2020 Week 8

Sunday, March 1, 2020, 2:30:46PM

The key to making this work is not going to deep into any of the things covered:

One thing that will be rather sensitive to deal with is that the G0CT will take the Mr. Miyage approach. In blunt terms, my way or nothing. That does not mean I’m not open to challenge and progress and change, only that I will require everyone to master the way I outline first and then decide how they would like to modify it. In other words, no emacs, no zsh, no Arch, my tmux.conf, and so on. This will be a bit difficult and will no doubt cause a lot of controversy but frankly I don’t give a fuck. You want my cert, you do it my way. The end. :) Since everything is creative commons people will be able to essential fork my cert material and make their own based on it. But I will trademark the G0CT so that people do not misrepresent this stuff.

Sunday, March 1, 2020, 1:17:38PM

I’m focusing on the following areas at SkilStak:

  1. Ground-Zero Certified Technologist (G0CT)
  2. Offensive Security Professional (OSCP,OSWE,OSCE,OSWP,OSEE)

That’s it. Anything outside of those is not something I will spend any time on. I will assist people during their sessions with their own projects outside of this scope as much as possible. But I (and SkilStak) will not spend one second focused on producing or researching content for anything outside of this scope. This focus should rocket-propel the production of good and current content over the next year, hopefully before DefCon in August.

The question becomes, “Got your G0CT yet?”

If the answer is no then you have really no business going further for any of the Offensive Security stuff. But once you do have a G0CT you can charge down the Offensive Security specialization path (or any other of your choosing outside of SkilStak).

The next question is, “Do you have a degree?”

If not, then WGU Bachelor’s in Cybersecurity and Information Assurance is my recommendation and what I’ll cover (even though I won’t be getting one myself.

After you complete WGU (or if you already have any degree) go straight for the Offensive Security certifications.

This is good to be coming up now because I have been redoing skilstak.io and will change it to be on this focus. Ironically I’ve come full circle back to a “stack of skills” with a specific purpose: to provide a solid foundation on which to build everything else.

Sunday, March 1, 2020, 12:41:41PM

Loving that the newest iteration of content is focused entirely on personal empowerment that applies to anyone, not just people going for tech occupations eventually. For example, Knowledge Content Creator (KNOW) is not web development but includes simple web development as a part of the self-publishing process. Adding Self-Orienting Continuous Learner (SELF) is also a huge win. I finally have my finger on that sort of ephemeral thing that so many take away from SkilStak without formal training in it, although to be fair many come to me having already learned most of it.

It all just feels really good, really right.

Sunday, March 1, 2020, 12:04:16PM

One thing is for sure, all these years of working with rather young people (and old people who declare themselves as “non-technical”) has really been an advantage. I sort of intuitively find myself explaining everything more like I would to one of these people instead of assuming a lot of technical expertise (like so many other resources and teachers seem to do). I got to be sure not to lose that as the level of base tech skills increases in the average person I might be helping.

Sunday, March 1, 2020, 11:01:50AM

Working on a separation between the main skills and ability categories and struggling a bit with where something like ProtonMail would fall. It doesn’t go under Modern Computer User, hummm.

Sunday, March 1, 2020, 8:56:13AM

It’s become clear what comes next for SkilStak. Providing my own certifications has always been something I wanted to do and the clearest way to do that is now materializing pretty clearly. I have setup certification based learning with merit-badge-like requirements before but was overwhelmed with all the content required. Now that I’m laser focusing on the two following certificates I can use certification to create a crystal clear path to learning the skills I’ve learned are most critical and yet have no formal method of learning or validating:

INIT Technology Initiate
USER Modern Computer User
SELF Self-Orienting Continuous Learner
NOTE Knowledge Content Creator
TERM Linux Bash Terminal Master
SUDO Multiplatform Desktop Administrator
HOME Home Network Administrator
PROG Pragmatric Golang Programmer
PRIV Privacy Advocate
KNOW Prescient Technology Professional

After getting those there will a capstone (like Eagle project), a paper, a thorough personal portfolio review, and a final one hour board of review before three professionals from the fields of software development, operations, and security.

I have been breaking this material up and learning it in stages with specific goals of one of the following projects that people want to regularly do who come here in person:

That pretty much covers all the stuff most people walking through the door want to learn, but they are a different group of, um, “customer” I suppose. Streaming has broadened the number of people interested and provided an opportunity to hone in more specifically on expertise in a few core areas.

