Posts

Thirty Two: Nationals

It’s been a little bit since I wrote my last blog post. That is because I am lazy. At the end of April, our Northeastern CCDC team went to CCDC Nationals! Being on the Windows side, I was given about five boxes to secure (our hardening scripts are pretty great!) and triage. None of my boxes ended up getting broken into, which is great! Unfortunately, we had a little firewall hiccup which had our servers down for a few hours at one point; as a result, we came out as 7th!

Thirty-One: Winning CCDC Regionals

What is CCDC? CCDC is the Collegiate Cyber Defense Competition. In a nutshell, you put a bunch of college students in a corporate-modeled environment with Linux and Windows machines. You get some professional red teamers to attack them, while they try to keep their critical services up and also perform “injects” – random surprise tasks which give you extra points when you complete them, such as setting up a fileshare or making DNS changes.

Thirty: Goodbye, AWS EC2

RIP The time has come. As much as I enjoy having a cloud instance available 24/7 for any shenanigans I think of, it has come time for me to part ways with the instance. To be honest, I don’t really have any reasons to abandon the EC2 instance other than the fact that I don’t want to pay it anymore. I have my Pi set up now, so it is my own little EC2 instance.

Twenty Nine: Pi Playground

As promised, I ended up doing a couple of fun Raspberry Pi projects that I will quickly go over. Project 1: Pi Hole For those who don’t know, Pi Hole is basically where you route your internet traffic through a raspberry pi to use it as your DNS and it blocks ad websites. It has a list of known domains which serve ads, so if those requests never go through, then there can be no ads!

Twenty Eight: CCDC Cat and Mouse

Being on the CCDC team, I’ve been trying to prepare for the upcoming competition season. I’m on the Windows team, so I am trying to compile some scripts to run in the first couple minutes when we get access to the infrastructure. I have yet to participate in an actual CCDC competition (only Cyberforce), so I’d like to hit the ground running. While I work on that, it makes me think about (and appreciate) the vicious cat-and-mouse game that is played between Red Team and Blue team in the competition environment.

Twenty Seven: New toy

Now that the holiday season is nearing its close, I have luckily found myself with a new toy to play around with once I get back to school. I now am the proud owner of a Raspberry Pi! Raspberry Pi’s, for those who don’t know, are really just mini computers. However, there is a massive online community of Raspberry Pi enthusiasts who make insane projects with them, from DNS-based ad blockers to home security systems.

Twenty Six: Makings of a Keyboard Warrior

I think that I am following the path set by some supreme being. I see myself becoming interested in the things that I made fun of in the past. One of the things that I had once made fun of was keyboards. After I built a PC over COVID, I noticed the big presence of keyboard enthusiasts on the internet. People who built their own keyboards, hand-chose the switches, found cool keycaps, modded their keyboards, collected them, etc.

Twenty Five: SUB-Z3R0 CTF

Check my LinkedIn post on this topic! On Saturday, Dec 2, CTF Club, NUWiCyS, and NUSecurity collaborated to put on Northeastern’s biggest ever student-led security event, SUB-Z3R0 CTF. I have never organized such a large event – over 60 people came to take on the challenge. It was an honor to have been a leader of the team that organized this event. From making challenges to applying for funds to booking the room, I got to help run the show for this event.

Twenty Four: I Broke AWS Again

Again? Yes, again. You may remember that last time, I broke AWS because I wiped my hard drive and therefore lost my SSH key. This time, I made a different error that literally broke my Debian instance. The sin Admittedly, I don’t really blame myself for this one. I was busy setting up a Docker compose file for a CTF challenge (Sub-Z3R0 CTF coming soon, Dec 2!). For reasons I prefer not to get into, I was trying to do something janky and I copied my sudo binary into the container and changed the permissions.

Twenty Three

[redacted]

Twenty-Two: EU

This post will be short. It is just a note of appreciation for what I have seen in the news about the EU lately. For those who don’t know, the EU – at least in the recent past – has been a champion of the consumer in a digital age. They have forced Apple to use USB-C and allow app sideloading (coming soon?), and now they are forcing Microsoft to allow Windows users to uninstall Edge/Bing/Cortana/etc.

