Friday, 23 November 2012

Zero Slides @ IrissCon

So if you're unlucky enough to follow me on Twitter, you'll have seen that I had a conundrum with my presentation at IrissCon :)

After a little work yesterday morning, during IrissCon, I tweaked the presentation and reduced the number of slides and successfully tested my "Security Onion in EC2" demo over the hotel wifi. I even managed to show a few others what I was going to do and received good feedback :) To add to my preparation, during lunch I hooked up my laptop to the main screen in the conference and everything looked sweet, even the "live" demo (@BrianHonan took some nice pictures also).

I was so relaxed this year in comparison to previous years (I only had a 30 minute talk to do, right). Looking at Jason and the Honeyn3t lads (organisers of the CTF this year), I recognised the bloodshot eyes and I could see the amount of stunning work that they had done (the world map of domination was simply awesome). My relaxation was commented upon by several folk so I must've been a right pain last year, sorry!!!

After lunch I ended up in the second room, where the Iriss CTF was going on. I went to check out some of the nmap scans of Team404 and ended up stealing a chair and a laptop. Looking at the World Map being dominated by the Bitbucket crew, I sat down to give some help and ended up taking control of 3 boxes and was on two of them for 2 hours but got very few points due to missing newline characters and the restrictions of DOS :( It was a lot of fun (getting on, getting kicked off by another team) though so a BIG thank you to Team404 and the Honeyn3t guys for allowing me to sit down and have fun (much more fun sitting on the other side of the table)!!!!!! As a result of this though, I missed all the early afternoon talks, including Marcus Ranum's talk........doh :( I actually missed most talks due to talking to folk outside in the hallways, preparing for my own talk and spending time in the CTF room but I had a great time chatting and learning. I caught a fair bit of Mick Moran's talk and it was pretty powerful stuff!

I did get to see @EoinKeary's slides around how we're doing web applications wrong and I was gutted I missed his talk (but I did get a personal walk-through), it looked excellent, especially the Kinder Eggs slide :)

Anyway, onto the main point of this blog post, my MacBookPro died a very public death as I plugged the VGA cable into it to start my presentation and it did this flashing performance as it moved from blue to white to black back to white. Half of me was thinking -

"Really? Seriously, what is this sh*t? Murphy's Law :("

whilst the other (geek) half thought
"This is actually quite cool, I didn't know a Mac could do a BSOD :)" 

Thankfully, I had actually prepared, gone over my presentation several times and I like to think I knew what I was talking about (thanks to @bobdob and @rtby for the prep presentation). As a result, I presented on

"Peeling your Network Layers with Security Onion"

with no slides, no notes and no props. It appears that I've received good feedback, folks said nice things about the presentation and I had questions from the floor and afterwards some personal questions. If you saw the presentation and want to see the slides to help decipher what I was waffling on about, check them out here.

Security Onion is an awesome tool and I like to think I did it justice. I plan on trying to help Doug et al on the project as much as I can - I want to add some cli options to the setup script and seriously look at implementing a "Chef" solution for MongoDB.

Remember Security Onion -
  • is a great way to see what's actually going on in your network
  • provides a clarity that many commercial solutions cannot
  • is an awesome solution, not only as an NSM server/sensor but also as a stunningly loaded analyst workstation
  • has a tonne of tools - frameworks, network IDS, host IDS, network forensics tools, nice GUIs, asset management, the awesome sguil and many more
  • comes with everything compiled and ready-to-go (ever tried to compile sguil from scratch?)
  • has a very active mailing list with great support
  • still lets you get commercial support for your Snort rules and signatures to keep your rules completely up-to-date
  • provides context so YOU actually KNOW what is going on in your network and what happened before or after
  • enables a WINDOWS ADMIN to set up a sensor in less than 10 minutes
  • is FREE, yes FREE :)

By the way, the good news is that the Mac Book is back on the road to recovery and working. @Jayester advised me to back up immediately whilst @BaconZombie offered 50 euro for the Mac :)

Well done to "Brian Honan" on another excellent edition of IrissCon, all credit should go to Brian for such amazing hard work. I must apologise to Brian for my laptop screw-up though :(


P.S. I took the title of this blog post from Marcus Viertel's tweet here.

P.P.S. As a FYI, next week, along with @securityninja and @marcwickenden, I'm hosting a slimmed-down version of HackEire @ Realex, which will be cool and exciting. Sign up here!!!!

Friday, 2 November 2012

In Bits

I figured this lunchtime workout from yesterday was worth posting as I'm feeling the effects today and swim training was a little tough as a result -

  • Warm-Up: 3-4 minute cycle; 10 minutes of skipping, abdominal exercises, hip stretching, push-ups & various bridge-type exercises.
  • Main:
    • 3 sets of
      • Pull-Ups {1, 2, 3....max}
      • Push-Ups {2, 4, 6....max}
        where max equals failure :) The first set I hit 7/14, second set 5/10 and the third set 3/6, not too shabby!
    • 3 sets of
      • Clean into Front Squat (double kettlebell) {5}
      • Single Leg Deadlift with one kettlebell {5 each leg}
        where max equals failure.
  • Cool-Down: 5 minutes of stretching and 3-4 minute cycle.

This tough workout was made slightly tougher by mistakenly doing presses with the first set of cleans, ouch :(

Wednesday, 31 October 2012

Dublin GTUG

So last night I spoke at the Dublin Google Development Group, which is held in the Google Offices in Barrow Street. For all the times I've passed those offices, either by foot or train, I've never actually been in there and usually looked enviously upon their facilities (I believe they've now got a 25m pool, which for me would be, well, awesome). I was invited by Eoin Bailey (from Trinity), who up until last night (I believe), has been running the group and interestingly, the "head" of the group cannot be a Google employee. Apart from the slick, professional set-up there's also food and non-alcoholic drinks beforehand with a potential retirement to the Schoolhouse afterwards.

The facilities were obviously excellent, sweet theatre ("What's up Doc" was the name I believe) with excellent seating, screens etc as you'd expect. The group seemed interested in my talk but I think I lost most folk when I began talking about sharding, possibly my fault :( Working the bank holiday as the only person in EMEA and having a crazy day on Tuesday, due to the effects of Hurricane Sandy on my NYC colleagues, meant that I turned up knackered and with essentially little prep done. Far from ideal and a big no-no for me usually but the invite had been agreed a long time ago, plus it's always good to spread the word of "MongoDB" and challenge oneself (I think). I think one of the great challenges is to stand up and try to explain technical stuff that you think you know; the trick is not to do it tired, but all the same, I definitely learnt a lot last night from standing up there. My slides can be found here (bear in mind that many of these slides were actually cut from the deck that I presented, due to time constraints and the difficulty of deciding "what constitutes an introduction").

The presentation seemed to have gone down well, there were some questions (whilst the books, mugs and stickers SWAG went pretty fast) and people said nice things, though they could have just been being polite :)

The second talk of the night was by Chris Woods. I've previously chatted and worked a little with Chris on MongoDB so it was good to see a familiar face. Chris is a very clever guy, totally gets "MongoDB" and had a really interesting presentation with some funny war stories. His web app is called Voczie, can be visited here and in his words -

VocZie combines RSS feeds with Twitter to let you see and participate in the conversations which happen around the news stories we all read every day... 

Chris is actively looking for more traffic to his site so that he has to deal with "scaling out" and is very excited about "sharding" so I strongly encourage you to visit his site :) Chris has a short write-up here on the perils of standing up to talk in front of random strangers and his slides can be found here.

I really enjoyed my visit to the GTUG and I think it's easily one of the cooler and more technical user groups I've seen in Dublin. I went home knackered but it was good evening, meeting new folk and seeing Chris's cool use case.

I hope to come back as an attendee, if I'm allowed back in :)

Thanks to Eoin, Raphael and Jean (hopefully I haven't forgotten anyone) for their hospitality, Chris for talking eloquently about MongoDB and Gianfranco for his moral support!!!!

Monday, 15 October 2012

Being a Support Engineer @ 10gen - Part 2

So back in July, I wrote a blog post talking about my experiences being a so-called "phone jockey", i.e. a support engineer, for 10gen. For those cynics out there, it wasn't written by HR, modified by marketing or requested by management or anyone in our recruiting team - I wrote it off my own back because
  • I've a tendency to do things off my own back
  • I wanted to explain what being a "support engineer" actually meant and more specifically, what it entailed in a small, innovative, fun company like 10gen
  • I now have somewhere to point people to when they ask me what life as a "support engineer" in 10gen is like
  • to get kudos within 10gen and please management
When I wrote the blog post, I intended it to be a once-off (why would anyone agree to writing a multi-part blog series) but I was encouraged to at least write a second post by @francium and she's very cool so I let it slide and agreed!!!

One of the ideas that I had was talking about a typical day in my role but since no day is typical, I'll talk about some of the things that I've done since the last blog post - 
  1. Run two (of our three) MongoDB User Group sessions @EngineYard, in Dublin, (the fourth is coming up in December, do come :) ). The last session was pretty awesome, much better than the alternative, watching this -

  2. Begun working closely with the Engineering team on some new security-related features for the next version of MongoDB - here and here. I even got to go back to 10gen-NYC for some testing, design and product management work on the new features though I also came away with a few documentation tasks sadly.
  3. Led the work on a bunch of other internal security stuff, which I've had the chance to spearhead before.
  4. Started trying to learn python......hhhhhhmmmmm. One of my goals is going to be taking a Coursera course. It will be tied in with my professional goals so I'll have extra incentive there also and to be honest, so far it looks quite cool.
  5. On-boarded new commercial support customers in EMEA.
  6. Learned a tonne (aka a "ton") more about MongoDB and obviously taken a lot more support tickets but hey, c'est la vie!
  7. Kicked off some research and work on packaging management on Ubuntu/Debian.
  8. Filed a bunch of enhancement requests for our SNMP functionality (this became a sort of boomerang as I'm not only the requestor now but also the owner, aaaahhhh does that mean I have to do some C++?).
  9. Gotten to grips (as much as I need to) with git :) I've even put a bunch of troubleshooting scripts up there for giggles (yep, I know they're crap).
  10. Dipped my toes into Hadoop and quickly undipped them, ouch!
  11. Fallen in and out of love with Stack Overflow and Security StackExchange.
  12. Done a tonne of interviews, some tips when interviewing with me:
    • It's not a good idea to say you want to leave your current job because you don't enjoy supporting silly customers.
    • It's "mongo", not "mango" :)
    • It's not a good idea to swear (I swear too much myself but I don't think it's the best idea in an interview)
    • I'm typically the 3rd, 4th or 5th interviewer and often a week or two after the initial screening. At this stage, I expect you to have installed MongoDB, know a little about the following -
      • documents
      • collections
      • ports
      • schemaless
      • replication or sharding (i.e. spell them)
    • If you don't know something, don't put it on your CV.....otherwise it's "fair game".
    • The answer to "Have you any questions?" is not "no". To me, this implies a lack of interest in the job.
  13. Basked in the glory of my last blog post!!! 
  14. Continued to order the awesome burritos for the team, from BurritosBlues. We do a weekly lunch, which whilst it sounds a little cheesy, it's actually nice to sit down with the team and slag the sales guys :)
  15. Lastly I'd have to say that imho, I've also been able to get to know some of the most intelligent and passionate people I've ever met and that's kinda cool as it encourages me to try to improve every day. I'm hoping I hit the 10,000th hour thing in the not too distant future so I can consider myself some sort of expert on databases!!!!!!
So yeah I've "Support" somewhere in my title, but that's not all I do. If you work in a technology company and you don't think you do "support", you're sorely mistaken.

MongoDB is a database, written in C++, uses BSON documents for storing data, runs on a multitude of platforms and is deployed in a huge variety of implementations. There are drivers across a substantial number of languages for your web application to interact with MongoDB. So yeah, there are many areas to get stuck into; as that "phone jockey" you will not be bored and your job will be VERY technical!!

My biggest challenge at present is time management and learning to say "no" but for me, that's a nicer problem as opposed to the alternative.

Remember - we all "support" and we all "sell", trust me :)


P.S. IF YOU'RE READING THIS as one of the folks that have received the link to my blog in order to understand what we do, please send your cv/resume in and kick off the process!

P.P.S. Francesca, it's a two-part series, no trilogy here :)

Friday, 24 August 2012

Simple Script to test Sharding on MongoDB

Sharding, eh? There are so many questions on a daily basis about sharding -
  • What is sharding?
  • How do I shard?
  • When do I shard?
    • How do I know I need to shard?
  • How many shards do I need?
  • What shard key should I use?
  • Can I change my shard key?
  • What's a hotspot?
  • Do I have a replica set within a shard?
  • etc
and everyone is unique with a different use-case so the answer isn't always the same.

Here's the official documents page (on sharding) and Kristina's blog, which is simply excellent on so many levels - I recommend reading both links (btw, it'll take a while :). Kristina uses some awesome analogies to explain sharding.

This blog post isn't about the technicalities of sharding, there are much more intelligent people than me who can explain that. I wrote a simple script to learn a bit more sharding and for reproducing issues and I thought I'd share it. It's written in bash because I didn't want to worry about dependencies :)

After you run the script, you should be able to run
 $ mongo twitter --eval 'sh.status()'
from your local shell and see something like the following, indicating that you now have a sharded cluster with a sharded database "twitter" and a sharded collection "tweets":
 MongoDB shell version: 2.0.6  
 connecting to: twitter  
 --- Sharding Status ---  
  sharding version: { "_id" : 1, "version" : 3 }  
   { "_id" : "shard0000", "host" : "localhost:10000" }  
   { "_id" : "shard0001", "host" : "localhost:10001" }  
   { "_id" : "shard0002", "host" : "localhost:10002" }  
   { "_id" : "admin", "partitioned" : false, "primary" : "config" }  
   { "_id" : "twitter", "partitioned" : true, "primary" : "shard0000" }  
     twitter.tweets chunks:  
         shard0000  1  
       { "query" : { $minKey : 1 }, "max_id" : { $minKey : 1 } } -->> { "query" : { $maxKey : 1 }, "max_id" : { $maxKey : 1 } } on : shard0000 { "t" : 1000, "i" : 0 }  

Hopefully it's of interest or help to someone :)
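The post links to the script rather than showing it, so here is an added example of the same idea (not the author's script): a bash script that stands up a throwaway three-shard cluster on localhost so that `mongo twitter --eval 'sh.status()'` reports shard0000..shard0002 on ports 10000-10002 and a sharded twitter.tweets collection, matching the status output above. It assumes mongod, mongos and the 2.x-era mongo shell are on PATH; the data directory, the config-server port, the mongos port and the DRY_RUN switch are this example's own choices. When mongod is not found it only prints the commands it would run, which is also a handy way to review what a test cluster does before starting it.

```shell
#!/usr/bin/env bash
# Added example, not the script from the post: builds a throwaway three-shard
# MongoDB test cluster on localhost. One config server and no replica sets,
# so this is for learning and reproducing issues, never for production.
# Assumptions: mongod, mongos and the mongo shell (2.x era) are on PATH;
# BASE_DIR, CONFIG_PORT and MONGOS_PORT are this example's choices.
set -e

BASE_DIR="${BASE_DIR:-/tmp/shardtest}"   # scratch data directory (assumption)
CONFIG_PORT=20000                         # single config server, test use only
MONGOS_PORT=27017                         # default port, so plain `mongo twitter` hits mongos
SHARD_COUNT=3
FIRST_SHARD_PORT=10000
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print the commands instead of running them

# shard N listens on FIRST_SHARD_PORT + N, so shard0000 -> 10000 as in the status output
shard_port() { echo $(( FIRST_SHARD_PORT + $1 )); }

# shell JavaScript that registers one shard with mongos
addshard_js() { printf 'sh.addShard("localhost:%s")' "$1"; }

# shell JavaScript that enables sharding on a database and shards one collection
# on the compound key {query, max_id} shown in the chunk line above
shard_collection_js() {
  printf 'sh.enableSharding("%s"); sh.shardCollection("%s.%s", {query: 1, max_id: 1})' "$1" "$1" "$2"
}

# run a command, or just echo it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# start one forked mongod: $1 = port, $2 = dbpath, remaining args = extra flags
start_mongod() {
  local port=$1 dbpath=$2
  shift 2
  run mkdir -p "$dbpath"
  run mongod --port "$port" --dbpath "$dbpath" --logpath "$dbpath/mongod.log" --fork "$@"
}

main() {
  if ! command -v mongod >/dev/null 2>&1; then
    echo "mongod not on PATH; printing the commands instead of running them"
    DRY_RUN=1
  fi
  start_mongod "$CONFIG_PORT" "$BASE_DIR/config" --configsvr
  i=0
  while [ "$i" -lt "$SHARD_COUNT" ]; do
    start_mongod "$(shard_port "$i")" "$BASE_DIR/shard$i"
    i=$((i + 1))
  done
  run mongos --configdb "localhost:$CONFIG_PORT" --port "$MONGOS_PORT" \
      --logpath "$BASE_DIR/mongos.log" --fork
  [ "$DRY_RUN" = 1 ] || sleep 5    # let the daemons finish starting before we talk to mongos
  i=0
  while [ "$i" -lt "$SHARD_COUNT" ]; do
    run mongo admin --port "$MONGOS_PORT" --eval "$(addshard_js "$(shard_port "$i")")"
    i=$((i + 1))
  done
  run mongo admin --port "$MONGOS_PORT" --eval "$(shard_collection_js twitter tweets)"
  echo "done; check with: mongo twitter --port $MONGOS_PORT --eval 'sh.status()'"
}

main
```

Everything listens on localhost only and the data lives under BASE_DIR, so tearing the cluster down is a matter of killing the forked mongod/mongos processes and deleting that directory. Because the shard key is declared up front in shard_collection_js, the single chunk you see in sh.status() spans minKey to maxKey on {query, max_id} until the collection grows enough for the balancer to split it.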

Sunday, 19 August 2012

Killer Kettlebell Workout

Since starting kettlebells (3 months ago) my fitness, strength and flexibility have definitely improved. My hips have a strong tendency to lock, meaning that my gluteal muscles don't fire so the hamstrings are over-compensating.

I've noticed a definite improvement on the bike when climbing (legs have more power and less restriction at the top of the motion) whilst body fat and overall weight have dropped.

I did this workout on Friday past and although I'm biased, I think it was pretty cool and so thought I'd share -

  • 7 minutes run
  • Half-Planks * 10 L/R
  • Backward leg-lunges with stretch * 10 L/R 
  • Front squats, toes touching the wall * 10
  • Skipping * 50
  • Bridge * 10
  • Single-Leg Bridge * 10 L/R
  • Skipping * 50
  • Reverse-Curls * 10

  • Ladder
    • 3 * {Pull-Ups (1, 2, 3) & Push-Ups (2, 4, 6)}
  • Countdown
    • Swings/Squats (35/5, 30/10, 25/15, 20/15, 15/20, 10/25, 10/30, 5/35)
    • All the swings were with 24kg; Squats (24kg all sets for first 15 reps, then 20kg)
  • 7 minutes run
  • Stretch

Friday, 17 August 2012

Help, someone's trying to hack my Facebook account!

So I received a phone call from a friend saying the exact words in the title.

This friend suddenly started receiving password notifications for several of their social networking sites (Facebook, Twitter etc) and other applications. The more interesting aspect is that this friend has an upcoming legal case so the multiple password notifications from independent applications and sites were a little more than coincidental. Given all the incorrect uses of the word "hacker", I refuse to call this person or people "hacker(s)" and really, what he/she/they did is not that subtle.

I had some advice for my friend, which I first bounced off another good friend, Brian Honan, who was extremely helpful as always and had some awesome additions.

So this post is not intended to tell you how to be safe on the Internet or how to harden your laptop/desktop/phone. I simply thought I'd publicise this advice in case anyone else ran into the same scenario (bear in mind that this advice is primarily intended for a non-technical person, who may have to contact law enforcement) -
  • Record everything. Using a bound notepad (not the type you can tear a page from), note every event with date and time of each incident, as well as the actual details of the incident.
  • Print out all emails, messages, screen shots etc relating to every incident encountered.
    • Date each incident and link it back to the record in the notebook.
  • Report it to law enforcement, they may not be able to do anything but at least it will be reported to them and they will have a record to go back on if it becomes serious. 
    • The notebook and printed evidence will obviously help with initial report and any subsequent reports.
  • Likewise report to the provider's security team (e.g. Facebook, Twitter, LinkedIn [I could only find a link to the hack, not their Security Team :(], Google etc - they all have their own security team and they should be pro-active in helping). Some companies have a "security team" in name but not in reality so your email will go to trash essentially or in geek terms "/dev/null". However, again, there is a record.
  • Report every incident to both bodies. Do not leave anything out.
  • Change passwords and use enhanced security of any service they are using, e.g. Gmail and Facebook have advanced security settings. Use two-factor authentication where possible. As we all know, nothing is infallible but raising the bar helps and tends to discourage the vast majority of attackers onto an easier target.
  • Run regular AV scans on all your machines (do not flame me for recommending AV, I know the many short-comings, however, for all its failings, it does have a place for many end-users and it will catch the "known" stuff).
  • Decouple any applications from their social network profiles. If you log into any site "with Google" or "with Facebook" etc, remove that facility from the site and set up a unique password that is complex, difficult to guess but that you can remember.
  • If required (given the many unique passwords that you now have), use a password manager. Some folk like them, others don't. I feel that most users have a tendency to use simple, common passwords or simply re-use the one complex password, both of which have been shown to be the case in multiple hacking stories this year, and ultimately password managers strongly discourage this behaviour. Overall (imho) the advantages outweigh the negatives (such as single point of failure), although I prefer not to have my password managers in the "cloud", rather on local systems that I have physical access to. For a much more detailed discussion check this link out.
This list is not perfect, nor is it endless and I'm happy to modify it based on valuable suggestions.

The blog post is intended to help others (non-technical, not as Internet savvy as many techies) who believe their Internet accounts are being attacked for whatever reason.

Just my 0.02c and I thought I'd share.....

Thursday, 26 July 2012

Being a Support Engineer @ 10gen - Part 1

There's a misconception around the role of a "Support Engineer".

As a clue, it's not what Urban Dictionary says -

A person whose job is to answer calls from customers of a small- to large-sized company...... They are tethered to their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are paid well enough..........until they completely burn out, and hate everyone.
 and doesn't always involve this -
Image Source:

As you can see here, there's lots of open roles in 10gen and more specifically with 10gen, in Dublin. I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer".

I could be wrong but didn't Google come up with the term "Site Reliability Engineer" to do away with the stigma associated with being a plain sys admin?

In May 2012, I moved from the Netscaler team @ Citrix, where I was at manager rank and had learned an enormous amount over the previous 2+ years, concentrating on Netscaler (load-balancing, networking, application delivery, application security, being a packet monkey, helping grow the business in EMEA etc etc) and I loved it. However, when the opportunity to join 10gen arose, I couldn't resist and to answer the many folk that have asked me -

"But you have the GSE and all this security experience, why go work on a database?"

I joined 10gen -
  • to be challenged, 
  • to be pushed,
  • to work with Adam again,
  • to never know what a day will entail,
  • to truly learn about the top layer of the stack (yeah, I've implemented WAFs and worked closely with the awesome Netscaler engineer team but there was still segregation and I wanted more coding/application knowledge)
  • to understand databases
  • to learn
  • to see what this "big data" thing was all about (I'd already nailed the "cloud" in Citrix, cc @securityninja ;-) )
  • to figure out the "NoSql" way of doing things; to learn MongoDB (obviously) and help make it a success; to work closely with the folk who write the code in a small, exciting start-up where I can actually bring about change
  • to learn
  • to do security, yeah I still get to do it :)
So to answer those who fear becoming a Support Engineer in 10gen will mean they'll be a phone jockey, check out the LinkedIn profiles of the guys in Dublin - 
As I mentioned before, no day is the same, but as a snapshot we answer support issues from the community and commercial cases with community being taken from the official MongoDB User Google Group and Stack Overflow and commercial cases sent directly to us. 10gen is the type of company where if you show interest or knowledge in any topic then you can quickly become the owner of that topic :)  

I've obviously done quite a bit of support work but I've already become involved in areas outside my core role (a definition which doesn't really exist) such as security, networking, snmp, ssl, organising the weekly lunch (probably the hardest, who knew Sales guys could be so fussy), helping with the Dublin MUG, delivering brown bag sessions locally such as this one, learning to use git properly, looking at source code and mentoring younger team members. Being a young company, it truly is "all hands on deck". Everyone in 10gen does customer support in some form or another - you'll see the President, CTO and CEO answering questions on the official MongoDB User Google Group forum. I think this post sums up the benefits of everyone being involved in support better than I can.

I am definitely outside my comfort circle and there are days when I feel like I know nothing, but I'm not afraid to ask questions and I'm learning, I'm learning a lot from everyone! 

Roles in the Support Team (in NYC, Dublin, Sydney & Palo Alto) are divided across junior and senior ranks, providing an excellent opportunity (imho) at various career stages with a multitude of ways to learn, improve and progress. When I landed in NYC for training, I was astonished by the amount of "brains" but also the amount of fun everyone seemed to be having and at 34, I feel old :(

To learn more about what it's like to work at 10gen, here are a couple of more interesting blogs from some of my colleagues -

Thursday, 19 July 2012

First 10gen Weekly Lunch in Dublin

So one of the things that we try to do in 10gen is order in some food and then sit down to eat together. We were slightly late to the party in Dublin but today we kicked off with burritos, tacos and "big ass" nachos from Burritos & Blues.

Along with personal name tags :)

Tuesday, 3 July 2012

Eurotrash GSE

So I'd the pleasure of talking with Chris John Riley, from Eurotrash, on the night of Sunday, July 1st (yes, Chris isn't a football fan so I good-heartedly missed the half-time discussion of Spain's tiki-taka brilliance).

Chris wanted to chat with me about my experience sitting the GIAC GSE exam and lab earlier this year.

As always, I thoroughly enjoyed chatting with Chris and I hope it's not too painful listening to me on the podcast. I don't know much but what I would say is stay hydrated, eat as well as you can, prepare properly and have fun!! There's a reason that the GSE has a low pass rate, so going in relaxed makes a huge difference.

Enjoy the podcast and if you've any questions on the GSE, just shout :)

Wednesday, 16 May 2012

SecurityOnion on a netbook with port mirroring on WRT54g

So firstly, this quick blog post is for Scott Runnels as he asked for it, I suppose that's what you get for saying you'll help out on an open source project :) All good!

I'd a spare Dell netbook (8GB disk, 2GB RAM & 1.6GHz Intel Atom CPU) lying around so I figured I'd see if I could try running Security Onion off it.

Wednesday, 2 May 2012

WAF versus DPI Firewall

This is a question I've frequently been asked in recent years and in the last month, on one of the internal mailing lists in my old company, the following question was posted -

In simple terms, what tasks is a Web Application Firewall (WAF) able to do that a Deep Inspection Firewall can't and why ?

by one of my colleagues.

Many of you may be surprised (I know I was initially) but this question still comes up an awful lot. Having answered the email (as a warning, I went into a lot of detail and plugged the awesome Security Onion), I was requested to write a technical blog on the subject, but as I left the company soon after, the blog was never published. Therefore, to save me answering the question again, I thought I'd publish it so I can just reference the link in future :)

Friday, 13 April 2012

Doing The GSE

So, as many folks know, I went to Orlando towards the end of March to attempt the GSE lab. Both before and afterwards, I received several questions about the GSE :) Therefore, instead of destroying my fingers and typing multiple individual responses, I figured I'd write a short blog on my experiences with the lab section, whilst my thoughts on the written section can be found here. Apologies, this post started off short.

Firstly, let me say that once I overcame the initial nerves (I was bricking it on the first morning), I had a great time. @Chris_Mohan and @asho_relaxo both told me that I'd have fun but I didn't believe them (in fairness, they're not trustworthy characters). Most folk enjoy the first day the most, but I loved the second morning, it was a blast, especially when you come back to that problem that you couldn't figure out and then you nail it :)