Reflection and Reassessment


Recently, I have been — often without realizing it at the time — doing a lot of reflection and reassessment about myself. Only during the last few days have I realized what I was doing. I am now officially committing myself to do some of the things I’ve been meaning to for quite a while as well as “getting my priorities straight”.

Getting organized is at the top of my list. For as long as I can remember, I have always been one to write things down and/or “make lists”. I usually have so many things going on in both my private and work lives that I have to — if I don’t, I’ll forget things. I’m also guilty of using my Inbox as a task list, which is a bad thing. For the past year and a half or so, I have gotten fairly involved with “Getting Things Done“. “GTD rests on the principle that a person needs to move tasks out of the mind by recording them somewhere. That way, the mind is freed from the job of remembering everything that needs to be done, and can concentrate on actually performing those tasks. What distinguishes GTD from other time- or action-management systems is the idea of grouping tasks by the context (defined as a place or set of available resources) in which they are to be performed.” (–Wikipedia).

About the same time I started getting involved with the GTD methodology, I picked up a copy of “Time Management for System Administrators” by Thomas A. Limoncelli. I was able to relate tremendously to the book — I’m a system administrator as was Mr. Limoncelli. The book outlined the unique aspects of a sysadmin’s daily work life and ways for a sysadmin to become better organized. “Time Management for System Administrators” was the first book I’ve read cover-to-cover in a number of years. The things it talked about really hit home and I was determined to put them into practice. And I did. For a while. Then I quit.

It wasn’t a conscious decision to stop, it just happened slowly over time. Over the last week I’ve really been devoting myself to becoming better organized and most of that centers around GTD. I’ve spent countless hours trying out and evaluating a number of online, web-based systems that are designed around GTD: Vitalist (I have a premium account), Toodledo, and Remember the Milk (RTM). I also took the time to install Tracks on a test box at work, but wasn’t all that happy with it. I think I’ve finally decided on RTM — both for its features and because it has a nice API. I currently have 42 tasks entered into RTM, 30 of which are active (i.e. “uncompleted”). I currently have RTM set up to send me a once-per-day reminder e-mail of all my tasks due that day, and I get notifications via Twitter as well. If I can just stick with it, I think it’ll help tremendously.

Continuing my education is the next thing on my list. I currently have somewhere around 69 credit hours completed and have decided I want to continue my education. I’ve decided on pursuing a Bachelor of Science in Information Technology from Franklin University in Columbus, Ohio (home of the Ohio Linuxfest). I’ve spoken to the folks there and every one of my 69 credits will transfer, which is awesome! For the classes I have to complete, a number of them can be taken at my local Community College and Franklin will give me credit towards the B.S. The remainder have to be completed through Franklin, of course. I know firsthand that working full-time and attending school part-time is not the easiest thing in the world to do — especially when I also teach and volunteer for some non-profits in my “spare” time. It will simply come down to being able to effectively manage my time, which goes back to GTD (above). It might be a little on the optimistic side, but I’m confident that I can complete the B.S. in three years. I’ve reviewed the requirements, completed all the necessary paperwork, and have a telephone appointment with a “Student Services Associate” at 2pm on Tuesday to finish things up. At that time, I’ll get signed up for the first course, PF321, “Learning Strategies”. I’ll begin in January.

Obviously, my job is still a priority of mine as well. I don’t spend every waking moment of my “free time” VPN’d in and working on things like I used to, but I still love my job and (a majority of) the people I work with. Building on my skillset is something that I want to continue doing as well, to benefit both myself and my employer. In that regard, I have plans to also add to the list of certifications that I have and will probably start by completing the requirements of the MCSA (I’m already an MCP).

I’ve also made a conscious decision to pay off some of my debt. I don’t have a lot of it, but I usually look at my bills, see what the minimum payment is, double it and round off. I could pay things off a lot faster than I have been — it’s just a matter of doing it, which hasn’t really been a priority for me. That said, I’ve decided to cut down on some “leisure activities” and put the money towards the debt. Tuition at Franklin will be much higher than at the local Community College (where my tuition is paid for), so that’s another bill I’ll have that I don’t have now. I put together a “Net Worth Worksheet” and have set some pretty realistic goals with regard to my finances. Christmas is getting close, though, and I always blow lots of money this time of the year… maybe I’ll wait until January to start on this. =)

Oh, and I sold my motorcycle too. I’ll miss it, but to be quite honest, I’d probably just end up getting killed on the damn thing. That wouldn’t really be good.

