Saturday, June 4, 2016

How to become a hacker: Part 1

I know it's been a long time since blogging, I have been finishing up with coaching clients, working, and studying in the evenings.  I have decided to show you what I have been learning and how you can do the same if you want.

The biggest advantage I have with becoming a hacker has been having a friend ( who is a hacker ) agree to mentor me.  My end goal is to get hired as an Ethical Hacker / Pen Tester, I am not simply learning to learn.  I want to learn how to hack and be good enough to actually go out and get hired as a hacker.  I am not learning to impress anyone or look cool, the mission is:

Get good enough to land a job as a hacker.

One of the first questions my mentor asked me ( who is on a Red Team currently ) was what type of security testing / hacking do you want to get into?  He compared me wanting to become a hacker as the same as someone saying:

"I want to get into Computer Science."

That is too vague, computer science is not specific enough, you could become a programmer, you could become a test automation engineer, you could do Big Data, the possibilities are endless.  The same is true with becoming a hacker, that is too vague, you need to get clear on what you will be security testing / hacking.

I decided on web application security pen testing since I like working with web apps and am most familiar with them.  My hacking training is specifically geared toward learning web application pen testing techniques.

So the first rule to becoming a hacker is:

Get clear on what type of security testing / hacking you want to do, don't try to learn everything.

On that note, I am learning some of the lingo used by real world hackers, and have found that they actually do not like the term 'Ethical Hacker', they call themselves 'pen testers' or 'penetration testers' but almost never Ethical Hackers.

The next issue is where and what to start learning?

There are so many resources and places to learn you can absolutely waste your entire life trying different courses and tutorials.  Everything I am writing about is my own personal journey to becoming a web application pen tester, with that said here is the first resource that you need:

http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html


Start on lesson 16 and go through lesson 19.  The other lessons are good, but I am told are over my head for now.  The hardest part of this training is the homework, reading 80 - 100 pages after each lesson takes a long time and even longer to really understand what you are reading.  The book you will need is:

Web Application Hackers Handbook.

The key to learning pen testing is not simply watching a video and reading a book, pen testing is all about hands-on practice.  You absolutely must do what the book recommends as exercises or else you will only get the theory but not the actual how-to.

How to actually do the exercises?

You need a web application that you are actually allowed to pen test without going to jail or being illegal.  The solution is:

https://github.com/WebGoat/WebGoat

WebGoat is the best way to actually try out all the techniques you have read about.  Watch the lesson, read the homework, then go through some challenges using WebGoat's insecure web application.  This is how I am learning and will be for some time.


Tools:

The first thing you need to do is to only use a VirtualBox or VM for all of your testing in case something goes wrong, you can simply delete it.  I did this wrong before, trust me you need a VM.

Install VirtualBox

Install Kali:
https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/

On Kali install:

Firefox
Burp Suite ( latest version )

There are more things you need to know, you will need to know how to set up a browser proxy to talk to Burp Suite so that you can test the web app.  If there is interest I will write some more posts on more specifics ( as they can be tricky when you are new to it ) if I receive enough emails.

The last thing I will say is that learning how to code was tough, getting an actual junior dev job was even harder, but none of this will be even close to how hard it will be to land an actual job as a pen tester at a company.  Companies want you to basically be able to hack an international bank and not get caught with very little supervision.  I am nowhere even remotely close to that level of skill but know I will get there eventually.  Follow along on this journey if you want me to show you the way!

Never give up, you can do it!

















Saturday, March 26, 2016

End of coaching, start of Ethical Hacking journey...

There is only so much time in a day, we all have the same amount, doesn't matter who you are or how much money you make :-)

My original goal with learning to code was to become a senior Rails developer one day.  I still like Rails and love coding, but I am turning my focus towards one day becoming an Ethical Hacker.  This goal will take a while I am sure, as breaking into the field is much harder than getting hired as a developer.

I love coaching and have several clients that I am currently working with, I love seeing people get hired and change their lives for the better!  I spend my evenings always learning something new, whether it is coaching a client or something related to programming / testing.  I have a lot to learn if I am ever to get hired as an Ethical Hacker, and as such need to create more time for myself to grow.  I have decided to stop coaching people from this point forward.  I will finish the coaching plans that I have with current clients, but I will no longer be accepting any new clients.

I have helped around 30 people land testing or development positions since starting my blog.  In my book 'No Degree, No Problem' I share a lot of knowledge about switching careers, but I think down the road I will write a new book that gives secrets that I kept for coaching clients only.  Secrets that make landing a job mere child's play :-)  I don't have the time to write the book now, but I think I will write it if I get enough interest from people.  I think the book would change the way that people go about trying to get an entry level job in the testing or development field.

Normally I don't ask for help on the blog, but I have decided since I have many thousands of readers, why not ask for advice myself with my Ethical Hacker journey.  I have Googled the term, I have read many online articles and sites suggesting certifications, but I would love to hear from someone who actually got hired in Cyber Security.  If that is you, I would greatly appreciate any and all advice that you can give me!  My email is: joshuakemp85@gmail.com

Again, this will take me some time I am sure, I will keep you all posted as things progress.  I still love coding and use Ruby almost everyday which is my favorite language, I still plan on blogging as usual!


Keep coding peeps, you can do it!

Friday, March 4, 2016

How to make work easier and more productive.

I landed a couple of more coaching clients and have come to the realization that I can only coach so many people at any one time.  As of right now, I can only take on 1 more client ( until a current client gets hired ).  After 1 more client, I will be starting a wait list, first come first serve, if you want to be on that list let me know.  I never want to get so busy I can’t give high quality, individual attention.  

I was hired in August 2013 at ZipList in Reston Va, as of March 4th 2016 I have worked at 4 companies.

Ziplist - Where I wore many hats as a junior developer
Perfect Sense Digital - Where I started learning automation using Ruby
Fidelity Investments - Where I used Javascript to automate a SPA application
IBM - Where I am currently

 Through all of those companies I have learned a lot and have found common things I do at each new job that have helped me to be significantly better and more productive at work.  I hope they can help you as well!

Pocket - you find something you want to read but don’t have time right now.  I use the Pocket browser add-on for Firefox and Chrome, as well as on my iPhone.  This way I can always find what I want to read.

Evernote - Similar to the above.  I use Evernote for personal notes, potential ideas, blog posts, I even have a note for interesting things I learn about Ruby :-)  These notes aren’t tied down to any one machine and you can use the app on your phone as well to sync.

Here's an example of my Evernote:



Bookmarks - I used to hate Bookmarks, but now I love keeping a detailed list of all the URLS I may need, especially when at a new company.  I make folders for ruby, rails, automation, hacking, work, and save URLS that I want to reference later.

Alfred - Alfred is basically a tool I use for web shortcuts. I used to use a lot of bash shell aliases, but find myself using Alfred more to quickly and easily go to places on the web.  You can even add different parameters to the end of a URL to go to different JIRA tickets.

Here's an example of how to add a custom Jira ticket search.

Go into the Alfred Preferences:


Next add the 'custom web search' in this case for JIRA:

Hit the 'option key and the space bar' to open Alfred and call the Jira URL shortcut:




Chrome - I used to get to a new job and then have to download and slowly add all the things that I liked on the new computer.  I realized that if I sign in as my own profile on Chrome browser that no matter where I go or which computer I use, I always have all the addons and everything I like without having to do any setup!

I used to use a super long bash alias called ‘sd’ ( start day )  I would open my computer at work. Open the terminal and the first thing I would do is type ‘sd’.  I would then go get a drink or use the restroom while that long alias would open all the applications that I typically used each day, open up all browsers I wanted open and then go to the most common URLS that I needed to look at first thing in the morning. 

Now I use some bash aliases, but for common URLS that I need open each morning, I simply use Chrome’s built in settings and have it open the 4 URLS I look at every morning by default whenever it opens up Chrome.

Here's my browser toolbar just as an example you can also see the Pocket icon:


Here is where to set the default URLs to open in Chrome:




I still love Bash aliases ( shortcuts ) to go to any place in the terminal quickly. For example if you have a developer section where you always write your code simply have a word like ‘developer’ that takes you to that PATH without having to type in the long PATH every time.

Here's an example of some ~/.bash_profile aliases that I use:




I also like the Brew add-on ‘ack’, it's like a much easier version of grep.  You simply type in a phrase ( string ) and it will search in that folder and all sub folders for whatever you are looking for.  It also highlights all the matches.  Very simple, very easy, I love it!

Here's an example of me using 'Ack':




As a general rule, whenever you do something more than 3 - 4 times, you should try to find some way to automate it.  One of the biggest failings I have had in this area was not using a Gmail signature.  Instead every time I would write my name and a farewell ending.  I wrote that manually thousands of times till just recently, when I  realized that I should use a signature and save time.

All these things are small, but they add up and make you faster and more productive.  It also helps you to start looking for any way to automate repetitive tasks.  If something can be automated at work or on your computer that is simply boring and redundant, you should do it!

Learn to type. It will make you WAY more productive and will help your neck to stop hurting from hunching over looking at the keyboard.  In August 2014 at my first job after ZipList launched a new version of their app, I was tasked with responding to 100 - 200 emails every week.  I understood why they needed me to spend all day trying to reproduce bugs and then sending a response back to the user, but I soon found it very boring.

In order to deal with the boredom, and because my neck was killing me,  I decided to simply stop looking at my hands anymore, cold turkey.  I seriously sucked!  When I went on http://play.typeracer.com/  I averaged 12 - 14 words per minute.  I was so slow people at work asked me what I was doing sometimes ( apparently they noticed me using the delete key every other letter ) 😃

Long story short 18 months later I just got the greatest compliment from a co worker who said:  “Wow, you type really fast!”  I don’t really, I type around 50 WPM.  Typing is not as powerful as coding, but it really does help you to have a much easier time and be far more productive while working.  Also if you are going to be using a computer for 8 - 10 hours per day you should learn how to type.



You don’t have to do my method of learning to type ( no training or typing courses ) just cold turkey not looking at my fingers anymore.  Try to learn to type some way that works for you!


Keep coding peeps, you can do this! 

Saturday, February 20, 2016

How to easily pass Free Code Camp's Algorithm Scripting challenges - OR - Why you shouldn't use the browser challenges

New coaching testimonial coming on Sunday!

While researching Free Code Camp ( It changes quickly so I wanted to make sure what I was saying was up to date ), I found out some issues with the browser based scripting challenges that really bother me.  As of last year, I was able to use the Ramda.js library in the browser challenges online.

I tried every way to call/require the Ramda.js or Lodash.js libraries without any success.  I searched online for 30 minutes trying to figure out how to use Ramda.js with the online coding challenges and couldn't find any information.  I personally think the Ramda.js library was removed.  Either way, it should not be this hard to figure out how to use a Javascript library like Lodash or Ramda with the challenges.

I know as of August last year (2015) Quincy Larson said on Quora that you could use Ramda and Lodash in the online challenges:
https://www.quora.com/What-are-some-websites-to-practice-mini-problems-for-coding

I also can show you how I used Ramda.js last year with Free Code Camp online challenges:
https://github.com/joshuakemp1/FREE-CODE-CAMP/tree/master/ecc


I hope I am wrong, I hope someone will clear up this issue and show me how to use Ramda.js with Free Code Camp, without it, I don't think you should use the online editor.  I recommend copying and pasting the challenge into a text editor and then using Lodash or Ramda libraries.

The article below is how I used to easily solve the Free Code Camp challenges, hopefully, this will help you solve the challenges easier or switch over to Ruby :-)


This was my original post as of a month ago.

I've been asked by many people to write how to pass the Free Code Camp scripting challenges.  Here goes:


NOTE:  I love Free Code Camp's Algorithm challenges and recommend them to my coaching clients all the time.


There are several reasons why Free Code Camp's challenges are hard:



  • When you run your code you don't get to see the output ( sometimes you get some sort of output, but it's not the same as running it in a REPL on your terminal ).
  • You can use the Ramda.js Library but it is not advertised on the site at all.
  • Nowhere does it tell you on Free Code Camp how to call the Ramda.js Library.
  • Why would you have a Javascript library built into the Bonfire Algorithm challenges but not tell beginners how to call a Library?
  • Using built-in methods is frowned upon in the community, using nested loops is considered better and more 'vanilla Javascript'.



8 steps to solve them easily

Here's how to get around these issues:

(1)  As soon as you get to Bonfire Algorithm Challenge, the very first thing to do is click on the 'Run tests' button.

You want to find out all of the edge cases that you need to solve with your code. Leave this browser window open to reference.

(2)  Next copy and paste the Bonfire Algorithm Challenge code into your text editor.  This is where you will actually work on solving the challenge.  Once you solve one of the cases you need to solve for the challenge, paste it into the browser and run the tests.  Using this approach you will eventually solve the entire challenge.

(3)  Look at the 'helpful links', they are basically the methods you will be using to solve the challenge.  NOTE:  This is the best new feature that Free Code Camp has added lately, this is exactly what I used to do in the past, look for a Javascript method that could solve the challenge first before doing anything else.


(4)  Next look at Ramda.js Docs and see if you can find a built-in method that you can use to solve or partially solve the challenge.


(5)  Make sure you test that you are requiring and using the Ramda.js library correctly on your local machine.  First install Ramda with NPM, if you don't have NPM you will need to install Node.js.  After installing Node and Ramda, open the REPL from the command line and make sure you can access the Ramda methods.

(6)  Always be checking your code's output.  Use 'console.log' all through your code if you don't know what something is doing or want to see output for a particular piece of code.

(7)  Always avoid using multiple nested loops if possible as your solution.  No company will ever want you writing code like that in production.  Ignore people who say to learn that way first and then use methods.  Every time you use a loop you add another layer of complexity to your code, use the built-in methods as much as possible.

(8)  First try to solve the challenge any way possible, if you get it solved, then see if you can clean up your code or solve the challenge in a cleaner way.  Don't strive for perfect when you are just starting out.  Focus on completion and solving the challenge first, pretty second.


Learn to use your REPL and local machine instead of relying on the Free Code Camp online editor.  Focus on the output of your program and try to slowly solve one piece of the challenge at a time.  Never get discouraged, if it takes you 3 days to solve a challenge that's okay, you will have learned a lot about coding in those 3 days.  Don't worry if someone else can solve a challenge in 3 minutes, they have probably seen similar challenges before.
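The local workflow from steps (1), (2), (6) and (7), as an added example that is not from the original post or from Free Code Camp: the challenge (`diffArray`), its edge cases and the helper `runCases` are constructed for illustration, and only built-in array methods are used so it runs in plain Node without installing Ramda.

```javascript
// Constructed challenge: return the items that appear in only one of two arrays.

// Nested-loop version: it works, but each extra loop is another place for a bug.
function diffArrayLoops(a, b) {
  const out = [];
  for (let i = 0; i < a.length; i++) {
    let found = false;
    for (let j = 0; j < b.length; j++) {
      if (a[i] === b[j]) { found = true; break; }
    }
    if (!found) out.push(a[i]);
  }
  for (let i = 0; i < b.length; i++) {
    let found = false;
    for (let j = 0; j < a.length; j++) {
      if (b[i] === a[j]) { found = true; break; }
    }
    if (!found) out.push(b[i]);
  }
  return out;
}

// Built-in version (step 7): the same logic with filter/includes.
function diffArray(a, b) {
  const onlyIn = (xs, ys) => xs.filter((x) => !ys.includes(x));
  return onlyIn(a, b).concat(onlyIn(b, a));
}

// Step 1: the edge cases you noted from the 'Run tests' output.
// These four are constructed sample cases, not copied from the site.
const CASES = [
  { args: [[1, 2, 3, 5], [1, 2, 3, 4, 5]], want: [4] },
  { args: [[], ['snuffleupagus']], want: ['snuffleupagus'] },
  { args: [[1, 'calf', 3], [1, 'calf', 3]], want: [] },
  { args: [['a', 1], [1, 'b']], want: ['a', 'b'] },
];

// Steps 2 and 6: run every case locally and print what the code actually
// returned, so you can fix one failing case at a time before pasting the
// solution back into the browser.
function runCases(solution, cases) {
  return cases.map(({ args, want }) => {
    let got;
    let error = null;
    try {
      got = solution(...args);
    } catch (e) {
      error = e.message; // a crash counts as a failed case, not a dead script
    }
    const pass = error === null && JSON.stringify(got) === JSON.stringify(want);
    console.log(
      `${pass ? 'PASS' : 'FAIL'} ${JSON.stringify(args)} -> ` +
      (error ? `threw: ${error}` : JSON.stringify(got))
    );
    return { pass, got, want, error };
  });
}

const results = runCases(diffArray, CASES);
console.log(`${results.filter((r) => r.pass).length}/${results.length} cases passing`);
```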


Keep coding peeps, you can do this!!!




Friday, February 5, 2016

Why you should learn to code but not become a developer

I sell several copies of my book everyday that promises you can learn to code and land a Rails job.  That is still true.  What I am saying with the title of this blog, is this:  

It is soo much easier to learn how to code and land a QA or Test Automation position, than it is to start out as a full blown developer.  Being able to solve basic coding algorithms on Free Code Camp is not the same as being a developer.  NOTE:  Free Code Camp is great, this is not about them.


At my first job, I wore many hats, did some email management of the support Queue, did some testing, some front end work but it wasn't a full blown developer only position.  At my second job I did test automation which basically meant I was using Ruby to keep track of performance metrics and wrote several different scripts that solved/tested various things.  I think the longest script I personally wrote was 387 lines of code.  


There is nothing wrong with what I did, I mean my code worked, it solved the problem and the company still uses it to this day every time a certain build is triggered.  Honestly, the script was me 'hacking' trying to figure out how to solve the issue, which I did.  The script wasn't written in OOP, ( Object Oriented Programming ), it was just me functionally writing code to solve the issue.  It could have been written in probably 100 lines of code if it was written in OOP.


I am not very good at OOP.  I don't instinctively think in that manner, I am learning more about OOP, I need to improve the way I write code.  I love learning and love programming, so this is a 'good problem' to have :-)

So back to my point, you can learn to code and land a full blown Rails job.  What I am seeing in my coaching and from the emails I receive is that most humans who have zero coding backgrounds will not be comfortable doing this.  You may be able to land the job, but you will be struggling all the time.  I love that I get to use Ruby at my day job to write automation, every day I get to improve my coding abilities.

I think learning to code can be broken down like this:

Learn the basics of coding:

If, else statements
Loops
variables
data structures:  Arrays, Strings.

Knowing the above you can do a lot.  You can solve most problems that you will face in test automation at an entry level.  This is what I did at my first job, I knew Arrays and Strings well and could always solve an issue by looping over it enough times and throwing in some control statements.  You can solve 80% of problems with the above which I think is a really positive and encouraging thing for beginners new to code.  NOTE: Yes, I knew more than the above, yes I passed tutorials on Classes and OOP concepts, but I didn't actually ever use them in real life.

Learn more of the language:

Hashes
Recursion
Different types of loops
Ternary operators
Case statements
Code indentation
Cleaner code, not being redundant with code.


The second job I started to use this more, this is when I started to use things like 'RuboCop' and 'Ruby linters' to help me learn more about how to write code better.



OOP

This is where I am now.  I know of OOP but typically if I have something that I need to solve I will do it functionally.  This is the year I am trying to get away from that and really embrace OOP.

 I need to better understand and use:

Classes  ( most basic algorithm challenges don't involve using classes and can be solved by writing a few simple methods )
Modules
Inheritance
Clean Code ( I am currently reading the book, and am trying to implement it in real life )
Deeper knowledge of the Ruby language, trying out and playing with new methods just to learn more about Ruby.

In order to be good at Rails ( I'm not ) you need to be good at OOP and not simply be hacking things together until they work :-)

The above is why I also switched to Ruby Mine IDE instead of Sublime Text 3 for many reasons.



This is why I suggest to learn to code and then get a job that involves coding but not at a level like being a full-blown developer.  I think you will make your life easier and not become frustrated with coding but instead, will still find it fun, and will enjoy the journey of learning more and more every day.

I plan on writing a post on how to easily solve the first 30+ of Free Code Camp algorithm challenges ( people have been emailing me asking ).  It's actually quite simple and not too hard.  Which brings me to my point, solving algorithm challenges exclusively will not make you a good developer.  I think OOP is where things get harder, learning to think in OOP, is a different skill set in itself.

I don't think you should sit in your basement for 5 years until you are amazing at OOP and then try to get a job.  No, I think you should get an entry level job in QA that involves 50% of the time writing code.  Then you will get to grow and learn all the while being paid!

Keep coding peeps, you can do this!