Sunday, January 29, 2012

What I learned from Simon Sinek: To inspire is greater than gaining Alpha status

What I learned from Simon Sinek: To inspire is greater than gaining Alpha status

Most people believe that that when it comes to leadership and how you can be an influencer at the workplace, it’s either you need you need to be an “Alpha Male” or an “Alpha Geek” and other types of Alphas so others will follow you. 
We need to change this mindset.  Being the leader of the pack does not necessarily require gaining Alpha status. Let’s put this concept in a geek’s perspective. 
If you are behind the service desk, specifically the technical support department, others look up to you if you are the Alpha Geek; the person who knows almost every technical detail about the product or the service your company is offering.  You are the go to guy because you can troubleshoot complex issues in a breeze.  You can be the Subject Matter Expert (SME) in your organization.  An SME is someone who has expert –level knowledge on a specific subject; it may be industry laws and regulation, Service Level Agreements, database optimization, and other technical stuff.  You own this domain; you live and breathe on this stuff.  You can also be the guy or girl who gets things done because you know how to push and “Boss” people around.   These Alphas lead because of authority, others are forced to follow them or face their wrath.  These bossy Alphas are the ones that can go and speak directly to C-level executives because they simply have the balls to speak with them. 
You can be any of these types of Alphas and be the leader of your pack.  You are the leader because you possess something others don’t have, a skill, power and/or authority. However there is a different route to leadership.  We can still be leaders even though we are at the bottom of the organizational hierarchy or at the bottom of the food chain.   If you have the natural ability or at least try to make it your purpose to inspire others do better on what they do. 
Here are some simple things that you can do to inspire people you work with at the workplace:

If you know a success story, share it. 
Focus on how the hero was able to accomplish the goal and overcome adversity.  Everyone loves a monomyth; the story of a hero’s journey, leaving the comfort of his home to answer the call of adventure, and going back home victorious.  This bullet works best when dealing with a project gone astray and the deadline was yesterday.

Know the first names and last names of the people you work with.
This sounds obvious but in big companies, most only know each other by last name and what is their position at work.  Often times, the names of those with key positions are the ones mostly remembered by other employees. 

Make it a habit to always check “How is family doing?” before you ask for a work-related favor or task.
Show compassion towards the people you work with and be vocal that you always want them to do well in life.

Let the other person stuck at the cubicle right next to you that you are his friend first before his or her co-worker. 
Share stories, check on each other, and spend lunch and coffee breaks.  Developing a bond with people you work with makes problem-solving fun.

Show to the people you work with that you trust their experience over technology
You will always prioritize listening to what your co-worker has to say on a specific issue rather than focus on what software is saying about a specific issue or task.  In the absence of data, we rely on people with enough experience about an issue to make an intelligent decision what to do next.  Wisdom will never be a trait of computer software.

Approach people you work with at their desk and engage them about a work-related task or issue
Avoid wasting bandwidth through endless e-mail exchanges.  Nothing beats face-to-face communication when trying to clarify something.  A lot of issues gets escalated merely because of “lost in translation” – the e-mail thread has gone too long that the root cause of the issue is now buried with hearsay.

There you go. Thank you for reading my blog and I hope this works for you while you climb the corporate ladder.  Just don’t forget to help the people you work with in climbing their own ladders J

Monday, October 17, 2011

Yes, this blog is still alive, expect new posts by next month

es, this blog is still alive, and I plan to start posting new materials starting next month. Topics will range from Armitage for Metasploit, Artillery for Linux, Cloud Computing Security, QualysGuard Scanner, Nessus Scanner, ITIL and ISO27K, and of course, our favorite playground, Metasploit Open Source Framework. HD is the man!

I feel blessed for the past 10 months despite my inactivity from blogging.
I met an awesome mentor that paved the way for me to meet excellent minds in InfoSec (Thanks Gene Schultz, we miss you already R.I.P).

Through grit and passion I was able to get the position I want with my current company; without the hassle of starting new relationships with another company. How did I get the job?

