Petko D. Petkov

Who are you, and what do you do?

My name is Petko D. Petkov. People on The Internet know me simply as pdp or pdp architect. I tweet under @pdp.

I am founder of GNUCITIZEN (an Information Security Think Tank in London) and also founder of Websecurify (a Web Application Security product company - we make scanners, fuzzers, proxies, etc).

I have done many things around security research and even had the chance to contribute to several books. I used to spend most of my time discovering bugs - those that make you say “OMG, we broke The Internet”. Lately, however, I am more involved with building stuff. I love the startup community and I am also an entrepreneur at heart.

What hardware do you use?

I like simplicity. Throughout my life I’ve used countless devices, which have been disposed of as soon as they fulfil their purpose. I stick to one laptop and one phone. I prefer using Apple hardware. All other hardware is emulated and outsourced to other people to manage.

And what software?

I use the Terminal, TextMate and VIM all the time because I code. I use NodeJS, GO, Python and XCode. These are my 4 coding environments. At any given moment I have at least one of these programs open.

Oh, and I use browsers too - like all the time. My entire security testing toolkit is made of web apps, thanks to Websecurify (the company I founded). All tools are delivered as web apps but the actual testing occurs from the browser itself. This is pretty novel when it comes to Software as a Service solutions because I can use web-based tools to test stuff on any computing environment that my browser can reach - localhost, virtual machines, stuff behind the corporate firewall, etc. In my mind this is the future for software distribution and this is what I’ve been working on to bring into the information security practice.

What would be your dream setup?

Unlike many quintessential hackers I don’t like the idea of being constantly exposed to radiation from multiple monitors. My perfect setup will be just a phone. All I need is one device that is small enough to carry, which I can plug into larger stations for work whenever I need to. I think we will eventually get there. It will take 5 to 10 years but it will happen.

In terms of software, I am not picky. I can make use of whatever is available.

How do you streamline your workflow?

Automation. Whatever I need to do more than once, I automate.

Is there anything you want to plug?

Yes! Websecurify. It is the best web application security testing software since sliced bread. No, but for real!

Jan Fry

Who are you, and what do you do?

My name is Jan Fry. I work for Corsaire as an IT Security Consultant and I am also the minormind behind this website. I spend most of my time assessing web applications and I still get a kick out of finding cross-site scripting after seven years in the industry.

What hardware do you use?

A bit like Uri, I have minimalist tendencies and therefore my tech collection is quite sparse, but I don’t mind spending money on the right piece of kit. I currently use a Sony Vaio SVS13A; for me it offered the best balance for power, portability and screen resolution when I bought it two years ago. I was tempted at the time to stick with Lenovo, having used an X200s for years, but for some inexplicable reason, RAM on Lenovo’s more portable range seems to have stalled at 8GB. The Vaio offered 12GB, which is just the right amount for me to be able to run my virtual machines.

As soon as I bought the laptop, I dropped a 256GB Samsung SSD840 in it and remain continually amazed at how fast it boots. 256GB gives me enough space for my regularly used virtual machines and tools. Everything else (e.g. ISOs) lives on an assortment of USB keys.

I also have an iPhone 5 (it has so far survived the upgrade itch) and a selection of useful adapters and cables.

And what software?

My host OS is a pretty basic Windows 7 install, I use this mainly for Interweb browsing. My “toolkit” collection also lives on my host and I share the folder across my virtual machines. There are currently five main ones:

  • Windows Thin PC for daily testing - This is a lightweight version of Windows 7 which I have found works for most of my testing requirements. This was the closest I could get to my old heavily stripped down Windows XP build without bluescreening daily. Occasionally I will need to build another full Windows 7 VM for particularly fussy thick-client applications.
  • Windows 8 for reporting and other office related work - I like to keep this stable and separate from my testing VMs. I built it using the WIMBoot option, it is a fairly small install size too.
  • Ubuntu for everything that won’t run on Windows Thin PC.
  • Kali as a backup.
  • BeeBox for testing tools.

The toolkit itself has a collection of tools, scripts and installers that I have built up over the years. I’ve gone through a few different attempts to organise it all and while I can generally find what I’m looking for there is definitely a lot of tidying up to do. I should really back it up more often than I do.

I could ramble on for a while about all the tools in my collection but I’ll stick to the most frequently used:

  • Firefox with addons - Still my favourite browser for everyday web app testing with add-ons like Tamper Data, FoxyProxy and HackBar. I realise you can get similar add-ons on Chrome but its permission requests weird me out (More tinfoil for your hat, sire?)
  • Burp Suite - No surprises there, (almost) everyone’s favourite proxy tool. I have been looking closely at ZAP’s development but find it hard to make the switch as I have a comfortable work flow with Burp. I will occasionally break out Fiddler for some proxy-chaining action if Burp is misbehaving, particularly for weird NTLM/Kerberos configurations.
  • DirBuster - Another soft spot of mine. I could probably cover the same ground with other tools or within Burp but I’m just used to DirBuster now. Combining it with Daniel Miessler’s awesome SecLists project makes for a very handy little tool.
  • SQLMap - Another predictable entry I suppose but still the best tool for finding SQLi in my experience.
  • SWFScan - Helps sniff out vulnerabilities like XSS and redirects on flash files. Comes in handy surprisingly often!

