* [A DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And Fancy Events To Reach The NSA, FBI, And White House - Craig Silverman(BuzzFeed News)](https://www.buzzfeednews.com/article/craigsilverman/icit-james-scott-think-tank-fake-twitter-youtube#.dnqv2lQJr)
* [Opting Out Like A Boss - The OSINT Way (Part 1) - learnallthethings.net](https://www.learnallthethings.net/blog/2018/1/23/opting-out-like-a-boss-the-osint-way)
* [Creating Your Own Citizen Database - Aiganysh Aidarbekova](https://www.bellingcat.com/resources/how-tos/2019/02/14/creating-your-own-citizen-database/)
* [Manage connections from Windows operating system components to Microsoft services - docs.ms](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
* [Cookies – what does ‘good’ look like? - UK Information Commissioner's Office - Ali Shah](https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/)
* [Project Feels: How USA Today, ESPN and The New York Times are targeting ads to mood - digiday](https://digiday.com/media/project-feels-usa-today-espn-new-york-times-targeting-ads-mood/)
* [The New York Times Advertising & Marketing Solutions Group Introduces ‘nytDEMO’: A Cross-Functional Team Focused on Bringing Insights and Data Solutions to Brands(2018)](https://investors.nytco.com/press/press-releases/press-release-details/2018/The-New-York-Times-Advertising--Marketing-Solutions-Group-Introduces-nytDEMO-A-Cross-Functional-Team-Focused-on-Bringing-Insights-and-Data-Solutions-to-Brands/default.aspx)
* [Toward an Information Operations Kill Chain - Bruce Schneier](https://www.lawfareblog.com/toward-information-operations-kill-chain)
* [Towards Improving CVSS - J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shick - CMU](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf)
* [Designing Security for Billions - Facebook](https://newsroom.fb.com/news/2019/01/designing-security-for-billions/)
* [Passwords in a file - erratasec](https://blog.erratasec.com/2019/01/passwords-in-file.html)
* [Keyboard shortcuts in Windows - support.ms](https://support.microsoft.com/en-us/help/12445/windows-keyboard-shortcuts)
* [MarkOfTheWeb: How a Forgetful Russian Agent Left a Trail of Breadcrumbs - Yonathan Klijnsma](https://www.riskiq.com/blog/labs/markoftheweb/)
* [Normalization of deviance - Dan Luu](https://danluu.com/wat/)
* [One week of bugs - Dan Luu](http://danluu.com/everything-is-broken/)
* [Apache and Let's Encrypt Best Practices for Security - aaronhorler.com](https://aaronhorler.com/articles/apache.html)
* [Operation Luigi: How I hacked my friend without her noticing](https://www.youtube.com/watch?v=ZlNkIFipKZ4&feature=youtu.be)
* My friend gave me permission to "hack all her stuff" and this is my story. It's about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.
* [Welcome to Infosec (Choose your own Adventure) - primarytyler](https://docs.google.com/presentation/d/1_PjLGP28AH3HXbkwRkzGFeVPBmbBhp05mg7T6YofzRA/mobilepresent#slide=id.p)
* [Choose Your Own Red Team Adventure - Tim Malcomvetter](https://medium.com/@malcomvetter/choose-your-own-red-team-adventure-f87d6a3b0b76)
* [Effective learning: Twenty rules of formulating knowledge - super-memory.com](http://super-memory.com/articles/20rules.htm)
* [When to Test and How to Test It - Bruce Potter - Derbycon7](https://www.youtube.com/watch?v=Ej97WyEMRkI)
* “I think we need a penetration test.” This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that's wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.
* [Salted Hash Ep 34: Red Team vs. Vulnerability Assessments - CSO Online](https://www.csoonline.com/article/3286604/security/salted-hash-ep-34-red-team-vs-vulnerability-assessments.html#tk.twt_cso)
* Words matter. This week on Salted Hash, we talk to Phil Grimes about the differences between full Red Team engagements and vulnerability assessments.
* [Encoding vs. Encryption vs. Hashing vs. Obfuscation - Daniel Miessler](https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/)
* **Security 101**
* [Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/)
* [Access control best practices](https://srlabs.de/acs/)
* **General Good Stuff**
* [Words Have Meanings - Dan Tentler - CircleCityCon 2017]
* [(Deliberate) practice makes perfect: how to become an expert in anything - Aytekin Tank](https://medium.com/swlh/deliberate-practice-makes-perfect-how-to-become-an-expert-in-anything-ec30e0c1314e)
* **Careers in Information Security**
* **Educational/Informational**
* [Navigating Career Choices in InfoSec - Fernando Montenegro - BSides Detroit2017](https://www.youtube.com/watch?v=yM2xCjrQSY4)
* [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY)
* So, you think you want to be a penetration tester, or you already are and don't understand the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? Well, this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective, and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of the questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
* [Hold my Red Bull: Undergraduate Red Teaming - Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
* **How to Ask Better Questions**
* [How To Ask Questions The Smart Way - Eric Raymond](http://www.catb.org/esr/faqs/smart-questions.html)
* [The Six Types Of Socratic Questions - umich.edu](http://www.umich.edu/~elements/probsolv/strategy/cthinking.htm)
* [Ask Good Questions: Deep Dive - Yousef Kazerooni](https://medium.com/@YousefKazerooni/ask-good-questions-deep-dive-dacd8dddc247)
* [Relearning the Art of Asking Questions - HBR](https://hbr.org/2015/03/relearning-the-art-of-asking-questions)
* [How To Ask Questions The Smart Way - wiki.c2.com](http://wiki.c2.com/?HowToAskQuestionsTheSmartWay)
* **Learning:**
* **Excel**
* [You Suck at Excel with Joel Spolsky(2015)](https://www.youtube.com/watch?v=0nbkaYsR94c&feature=youtu.be)
* The way you are using Excel causes errors, creates incomprehensible spaghetti spreadsheets, and makes me want to stab out my own eyes. Enough of the =VLOOKUPs with the C3:$F$38. You don't even know what that means.
* explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page.
* [A little collection of cool unix terminal/console/curses tools](https://kkovacs.eu/cool-but-obscure-unix-tools)
* **New Skills**
* [The Paradox of Choice: Learning new skills in InfoSec without getting overwhelmed - AzeriaLabs](https://azeria-labs.com/paradox-of-choice/)
* **Problem Solving**
* [Software Problem Solving Cheat Sheet - Florian Roth](https://www.nextron-systems.com/wp-content/uploads/2018/06/Software-Problem-Solving-Cheat-Sheet.pdf)
* [The XY Problem](http://xyproblem.info/)
* The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.
* [The AZ Problem](http://azproblem.info/)
* This website introduces the AZ Problem: a generalization of the XY Problem. To wit, if we agree that the XY Problem is a problem, then the AZ Problem is a metaproblem. And while the XY Problem is often technical, the AZ Problem is procedural. The AZ Problem is when business requirements are misunderstood or decontextualized. These requirements end up being the root cause of brittle, ill-suited, or frivolous features. An AZ Problem will often give rise to several XY Problems.
