domain). File revision 3.

Read more...

## Bzzzzzz

from BeeSalad🐝🥗

B bzzzzzzz bzzzzzzzzzzz bzz bz b bzz bzzz bzz bzzzz bzzzz bzzzz bz b bzzzzzz bzz bzzzzzzzzzzzz bzzzzzzzzz bzz bz bzzzzzzzzz bzzzz bzzzzzzzzzz bzzzzzzz. Bzz bzz bzzz bzzzzzzzz b bzzzzz bz bzzzzzzz bzzzzzz, bzzzzzzzzzz bzzzzzzzzz, bz b bzzzzzz bzzzz bzz bzz bzzzzz bzzzzzzzzz bzzzzzz bzzzzzz bzzzzzzz-zzzzzzz bzzzz bz bzzzzzz bzzzzzzzzzzzz. Bzz bzz bzzz bzzzzzzzzzzzzz bzzz bz BZZZZ, BZZ, bz BZZZ.

Bzz bzzzz bzzzzzzzzz bz bzzzz bzzz bz bzzzzzz bzzzzzzz, bzzzzzzzzzz bzzzzzz, bzzzzzzz bzzzzzzz, bzz bzzzzz bzzzzzzzzzzz. Bzz bz bzzz bzzzz bzz bzz bzzz bzz bzzzzz, bzz bzzzz bzzzzz bzz bzz bzzzzzzz bzzzz bz bzzz bzz bzzzz.

Bzz bz bzzz bzzzz bzz bzz bzzz bz bzzz bzz bzz bzz bzzzz bzz bzz bzzz bzz bzz bz bzz bzz bzzzz bzzzzzz bzzz bzzz. Bzz bz b bzzz bzzzzz, bzzzzz-zzzzzzzz bzz bzz bzzzzzzzz bzzzzzz-zzzzzzz bzzzzz. Bzz bz bzzz bz bzzzzz bzzzzz bz bzz bzzzzzzz bzzzzzzzz bzz bzzzz bzzzzz bzz bzzzzzzzz bzz bzzzzzzzzz bzzzzzz bzzzzzzz, bzzzzzzz bz bzzzzzzzzzz, bzz bzzzzzzzz bzzzzz bz bzz bzzzz.

Read more...

## Why I want to be a security archineer.

### Where I came from, where I am, and where am I going.

I started working in IT roughly 20 years ago. I was a student worker in the IT department of a local community college. While I had started my college career as a mechanical engineering major, I changed my major after speaking to one of the Computer Science professors. (I just so happen to have been assigned the Tech building for my work as a student worker).

Student workers were assigned very repetitive, somewhat menial work. To say the work we performed could have been done via a Shell script is no exaggeration. As the months went on I discovered I had aptitude for this type of work. What started as a problem/solution focused career of mechanical engineering type work changed to IT/Computer/Network problem solving.

I continued down this career path as desktop support at a handful of places of higher education. I watched my more senior coworkers in IT and the work they performed and I decided I wanted to go into the sysadmin networking field. I made that my goal.

I worked on my bachelor's degree (having completed my Associates at the previously mentioned community college) in Computer Science for a few years off and on while working. A life changing event while I was working in Atlanta had me move back home and transfer to the local university. I discovered they had a concentration in information security, and that became my choice. Though I had a hard time breaking into the information security field, when I finally did, I discovered yet again, I had a knack for it. It took me a bit over 3.5 years to finally become FTE in the information security field, and that was as a Cyber Security Engineer.

I have been a security engineer for over 2.5 years now. I enjoy the work, and have found a 'talent' for this type of work. I also realize that I have a lot to learn. This (as is any specialty within IT) requires constant learning and constant skill growth.

When asked by those much younger of what kind of job/career/work they should pursue, I tell them my hypothesis: “You can do what you love and you might learn to hate it; you can do what you hate and try to learn to love it (if it pays well); or you can do what you do well and make a career out of it.”

I chose the latter.

Read more...