Twenty-One: Mortality

This will be one of the few non-nerd posts that I publish. Enjoy. Today, I was having breakfast with my family at a diner. As I left, an elderly man fell at the front door of the diner. We helped him up, and, with difficulty, got him to a chair to sit down. As I left, I looked back at him. He was sitting in the chair, eyes wide open, looking around.

Twenty: CPTC

What is CPTC? CPTC refers to the Collegiate Penetration Testing Competition. The New England region’s competition this year was held in New Haven, CT. While I can’t say I was a huge fan of the city of New Haven (although admittedly I didn’t see much of it), I was pleasantly surprised with the tight ship that was run by CPTC staff. The infrastructure was interesting and did not have any major problems, the documentation was mostly clear and answered many of the questions one might have, and the event was overall pretty structured and simple.

Nineteen: Learning with Trial by Fire

I have chronicled in past blog posts some events that have not gone my way. Take, for example, wiping my hard drive while trying to dual boot Arch. Yes, I have made many mistakes in my computing career (?), only a few of which I have posted on my blog; however, I am certain that I would not know what I know today if I had not made consistent mistakes that had cost me.

Eighteen: Cyberforce: 9th/107

This past weekend, the Northeastern Collegiate Cyber Defense Team sent some of the members down to Chicago to participate in the Cyberforce competition. I was one of the students sent to this competition. We ended up placing 9th out of 107 teams. Pretty solid result! It was not quite as I had imagined; I expected to mostly be defending my machine (I was in charge of the DC), but it was much more based on solving anomalies (basically ctf challenges) and solving forensics-type challenges (“Red Team just got into your PLC server, what did they do and how did they get in?

Seventeen: Why I'm Interested in DevSecOps

I’ve explored, in shallow depth, a lot of the domain map of cybersecurity (see here). I’ve looked at the domains overviewed in Security+ (physical security, cloud security, frameworks and standards, risk management, security policy, etc.), as well as domains I have learned about on my own or in school, such as cryptography, security engineering, red-teaming, network infrastructure, SIEMs, incident response, etc. Security is a huge space, which I think not a lot of people understand.

Sixteen: CTF Club

Starting this past summer, I co-founded and became the first president of Northeastern’s new CTF Club. CTF Club, unlike what many people have thought, is NOT a physical capture-the-flag club. I was under the guise that most people, especially Computer Science students, knew what a CTF was. To my surprise, it was much less well-known than I thought. Nonetheless, our club is based around cybersecurity CTFs, which are competitions that go a little bit like this: You get a list of “challenges” – a web page, a program, even something like a list of numbers (it can be anything!

Fifteen: Dual Boot Hiccup

This post will be short, but I wanted to ensure that I write the issue and solution down, because the likelihood that I run into it again is extremely high. Without further ado: The issue: Windows Update I did not think twice about updating my Windows system post-dualboot. However, when I updated, it took a comically long amount of time. At that point, I knew it was messing with my dualboot.

Fourteen: Why Arch?

In my previous post, I documented the difficult story of how I wiped my entire hard drive trying to dual boot Arch and Windows 11. However, I never went over exactly why I chose Arch to dualboot, instead of a distro like NixOS or a stable choice like Debian. Here was my reasoning: Reason 1: Package repository, Wiki, Community Arch has a massive package repository, all of which are continually updated and maintained by the community.

Thirteen: Arch Dualboot -- Fool me Once

In an earlier post, I chronicled my misadventures with dual booting Arch linux onto my gaming PC, in which I wiped Windows off of it because I didn’t really know what I was doing. To be honest, once I get an idea in my head, it’s very difficult for me to get it out. I just have to do it. In this case, I was convinced that I had to dual boot Arch and Windows 11 on my daily laptop.

Twelve: CompTIA Security+

After years of studying on and off, I finally took my Security+ exam, and passed. Frankly, I am really happy that I studied for Security+ for years, even if I wasn’t consistent about it. The fact that I started early and took my time with it gave me a wonderful knowledge baseline that was extremely helpful for not only some of my classes but also just general knowledge that every security professional needs to know.