Aside from all of this, I have taken the time to take some goals that I’ve had (many of them for years) and put them down on paper where I can review them often. Keeping those sorts of things fresh in my mind is the only way to keep myself motivated towards completing them. The months ahead will definitely be interesting, that’s for sure…

First thing to do after finding a hacked server


I teach a course entitled “Linux Networking/Security”. A few weeks ago we covered chapter seven, “Security, Ethics, and Privacy”. The homework for that class was a three-part assignment in which the student plays the role of system administrator for a fictional financial services company named Safety First Financial Services, Inc.

The last part of the assignment read as follows:

You came in to work at Safety First this morning and reviewed your system logs, only to discover that a cracker had broken into the retirement calculator Web site during the night and downloaded the registration details and retirement plan summaries of about 400 customers. What will you do today?

I got some good answers to that question, which we discussed in class. Responses included things like contacting HR and Legal, removing the server from the network, attempting to find the exploited vulnerability, etc. The best response I received came from a student who broke down her day into steps:

I decided to put this one into steps. Some steps will be going on at the same time and these are not truly in a specific order.

  1. Really loudly say “AAH FUCK!”

I laughed when I first read that, then thought for a moment and decided to give her extra points for that. Honestly, it’s the first thing I’d do too. =)

Red Hat Training Discounts For Fedora Folks


On June 1st, Max Spevack, Fedora Project Leader, sent a message to the fedora-announce-list entitled “Discounts on Red Hat training for Fedora folks”.

You can read the message for yourself, but Red Hat is offering discounts (in some cases, up to 25%) off of Red Hat Training for users of and contributors to the Fedora Project. This was good news to me, since I’ve recently been thinking about taking the RH300: RHCE Rapid Track Course, which normally goes for $2,798 (including the RHCE exam).

As an employee at a .edu, I’m eligible for a 12% discount from Red Hat already. I was hoping I could get the 20% stacked on top of the 12%, but Max Spevack let me know that wasn’t gonna happen. =) With the 20% discount, the cost would be right around $2,238. The RH300: RHCE Rapid Track Course is being held in Indianapolis starting October 1st — that’s close enough for me to drive back and forth every day, avoiding additional costs for airfare, hotel accommodations, etc. I haven’t asked yet, but I’m really hoping I could get $work to spring for this.

We actually run way more stuff on Microsoft Windows than we do Red Hat Enterprise Linux and I know that $boss would be much happier if I were to get some more Microsoft certifications. I’m already a Microsoft Certified Professional, but my reasoning is that if I knock out the rest of the exams for the MCSA by myself, I’m much more likely to get $work to pay for the RH300. I’m not sure if that’s logical reasoning or not, but it seems like it might be a “reward” for me or something (I’d much rather have the RHCE than the MCSA/MCSE).

We shall see… =)

Student vs. Hacker Showdown


A week or so ago I came across an article entitled “A Student-Hacker Showdown at the Collegiate Cyber Defense Competition”. I had never heard of this particular event before, but it definitely sounds cool. I would love to get a team together at the school where I work and try to compete in this next time around. I’d also love to hear from anyone who’s been involved in it in any fashion. For those who don’t know, I work at a post-secondary institution in Bloomington, Indiana, and do various sysadmin/netadmin/infosec chores there. I’ve thought about trying to organize some sort of “capture the flag” game, but it’s never moved past the “hey, that’s a cool idea” phase in my head. =)

Open Position: Lead Security Engineer at IU


Here’s another open position, this time it’s a “Lead Security Engineer” at Indiana University:

The following position reporting to Tom Davis, IT Security Officer, Office of the Vice President for Research & IT, at IUB is being posted internally and externally. If interested, you must apply online at http://www.indiana.edu/~hrm/employment/ola.html. Refer to position number #00016490.

Lead Security Engineer - PA 14

Generally, assists the staff and management of departments within OVPIT and UITS as well as senior technical managers in various University departments in examining their environments for system and information security exposures. Provides high level technical and practical expertise/consulting. Must gain, maintain, and apply a significant depth of knowledge in many widely varied technology areas, including computing, data and voice networking, and complex security systems and software.

Responds to requests for security analysis and input to technology projects. Designs, develops and implements complex security software. Evaluates, recommends, and implements vended security software. Responds to requests for security analysis and reviews. Analyzes, develops, implements and maintains network and system security analysis and other tools. Collects, analyzes, and distills information regarding current known system vulnerabilities and solutions. Collects, analyzes, and disseminates information regarding current intrusion methods and protections. Collects and disseminates or applies information regarding current best practices. Responds to incidents of breaches in computer security and provides advice to and/or participates in the collection of technical evidence. Recommends security policies and procedures. Develops and maintains automated reporting and other mechanisms. Produces reports, papers or other products.