* [Hashicorp at Home part 2](https://www.mockingbirdconsulting.co.uk/blog/2019-01-08-hashicorp-at-home-part-2/)
* [Hashicorp at Home - Code](https://github.com/mockingbirdconsulting/HashicorpAtHome)
-------------------------
### <a name="general"></a> General
* This page is a collection of resources for building a lab for performing various security-related tasks. Generally, the idea is that you set up local hypervisor software (VMware, VirtualBox) and then install a virtual machine in which to perform testing and analysis without any impact on your "physical" machine.
-------------------------
### <a name="vm"></a> Virtual Machines
* **101**
* [Set up your own malware analysis lab with VirtualBox, INetSim and Burp - Christophe Tafani-Dereeper](https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/)
* [CyRIS: Cyber Range Instantiation System](https://github.com/crond-jaist/cyris)
* CyRIS is a tool for facilitating cybersecurity training by automating the creation and management of the corresponding training environments (a.k.a. cyber ranges) based on a description in YAML format. CyRIS is being developed by the Cyber Range Organization and Design (CROND) NEC-endowed chair at the Japan Advanced Institute of Science and Technology (JAIST).
* **VMs Designed to be Attacked**
* [List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html)
* [The Hacker Games - Hack the VM before it hacks you](http://www.scriptjunkie.us/2012/04/the-hacker-games/)
* [‘Thought Leader’ gives talk that will inspire your thoughts | CBC Radio (Comedy/Satire Skit)](https://www.youtube.com/watch?v=_ZBKX-6Gz6A)
* Self-proclaimed “thought leader” Pat Kelly gives his talk on “thought leadership” at the annual This Is That Talks in Whistler, B.C. In the seminar, Kelly covers: how to talk with your hands, how to get a standing ovation, and how to inspire people by saying nothing at all.
* [Why are large companies so difficult to rescue (regarding bad internal technology) - Lawrence Krubner](http://www.smashcompany.com/business/why-are-large-companies-so-difficult-to-rescue-regarding-bad-internal-technology)
* [Ten Simple Rules for Doing Your Best Research, According to Hamming](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2041981/)
* [Lack of progress exposed by the Canary MacGuffin - rachelbythebay](https://rachelbythebay.com/w/2018/10/23/idle/)
* [Strategy Letter I: Ben and Jerry’s vs. Amazon - Joel on Software](https://www.joelonsoftware.com/2000/05/12/strategy-letter-i-ben-and-jerrys-vs-amazon/)
* [Defining The Corporate Hierarchy - Erik Dietrich](https://daedtech.com/defining-the-corporate-hierarchy/)
* [The Beggar CEO and Sucker Culture - Erik Dietrich](https://daedtech.com/the-beggar-ceo-and-sucker-culture/)
* **Business**<a name="business"></a>
* [When Everything That Counts Can’t Be Counted - Joshua M. Brown](https://thereformedbroker.com/2019/06/13/when-everything-that-counts-cant-be-counted/)
* [The Trillion-Dollar Vision of Dee Hock - Mitchell Waldrop(FastCompany)](https://www.fastcompany.com/27333/trillion-dollar-vision-dee-hock)
* [The Longest Yard: Reorganizing IT for Success - Bruce F. Webster](http://brucefwebster.com/2008/04/14/the-longest-yard-reorganizing-it-for-success/)
* [How Complex Systems Fail - Richard I. Cook](http://web.mit.edu/2.75/resources/random/How%20Complex%20Systems%20Fail.pdf)
* [Big companies v. startups - Dan Luu](https://danluu.com/startup-tradeoffs/)
* [How Developers Stop Learning: Rise of the Expert Beginner - Erik Dietrich](https://daedtech.com/how-developers-stop-learning-rise-of-the-expert-beginner/)
* [Your Job Title of Tomorrow: Efficiencer - Erik Dietrich](https://daedtech.com/your-job-title-of-tomorrow-efficiencer/)
* [Things I Learnt The Hard Way (in 30 Years of Software Development) - juliobiason.net](https://blog.juliobiason.net/thoughts/things-i-learnt-the-hard-way/)
* [Recommended Reading for Developers(2015) - blog.codinghorror.com]
* **Careers in Information Security**<a name="infosec-careers"></a>
* [Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models](https://www.usenix.org/conference/usenixsecurity18/presentation/mickens)
* Some people enter the technology industry to build newer, more exciting kinds of technology as quickly as possible. My keynote will savage these people and will burn important professional bridges, likely forcing me to join a monastery or another penance-focused organization. In my keynote, I will explain why the proliferation of ubiquitous technology is good in the same sense that ubiquitous Venus weather would be good, i.e., not good at all. Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits. At some point, my microphone will be cut off, possibly by hotel management, but possibly by myself, because microphones are technology and we need to reclaim the stark purity that emerges from amplifying our voices using rams’ horns and sheets of papyrus rolled into cone shapes. I will explain why papyrus cones are not vulnerable to buffer overflow attacks, and then I will conclude by observing that my new start-up papyr.us is looking for talented full-stack developers who are comfortable executing computational tasks on an abacus or several nearby sticks.
* **Educational/Informational**
* [Navigating Career Choices in InfoSec - Fernando Montenegro - BSides Detroit2017](https://www.youtube.com/watch?v=yM2xCjrQSY4)
* Making career choices can be intimidating and stressful. Perhaps this presentation can help. The tidal forces affecting technology impact our careers as well. If we're not actively managing them, we're leaving decisions to chance (or to others), and may not like the outcomes. This presentation describes a framework I've used over the past few years to evaluate both ongoing job satisfaction as well as new opportunities as they appear. I'm happy with the outcomes I've obtained with it, and have used this same framework when providing advice to others, and it has been well received. Hopefully it can help others as well.
* In this presentation we'll be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea of how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue what offensive and defensive people do operationally, from a tool perspective.
* [So You Want To Be A H6x0r: Getting Started in Cybersecurity - Doug White and Russ Beauchemin](https://www.youtube.com/watch?v=rRJKghTTics)
* [How to Get Any Job You Want (even if you’re unqualified) - Raghav Haran](https://medium.com/the-mission/how-to-get-any-job-you-want-even-if-you-re-unqualified-6f49a65f5491)
* [Getting Hired: A Few Tips - Mubix](https://malicious.link/post/2018/getting-hired-a-few-tips/)
* **Interview Preparation**
* [How to prepare for an infosec interview - Timothy DeBlock](http://www.timothydeblock.com/eis/135)
* The NICE Framework, NIST Special Publication 800-181, establishes a taxonomy and common lexicon to be used to describe all cybersecurity work and workers, irrespective of where or for whom the work is performed. The NICE Framework is intended to be applied in the public, private, and academic sectors. (USA focused)
* **Autonomous Vehicles**
* [Want to become an autonomous vehicle engineer? - Kyle Martin](https://becomeautonomous.com/)
* **Data Scientist**
* [What Data Scientists Really Do, According to 35 Data Scientists - HBR](https://hbr.org/2018/08/what-data-scientists-really-do-according-to-35-data-scientists?mc_cid=f8f788d39e&mc_eid=f956a0c5ca)
* [How to Become a Data Scientist - On your own - Zeeshan Usmani](https://www.datasciencecentral.com/profiles/blogs/how-to-become-a-data-scientist-for-free)
* [Pushing Left, Like a Boss: Part 1 - SheHacksPurple](https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95)
* [The Secret Rules For Getting Hired - Terence Eden](https://shkspr.mobi/blog/2019/04/the-secret-rules-for-getting-hired/)
* [How To Land A Job In Infosec](https://www.secjuice.com/getting-a-job-in-infosec/)
* [How to Get a Programming Job without a Degree - Erik Dietrich](https://daedtech.com/programming-job-without-degree/)
* **Startups**
* [20 Questions To Ask Before Joining A Startup - Harrison Harnisch](https://hharnisc.github.io/2018/11/25/twenty-questions-to-ask-before-joining-a-startup.html)
* [How to Choose a Startup to Work For by Thinking Like An Investor - Harj Taggar(TripleByte)](https://triplebyte.com/blog/how-to-choose-a-startup-to-work-for)
* **Company Culture**<a name="culture"></a>
* [American Cultural Assumption - wiki.c2.com](http://wiki.c2.com/?AmericanCulturalAssumption)
* [Containers Will Not Fix Your Broken Culture (and Other Hard Truths) - Complex socio-technical systems are hard; film at 11. - Bridget Kromhout](https://queue.acm.org/detail.cfm?id=3185224)
* **Compensation/Equity**<a name="comp"></a>
* [The Holloway Guide to Equity Compensation](https://www.holloway.com/g/equity-compensation)
* Stock options, RSUs, job offers, and taxes—a detailed reference, including hundreds of resources, explained from the ground up and made to be improved over time.
