• Some Appsec Haikus

    Writing show intros provides a brief and enjoyable creative outlet. I have yet to present a haiku, although I have dipped into limericks – of which I have several more drafts in the queue. In one October episode I reimagined a stanza from The Raven.

    And now I have a few experiments with haikus.

    That popular web app security list

    Ten plagues on software
    OWASP documents them all
    Bug bounties prosper

    Prioritization

    A vuln disclosure
    CVSS rating high
    Maybe I’ll fix it

    Hype or critical...

    A vuln disclosure
    CVSS version 3
    Uncalculated

    Reading someone else's code

    Code review begins
    Visions of apocalypse
    A plus one appears

    Git. When things go right.

    Merge request is sent
    Git undertakes a commit
    A branch perseveres

    Git. A three-letter command for producing four-letter words.

    Git rebase push pull
    Force reset now detached head
    The branch defeats us

    Cryptocurrencies

    lol lmao
    seriously so much lol
    and a little fraud

    Web3

    Inspiring problems
    Decentralized solutions
    Ends in vaporware
    • • •
  • Today is the fourth anniversary of the fourth edition of Anti-Hacker Tool Kit. Technology changes quickly, but many of the underlying principles of security remain the same. The following is an excerpt from the introduction.

    AHT4

    Welcome to the fourth edition of the Anti-Hacker Tool Kit. This is a book about the tools that hackers use to attack and defend systems. Knowing how to conduct advanced configuration for an operating system is a step toward being a hacker. Knowing how to infiltrate a system is a step along the same path. Knowing how to monitor an attacker’s activity and defend a system are more points on the path to hacking. In other words, hacking is more about knowledge and creativity than it is about having a collection of tools.

    Computer technology solves some problems; it creates others. When it solves a problem, technology may seem wonderful. Yet it doesn’t have to be wondrous in the sense that you have no idea how it works. In fact, this book aims to reveal how easy it is to run the kinds of tools that hackers, security professionals, and hobbyists alike use.

    A good magic trick amazes an audience. As the audience, we might guess at whether the magician is performing some sleight of hand or relying on a carefully crafted prop. The magician evokes delight through a combination of skill that appears effortless and misdirection that remains overlooked. A trick works not because the audience lacks knowledge of some secret, but because the magician has presented a sort of story, however brief, with a surprise at the end. Even when an audience knows the mechanics of a trick, a skilled magician may still delight them.

    The tools in this book aren’t magical; and simply having them on your laptop won’t make you a hacker. But this book will demystify many aspects of information security. You’ll build a collection of tools by following through each chapter. More importantly, you’ll build the knowledge of how and why these tools work. And that’s the knowledge that lays the foundation for being creative with scripting, for combining attacks in clever ways, and for thinking of yourself as a hacker.

    I chose magic as a metaphor for hacking because it resonates with creative thinking and combining mundane elements to achieve extraordinary effects. Hacking (in the sense of information security) involves knowing how protocols and programs are constructed, plus the tools to analyze and attack them. I don’t have a precise definition of a hacker because one isn’t necessary. Consider it a title to be claimed or conferred – your choice.

    Another reason the definition is nebulous is that information security spans many topics. You might be an expert in one, or a dabbler in all. In this book you’ll find background information and tools for most of those topics. You can skip around to chapters that interest you.

    The Anti- prefix of the title originated from the first edition’s bias towards forensics that tended to equate Hacker with Attacker. It didn’t make sense to change the title for a book that’s made its way into a fourth edition. Plus, I wanted to keep the skull-themed cover.

    Consider the prefix as an antidote to the ego-driven, self-proclaimed hacker who thinks knowing how to run canned exploits out of Metasploit makes them an expert. They only know how to repeat a simple trick. Hacking is better thought of as understanding how a trick is constructed or being able to create new ones of your own.

    Each chapter sets you up with some of that knowledge. And even if you don’t recognize an allusion to Tenar or Gaius Helen Mohiam, there should be plenty of technical content to keep you entertained along the way. I hope you enjoy the book.

    • • •
  • The summer conference constellation rises over Las Vegas for about one week every year. The trio of Black Hat, BSidesLV, and DEF CON historically generates loud, often muddled, concerns about personal device security. Sometimes the concern is expressed through hyperbole in order to point out flawed threat models. Sometimes it’s based on ignorance tainted with misapplied knowledge. Either way, perform the rituals and incantations that make you feel better. Enjoy the conferences, have fun, share knowledge, learn new skills.

    Hubble Captures View of Mystic Mountain

    Whatever precautions you take, ask why they’re necessary for one special week of the year. If the current state of security for devices and web sites can’t handle that week, I find that a failure of infosec and an indictment of appsec’s effectiveness after three decades.

    It’s another way of asking why a device’s current “default secure” is insufficient, or asking whether we need multi-page hardening guides vs. a default hardened configuration.

    Keep in mind there are people with security concerns all 52 weeks of the year. People who are women. People in minority groups. People in abusive relationships. People without political representation, let alone power. Most often these are people who can’t buy a “burner phone” for one week to support their daily needs. Their typical day isn’t the ambiguous threat of a hostile network. It’s the direct threat from hostile actors – those with physical access to their devices, or knowledge of their passwords, or possibly just knowledge of their existence. In each case they may be dealing with a threat who desires access to their identity, data, and accounts.

    There are a few steps anyone can take to improve their baseline security profile. However, these are just a starting point. They can change slightly depending on different security scenarios.

    (1) Turn on automatic updates.

    (2) Review authentication and authorization for all accounts.

    • Use a password manager to assign a unique password to every account.
    • Enable multi-factor authentication (MFA), aka two-factor authentication (2FA) or two-step verification (2SV), for all accounts that support it.
    • Prioritize enabling MFA for all accounts used for OAuth or social logins (e.g. Apple, Facebook, Google, LinkedIn).
    • Prefer WebAuthn authentication flows. WebAuthn cryptographically binds a credential to both the user’s device and the server, which prevents replay attacks if the traffic is intercepted and reuse attacks if the server’s credential store is compromised.
    • Review third-party app access (usually OAuth grants) and remove any that feel unnecessary or that have more permissions than desired.

    (3) Review MFA support (or activation factors as NIST 800-63B calls them)

    • Prefer factors that rely on FIDO2 hardware tokens, biometrics, or authenticator apps.
    • Only use factors based on SMS or email if no better option is available.
    • For authenticator apps, enable backups or multi-device support in order to preserve access in case of a lost device.
    • Record and save recovery codes associated with enabling MFA. Choose a storage mechanism sufficient for your needs, such as printed and placed somewhere safe or in a password-protected keychain.

    Talk to someone who isn’t in infosec. Find out what their concerns are. Help them translate those concerns into ways of protecting their accounts and data.

    Apple recently released Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura. It provides users with increased protection for their system by ensuring a secure default as well as disabling features that typically have security issues. It’s effectively a one-click hardening guide and attack surface reduction. By disabling features prone to abuse, it carries a usability cost. But ultimately it’s an easy way for any user to have more security when they need it.

    Not everyone has an iPhone and not everyone has threats limited to account takeover.

    One resource with technical recommendations in non-technical jargon is Speak Up & Stay Safe(r).

    The EFF has a wide collection of practices and tools in its Surveillance Self-Defense guide. Notably, it lists different security scenarios you might find yourself in and how to adapt practices to each of them.

    The expectation for modern devices and modern web sites should be that they’re safe to use, even on the hostile network of an infosec conference. If an industry can’t create a safe environment for itself, why should it be relied on to create a safe environment for anyone else?

    • • •