I pen tested my way to it :-)

I have some major milestones up ahead before the year ends. Hopefully I clear the following tasks so by 2012 I am back to blogging:

1. IAM Level III Certification Exam
2. Industry Compliance Initiatives with my current company

"Stay hungry. Stay foolish" - Steve Jobs 1955-2011

@guerilla7 on Twitter

Saturday, January 29, 2011

Confessions of a script kiddie and a l337 wannabe

Dear interviewer,

I do not know how to code. I only know a limited amount of Python and Ruby scripts. I can't figure out assembly language and C++. Shellcode scares me. Socket Programming, yeah, a little bit.

But there's a couple of tricks that I do know. I know how packets are made of and how they behave. The OSI layer and TCP-IP 3-way handshake is something close to my heart. I know how to leverage the MSF3 Framework for a goal-oriented penetration testing engagement. I know how to evade firewalls and overall detection using NMAP. I know how to craft my own packets using NPING. I know what a reflective DLL injection is. I know how to migrate an existing exploit from one running process to another. I know the difference between a compromised Windows XP and a clean one by just looking at a running Wireshark capture. I know how to maintain my connection. I know how clean my tracks.

I know how to go over a list of check boxes, namely SAS70 Type2 Audit (Now called Service Organization Control Reports), the legendary PCI-DSS, or HIPAA, or the ISO27001. I love the GAPP document by AICPA/CICA. Pretty straight forward.

Yes, I am a script kiddie. I do not breath and live codes. All I need to do is read and follow how to exploit a specific vulnerability. The l337 coders already made the codes, the payloads, and the guide how to attack. The difficult part is done and all I need to do is follow the guide from step 1. And yes I hate the command-line. Thank you Raphael for creating Armitage, makes MSF3 like child's play. Hail Mary see you tonight!

Thank you for hearing me vent by reading this blog. I am just frustrated because everyone is looking for "paper-certified" security researchers when I go over, and other job hunting websites.


Wednesday, December 15, 2010

Meet Evan Kohlmann: The Terrorist Search Engine

Meet Evan Kohlmann "The Terrorist Search Engine"

However, despite having an unprecedented success rate inside the court as an "Expert Witness" in putting bad guys to jail, a lot of IT Security Experts are questioning his research and investigation methods.

One good question from a fellow IT Security Professional posted at Schneier on Security:

@Clive "court recognized Expert Witnesses"

This is related to the profile on Kohlmann. There was the comment on "if his method is sound". Well what's an expert? Someone who knows what they are talking about. How can you tell they are an expert? They know more than me.

Kohlmann should be being challenged by the opposition lawyers as to his qualifications and knowledge. But what can a lawyer really know about any experts’ area? They usually just get the CV and "has testified in many trials of this nature" kinds of anecdotal assurance. While the opposition can try to challenge an expert's testimony they really can't try to impeach an expert, can they?

They are limited to putting their experts up to testify, to rebut the other side’s expert. So the jury has two sets of conflicting expert opinion. What's needed is an expert cross examining the witnessing expert to reveal those misstatements, lies, distortions, and 'reduction in detail' that technical people use to make complex ideas understandable by executives, lawyers, judges, and their juries.

In my opinion, every research and investigative methodology, framework, etc. in used by an expert for Computer Forensics purposes and presented in Court, should be heavily scrutinized no matter how effective and successful it is when it comes to putting bad guys to jail. Of course we value the credibility and integrity of the Expert based on his track record, but as technology progresses things are getting easier to be digitally manipulated, even worst, "hacked".

But Evan Kohlmann, I think this guy is legitimate. His obsession in tracking terrorist on the Internet for years is what made him an expert in this field of investigative IT research slash counter-terrorism. I think you can compare him to an 18 year-old teenager; obsessed in browsing Facebook, looking for new and old friends.

Sunday, October 10, 2010

Defenders of the Cloud: Certificate of Cloud Security Knowledge (CCSK)

As Cloud Computing adoption rises, more and more experienced IT Security Professionals are suiting up for the challenge, upgrading their existing arsenal with new concepts and best practices in securing the various layers and components that makes up Cloud Computing.

Since I am in the IT Security and Cloud Computing industry, I am starting to notice the certification initials "CCSK" alongside their CISSP, CISA, CEH, Security+, PMP, ITIL and other noteworthy titles. This is a strong indication that IT Security Professionals do recognize the new challenges that Cloud Computing brings to the table.