Qualifications: Bachelor’s degree (Computer Science desirable) is required, and at least three to four years related experience, or equivalent combination of education and experience. Advanced systems analysis, programming, and systems administration experience is required (UNIX preferred, Windows and others very helpful). Working knowledge of computer networking configurations, general data networking, associated protocol suites (e.g., TCP/UDP, IP, etc.) and related issues is required. Solid technical background, with the capacity to subsequently learn and apply security and audit principles and practices is required as is demonstrated excellent oral/written communication skills, and interpersonal skills.

Working knowledge of voice communications, associated protocols, and related issues is desirable. Other desirable technical experiences include C and PERL programming, and relational database management systems.

Limited Criminal Histories (LCH) checks will be required for all external finalists and for internal finalists with less than 1 year on staff.

Conferences, certifications, and such…


I’ve been on what seems like a virtual scavenger hunt today. For some reason, I feel like going to some more conferences. A few months ago, I went to the Security 505: Securing Windows course put on by SANS (yes, I passed the exams).

I’d like to take the SSCP exam sometime within the next few months. It’s actually being offered in Indianapolis and Louisville in May, so I may try to do that. For less than $400, the price isn’t bad and should be an asset, until I meet the experience requirement for the CISSP.

A number of universities host the SANS courses, often at great discounts to employees of the government and educational institutions. Since I fall into the latter category, I can get excellent discounts on them. For instance, the SEC 505 course I went to cost $750 for .gov and .edu employees, and nearly $3,000 for everyone else. Virginia Tech is hosting the SEC 504: Hacker Techniques, Exploits, and Incident Handling course in a couple of weeks. The course is $600 and the exams are $300, so that’s only $900. Since I know $boss can’t really spare the $900 out of our budget (which is sad), I’d just about pay that out-of-pocket. I’m not sure I can get the “okay” to go on such short notice, though.

Oh, I’m going to be speaking at Notacon 2006, can’t remember if I’ve mentioned that before or not. That’s four days or so that I’ll be out of town. I’ll be speaking about Patch Management in a Windows environment. Nothing spectacular, will just demo deploying Service Packs through GPOs and managing Windows Server Update Services in large(r) environments. Anyways, it gets me in free.

I came across the Defcon web site as well. Though I’ve wanted to go to Defcon for years, I’ve never managed to make it. This year it’s August 4-6th (in Las Vegas, of course), and I’m definitely going to try to get out there for that. Never been to Vegas, so that should definitely be fun. I suddenly have this feeling I’ll be broke when I get back, though. Hmm.

About two weeks ago I was in Muncie, Indiana for the “Cooperative Computer Incident Response” conference put on by CERIAS of Purdue University. It was pretty interesting and we got to hang out and exchange info with a number of law enforcement guys (Indiana State Police and FBI guys). Oh, that one guy from the ISP didn’t wash his hands after taking a leak, but I can’t remember his name…

Anyways, I’m always on the lookout for good security conferences to go to. Let me know if there are any good ones coming up that I’m missing out on. Bonus points if they’re in the State of Indiana.

How Good is an Online Education?


In today’s ever increasingly technological world, what’s the value of an online education?

I’m currently in the last semester (I hope) of an A.A.S. degree from a state College. I’ve been looking into my options as far as transferring into a four-year program go, as education is something that’s pretty important to me.

Just today I received an acceptance letter to Indiana State University, which is about an hour away. To be honest, I’m not real excited about that. Okay, I’m not excited at all. I don’t really care about their CS/IT programs. Security is where my interest lies, with networking coming in close behind. Information Security is my passion.

Recently, I came across Capella University, a fully accredited institution offering a B.S. in Information Security. They’ve received and evaluated a copy of my official transcripts and, if I transferred right now, I’d receive credit for nearly 50% of the courses in the curriculum. That’s pretty exciting to me, as I don’t want to have to “redo” the last few years’ worth of work.

I think I’m definitely not the typical college student. I started college a month short of my 24th birthday, and it’s taken me three years to get where I am now (three courses shy of an A.A.S.). That’s mainly because of time commitments — I work full-time at said educational institution, as well as running a business on the side.

Personally, I’m wondering how much educational value I’d get out of any CS/IT/IS program. My knowledge has been gained “in the field” and from hands-on work. I think that’s a much better way to learn myself, but I can’t deny that adding a bachelor’s degree to my resume is going to help things out.