* [Salary strategies everyone in tech already knows — but you don't - Candor](https://teamcandor.com/salary/guide/)
* [Why A Billable Hours Model Does not Work in Consulting - firmsconsulting.com](https://www.firmsconsulting.com/quarterly/billable-hours-strategy-consulting/)
* [How To Build Your Own Infosec Company - Mario Heiderich (BSides Lisbon 2018: Keynote)](https://www.youtube.com/watch?reload=9&v=UE5xS7-kFjE)
* [Not A Full Timer: Slight difference from Pro to cattle - Mohamed Hayibor](https://mohamedhayibor.github.io/blog/post/Not-A-Full-Timer/)
* [Our 6 Must Reads for Cutting Through Conflict and Tough Conversations - firstround.com](https://firstround.com/review/our-6-must-reads-for-cutting-through-conflict-and-tough-conversations/)
* [7 Tips for Difficult Conversations - Daisy Wademan Dowling(HBR)](https://hbr.org/2009/03/7-tips-for-difficult-conversat)
* [How to Have Difficult Conversations When You Don’t Like Conflict - Joel Garfinkle(HBR)](https://hbr.org/2017/05/how-to-have-difficult-conversations-when-you-dont-like-conflict)
* **Books**
* [Difficult Conversations How to Discuss What Matters Most By Douglas Stone, Bruce Patton and Sheila Heen](https://www.penguinrandomhouse.com/books/331191/difficult-conversations-by-douglas-stone-bruce-patton-and-sheila-heen/9780143118442/)
* **Employee Attrition**<a name="attrition"></a>
* [How To Keep Your Best Programmers - Erik Dietrich](https://daedtech.com/how-to-keep-your-best-programmers/)
* [The Wetware Crisis: the Dead Sea effect - Bruce Webster](http://brucefwebster.com/2008/04/11/the-wetware-crisis-the-dead-sea-effect/)
* [The Elves Leave Middle Earth – Sodas Are No Longer Free - Steve Blank](https://steveblank.com/2009/12/21/the-elves-leave-middle-earth-%E2%80%93-soda%E2%80%99s-are-no-longer-free/)
* **General**<a name="general"></a>
* [Mozilla Enterprise Information Security](https://infosec.mozilla.org/)
* [Career advice I wish I’d been given when I was young - 80,000 Hours](https://80000hours.org/2019/04/career-advice-i-wish-id-been-given-when-i-was-young/)
* [In Nobel Prize lecture, lessons for managing employee incentives - Kara Baskin(MIT Sloan)](https://mitsloan.mit.edu/ideas-made-to-matter/nobel-prize-lecture-lessons-managing-employee-incentives)
* **Hiring**<a name="hiring"></a>
* [What I Learned Doing 250 Interviews at Google - Moishe Lettvin](https://www.youtube.com/watch?v=r8RxkpUvxK0)
* [F*** You, I Quit — Hiring Is Broken - Sahat Yalkabov](https://medium.com/@evnowandforever/f-you-i-quit-hiring-is-broken-bb8f3a48d324)
* [Hiring is Broken And Yours Is Too - RajivPrab.com](https://software.rajivprab.com/2019/07/27/hiring-is-broken-and-yours-is-too/amp/)
* [In Head-Hunting, Big Data May Not Be Such a Big Deal - Adam Bryant](https://www.nytimes.com/2013/06/20/business/in-head-hunting-big-data-may-not-be-such-a-big-deal.html)
* "This interview with Laszlo Bock, senior vice president of people operations at Google, was conducted and condensed by Adam Bryant."
* [Here's Google's Secret To Hiring The Best People - Laszlo Bock(Wired - 2015)](https://www.wired.com/2015/04/hire-like-google/)
* [Hiring is Broken… And It Isn’t Worth Fixing - Erik Dietrich](https://daedtech.com/hiring-is-broken/)
* [A Players Don’t Hire A Players — They Partner with A Players - Erik Dietrich](https://daedtech.com/a-players-dont-hire-a-players-they-partner-with-a-players/)
* [The Hiring Post - sockpuppet.org](https://sockpuppet.org/blog/2015/03/06/the-hiring-post/)
* [On Secretly Terrible Engineers - Danny Crichton](https://techcrunch.com/2015/03/08/on-secretly-terrible-engineers/)
* **Impostor Syndrome**<a name="imposter"></a>
* [Would the real imposter please stand up? - Dr. Jessica Barker(SteelCon2016)](https://www.youtube.com/watch?v=tGyBFOWsFbk&feature=share)
* [Dark Matter Developers: The Unseen 99%(2012) - Scott Hanselman](https://www.hanselman.com/blog/DarkMatterDevelopersTheUnseen99.aspx)
* [Why You Should Charge Clients More Than You Think You’re Worth - Dorie Clark(HBR)](https://hbr.org/2017/10/why-you-should-charge-clients-more-than-you-think-youre-worth)
* [How to Write a Statement of Work - Mary K Pratt](https://www.computerworld.com/article/2555324/how-to-write-a-statement-of-work.html)
* The Peter principle is a concept in management developed by Laurence J. Peter, which observes that people in a hierarchy tend to rise to their "level of incompetence". In other words, employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another. The concept was enunciated in the 1969 book The Peter Principle by Peter and Raymond Hull.
* The Dilbert principle refers to a 1990s theory by Dilbert cartoonist Scott Adams stating that companies tend to systematically promote their least competent employees to management (generally middle management), to limit the amount of damage they are capable of doing.
* [The Iron Law of Bureaucracy](https://www.jerrypournelle.com/reports/jerryp/iron.html)
* Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people:
* `First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.`
* `Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.`
* The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.