## January 25, 2023

from Tom's Takes

VMWare

In my day job I've been learning VMWare. In my night job (same as the day job, yay startups) I've been applying what I've learned. It's pretty spectacular. One of my coworkers has developed an awesome set of PowerCLI scripts to allow us to automate a CRAZY amount of our workload. I am overjoyed at every network I clone using them, so a huge thanks there.

VMWare on Google Cloud Platform is crazy powerful – I wish I could homelab some of this stuff. Today I stress-tested our Google Cloud – it performed amazingly well. I can't wait to share more about what we're doing, but I truly believe we're helping to revolutionize the cyber training and education industry.

Read more...

## January 23, 2023

from drsbaitso

Brief Thoughts on PKI and Certificates at Scale

This started as a reply to @davidseidl@mstdn.social and a thread about certificate expiration in a small organization (https://mstdn.social/@davidseidl/109638543580938963). He made some good points, but there's scaling issues for enterprises, as I outline and address below.

At the scale of a couple dozen certs, calendar alerts and individual/backup responsibility is okay. Once you get into hundreds and thousands of certs, you need to plan and automate as much as possible.

At enterprise scale, you're probably using certs for a number of tasks: * User Authentication * Device (server, service, container) Authentication * Data encryption in transit * Data encryption at rest

When you're working in an enterprise (1,000+ employees), maintaining the infrastructure necessary and helping developers understand how to accomplish their goals absolutely requires its own team. You're likely dealing with multiple certificate issuers (internal and external), along with ensuring all the moving parts of certificates (issuers, CMT, CRL/OCSP, and the servers/databases underpinning them) are working smoothly.

That also means thousands of certs on hundreds or thousands of devices, services, or containers. Unless you want your entire day to be consumed with manually updating certs (and maybe you like to do the boring stuff like that), automation is key.

A good Certificate Management Tool will do several things: * Find what certs are already out there through scanning * Manage certificate life-cycles * New certificate provisioning/installation * Renewing existing certificates * Maintaining certificate history * Centralized revocation in the event of a breach * Report what you have in appropriate granularity * Alert appropriate parties in cases where automation isn't yet available

Certificate Inventory: A CMT should be able to scan targets (though an IP range, an Active Directory OU, a list of URLs, et cetera) and find the certificates are either offered through various interfaces (like HTTPS) or stored on the device (like in the Windows CertMgr). The second option will require an account the scanner can use to authenticate to the account.

Certificate Life-Cycle Management: The bread and butter of installing, renewing, and revoking certificates. Maybe you want one cert for a service/application on a dozen servers. Maybe you don't want to have to manually deal with your public-facing .com cert every 60 days. Maybe you have a honeypot farm with a valid cert for $reasons that you want to be able to revoke with one button. That's the heavy lift a CMT provides. It can also maintain a history of previous certificates, so you have more pieces of the “when did this stop working” puzzle. Reporting: Execs love pretty graphs, and some accountants love internal billing. Reporting from your CMT can make this literally automatic. Need to migrate from$OldCertIssuer to \$NewCertIssuer, and Management wants some numbers on who's behind the curve? Security needs to audit all your externally-trusted certificates? Reporting!

Automation should be the target for the majority of your certificates' life, but sometimes automation just isn't available. Old line-of-business applications can be picky, and maybe you don't have the maturity yet for automation success. There are also some high-security edge cases where a manual process is required. Even if your CMT can't talk to the device (say because it's in a segregated network), the certs will still expire when the clock says they do. Or perhaps you have a third-party service that can't request certificates on their own. This is where monitoring and alerting can come into play. Monitoring and alerting on certificates before they expire can let you plan and communicate changes in a calm, orderly fashion instead of “oh gods the cert expired and we need to replace it five minutes ago!”.

An end-state goal is essentially the same as a well-oiled CI/CD pipeline (and in fact interacting with your CMT could be part of of that process). Review reports, alerts, and observability metrics. Let the computers handle the boring parts while your team handles the interesting choices of fitting use-cases and designing good, scaling solutions.