Eleven: Confessions of a DistroHopper

DistroHopper “someone that keeps switching from one linux distribution to another, not with the intention to just test a certain Linux distribution, but with the illusion to find the perfect Linux distribution that suits all his/her needs and to install that as his/her main Operating System. Ofcours [sic] that distro does not exist.” (Urban Dictionary) Why I distrohop(ped) What is the point of distrohopping? Why not just get used to one Linux distribution and stick with it?

Ten: Improvement and Change

Hello Hugo I have migrated my self-made website to Hugo, a static website generator. So far, it’s been great: extremely fast, easy to use, and looks good. I also am now self-hosting the server on a cloud machine. While making these changes, I thought about improvement and change. While migrating my blog posts to Hugo, I realized that I have learned much more since my original posts and have changed my thoughts on several things that I have said before.

Nine: Troubleshooting

I called this post the 'art' of troubleshooting, but I'm not sure if it should instead be considered a science. The way I troubleshoot certainly cannot be considered an art at all, unless you consider a massive amount of open, unmanaged tabs to be artwork. I began the process of troubleshooting when I played my first Pokemon game. I received Pokemon Diamond and tried to play it, but got stuck in the very first room.

Eight: Breaking Nix

NixOS is hailed as an 'unbreakable' distribution because of its generations system, where you can go back in 'generations' -- i.e. saved versions of your configuration each time you change it -- so as to always have a backup where your system once worked. However, this does not necessarily mean that it is impossible to break, as I have figured out. I started using NixOS via VirtualBox to get a feel of it.

Seven: Arch & Windows Dual Boot

A long time ago, I got a gaming PC for Christmas. At that time, the PC was pretty top-notch; now, not so much. A GTX 660TI graphics card, 8GB RAM, and an i5-3330; by today's standards, it's dated. However, it was sitting around collecting dust, so I decided to load Arch on it, so I can then say that I use arch, btw. I booted up the PC and the performance wasn't really that bad.

Six: Nix!

I plan to make several posts on my experience so far with NixOS, but this first post will be more about a specific feature that I really like. Long story short, NixOS is a fully declarative Linux distribution based on the Nix package manager. I'll talk more about what I know about it in a different post. Nix has an amazing feature called flakes. Flakes can probably do a lot of things that I am currently unaware of, but for the purposes of this specific blog post, I'll highlight one possible usage of them.

Five: Mental Outlaw

Recently, I stumbled upon a new YouTuber named Mental Outlaw. He makes videos ranging from cryptocurrency to internet privacy to Linux distros and beyond. He is incredibly knowledgeable and all of his videos are extremely informative and also pretty funny. He has a lot of great views on software and privacy, for example: Proprietary, closed-source software is spyware. Open-source software (as well as open-source forks of software, like Librewolf [forked off Firefox]) is both more secure and private.

Four: GNOME woes

For weeks, my Ubuntu VM (no judgment, I plan to switch to NixOS this summer) was abnormally slow. I didn't really think too much of it because I just cracked it down to me not giving the machine enough RAM or CPUs or something. However, it got to the point where I decided to see if anything was going wrong. I ran a top to see if something was eating my CPU.

Three: VPN lies

There are lots of commercial VPNs available today. NordVPN, PrivateInternetAccess, ExpressVPN, ... etc. Commercial VPNs are heavily marketed: your favorite YouTuber has a special 20% off code, the ads pop up on the websites you browse, etc. Their marketing scheme promises a few things: Be more "private": protect your credit cards, passwords, sensitive info, etc. Spoof your location and trick some site into thinking you're in London or Frankfurt or something.

Two: Wireshark

Wireshark is an extremely powerful tool. Sure, its usage is throttled in the absence of a decryption key that can let you see the plaintext traffic. Plaintext or encrypted, Wireshark has some beautiful features that make analyzing network traffic a breeze. You may even consider it fun (if you're a big nerd)! Wireshark lets you filter traffic in plenty of ways, but there are a few that are most useful. My favorites: ip.

One: Omegle Doxxing

Before the internet, we were told to not talk to strangers, and never give any information to them about where you live or who you are. Then the internet came, and people began doing live face calls on Omegle.com on a peer-to-peer connection. What could go wrong? Unsurprisingly, a lot. Back when I was in high school, my friend notified me of something he had seen on YouTube that took advantage of this great security misstep.