* [Ten Rules for Negotiating a Job Offer - Haseeb Qureshi](https://haseebq.com/my-ten-rules-for-negotiating-a-job-offer/)
* [How Not to Bomb Your Offer Negotiation - Haseeb Qureshi](https://haseebq.com/farewell-app-academy-hello-airbnb-part-i/)
* [Deploying Guerrilla Tactics to Combat Stupid Tech Interviews - Erik Dietrich](https://daedtech.com/deploying-guerrilla-tactics-combat-stupid-tech-interviews/)
* **Interviewing**<a name="interviewing"></a>
* [What I Learned Doing 250 Interviews at Google - Moishe Lettvin](https://www.youtube.com/watch?v=r8RxkpUvxK0)
* [Raising the Bar - The Unconventional Interview Method That Really Works - socialtalent](https://www.socialtalent.com/blog/recruitment/raising-the-bar-unconventional-interview-method-really-works)
* [The Trouble With "Culture Fit" - Rich Moy](https://www.stackoverflowbusiness.com/blog/the-trouble-with-culture-fit)
* [Salary Negotiations: Win by Losing - Erik Dietrich](https://daedtech.com/salary-negotiations-win-by-losing/)
* **Management**<a name="mgmt"></a>
* [Up Or Out: Solving The IT Turnover Crisis - Alex Papadimoulis](http://thedailywtf.com/articles/Up-or-Out-Solving-the-IT-Turnover-Crisis)
* [The Wetware Crisis: the Dead Sea effect - Bruce F. Webster](http://brucefwebster.com/2008/04/11/the-wetware-crisis-the-dead-sea-effect/)
* [The Tyranny of Structurelessness - Jo Freeman](https://www.jofreeman.com/joreen/tyranny.htm)
* [Reaching Peak Meeting Efficiency: Meetings are a critical tool for building a diverse, high-performance team with shared values - Steven Sinofsky](https://medium.learningbyshipping.com/reaching-peak-meeting-efficiency-f8e47c93317a)
* [Maker's Schedule, Manager's Schedule - Paul Graham(2009)](http://www.paulgraham.com/makersschedule.html)
* **Mental Health**<a name="mentalh"></a>
* **Burnout**
* [13 Surprising Signs of Burnout You May Be Missing - thriveglobal](https://thriveglobal.com/stories/13-surprising-signs-of-burnout-you-may-be-missing/)
* **Stress**
* [Stress management - Mayo Clinic](https://www.mayoclinic.org/healthy-lifestyle/stress-management/in-depth/stress/art-20046037)
* [Understanding chronic stress - American Psychological Association](https://www.apa.org/helpcenter/understanding-chronic-stress)
* [Chronic Stress and a Life: How Stress Almost Killed Me - Sergio Caltagirone](http://www.activeresponse.org/chronic-stress-and-a-life-how-stress-almost-killed-me/)
* **Abusive Behaviour**
* [Sick systems: How to keep someone with you forever - Issendai](https://issendai.livejournal.com/572510.html)
* **Mentoring**<a name="mentor"></a>
* [How to get coaching, mentoring, and attention - Jake Seliger](https://jakeseliger.com/2010/10/02/how-to-get-your-professors%E2%80%99-attention-or-how-to-get-the-coaching-and-mentorship-you-need/)
* **Metrics**<a name="metrics"></a>
* [Be Careful What You Measure - Mark Graham Brown](https://corporater.com/en/the-chicken-kpi-be-careful-of-what-you-measure/)
* **Networking**<a name="network"></a>
* [That’s still not my RJ 45 Jack - IRL Networking for Humans Pt 2 - Johnny Xmas](https://www.irongeek.com/i.php?page=videos/converge2015/%22track112-how-to-dress-like-a-human-being-irl-networking-for-humans-pt-2-johnny-xmas%22)
* We're smart. We're incredibly tech savvy. We can rock some mad OSINT with our Google-Fu. We're 85% +-10% sure which part of the body a hat goes on. We think you can never have enough beard. WE THINK THAT'S ACCEPTABLE. The second in his multi-part series on building social prowess, this talk will focus on the inconvenient truth of your book always, always, always being judged by its cover, and how to deal with that with minimal effort so you can get back to sewing more pockets on your utilikilt. This talk covers both male and female situations, though it is primarily unisex. We'll get you set up with a core wardrobe and hygienic skillset so you'll be able to roll out of bed, spend minimal time "getting ready," rock the dreaded client-facing meeting or industry meetup, and get you back home where you can safely take your pants off.
* **Non-Competes**<a name="noncomp"></a>
* [Why I Turned Down an AWS Job Offer - Corey Quinn](https://www.lastweekinaws.com/blog/why-i-turned-down-an-aws-job-offer/)
* **Non-Technical Skills**<a name="non-tech"></a>
* [Relearning the Art of Asking Questions - HBR](https://hbr.org/2015/03/relearning-the-art-of-asking-questions)
* [How To Ask Questions The Smart Way - Eric Raymond](http://www.catb.org/esr/faqs/smart-questions.html)
* [Why are large companies so difficult to rescue (regarding bad internal technology) - Lawrence Krubner](http://www.smashcompany.com/business/why-are-large-companies-so-difficult-to-rescue-regarding-bad-internal-technology)
* [The normalization of deviance in healthcare delivery - John Banja](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2821100/)
* [Bedford and the Normalization of Deviance - Ron Rapp](https://www.rapp.org/archives/2015/12/normalization-of-deviance/)
* [Resilience In Complex Adaptive Systems - Richard Cook(Velocity NY 2013)](https://www.youtube.com/watch?v=PGLYEDpNu60)
* [A Beginner’s Guide to Giving Performance Reviews - Advice for new managers on the most effective way to deliver feedback(Rebecca Fishbein)](https://medium.com/s/story/a-beginners-guide-to-giving-performance-reviews-963aba23bd)
* **Post-Mortems**<a name="postmort"></a>
* [A List of Post-mortems! - Dan Luu](https://github.com/danluu/post-mortems)
* **Project Management**<a name="projm"></a>
* [Anatomy of a runaway IT project - Bruce F. Webster](http://brucefwebster.com/2008/06/16/anatomy-of-a-runaway-it-project/)
* [Why “Agile” and especially Scrum are terrible - Michael O. Church](https://michaelochurch.wordpress.com/2015/06/)
* [17 things that make this the perfect résumé - Áine Cain and Shayanne Gal(BusinessInsider)](https://www.businessinsider.com/why-this-is-an-excellent-resume-2013-11)
* Worthwhile for the first comment in response to the article: "I don’t see anything “senior” about it, or even “engineer”. Seeing problems and solving them is what everyone does. Documenting the solution is one part of solving a problem. An apprentice carpenter does these things, too, and so does a farmer, and a waiter. Unfortunately, it’s not what most software companies reward, or how they operate. Whenever I did this, my manager, at every software company I’ve worked for, would say: “That’s cool, but you’re supposed to add the FooBar feature, and it needs to be done this Friday. Don’t waste time with reverse-engineering, or documentation. Just add one new field to the protocol somewhere. We can clean it up Later(TM).” This is Conway’s Law at work. What sort of company encourages the creation of two critical components which are completely undocumented? The sort of company which doesn’t reward documentation of critical components. That’s not likely to change because the engineer that created them happened to leave. (It took more time to reverse-engineer the protocol than it would have to document it when the knowledge was fresh.) The PM and QA who allowed this to happen are still there, right? What “Senior Engineer” really means is someone who’s spent enough time in the trenches to have earned a job title that allows them the latitude to make these sorts of improvements, and not have a PM question why they aren’t, instead, doing exactly what they were assigned. Look back at the story. Did the “senior engineer” go through proper channels to schedule a “reverse-engineer and document network protocol” task? No, he clearly didn’t trust that it would happen. Or maybe it was already there, but lowest priority (way below “fix CSS on IE”, of course). What was his actual responsibility that week? The story doesn’t say, but I don’t see any remarks about a PM breathing down his neck asking about the CSS fix he asked for (because that PM is the only user of the system, anywhere, of course, who uses IE and sees that particular bug). Documentation is not on this week’s “Sprint”! The process is fundamentally broken. We hear fables like this about how life would be better if we all did something one way (you’ll get promoted to Senior Engineer!), while in practice we’re punished for doing so."