The Certificate for Cloud Security Knowledge (CCSK) is pioneered by the Cloud Security Alliance (CSA) So far, the industry support for the first ever certificate in cloud security knowledge is showing accelerated growth garnering support and participation even from major companies.

As one of the members of the early adopters of the certification, the main reason why I want to be part of the initiative is to show my dedication and passion in the new technology and play my part in generating positive public perception on how individuals, small business and large enterprise can harness the power of the cloud without thinking of too many risks.

There is a gap that exists big between traditional Information Technology security concepts and Cloud Computing security concepts. The co-mingling of data from various customers in a centralized or shared server, is one of the major characteristics of Cloud Computing as defined by the National Institute of Science and Technology (NIST). This gap is what the Cloud Security Alliance aims to fill, by providing industry-standard best practices on how to adopt and implement Cloud Computing securely. Cloud Computing adoption is all about losing control in a gracious manner.

Learn more about the Cloud Security Alliance Certificate in Cloud Security Knowledge (CSA-CCSK) here:
Cloud Security Alliance

Other noteworthy links:
NIST Cloud Computing Group

Thursday, July 29, 2010

RTP Packet inspection without hurting the quality of the voice

Nice, I would like to try this solution, deep packet inspection on RTP streams coming in (and out) of your enterprise network without degrading the quality of the voice:


Attackers can spoof the firewall and SBC into determining that the RTP stream is safe to relay. Passing the attacks through the RTP stream is called Vunneling. The alternative is to inspect the RTP packets which can slow down the transmission and distorts the voice.

The Salare solution , vPurity software, relies on a number of techniques to solve the Vunneling problem. Network Behavior Analysis (NBA) is employed by Salare. The passive NBA technique is well known for producing many false positive and false negative alerts. Salare's Active NBA virtually eliminates false positives. This is accomplished by introducing stimulus events and observing the reaction or non-reaction This provides accurate and precise recognition of the traffic types passing through the network.

The Salare technique inserts distortion in the packet that destroys embedded data and executable transmissions; this distortion is not perceptible by the listener. The insertion does not impact the quality of the voice conversation.

Complete article and links here:

Wednesday, April 7, 2010

Making the Cloud Trustworthy

Yet another Cloud Security initiative, is an initiative by pioneer computer networking company Novell.

"Mission Statement: To Promote Education, Research and Certification of Secure and Interoperable Identity in the Cloud

The Trusted Cloud Initiative will help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices. We well develop reference models, education, certification criteria and a cloud provider self-certification toolset in 2010. This will be developed in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate."

Trusted Cloud focuses on the notion that eventually it will be us users and the industry itself, that will make the Cloud more secure and trustworthy. We need to start trusting the Cloud, we need to start educating users what to and what not to expect when they join the bandwagon of Cloud Computing, we need to reiterate to users that the Cloud is not the solution for the recession, and finally, we need to let them know that Cloud Computing services, may it be Software-as-a-Service (SaaS), Platform-as-A-Service (PaaS) and Infrastructure-as-a-Service (IaaS) is now a mature and capable platform that promotes business and IT objectives alignment. Trusting the Cloud is a win-win situation, but of course with a few caveats.

We just don't have the solid security framework yet to manage and implement effective IT controls. Which is what the guys at and is working on. It might be early, but I would like to thank these guys for driving the Cloud Computing community to the right path of security with a common sense in mind, and not completely reliant on well-known IT controls and "best practices" which does not really scale and apply well to Cloud Computing.


A playground for network security enthusiasts, innovators and early adoptors

Welcome to my blog, this is me thinking out loud about Voice over IP security (VoIP), managing and optimizing converged networks, Metasploit Framework, Cloud Computing, general security and privacy concerns, grappling adventures, and tuning my MKIV VW Jetta.

All inputs, feedbacks and violent reactions are welcome.

Packet Boy Perseus
Helping spread a positive image why we hack things.

About Me

I am an InfoSec Innovator, a Blue Ocean Seafarer and a Paul Graham Pupil.