In other words, these things will still be possible, but won’t be stuff I specifically focus on.

Saturday, February 29, 2020, 7:11:03PM

The nature of learning is something so many don’t learn.

Saturday, February 29, 2020, 5:22:24PM

I’m so jazzed about all this direction now, not just because I want to do it myself but I have never seen a cleaner path to a tech career that also has immense value for the state of our world today. My new goal is to get as many of my mentored community the certs outlined in the previous post as fast as possible.

I’ve been ambivalent toward the entire question of getting certs in the past because of their dubious value capturing the actual skill set you have. But the Offensive Security certs are 100% hands-on. They are exactly what we need to see more of in the world. Besides, the entire pentesting occupation is fundamentally tied to certs for most professional work if for no other reason than to prove your hacker skills are not only legitimate but that you are not (to use their imaginations) some black-hat in a hoody.

Cert city here we come. This also means that I am going to DefCon no matter what it takes every single year and that the entire focus of both my rwxrob.live stream and SkilStak IRL community is 100% on foundational tech skills and building pentesting skills on top of those.

This means there are categories of learning I’m focused on:

In fact, Imma formalize my PTP and MTF programs into a hands-one VPN lab certification as well. I’ve been meaning to provide my own certification and that meshes well with the rest. Now that the game development and web applications development is chopped I can focus on formalizing those certs from SkilStak. The rest are all covered by other people.

I really like that sound of all that. The PTP will be the first cert I have ever heard of that tests your certified skills in keeping up, doing your own research, practicing self-evaluation and assessment, and remaining prescient at all times.

I need to cut some fat from MTF as well. Presumably stuff that is already covered by the certs.

Saturday, February 29, 2020, 3:47:10PM

Just found out that all of the Offensive Security certifications do not expire. Nothing says quality and trustworthy than that — especially when compared to the shitty certs from Pearson that are multiple-choice questions and have to be renewed every three years. That is really fucked up. Then again, the LPI certificates are pretty trust worth and they require renewal every five years.

Still, the certs are a solid path to employment that has been proven over and over again in the industry, faster than degrees and cheaper by far. Looks like I’m going to work toward (and suggest others get) the following probably in this order:

Fastest possible:

$120 Linux Essentials Basic Linux mastery 0
$450 KLCP Compliments Linux Essentials 0
$1000 OSCP Mother of all RedTeam certs. 0

Blue team and system administration related path after OSCP:

$170 A+ In a lab, not from a book. 3
$400 LPIC-1 BlueTeam support for Linux. 5
$400 LPIC-2 BlueTeam support for Linux. 5

Bug bounty and more red team and zero-day stuff:

OSWE Web attacks. 0
OSCE Permiter attacks. 0
OSWP Wifu. 0
OSEE Malware. 0

I would definitely want the rest of the OS stuff before more of the blue team and sysadmin because I already have all that knowledge. Getting the Linux Essentials and KLCP is just a formality at this point for me. I’m practically sure I’ll pass without any review but will go thorough everything to make sure not missing something. Getting it fresh makes my knowledge of taking the test more valuable to those I’m mentoring.

Having worked successfully in the industry for more than two decades it seems rather silly, but the process and helping others through it is paramount. I never like mentoring people in things I have not already done. Since I’m moving more toward mentoring in security it makes sense that I supplement it. When I was mentoring in software development and systems administration that was a no-brainer because I did it everyday for decades. But the current pentesting stuff has been nothing but a hobby that I need to bolster if I’m going to help others get the most sought after technology occupation in the world right now, Security Analyst (per https://bls.gov).

Saturday, February 29, 2020, 3:09:44PM

Over the last six years I have been constantly fighting the feeling that I just want to teach Linux and cybersecurity and hardware stuff. Slowly I’ve morphed from catering to what kids want to essentially trick them into learning serious tech skills through enticements with Minecraft or web pages or PhaserJS games or memes to go with Python. But honestly I fucking tired of it. I would much rather work with people who already get why this stuff is important and interesting and don’t need any enticement. If anything they simply need the encouragement and support to take on the learning and become their own guru.

Yep, I’m fucking apologizing for thinking that your prepubescent obsession with doing nothing more than learning to make a game is okay and worth my wasting my time. I’m happy to help you when you get stuck. But I am done teaching that shit and keeping up on it and paying the money to the asset store and every place else — especially when so many seriously entertaining alternatives that teach pentesting as a game are available and yet to be made.