* “Institutions will try to preserve the problem to which they are the solution.” — Clay Shirky
* [Law #8: The Law of Duality - ericsink.com](https://ericsink.com/laws/Law_08.html)
* [Apple’s Software “Problem” and “Fixing” It (via twitter)](https://medium.learningbyshipping.com/apples-software-problem-and-fixing-it-via-twitter-c941a905ba20)
* [Revisiting L0pht testimony – 20yrs later -Space Rogue](https://www.spacerogue.net/wordpress/?p=709)
* **Industry History**
* [15 Months of Fresh Hell Inside Facebook - Nicholas Thompson and Fred Vogelstein](https://www.wired.com/story/facebook-mark-zuckerberg-15-months-of-fresh-hell/)
* [My Canons on (ISC)² Ethics - Such as They Are(2011)](http://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html)
* [How Google Protected Andy Rubin, the ‘Father of Android’ - Daisuke Wakabayashi and Katie Benner(NYT)](https://www.nytimes.com/2018/10/25/technology/google-sexual-harassment-andy-rubin.html)
* [Newly unsealed documents show Steve Jobs' brutal response after getting a Google employee fired - Mark Ames](https://pando.com/2014/03/25/newly-unsealed-documents-show-steve-jobs-brutally-callous-response-after-getting-a-google-employee-fired/)
* [Static Analysis of Docker image vulnerabilities with Clair - Petr Kohut](https://www.nearform.com/blog/static-analysis-of-docker-image-vulnerabilities-with-clair/)
* [Docker Security Best Practices: Part 3 – Securing Container Images - Jeremy Valance](https://anchore.com/docker-security-best-practices-part-3-securing-container-images/)
* [How to implement Docker image scanning with open source tools - Mateo Burillo](https://sysdig.com/blog/docker-image-scanning/)
* [How to Lose a Container in 10 Minutes - Sarah Young(BSidesSF 2019)](https://www.youtube.com/watch?v=fSj6_WgDATE&list=PLbZzXF2qC3RvGRbNQwKcf2KVaTCjzOB8o&index=4)
* Moving to the cloud and deploying containers? In this talk I will discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life (albeit redacted) examples. We'll also look at what happens to a container that's been left open to the Internet for the duration of the talk.
* Understanding and Hardening Linux Containers - NCCGroup
* [Install and run a SPIRE Server and Agent locally on a Kubernetes cluster](https://spiffe.io/spire/getting-started-k8s/)
* This tutorial walks you through getting a SPIRE Server and SPIRE Agent running in a Kubernetes cluster, and configuring a workload container to access SPIRE.
* [Optimising Docker Layers for Better Caching with Nix - Graham Christensen](https://grahamc.com/blog/nix-and-layered-docker-images)
* [Hacking and Hardening Kubernetes Clusters by Example - Brad Geesaman(KubeCon 2017)](https://www.youtube.com/watch?v=vTgQLzeBfRU)
* "an eye-opening journey examining real compromises and sensitive data leaks that can occur inside a Kubernetes cluster, highlighting the configurations that allowed them to succeed, applying practical applications of the latest built-in security features and policies to prevent those attacks, and providing actionable steps for future detection."
* An open-source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES). To learn more about Kamus, check out the blog post and slides.
* [On Docker security: 'docker' group considered harmful - Andreas Jung](https://www.zopyx.com/andreas-jung/contents/on-docker-security-docker-group-considered-harmful)
* [Securing The Docker Containers At CI/CD Pipeline Level - Alina Radu(BSidesBCN 2019)](https://www.youtube.com/watch?v=4whoQoNpu9Y&list=PLDuy2rk8e-D-foVf0ylfnHhSo2elmxRqy&index=10&t=0s)
### <a name="docker"></a> Docker
* [How to write excellent Dockerfiles - Jakub Skalecki](https://rock-it.pl/how-to-write-excellent-dockerfiles/)
* [Reducing Deploy Risk With Docker’s Health Check Instruction - newrelic.com](https://blog.newrelic.com/engineering/docker-health-check-instruction/)
* [What is the purpose of VOLUME in Dockerfile - StackOverflow](https://stackoverflow.com/questions/34809646/what-is-the-purpose-of-volume-in-dockerfile)
* [Controlling access to user namespaces - lwn.net](https://lwn.net/Articles/673597/)
* [Namespaces in operation, part 1: namespaces overview - lwn.net](https://lwn.net/Articles/531114/#series_index)
* [Linux LXC vs FreeBSD jail - Are there any notable differences between LXC (Linux containers) and FreeBSD's jails in terms of security, stability & performance? - unix.StackExchange](https://unix.stackexchange.com/questions/127001/linux-lxc-vs-freebsd-jail)
* **Docker**
* [Docker Security Best-Practices - Peter Benjamin](https://dev.to/petermbenjamin/docker-security-best-practices-45ih)
* [Is it possible to escalate privileges and escaping from a Docker container? - security.StackExchange](https://security.stackexchange.com/questions/152978/is-it-possible-to-escalate-privileges-and-escaping-from-a-docker-container)
* [The Dangers of Docker.sock](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)
* [Abusing Privileged and Unprivileged Linux Containers - nccgroup](https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/)
* [Understanding and Hardening Linux Containers - nccgroup](https://www.nccgroup.trust/uk/our-research/understanding-and-hardening-linux-containers/)
* Linux containers offer native OS virtualisation, segmented by kernel namespaces, limited through process cgroups and restricted through reduced root capabilities, Mandatory Access Control and user namespaces. This paper discusses these container features, as well as exploring various security mechanisms. Also included is an examination of attack surfaces, threats, and related hardening features in order to properly evaluate container security. Finally, this paper contrasts different container defaults and enumerates strong security recommendations to counter deployment weaknesses, helping support and explain methods for building high-security Linux containers. Are Linux containers the future or merely a fad or fantasy? This paper attempts to answer that question.
* [Hash collisions and exploitations - Ange Albertini and Marc Stevens](https://github.com/corkami/collisions)
* The goal is to explore extensively existing attacks - and show on the way how weak MD5 is (instant collisions of any JPG, PNG, PDF, MP4, PE...) - and also explore in detail common file formats to determine how they can be exploited with present or with future attacks. Indeed, the same file format trick can be used on several hashes (the same JPG tricks were used for MD5, malicious SHA-1 and SHA1), as long as the collisions follow the same byte patterns. This document is not about new attacks (the most recent one was documented in 2012), but about new forms of exploitations of existing attacks.