When you're using certificates for data-at-rest encryption, that data is only useful if you can decrypt it. We use our CMS to handle key escrow for our servers. There are specific additional security requirements around that, and we work with our internal security teams to ensure everything is handled properly.

Our CMS acts as a proxy/relay for most certificate use-cases in our environment. We've got a couple of distinct certificate authorities that do different things, but half the certs flow through our CMS. Sometimes that's “store and forward a CSR, return signed cert”, sometimes it's “Fill out a few fields, we'll take some default data, and handle everything behind the scenes”. The other half is just grabbing data from an Active Directory Microsoft Certificate Authority for reporting purposes.

Just because you're not ready for heavy automation doesn't mean you won't see value in a CMT/S. Step one of solving a problem is always identifying the problem. CMT/S will help with that too.

Good CMT/S will integrate with your existing toolsets. If you've got a smooth container deployment pipeline, ideally you can integrate your cert management with an API call or two to include standard, short-lived certs automatically.

The journey through automation (and away from waterfall development) is a long and winding road. How do you eat an elephant? One bite at a time. When you're looking to change and mature a culture, start with small wins. Build momentum. Get some easy-to-understand examples (especially within your own team) you can quickly (elevator-pitch style) demonstrate to others. Just as important is knowing when to say “This is a bigger challenge than anticipated, and we can leave it as a manual process for now.”

Read more...

## January 23, 2023

from drsbaitso

Layoff Advice From Experience

A ton of people have had a really bad time recently, with 200,000+ lay-offs over the past few months. I had a thread on birdsite last year with some good advice, so I thought I'd recap and generalize it here.

Things suck for a lot of folks. And they're going to suck for a little while.

I'm sorry.

Getting laid off a month before my 4th work anniversary felt almost exactly the same as finding out my long-term relationship was over because she was cheating on me. The same feelings of betrayal. The same sudden emptiness. The same massive, unplanned changes to life and routine.

Recognize that this is a sudden, drastic life change. Your routines are all destroyed. Your social circle may have just changed drastically. Don't be afraid to lean on your friends; they're there for you.

I don't know how long your runway is, but take some time to decompress. Whether that means tackling some projects you put off, or digging into your To-Be-Read pile, or binging on every season of Survivor is up to you.

Have some light conversations with contacts that you're in the market, but let the resume/application/interview prep wait a bit. It can wait, and will be better if your head is screwed on straight.

Interviewing is a specific skill-set, and you may benefit from waiting before jumping right to interviews. Again, this all depends on how long your runway is. Some limiting factors are immigration status, requiring heath insurance, or immediate monetary needs. All this advice is subject to change based on your specific circumstances. Review the current articles, gather your great stories, and start editing your anecdotes.

Take the swag and put it away. Don't throw it out, just tuck it out of sight. Maybe you'll come to a place where it reminds you of the good times you had. Maybe you'll decide to ceremonially burn it in the woods (responsibly). But it can wait until your head stops spinning.

Sometimes you lose a political game you didn't even realize what happening. Sometimes someone three levels above you loses a political game THEY may not have realized was happening. Neither one is good, but putting the pieces together helped me.

The same truth about dating (there's no “one”, you make the relationship through work) applies to companies too. Your last team may have been something special, but you can make a great place and team with good people anywhere. You can make a new special. YOU can make a new special.

I thought I had found a place I was going to spend the next 30 years at and retire from. Between internal politics and the 2017 tax code change, that rug was pulled out from under me. Since then, I've had two great positions where I'm doing even better work. But the trust of just standing on a rug is gone. Now I'm always read to jump.

Be okay with sitting in the weird quiet for a bit. Then dust yourself off and make a new special.

Read more...

## First Post

from ath0

I signed up for this without thinking through what I'm getting. Shiny! Squirrel!

## I'm testing to see if this is Markdown savvy.

I have a Wordpress site, but it's not well used.

This isn't as fancy-schmancy as Wordpress, so that may be what I need. Less distractions.

It's also adjacent to my Mastodon account, so maybe it'll be easy.