“Mr. Rob, I wanna make a game.”

“Get the fuck out!”

ROFL. And no, I’m through listening to people tell me what a great way that is to reach out to young intelligent minds. I was fucking hacking my Bruce Lee games by randomly scanning and deleting sectors on huge floppy disks and enjoyed that far more than even playing the thing. I know there are other like-minded people out there and not that my community spans much larger than the great state of North Carolina I think such a focus is justified from every angle.

Saturday, February 29, 2020, 10:12:36AM

Definitely need to tweak the schedule some more. I am getting better at focusing on stuff that is needed but given the goals for the stream and skilstak I have got to make more changes:

One thing I absolute love about the Twitch community on my stream is how welcoming it has become. It has become the place to go if you want to get started with Linux with the least amount of judgement and plain, no-nonsense discussion of how to really use it and get a job in it. It wasn’t really the plan initially but it has sort of become that.

Friday, February 28, 2020, 8:45:02PM

Stuff is coming in so fast even blogging it isn’t fast enough, so Twitter stream it is. I’m handling stuff every day in Coffee Talk so that covers it. Stuff that needs to be searched will land here eventually.

I imagine these are the challenges a talk show host must face every day, being able to keep up on the news and events, process and curate that information, and then create a monologue (something to say about it). It’s exhausting all by itself. Keeping up is nearly impossible.

Thursday, February 27, 2020, 8:52:00PM

Boy do I feel stupid. Starting writing a figlet command to convert text to figlet ASCII art and discovered an entire ecosystem and command already exist for it, including the .ftf font file format.

Thursday, February 27, 2020, 6:46:25PM

Best way to capture the news since yesterday is to make a tweet about every item to cover in the news. That way people see the Twitter stream, have the links, and I have something to refer to when doing Coffee Talk about it.

I had experimented with storing up email and bookmarks but neither are very efficient and can’t be easily shared with the end user watching the stream. For Twitter stuff someone just has to follow to get it. Hell, they don’t even have to watch the video, but if they do they will get more details about the tweets.

In short, tweet and then cover the tweets daily in live summary explaining them and putting them into context.

Thursday, February 27, 2020, 10:37:38AM

Made a fun personal status tool that just changes the current ASCII letter status and also updates the ~/.now text file to pull into the schedule scene in OBS. It detects being AFK and sets “away” status. Bash is fun.

Wednesday, February 26, 2020, 6:07:11PM

Looks like InfluxDB is moving to rust for their version 2. Their Flux parser clearly has a version implemented in Rust. I have one person interviewing for their internship he happens to be obsessed with Rust.

InfluxDB is a major player in the IoT time-series database line up, and it is in the absolute sweet spot for Rust. Alacritty is as well and is so fucking amazing people cannot ignore that most of the advantage of that terminal is simply because it was written in Rust. GoDot game engine is in Rust and another studio has announced it will only code further games in Rust (can’t find the name though right now).

I gotta say, I’ve been watching Rust for a few years now and 2019 it really came onto the scene hard. Then this last week Rust chatter is really off the chart. Even big Go people saying essentially, “Well duh, that is obviously an application that would be better done in Rust.” Ryan Dahl went with Go for Deno for almost a year before picking up Rust. Brian Cantrill says Rust isn’t the pick for a full operating system but just might be the single best language for all the other stuff. Even Fuscia (the brain-dead project from Google to replace Android with C++ and Dart) even very publicly stated its support for Rust and “banned” Go for any development on the operating system because of Go’s bigger runtime and such.

Combine that with the minor fail that is Go 1.14 and the waning governance of the Go project (having lost a core founder as well) and I think something significant is happening in that space. There’s certainly no cause for alarm, but the systems programming space is shaping up to be Go or Rust.

What do I care?

Because I need to make sure those focusing on the back-end of things, the systems people really get a solid handle on both Rust and C. In fact, Rust is far more important in that space than Python ever will be. Python will hold the machine learning and a lot of the cybersecurity stuff for a while, but will eventually give way to Go, which has better concurrency that is easier to implement, which is what both machine learning and cybersecurity really need at the core.

Wednesday, February 26, 2020, 3:22:52PM

Arvo Bold is the font I’m using for the heading title in the schedule scene for OBS.