On the non-testing side (i.e. report writing), there are the usual “necessary evils” of Microsoft Word and Excel.

What would be your dream setup?

I am, once again, drawn to the Apple ecosystem. The ideal would be a 12” MacBook Air with 12+GB RAM and a retina display. I’d like to be able to run most of my tests from the host OS (although the idea of not being able to snapshot gives me the heebie-jeebies). It would be super-awesome-cool if I could run any of my tools without having to consider which OS they require (Docker mayhap?)

I’d also like to find a more elegant way to organise, maintain and back up my toolkit but I’m not sure what that really looks like yet! I have attempted on a couple of occasions to create a local wiki of sorts, but inevitably end up neglecting them and reverting back to random text files and poorly organised folders of scripts and applications.

I realise I may be trying to reinvent the wheel and that half of the two people, who will still be reading this far, will be thinking “use Kali, you idiot” but I actually quite enjoy thinking about my setup and trying to streamline it to my own requirements. Having said that, suggestions are welcome ;)

Larry W. Cashdollar

Who are you, and what do you do?

I’m Larry W. Cashdollar. I’m a hobbyist vulnerability researcher, exploit coder. For my day job I work in the CSIRT group at Akamai Technologies. I mostly enjoy legacy Unix systems, but recently I’ve been looking at ruby gems. I think I’ve contributed around 75 CVEs since 1998 ranging from /tmp race conditions to remote buffer overflows.

What hardware do you use?

I have an 8 core AMD Athlon with 8GB of RAM and 750GB of disk. I also have various laptops from a 486 dx100 to a 2 CPU 1.6GHz HP netbook. I’ve also got 2 dual core x86 desktops with 4GB of RAM each and various rooted Android devices ranging from Droid Bionics to my son’s old Nabi Tab. I also have three Raspberry Pis.

And what software?

A few flavors of Linux running under VirtualBox, but I also run Solaris x86. I think I’ve got Windows XP and Vista running too. My website www.vapid.dhs.org is running on a Raspberry Pi with an HTTP server I wrote in C. It’s behind Akamai’s CDN so you could say I have the smallest origin on the largest CDN.

What would be your dream setup?

A collection of Legacy Unix systems, DEC Alpha, HP, SGI, RS6000 all running IRIX, HP-UX, AIX etc.

Russell Howell

Who are you and what do you do?

I’m Russ Howell and I am the senior consultant at FINAO LLC. I entered the IT field in 1994 as a bench tech, and left the corporate slave ship in 1999 as IT Director for a Fortune 500 division. FINAO started as an IT services company for healthcare: you know, server builds, broken printers fixed, etc. Over the past five years we have moved away from network/hardware as our focus and into security and media.

I do mostly Risk Assessments, policy and procedure audit and authoring, and firewalls and VPNs. However, I have also done physical pen testing, red teaming and even work “undercover” as an employee for process and stop loss audits. Oh, and we get the occasional “I think my office is bugged” call. Unfortunately, some of the jobs we do end in closings, arrests, and terminations, so physical threats are real.

What hardware & operating systems do you use?

I am rarely in our office, so I live out of a Vertx bag most days. Its usual contents include an HP Elitebook 2540P from the refurb shelf (love the little flip out light for the keyboard); it normally runs Win7 Pro, but I also have Tails on USB and 8.1 E on USB. The working tools are Open Office, ZenMap, John The Ripper, Backtrack and Wireshark. Twitter and Wordpress, along with Evernote and Firefox with Ghostery or Chrome, are mainly where I spend time.

Also in the bag is a small USB battery pack for recharging the Samsung 4s, IronKey thumb drives and IronKey USB hard drives, a pair of mini binoculars, pens, Rite-in Rain pad, entry kit, Fenix flashlight, Israeli trauma bandage, Swiss Army Knife, patch cables, business cards, etc. Oh, and a Fuente Cigar and an ITS Tactical Urban kit (modified).

On bigger jobs a second bag with an aging Pentax DSLR and lenses, Uniden BCD436HP scanner, Optoelectronics Scout, and other OPSEC sensitive equipment.

At the office we have 3 Wintel Servers (Quad core, multi processor, RAID 5 and 10 arrays) for VMs and to brute force with, and my antique PC, which is used for, well, office work. It’s an old Emachine with Win7 64bit and multiple video cards so I can multi-task on two 23” Samsung displays.

Furniture is an old 6 foot long table, Black and Decker coffee pot and whatever chair I steal from other tenants in the building that day.

What would be your dream setup?

Moving that way before year end. Likely a MacBook Air, but might also look into a Chromebook or even a Surface. I am most anxious to add more staff and get away from the mundane. I really enjoy doing employee security awareness training for clients along with the red-team/pen testing, so my goal is to lighten up my daily gear and make my office fit entirely on a 3-4lb device and everything else in my pockets unless I am on an active pen test job.