* Firefed is a command-line tool to inspect Firefox profiles. It can extract saved passwords, preferences, addons, history and more. You may use it for forensic analysis, to audit your config for insecure settings or just to quickly extract some data without starting up the browser.
* [Forensics: Monitor Active Directory Privileged Groups with PowerShell - Ashley McGlone](https://blogs.technet.microsoft.com/ashleymcglone/2014/12/17/forensics-monitor-active-directory-privileged-groups-with-powershell/)
* A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.
* [Vulnerability Management Program Best Practices – Irfahn Khimji](https://www.tripwire.com/state-of-security/vulnerability-management/vulnerability-management-program-best-practices-part-1/)
* [Using security policies to restrict NTLM traffic - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865668(v=ws.10))
* [New feature in Office 2016 can block macros and help prevent infection](https://web.archive.org/web/20180527161910/https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/?source=mmpc)
* [Defensive Coding Strategies for a High-Security Environment - Matt Graeber - PowerShell Conference EU 2017](https://www.youtube.com/watch?reload=9&v=O1lglnNTM18)
* [What is conditional access in Azure Active Directory? - docs.ms](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview)
* [What is Active Directory Red Forest Design? - social.technet.ms](https://social.technet.microsoft.com/wiki/contents/articles/37509.what-is-active-directory-red-forest-design.aspx)
* [Securing Privileged Access Reference Material - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)
* [Understanding “Red Forest”: The 3-Tier Enhanced Security Admin Environment (ESAE) and Alternative Ways to Protect Privileged Credentials - ultimatewindowsecurity](https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1409)
* [Planting the Red Forest: Improving AD on the Road to ESAE - Jacques Louw and Katie Knowles](https://www.mwrinfosecurity.com/our-thinking/planting-the-red-forest-improving-ad-on-the-road-to-esae/)
* A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
* [ERNW Repository of Hardening Guides](https://github.com/ernw/hardening)
* This repository contains various hardening guides compiled by ERNW for various purposes. Most of those guides strive to provide a baseline level of hardening and may lack certain hardening options which could increase the security posture even more (but may have impact on operations or required operational effort).
* [Planning for Compromise - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/planning-for-compromise)
* [Recon by Fire](https://github.com/HewlettPackard/reconbf)
* Recon is a tool for reviewing the security configuration of a local system. It can detect existing issues, known-insecure settings, existing strange behaviour, and options for further hardening. Recon can be used in existing systems to find out which elements can be improved and can provide some information about why the change is recommended. It can also be used to scan prepared system images to verify that they contain the expected protection.
* [How to Allow Non-Admin Users to Start/Stop Windows Service - woshub.com](http://woshub.com/set-permissions-on-windows-service/)
* [Protect your enterprise data using Windows Information Protection (WIP) - docs.ms](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
* [Security WatchLock Up Your Domain Controllers - Steve Riley - docs.ms](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc160936(v=msdn.10))
* [Creating a Secure Environment using PowerShell Desired State Configuration - blogs.ms](https://blogs.msdn.microsoft.com/powershell/2014/07/21/creating-a-secure-environment-using-powershell-desired-state-configuration/)
* This script can inventory Firefox and/or Chrome extensions for each user from a list of machines. It returns all the information back in a csv file and prints to console a breakdown of that information.
* [Schillings/SwordPhish - GitHub](https://github.com/Schillings/SwordPhish)
* [Detect Password Spraying With Windows Event Log Correlation](https://www.ziemba.ninja/?p=66)
* [Hunting for SILENTTRINITY - Wee-Jing Chung](https://countercept.com/blog/hunting-for-silenttrinity/)
* [BloodHound and the Adversary Resilience Model](https://docs.google.com/presentation/d/14tHNBCavg-HfM7aoeEbGnyhVQusfwOjOyQE1_wXVs9o/mobilepresent#slide=id.g35f391192_00)
* [CIS Amazon Web Services Foundations](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
* [Blocking Remote Use of Local Accounts - blogs.technet](https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-use-of-local-accounts/)
* [Weaponizing Active Directory - David Fletcher](https://www.youtube.com/watch?reload=9&v=vLWGJ3f3-gI&feature=youtu.be)
* This webcast covers basic techniques to catch attackers attempting lateral movement and privilege escalation within your environment with the goal of reducing that Mean Time to Detect (MTTD) metric. Using tactical deception, we will lay out strategies to increase the odds that an attacker will give away their presence early after initial compromise.
* [Practical PowerShell Security: Enable Auditing and Logging with DSC - Ashley McGlone](https://blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc/)
* [Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators - Rob VandenBrink](https://isc.sans.edu/diary/Where+have+all+the+Domain+Admins+gone%3F++Rooting+out+Unwanted+Domain+Administrators/24874)
* [Why Does the Penetration Testing Team Hate Me? - Ryan Oberfelder](https://medium.com/@ryoberfelder/why-does-the-penetration-testing-team-hate-me-67a981c5e10c)
* [Introducing the Adversary Resilience Methodology — Part One - Andy Robbins](https://posts.specterops.io/introducing-the-adversary-resilience-methodology-part-one-e38e06ffd604)
* [Introducing the Adversary Resilience Methodology — Part Two - Andy Robbins](https://posts.specterops.io/introducing-the-adversary-resilience-methodology-part-two-279a1ed7863d)
* Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
* **Amazon AWS**<a name="aws"></a>
* **AWS**
* [The Open Guide to Amazon Web Services](https://github.com/open-guides/og-aws)
* A lot of information on AWS is already written. Most people learn AWS by reading a blog or a “getting started guide” and referring to the standard AWS references. Nonetheless, trustworthy and practical information and recommendations aren’t easy to come by. AWS’s own documentation is a great but sprawling resource few have time to read fully, and it doesn’t include anything but official facts, so omits experiences of engineers. The information in blogs or Stack Overflow is also not consistently up to date. This guide is by and for engineers who use AWS. It aims to be a useful, living reference that consolidates links, tips, gotchas, and best practices. It arose from discussion and editing over beers by several engineers who have used AWS extensively.
* **Lambda**
* [AWS Lambda - IAM Access Key Disabler](https://github.com/te-papa/aws-key-disabler)
* The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.
* **S3**
* [Amazon S3 Bucket Public Access Considerations](https://aws.amazon.com/articles/5050)
* **Blue team Tactics**<a name="antired"></a>
* Simple tool to configure Windows Filtering Platform (WFP), which can control network activity on your computer. The lightweight application is less than a megabyte and is compatible with Windows Vista and later. You can download either the installer or the portable version. Administrator rights are required for it to work correctly.
* **(General) Hardening**<a name="hardening"></a>
* **101**
* **Browsers**
* **Guides**
* [ERNW Repository of Hardening Guides](https://github.com/ernw/hardening)
* Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.