Wednesday, February 26, 2020, 9:54:36AM

After reading the following on GitLab’s page about their GraphQL API I did some research (pulling up bad memories) and concluded it’s probably still okay to use GraphQL even though it comes from that massive turd of a company (Facebook):

Although there were some patenting and licensing concerns with GraphQL, these have been resolved to our satisfaction by the relicensing of the reference implementations under MIT, and the use of the OWF license for the GraphQL specification.

Wednesday, February 26, 2020, 9:31:30AM

Looks like you can use personal access tokens as “OAuth-compliant” headers as well according to GitLab. This is good information because we see them all the time documented differently but knowing the two are equivalent is useful:

curl --header "Private-Token: <your_access_token>" https://gitlab.example.com/api/v4/projects

Or more commonly:

curl --header "Authorization: Bearer <your_access_token>" https://gitlab.example.com/api/v4/projects

Tuesday, February 25, 2020, 6:11:50PM

This is been an uttering exhausting week. I barely recovered from the month of streaming on Twitch and all that goes into setting that up and then doing it regularly. It is every bit as time consuming as most people would guess.

The bright side is that it has forced me to be even more organized in my work and to follow a strict schedule, which has been proven over and over again to improve productivity no matter what the endeavor. Here is the current one for reference later (when I will be like, “Woah, he was crazy back then.”)

Weekly Schedule

Tuesday, February 25, 2020, 7:03:23PM

Found confirmation that let, const and fat-arrow functions in modern JavaScript are not hoisted (thank God).

Monday, February 24, 2020, 6:19:31PM

Feeling the pull to put up a schedule again. I vacillate between wanting to keep to a general schedule and being able to switch things up from time to time. The science on those who keep a schedule is pretty clear. They get shit done. But they also have a lot more stress in their lives. Every time I start following a schedule I become a little hard to live with if I can’t keep it (for whatever reason). But that discipline is something to be valued. It’s the basis of the Ashtanga approach.

When I look back I can’t help but acknowledge that the times of my life where I was the most ripped and educated have always been when I followed a perty darn strict schedule (triathlon, continuous learning on public transportation going and coming from work, guitar practice and gigs, etc).

That settles it, creating a new schedule it is. I imagine that will help out those wanting help from me a lot as well.

Monday, February 24, 2020, 4:54:18PM

The great cleanup continues. Everything will be on GitLab when this is over, but I have hours of work. Need to decide if coding a port tool using the APIs of both services is worth it.

Monday, February 24, 2020, 4:35:03PM

Okay it’s insane how much time streaming takes out of my day. I really love it and want to keep it up, but my God no wonder more people who actually are focused on getting shit done during the day don’t touch it. Ironically so many YouTubers I have run into are frankly kinda clueless, or at the very least inexperienced. I won’t name names, but people reading this would definitely know them.

As usual, those who take time to write and blog and stream are physically limited from using that time for other things. Overall I think this is the same problem people have when teaching. All the logistics of teaching takes so much time during the day — especially for a traditional institution — that having any time left to work or do the things that are what people want to learn is severely limited. This is why on-the-job mentoring makes so much sense, but our society doesn’t permit for it because of the break-neck pace of devilry on everything that would make someone learning just seem like they are in the way of the 10x tech doing what they do best. It’s something of a dilemma for sure.

I think the best solution to the problem is simply to live-stream as much as possible. I was talking about this with my sculptor wife who has had the most likes on Instagram posts showing her just doing what she does. People just want to observe what is happening and either learn from it or glean some motivation from watching someone really get into it. Besides, the best way to teach anything is through example.

On the other had, creating video is far easier than writing once you hit your stride. In the time of creating this blog post I could have covered all this material and a lot more. Words are supreme because they can be found through searches, but video is so much faster to produce. In fact, creating videos has taken a huge hit on my blogging because of it. There is a happy medium in there someplace. I think it has something to do with just making the video first, and then getting to the finished writing later. The problem is we all never return to things. We just move forward. Something as simple as exporting a video to YouTube won’t get done if I don’t do it in that moment while I’m thinking about it. That means that a lot of videos will never make it into writing. But it also means that only those videos that absolutely need to be written will ever get attention.

I’m sticking with the earlier conclusion that video is for talking through things to arrive at conclusions and blogging is for capturing that process lightly and focusing on the conclusion itself, which is what people are most interested in.