As the office grows (we really just have a big “team room” now), I’d like to turn one of our server class units into a quad monitor workstation running a VM or three. Being a news-junky I could dedicate one 35” display to news, one to stocks, one to email and one to actual work. Oh, and a couple of drones: one for camera and wireless work and one to fetch me coffee and scare off interns.

Robert Graham

Who are you, and what do you do?

My name is Robert Graham. I write lots of code. I hack lots of things. I write lots of blogs.

What hardware do you use?

My desktop is an old 6-core Nehalem system with 24-gigs of RAM with a Radeon 6790. These are fairly old specs, but really, modern specs aren’t significantly faster than this. My laptop is a MacBook Air 2012, 13-inch. I split my time about half-and-half between them.

I have a three monitor setup, a 30-inch 2560x1600, a 19-inch 1280x1024 to the side, and a 42-inch 1080p TV up above. The TV is for BluRay or NetFlix, it’s too impractical to do anything useful on. I restrict myself to the two monitors because I keep losing the damn mouse pointer when there’s too many.

The coolest thing about my setup is that the computer is in the closet on the other side of the wall. USB and monitor cables go through a hole in the wall to the other side. It means the room is utterly quiet without fan noise. Even with password cracking going with the fan set manually to high, I still can’t hear the loud computer on the other side of the wall.

My desktop boots from an SSD, with mirrored 3-terabyte drives for local storage. For mass storage, I have a Synology 8-bay NAS with 3-terabyte drives in a RAID6 configuration (18-terabytes). It’s dual 1-gig Ethernet from the desktop to the hub to the NAS. The hub is a 24-port managed hub (for doing things like setting up monitor ports to watch things). I had to upgrade the hub to get link aggregation to work.

In addition, the desktop has a quad-port RAID card with four SSD drives that delivers 1.6 gigabytes-per-second of bandwidth on reads. Among the things I do is write very fast file and network parsers, which are much faster than network drives. Therefore, I need a fast enough drive so that it’s not the bottleneck. So, for example, my DNS server that I wrote parses the 8-gigabyte .com zonefile about 3 times faster than ‘wc’ (wordcount), or about 30 seconds. Being that ‘wc’ is a damn simple parser, and the DNS server must not only parse but also insert the records into the database, this is really fast. The upshot is that if I don’t have a quad SSD RAID, the disk rather than my code becomes the bottleneck. Also, Diablo III loads insta-fast off the quad SSDs :)

The desktop and the laptop are old because my hardware budget goes to other things. I have a mini-rack with an 8-port 10-gbps Ethernet hub, with three servers attached: quad-core 3-ghz IvyBridge server processors with 32-gigs of RAM and a dual port 10-gbps Ethernet card. These servers are 1U half-length tiny devices: there’s just enough room for the motherboard, the Ethernet card, and an SSD boot drive. This little rack allows me to do 10-gbps testing with things like my masscan port scanner or my DNS server.

Also, I have a five Radeon 290x system mining Litecoin, which I occasionally also use for password cracking. The lesson here is that having the latest graphics cards in your desktop is for chumps – they should be in your cracking/mining server.

I also have a variety of build machines like Raspberry Pi and “netbooks” that automatically download my software every night and build/regression test it. I have a little MacMini with a lot of RAM as the test target, running a bunch of different target servers in VMs.

I have only a 75-mbps connection to the Internet, which is sufficient for shelling out to hosting environments where I have 1-gbps connections for doing things like Internet scanning.

And what software?

My desktop runs Windows, though always with a Linux VM in the background (usually Kali, though sometimes Ubuntu, or both). Partly this is because Linux desktops are still a pain, it’s just a ton easier running Windows with Linux in a VM. Partly this is because Microsoft’s VisualStudio programming environment is much better than anything on Linux. I’m not trolling here. My standard paradigm is to write a few lines of code, then step through with the debugger to make sure what I wrote works, then write a few more lines of code. This works in VisualStudio, this doesn’t work well in any Linux environment I’ve tried, though Eclipse will work in a pinch.

My laptop runs Mac OS X most of the time, mostly to use XCode to debug Unixy things that don’t work on Windows. XCode is not as friendly to debugging as VisualStudio, but it’s still a lot better than Linux stuff. I also have Bootcamp loaded with Windows, but I find I use Windows less and less on the notebook. More and more, apps are just inside Chrome, so the operating system doesn’t really matter.

Other than that, I use the standard apps: Chrome, Word, PowerPoint, Google Docs.

What would be your dream setup?

What I have, except I’d like a 10-gbps connection to the Internet for insane scanning.

How do you streamline your workflow?

Two years ago I got an 18-terabyte NAS. It means I stop having to manage disk space, and helped me organize all the data tremendously. I use the cloud, like GitHub, to organize things as well. These days, if I have a file, I always know where it is. In the past, I had to hunt across slow disks to find it.