* **User Awareness Training**<a name="uat"></a>
* **Web**
* [Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2](https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877)
* **Web Browsers**
* **User-Profiling**
* [Browser fingerprints for a more secure web - Julien Sobrier & Ping Yan(OWASP AppSecCali2019)](https://www.youtube.com/watch?v=P_nYYsaVi1w&list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ&index=30&t=0s)
* **WAF**<a name="waf"></a>
* **General**
* NAXSI is an open-source, high-performance, low-rules-maintenance WAF for NGINX.
* [Awesome Windows Domain Hardening](https://github.com/PaulSec/awesome-windows-domain-hardening)
* A curated list of awesome Security Hardening techniques for Windows.
* **Documentation**
* [Introducing the security configuration framework: A prioritized guide to hardening Windows 10 - Chris Jackson(MS)](https://www.microsoft.com/security/blog/2019/04/11/introducing-the-security-configuration-framework-a-prioritized-guide-to-hardening-windows-10/)
* [Harden windows IP Stack](https://www.reddit.com/r/netsec/comments/2sg80a/how_to_harden_windowsiis_ssltls_configuration/)
* In this article you will learn some best-practice suggestions for using service applications according to the IT security rule of least privilege.
* [Best Practice: Securing Windows Service Accounts and Privileged Access – Part 1 - SecurIT360](https://www.securit360.com/blog/best-practice-service-accounts/)
* [Best Practice: Securing Windows Service Accounts and Privileged Access – Part 2 - SecurIT360](https://www.securit360.com/blog/best-practice-service-accounts-p2/)
* [The Five Stages of Vulnerability Management - tripwire](https://www.tripwire.com/state-of-security/vulnerability-management/the-five-stages-of-vulnerability-management/)
* [Implementing a Vulnerability Management Process - SANS](https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180)
* [Building a Model for Endpoint Security Maturity - tripwire](https://www.tripwire.com/state-of-security/vulnerability-management/building-a-model-for-endpoint-security-maturity/)
* [Towards Improving CVSS - CMU SEI](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf)
* [When CVSS Fits and When it Doesn’t - NCC Group](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/when-cvss-fits-and-when-it-doesnt/)
* [Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735 - McAfee Labs](https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/dont-substitute-cvss-for-risk-scoring-system-inflates-importance-of-cve-2017-3735/)
* [Microsoft Exploitability Index - microsoft.com](https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1)
* [The Ultimate Workflow for Writers Obsessed with Quality - Rob Hardy](https://betterhumans.coach.me/the-ultimate-workflow-for-writers-obsessed-with-quality-5b2810e1214b)
* [The Elements Of Style: UNIX As Literature - Thomas Scoville](http://theody.net/elements.html)
-----------------
### Start Here
* Curated list of public penetration test reports released by several consulting firms and academic security groups
* [Penetration tests done by cure53, good examples of how a report should be done.](https://cure53.de/#publications)
* **Writing a Penetration Test Report**
* **Articles**
* [Writing a Penetration Testing Report by SANS](https://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343)
* [Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting)
* [Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/)
* [HowTo: Write pentest reports the easy way](http://blog.dornea.nu/2014/05/20/howto-write-pentest-reports-the-easy-way/)
* [The Penetration Testing Report - websecuritywatch](https://web.archive.org/web/20180201103151/http://www.websecuritywatch.com/the-penetration-testing-report/)
* [Excellent blog post breaking down the various parts, a must read](http://www.websecuritywatch.com/the-penetration-testing-report/)
* [Your Reporting Matters: How to Improve Pen Test Reporting - Brian B. King](https://www.blackhillsinfosec.com/your-reporting-matters-how-to-improve-pen-test-reporting/)
* [Hack for Show, Report for Dough - Brian B. King(WWHF 2018)](https://www.youtube.com/watch?v=c_LBWqNDY0M)
* The fun part of pentesting is the hacking. But the part that makes it a viable career is the report. You can develop the most amazing exploit for the most surprising vulnerability, but if you can't document it clearly for the people who need to fix it, then you're just having fun. Which is fine! But if you want to make a career out of it, your reports need to be as clear and useful as your hacks are awesome. This talk shows simple techniques you can use to make your reports clear, useful, and brief. You'll see some before-and-after examples of a bad report made good, with clear explanations of what makes the difference. Those things will be useful no matter what tools you use to create reports. Then, if we have time, we'll look at some Microsoft Word hacks that will save you time and improve consistency.
* wordy is not a grammar checker. Nor is it a guide to proper word usage. Rather, wordy is a lightweight tool to assist you in identifying those words and phrases known for their history of misuse, abuse, and overuse, at least according to usage experts.
* Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.
* [GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies - usenix conference](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri-update.pdf)
* [moloch--/wire-transfer - GitHub](https://github.com/moloch--/wire-transfer)
##### End Sort
* [TarlogicSecurity/Arecibo - GitHub](https://github.com/TarlogicSecurity/Arecibo)
* [Secure WebDav Egress: AMZ EC2, Apache, and Let's Encrypt - Chris Patten](http://rift.stacktitan.com/alternate-unc-webdav-ssl-and-lets-encrypt/)
* [Return-Oriented Programming without Returns - Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy](https://hovav.net/ucsd/papers/cddssw10.html)
* We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets. Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.
* [Cambridge Analytica explains how the Trump campaign worked](https://www.youtube.com/watch?v=bB2BJjMNXpA)
* Molly Schweickert, Vice President Global Media from Cambridge Analytica on "How digital advertising worked for the US 2016 presidential campaign". How they used Facebook user data and other sources to target specific users with individual messages for the 2016 Trump election campaign. She is Alexander Nix' digital marketing expert.
* [Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else - Cooper Quintin(EFF)](https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else)
* SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model.
* [Pulling Back the Curtain on Airport Security: Can a Weapon Get Past TSA? - Billy Rios - BHUSA 2014](https://www.youtube.com/watch?reload=9&v=hbqVNlwfjxo)
* Every day, millions of people go through airport security. While it is an inconvenience that could take a while, most are willing to follow the necessary procedures if it can guarantee their safety. Modern airport security checkpoints use sophisticated technology to help the security screeners identify potential threats and suspicious baggage. Have you ever wondered how these devices work? Have you ever wondered why an airport security checkpoint was set up in a particular configuration? Join us as we present the details on how a variety of airport security systems actually work, and reveal their weaknesses. We’ll present what we have learned about modern airport security procedures, dive deep into the devices used to detect threats, and we’ll present some of the bugs we discovered along the way.
* [Real-life experiences in avionics security assessment (A. Barisani)](https://www.youtube.com/watch?v=xtSmPgXw34I&feature=youtu.be&app=desktop)
* **Attacking**
* [It's all about the timing... - Blackhat talk](https://www.blackhat.com/presentations/bh-usa-07/Meer_and_Slaviero/Whitepaper/bh-usa-07-meer_and_slaviero-WP.pdf)
* Description: This paper is broken up into several distinct parts, all related loosely to timing and its role in information security today. While timing has long been recognized as an important component in the cryptanalyst's arsenal, it has not featured very prominently in the domain of Application Security Testing. This paper aims at highlighting some of the areas in which timing can be used with great effect, where traditional avenues fail. In this paper, a brief overview of previous timing attacks is provided, the use of timing as a covert channel is examined and the effectiveness of careful timing during traditional web application and SQL injection attacks is demonstrated. The use of Cross Site Timing in bypassing the Same Origin policy is explored, as we believe the technique has interesting possibilities for turning innocent browsers into bot-nets aimed at, for instance, brute-force attacks against third-party web-sites.