Time will tell.

Read more...

## Mascha Kaléko

from Vorinstanz

“Lache! Alles stimmt mit ein. Weine und du weinst allein.”

Heute ist der Todestag der Literatin Mascha Kaléko. Sie starb am 21.1.1975 in Zürich im Alter von 68 Jahren. In Zürich ist sie auch begraben.

Ihre Flucht vor dem nationalsozialistischen Regime hat ihr Leben und Werk geprägt. Ihre Gedichte wurden als Chansons unter anderem von Rainer Bielfeldt vorgetragen.

Weiterlesen...

## Mattermost Mobile

from Vorinstanz

Mattermost's mobile apps would get a major overhaul, for both the Android and iOS worlds. The new versions have been rolled out since this week.

Mattermost can be used as an #OpenSource alternative to MS Teams. The details...

Weiterlesen...

## Cyber Security Bootcamps - Buyer Beware

from Tom's Takes

Today I had a run-in with some people from a cybersecurity Bootcamp (you can read my LinkedIn for further details). Suffice it to say, I've had several people join VetSec who feel like they were taken advantage of by some of these bootcamps. BLUF: Buyer beware. Many of these will not actually help you get into the industry. This one, in particular, offers no certifications (they give you vouchers if you want to go above and beyond on your own), and has almost no criteria for graduation other than showing up.

It's extremely frustrating to run a 501c3 that is doing real good work out there and struggle to find funding, meanwhile, this bootcamp gets 18k a head as long as they find meaningful employment post-graduation. This is an organization running a program they call “Certified Penetration Tester”, but they get 18k if the person lands a helpdesk role following completion of the program.

I'm sorry, but this is complete and utter bullshit. /rantover

## Hacking Your(My) Health

Anyways, moving on.

I've been participating in the HACKS v1.0 program from Ben Canning. If you're not familiar with Ben, he's a trainer and awesome dude from Hack Your Health and runs his own training company. He focuses on lifestyle changes surrounding nutrition and working out. I signed up for his HACKS group program in November, and I have to say, I struggled hard with it over the holidays. Combatting 39 years of “clear your plate, don't waste food” has been a struggle. Figuring out how to eat as much protein as Ben prescribes has also been a trick. Any time I've broken with a routine (travel, etc.) I've fallen off the proverbial bandwagon.

As I'm winding down my Navy time now, I'm glad to be able to settle into a little more of a routine and focus on my health. I'm dedicated to writing about this journey here as well.

Start date: 11/1/2022. Starting weight: 258 Current date: 1/19/2023, Current weight: 246

## Course Work

Finally, I'm working on writing a video-based course that will teach some foundational IT stuff. I can't say more until it releases, but it's been a journey already, learning the presets for OBS, buying a 4k webcam a streamdeck, and forcing me to clean up my office. My goal is to record my first couple of videos tomorrow and get them over to the publisher, and I'm super excited to get started.

Anyways, thanks for tuning in, everyone. I'll continue to share my personal and professional struggles and takes.

Cheers!

Read more...

## Texte optimieren

from Vorinstanz

OpenAI, unter anderem von Microsoft alimentiert, gibt zurzeit viel zu reden und zu Missverständnissen Anlass. Im Schatten dieser aufgeregten Debatte hat DeepL ein AI-gestütztes Tool entwickelt, das beim Schreiben “mitdenkt”. So werden Texte “optimiert”. Das Tool ist in der Beta-Version verfügbar: www.deepl.com/de/write.

Nun diesen Text nochmals, optimiert mit dem Tool:

“OpenAI, unter anderem von Microsoft gesponsert, sorgt derzeit für viel Gesprächsstoff und Missverständnisse. Im Schatten dieser aufgeregten Debatte hat DeepL ein AI-gestütztes Tool entwickelt, das beim Schreiben “mitdenkt”. So werden Texte “optimiert”. Das Tool ist als Beta-Version verfügbar” (DeepL Write, Beta-Version)

Weiterlesen...