My main area of interest right now, however, is in what others’ experiences have been when it comes to traditional classroom-based instruction versus the newer online instruction. Anyone think that one is better than the other? Feel free to post comments below or use the contact form available here to send privately via e-mail.

Thanks for any feedback.

IDS and Exploit Demo


At the .edu where I work, there are a number of C.I.S. classes taught. One class that’s new this semester is “Introduction to Computer Security”. One of the chapters of the text focuses on intrusion detection systems (IDS). The professor, Bill, asked me if I would teach the chapter on IDS and I agreed. Since I always learn better by seeing things work instead of just reading about them, I decided I’d include a demo in my “presentation”.

Since I already have VMware on my laptop and use it extensively during the course of my normal job duties (it makes a great little testbed), I decided I’d just come up with something in VMware. I did a minimal installation of in one virtual machine, to act as a router between two networks. This was also the machine that the IDS, snort, was running on. I then installed Microsoft Windows 2000 Advanced Server in another virtual machine, to simulate a company’s web server on the Internet. I did a default installation of Windows 2000 Advanced Server, though it was slipstreamed with Service Pack 3. Other than that, no updates were applied. This machine was aptly named “hapless victim”.

Next came an installation of Red Hat Enterprise Linux AS 4. This machine was named “evil hacker”. This machine was then fully patched, though that didn’t really matter.

First up was installing the Metasploit Framework on evil-hacker. I took a quick glance through the list of exploits and found the one I was looking for, the Microsoft SSL PCT MS04-011 Overflow. I knew that Win2K AS SP3 box was vulnerable to this and figured it’d be a good one for demonstrating.

When class day came, we went through the chapter on IDS (which was rather boring, to be honest) before we got to the good part. I took longer on the chapter than I would’ve liked, and so had less time for the demo. I didn’t really have to cut it short very much, though, and the whole class got to see just how easy it is to compromise vulnerable servers. Since Win2K installs IIS 5.0 by default (and is vulnerable to this exploit), it was a simple matter. I set the appropriate options in the Metasploit Framework and launched the exploit. Once at a command prompt, I used the “net.exe” command to add a user account to the domain and then made that user a member of the Domain Admins group. From there, it was game over. The attacker had full control of the server. I don’t think anyone in the group realized that it could be that easy to compromise a box. I didn’t, of course, go into how you would cover your tracks or anything like that because that wasn’t the goal. The goal was to show off the IDS. Once compromised, we pulled up the IDS and saw the port scans that preceded the compromise, along with the alert generated when the SSL packets themselves were detected.

It was a pretty cool demo, I think, and hopefully I can do some more stuff like that in the future for the classes. I think I probably enjoyed it even more than some of the students did.

One EdCert Session Down, Two To Go


The first session of Indiana University’s EdCert class is down, with two more to go.

The first three days (last Tuesday, Wednesday, and Thursday) were pretty interesting. The first day was spent in lecture mostly, although by the end of the day we did have Red Hat Enterprise Linux up and running (except for Jeff, who chose the Solaris track). The second day was spent doing lab exercises: turning off services, updating the boxes with the latest security updates, configuring security options (tcp wrappers, SSH restrictions, iptables, etc.), and various other sysadmin tasks. The third day everyone finished up their labs and documenting what we did, and then came the test (cue Jaws theme here).

The first test consisted of 50 (I think) multiple choice questions, going over some of what was covered in lecture and some of what wasn’t (there were additional reading materials that we were to read before the class). I ended up scoring 87 out of 100 points, though I complained about the way a question or two was worded. To pass the EdCert course, one needs an average of 70% across the board, so I’m doing good so far.

The next session is scheduled for October 18-20, 2005, and will cover such things as:

  - Unix shell scripting
  - Administering the filesystem
  - Administering peripherals
  - Administering backups
  - Automating tasks
  - Administering system software
  - Installing and using GNU software

Can’t wait for the next session. The guys over at the Unix Systems Support Group teaching the class are knowledgeable, laid back guys who are happy to help. I’d encourage anyone in the area interested in Linux to check out the EdCert course. They’re usually “booked up” in advance, but you can always be put on a list for the next class or something.

Ivy Tech Computer Club


The Ivy Tech computer club, called “IT²“, is now official! I offered to register a domain name for the club and provide web and e-mail hosting on my servers, which they accepted. A default page for IT² is actually up now, but there’s nothing there just yet.

I need to get with the officers of the club and decide who’s going to be managing the site, what e-mail accounts they need set up, etc. to get them up and running.



Copyright © 2007 Jeremy L. Gaddis.