* [A Look In the Mirror: Attacks on Package Managers](https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf)
* [VM as injection payload ](http://infiltratecon.com/downloads/python_deflowered.pdf)
* [Thousands of MongoDB installations on the net unprotected](http://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf)
* Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows, in contrast to Cygwin and other tools.
* **Network**
* [Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
* [You Suck at Excel with Joel Spolsky(2015)](https://www.youtube.com/watch?v=0nbkaYsR94c&feature=youtu.be)
* The way you are using Excel causes errors, creates incomprehensible spaghetti spreadsheets, and makes me want to stab out my own eyes. Enough of the =VLOOKUPs with the C3:$F$38. You don't even know what that means.
* [Maker's Schedule, Manager's Schedule - Paul Graham(2009)](http://www.paulgraham.com/makersschedule.html)
* [Reaching Peak Meeting Efficiency: Meetings are a critical tool for building a diverse, high-performance team with shared values - Steven Sinofsky](https://medium.learningbyshipping.com/reaching-peak-meeting-efficiency-f8e47c93317a)
* [Salary Comparison Across Various companies](https://www.levels.fyi/)
* [How to Apply Critical Thinking Using Paul-Elder Framework - designorate](https://www.designorate.com/critical-thinking-paul-elder-framework/)
* [When to Test and How to Test It - Bruce Potter - Derbycon7](https://www.youtube.com/watch?v=Ej97WyEMRkI)
* "I think we need a penetration test." This is one of the most misunderstood phrases in the security community. It can mean anything from "Someone should run a vulnerability scan against a box" to "I'd like nation-state capable actors to tell me everything that's wrong with my enterprise" and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you've got a specific product you're trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.
* [Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models](https://www.usenix.org/conference/usenixsecurity18/presentation/mickens)
* Some people enter the technology industry to build newer, more exciting kinds of technology as quickly as possible. My keynote will savage these people and will burn important professional bridges, likely forcing me to join a monastery or another penance-focused organization. In my keynote, I will explain why the proliferation of ubiquitous technology is good in the same sense that ubiquitous Venus weather would be good, i.e., not good at all. Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits. At some point, my microphone will be cut off, possibly by hotel management, but possibly by myself, because microphones are technology and we need to reclaim the stark purity that emerges from amplifying our voices using rams’ horns and sheets of papyrus rolled into cone shapes. I will explain why papyrus cones are not vulnerable to buffer overflow attacks, and then I will conclude by observing that my new start-up papyr.us is looking for talented full-stack developers who are comfortable executing computational tasks on an abacus or several nearby sticks.
* [Organizational Theory - Wikipedia](https://en.wikipedia.org/wiki/Organizational_theory)
* **Compensation/Salary Negotiation**
* **Culture**
* [Containers Will Not Fix Your Broken Culture (and Other Hard Truths) - Complex socio-technical systems are hard; film at 11. - Bridget Kromhout](https://queue.acm.org/detail.cfm?id=3185224)
* The Peter principle is a concept in management developed by Laurence J. Peter, which observes that people in a hierarchy tend to rise to their "level of incompetence". In other words, employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another. The concept was enunciated in the 1969 book The Peter Principle by Peter and Raymond Hull.
* The Dilbert principle refers to a 1990s theory by Dilbert cartoonist Scott Adams stating that companies tend to systematically promote their least competent employees to management (generally middle management), to limit the amount of damage they are capable of doing.
* [The Iron Law of Bureaucracy](https://www.jerrypournelle.com/reports/jerryp/iron.html)
* Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people:
* `First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.`
* `Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.`
* The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.
* **Management**
* [The Tyranny of Structurelessness - Jo Freeman](https://www.jofreeman.com/joreen/tyranny.htm)
* [That’s still not my RJ 45 Jack - IRL Networking for Humans Pt 2 - Johnny Xmas](https://www.irongeek.com/i.php?page=videos/converge2015/%22track112-how-to-dress-like-a-human-being-irl-networking-for-humans-pt-2-johnny-xmas%22)
* We're smart. We're incredibly tech savvy. We can rock some mad OSINT with our Google-Fu. We're 85% +-10% sure which part of the body a hat goes on. We think you can never have enough beard. WE THINK THAT'S ACCEPTABLE. The second in his multi-part series on building social prowess, this talk will focus on the inconvenient truth of your book always, always, always being judged by its cover, and how to deal with that with minimal effort so you can get back to sewing more pockets on your utilikilt. This talk covers both male and female situations, though it is primarily unisex. We'll get you set up with a core wardrobe and hygienic skillset so you'll be able to roll out of bed, spend minimal time "getting ready," rock the dreaded client-facing meeting or industry meetup, and get you back home where you can safely take your pants off.
* **Problem Solving**
* [The XY Problem](http://xyproblem.info/)
* The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.
* [The AZ Problem](http://azproblem.info/)
* This website introduces the AZ Problem: a generalization of the XY Problem. To wit, if we agree that the XY Problem is a problem, then the AZ Problem is a metaproblem. And while the XY Problem is often technical, the AZ Problem is procedural. The AZ Problem is when business requirements are misunderstood or decontextualized. These requirements end up being the root cause of brittle, ill-suited, or frivolous features. An AZ Problem will often give rise to several XY Problems.
* **Surrounding Environment**
* [My Canons on (ISC)² Ethics - Such as They Are(2011)](http://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html)
* [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/en-gb/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809#windows-error-reporting-events)
* [The Role of Evidence Intention - Chris Sanders](https://rhinosecuritylabs.com/application-security/simplifying-api-pentesting-swagger-files/)
* [$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase - Matthew Dunwoody, Daniel Bohannon(BruCON 0x0A)](https://www.youtube.com/watch?v=YGJaj6_3dGA)
* Signatures are dead, or so we're told. It's true that many items that are shared as Indicators of Compromise (file names/paths/sizes/hashes and network IPs/domains) are no longer effective. These rigid indicators break at the first attempt at evasion. Creating resilient detections that stand up to evasion attempts by dedicated attackers and researchers is challenging, but is possible with the right tools, visibility and methodical (read iterative) approach. As part of FireEye's Advanced Practices Team, we are tasked with creating resilient, high-fidelity detections that run across hundreds of environments and millions of endpoints. In this talk we will share insights on our processes and approaches to detection development, including practical examples derived from real-world attacks.
* [EventList - miriamxyra](https://github.com/miriamxyra/EventList)
* [Different Approaches to Linux Monitoring - Kelly Shortridge](https://capsule8.com/blog/different-approaches-to-linux-monitoring/)
* [Detecting the Elusive Active Directory Threat Hunting - Sean Metcalf(BSidesCharm2017)](https://www.youtube.com/watch?v=9Uo7V9OUaUw)
* Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack be detected? This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks. One of the latest tools in the offensive toolkit is "Kerberoast", which involves cracking service account passwords offline without admin rights. This attack technique is covered at length, including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed. The attacker's playbook evolves quickly; defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks.