12.27.2006

I know him, even if no one else does now

Every so often something hits the Internet that rocks the foundation of a group. Not simply because it's something new, something innovative, something that changes the way you think, but because you also know the guy who did it. Now I've had friends who've made their impact on the net. I've even been involved myself a few times. I had a friend who beat up a mugger with an iPod Mini, leading to a whole slew of jokes on various Apple related blogs.

This takes the cake.

In an act of extreme interest in the betterment of mankind and in improving security for us all, an associate of mine, one Mr. Mark Lance, has shown a huge flaw in the policies and procedures of the NoVA DMV.

Video 1


Video 2


Now this demonstrates many things about the insecurity of our main system of identification in this country. I don't think I need to insult you, nor repeat the already well spoken words of Mr. Bruce Schneier. But yeah, I know that guy. Crazy, isn't it?

12.20.2006

The Degree Debate - Is a degree necessary in tech?

This post is a little close to the vest (is that the actual phrase?) so I'm not quite sure where it's gonna go.

As I state quite freely in my 'About Me' bit on my blog, I have not yet fully completed my Bachelor of Science degree in Information Sciences and Technology from Penn State. It's close, only 10.5 credits away.

The Breakdown:
- 3 credits of IST331 - An Introduction to Human/Computer Interaction.
- 3 credits of either IST412 (Structured Programming) or IST413 (User Interface Design).
- 3 credits of IST440w - IST Senior Capstone Class.
- 1.5 credits of Kinesiology (aka Gym Class).

I planned on finishing all these requirements this past fall, taking a ninth semester. This choice was made last spring, and a week after I got my job offer from my present employer. After deliberation I decided it was too good an offer to pass up, and so here I am outside our nation's capital, doing my thing.

Ever since then everyone and their brother (or more often mother) has harped on me about how important it is that I get my degree. I hear reasons like "You're so close!" or "You'll only go so high without a degree!" or "What if you lose your job?" day in and day out. I'm already wondering how many conversations I have with my family this Christmas will be 3 minutes about my new job and 7 minutes having a family member, who most likely is making less money than I do with lower job security and multiple mouths to feed, lecturing me about how I'm in an unstable situation and need to finish my degree.

The more I think about it I just want to turn to them all and ask "Do I really? I'm not so sure I really do." Honestly I'm not convinced. I have a few reasons for this. The computer industry is not the business industry of the 1980s. A Bachelor's degree is not a magic ticket. While there are many talented people in this business that have degrees there are nearly as many equally talented people who don't have them. Nicholas Negroponte is building his own computer to change the world, and he has a PhD. Bill Gates and Steve Jobs also built their own computers that changed the world, and they were dropouts. Bruce Schneier is (or was, depending on people's opinions) a leader in the security field and holds a Master's in computer science from American University. H.D. Moore is also a leader of the security field and as far as I can tell never went to college at all. Even closer to home I have good friends who are leaders in the computer security world, some with degrees, many without.

Since it seems to have little to do with my overall success in my chosen field I always question what will a degree do to benefit me? If you scroll back up and look again at the classes I'm going to have to take I think you'll agree that they aren't really relevant to my career path. IST440w especially seems stupid, since the whole point is to prove you can survive in the business world. Guess what, I think I'll be ok. Maybe it's the gym class that I need.

Now that I've ranted enough about this I'm going to admit that I do plan to finish my degree soon. The combined forces of being so close, having an employer who will pay for it, the desire to be a professor someday (and thus needing a PhD to go with a BS), and my parents' wishes are too much for me to fight against. I'm still not convinced it's necessary, nor a real boon in the InfoSec/Computer field anyway.

I'd love to hear various people's thoughts on this. Do you think a degree has helped or will help you? What skills do you think you gained in an educational environment that will help you in business? What gym class should I take? These are all important questions, and I hope some of you, my readers, will take the time to answer them.

AIM 6.0 Ad Removal Hack

Recently I downloaded the new AIM 6.0 for Windows. I don’t want this to turn into a review of the new client, but I do want to say I am a huge fan. My main problems with previous versions of the official AIM clients were that they were littered with bugs and had less than user-friendly designs. For the most part AIM 6.0 has cleared all this up. Unfortunately the ad on the buddy list itself is still there.

While this ad space on the list is a nuisance, I have my own concerns about the security of such ads. Since they are from 3rd party providers (not AOL itself), it makes me wonder if this space could eventually be used as a carrier for exploits. Sure, this may be paranoid thinking, but as the old cliché goes, better to be safe than sorry.

My theory behind removing the ads was simple – just block the connection to the ads. The first step was to close down all those little programs that like to talk to the Internet (Skype, Gmail Notifier, etc.). Next, I booted up Wireshark and started listening while I signed on to AIM. From there it was simply a matter of analyzing the conversation between the client and all its outbound connections. With a little trial and error I was able to map out the dubious domains. Using my hosts file, I was able to prevent the AIM client from successfully retrieving ads.

Without further ado…

  1. Open your hosts file (%systemroot%/system32/drivers/etc) with a text editor - I recommend wordpad.
  2. Add entry 127.0.0.1 ar.atwola.com (removes the ads)
  3. Add entry 127.0.0.1 ads.web.aol.com (doesn't remove the ads, but added for good measure)

As you can see, the ad removal is simply a matter of adding two lines to the hosts file. Unfortunately, while this does remove the ads, it does not remove the designated space for the ad. Also, an interesting side effect - apparently it removes ads from the aol.com-related sites as well.
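A way to check and maintain the two entries from the steps above, as an added example that is not part of the original post: it parses hosts-file text, reports whether each ad hostname is sinkholed, and appends only the lines that are missing. The sample file content and the function names are constructed for illustration, and the "first entry wins" behaviour is an assumption about the resolver.

```python
import ipaddress

# Hostnames taken from steps 2 and 3 of the post.
AD_HOSTS = ("ar.atwola.com", "ads.web.aol.com")

# Constructed sample hosts-file content (not from the post).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1   AR.ATWOLA.COM   # added for AIM 6.0
#127.0.0.1  ads.web.aol.com
10.0.0.5    intranet.example  wiki.example
"""


def parse_hosts(text):
    """Return {hostname: ip}, keeping the first mapping seen for each name.

    Assumption: the resolver honours the first matching entry.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address, skip the line
        for name in fields[1:]:                # one line may carry several names
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def audit(text, wanted=AD_HOSTS):
    """Classify each hostname as 'blocked', 'missing' or 'overridden'."""
    mapping = parse_hosts(text)
    report = {}
    for name in wanted:
        ip = mapping.get(name.lower())
        if ip is None:
            report[name] = "missing"
        elif ip.is_loopback or ip.is_unspecified:
            report[name] = "blocked"
        else:
            # An earlier line points the name at a real address, so
            # appending a sinkhole line would not take effect.
            report[name] = "overridden"
    return report


def add_missing(text, wanted=AD_HOSTS, sink="127.0.0.1"):
    """Return the text with a sinkhole line for every missing name (idempotent)."""
    status = audit(text, wanted)
    todo = [n for n in wanted if status[n] == "missing"]
    if not todo:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"{sink}\t{n}\n" for n in todo)


if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS))
    print(add_missing(SAMPLE_HOSTS))
```

Hosts entries match exact names only, so a subdomain of a blocked host is still reported as missing unless it has its own line.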

12.17.2006

Yeah, that'll protect 'em.

I don't normally walk in and introduce myself with a rant, but this I actually found rather funny. Now, I understand that protecting the safety and sanity of legal minors is an altogether important issue that should be addressed by society as a whole. In cyberspace, networks can be configured and monitors set up to protect little kiddies from objectionable material. And then there are the currently unsuccessful attempts by web services to do the same. Granted, this is no easy task! As someone who's had to (and still has to) consider mitigation strategies against the risk of a minor meeting a cyber someone-up-to-no-good, I can empathize with the difficulties. But honestly, some of these implementations I've encountered are just plain ridiculous.

At the risk of being über-cliché, let's focus on MSN. When my university email account expired, so did my messenger service (despite there not being any logical or necessary relationship between the two -- oops, tangent). Since MSN Messenger has been the conventional link to my cousins in Asia (during their office hours anyway), I decided to sign up for a new account. Yeah, umm, that was an interesting experience...

No, I don't have a hotmail account, nor do I want one, so I decide to use one of those throwaway email addresses. First page is the usual registration stuff -- pick a password, pick a security question, verify your non-botness. Second page asks personal info. "This information will help to personalize your MSN features." Mmm, okay, I've never seen these personalizations during my last account, so I check to see if these were optional. No, unfortunately, they're serious about wanting my birthdate and field of work (even though I was born on January 1, 2006). They even insist that my zip code (somewhere in Wisconsin, apparently) match my California location. I guess if you're asking for personal information, might as well do some basic location validation.

"Before you can sign in and use Microsoft online services, a parent needs to give you permission. You can get permission right now by asking your parent to come to the computer. Or, you can send an e-mail asking your parent for their permission." -- Third page.

This is where the game is played. Long story short, they want the adult to sign in with their LiveID, or create one if they don't have it. Not like this "adult" has actually ever been verified as an adult... It would've been much easier if I had listed my birthday as over 18 to begin with, but I'm not really in the mood to go back and redo my answers. So I try clicking on the "I'm an adult. Why am I seeing this page?" link...

Are You an Adult?

Your birth date indicates that you're a child. A parent must give permission before a child can sign in and use Microsoft online services.

If you made a mistake when you entered your birth date, and you're an adult, click Yes below. We'll ask you to provide a valid credit card number so we can verify your age. We will not charge your credit card. [emphasis mine]


Nice try.

I mean, this is not even a "kill a fly with a brick" situation so much as a "kill a fly by turning off the light" non sequitur. I faintly wonder what they'd do when fed a legitimate credit card number of a sixteen-year-old Daddy's girl. I wasn't interested enough to find out, and I ended up starting the whole process over again anyway.

Obviously, current server-side child-protection measures leave much to be desired; that's a given. My guess is, until the day comes when Big Brother can fully ID you on the other side of the wire, there will not be any effective mitigation at all. And in this case, who are they really trying to protect here? Their own butts, really. I wonder if the parents of the world actually feel any safer at all with these mechanisms.

That said, honestly, the best firewall / content-based IPS one can ever set up to protect one's kids is by providing them with the knowledge to make their own informed decisions. Hopefully that will be a cliché and we can get over this credit card number silliness.

Snort 3: Preview

Lately I've had an increasing interest in Snort, everyone's favorite open source Intrusion Detection System. While my last project with it ended up being less than effective, it has led to the possibility of a much more interesting project, so I count it a blessing in disguise.

I've been using Snort quite a bit since starting my new job but since this last project I've been studying it on a new level. Running two installations was a start, sometimes even running a third, since HenWen is easy and pretty. Last Monday I attended my first meeting of the new Northern Virginia Snort Users Group (no link sadly), a nice collection of professionals very willing to share their knowledge about Snort.

But this is where Snort is now. For those of you curious about the future, here it is. A good read if you're interested in the future of IDS, as it looks like Snort is going to push the envelope of what's expected from Intrusion Detection.

12.15.2006

Frameworks - The Way of the Future

I've finally done something I've been promising to do more lately. I've been programming more. SCARP, yes it needs a new name and no I'm not telling you what it is, has been my project of late and it's great getting back on the wagon. In spite of what I said in a previous post (Does this sound Scripted?: My Love/Hate Relationship) I've been back to learning Ruby. The draw of getting involved again with the Metasploit Project and the evangelism of my friend al3x has convinced me, and it's fully worth it. Ruby, once I got away from Why's Guide, has been a joy. My current project has been good, and it's already leading to a larger project that should be quite interesting.

One of the things that makes Ruby most interesting is Rails, defined by its inventors as:

"...an open source web framework that's optimized for programmer happiness and sustainable productivity."

A nice application by the folks at 37 Signals, Rails will make my next project possible and I look forward to working with it.

In addition I'm also looking forward to renewing my involvement with the Metasploit Project, which moves to Ruby for version 3.0. Metasploit is defined as:

"...an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research."

Now before you start thinking that this post is going to be about me espousing my love of Ruby you should know I'm not there yet, though on the way. No, what sparked this post was coming across the Backframe Project. Not familiar? Neither was I. Backframe is:

"...an experiment to create a full featured attack console for exploiting web browsers, web users and remote applications. Those who are familiar with XSS Proxy or even BEEF might already be familiar with the core principles of the project.
...
The result of these core principles is an easy to use and understand web-client-oriented attack framework that keep the data, the presentation layer, and the underlying logic apart. This design is known as "the separation of concerns model". This is highly effective practice which allows to easily extend upon the core elements."

What struck me is the fact that frameworks, like Rails, Metasploit, and Backframe, are becoming the new elements of object oriented programming. Since the beginning of OOP there have been classes, even libraries, but now so many modern projects are moving well beyond that, complete applications, complex, intricately designed, with no other use than to facilitate the creation of other applications. The full featured APIs that are coming out of web projects from people like Google and sites like Remember The Milk are close relatives, but they are interfaces, where frameworks are going above and beyond.

What's my conclusion? I don't really know, I'm waiting to see. All I know is that projects like Rails and Metasploit are turning their respective industries on their heads. Rails has made Web 2.0 applications something that aren't just created by the likes of Google, but by some kid sitting in a coffeeshop on a MBP sucking down americanos wearing a goofy Puma sweater. Metasploit took cutting edge exploits, made them easy to develop, and even easier to fire, drastically changing the threat landscape for people like yours truly.

So check out Rails, Metasploit, and Backframe. They're all interesting projects with nice frameworky goodness. I'm not sure if frameworks will be the way of the future, but frameworks have largely become 2006's contribution to the idea of object oriented programming. I'm eager to see what 2007 may offer. And keep your eyes peeled, more fun is on the way.

12.13.2006

'The customer is always right'

Back in my foray with minimum wage, I spent a lot of my time working in the service industry. Needless to say, the jobs exposed me to more ‘The Customer is Always Right’-esque clichés than I’d like to admit. Conversely, the more time I spent in that industry, the less I believed such a motto. Even when I was placed in a management position and handed out a free ::insert commodity here:: to an obnoxious customer in reparation for how he or she was ‘wronged’, rarely did I think the customer was correct. So why would I (or any other person in my position) reward a person in such a situation? The answer is quite simple. They won’t come back if you don’t.

The more I reflect, the more I realize the security industry must embrace some of the philosophies of the traditional service industry. We must focus on appeasing our customers. We must make our solutions more user-friendly. If the end-users are not happy with our security suggestions (and therefore not utilizing them), then perhaps we are in the wrong.

A while back, a friend of mine continuously used a simple dictionary word as her password. ::insert cringe here:: I immediately pointed out her error and brought up the fact it should be x amount of characters long with at least this and that in it. Sure, she nodded and smiled... but did it stick? Of course not. I pestered her for a while and eventually it came out that my method was too complicated. -- This is where I learned it was I who messed up, not her. I had left out the methodology of how to easily remember such passwords (using the first letter of song lyrics, etc). I had provided the security without the usability.

The customer is always right and will only act on what he or she thinks is right. It doesn’t matter what we think. Our customers will only adopt our newest security concepts if they're important and (perhaps more importantly) easy on them.

Of course, the trick is knowing your customer.

12.11.2006

Tell me if I'm too open about this...

So this past Friday I was lucky enough to compete in the 2006 edition of UCSB's iCTF academic information security competition. I can't say I played nearly as much of a part as I would have liked to, as my secret weapon, a culmination of my skill in both attack and defense was 1) not quite completed and 2) not relevant to the way UCSB set up the competition this year, drastically different from most CTFs.

I'm not quite sure yet what I'm going to do with my application. It's really very specialized, only useful in a computer security competition, though I hope it will be both functionally complete and feature complete in time for Defcon, where it might be useful. I think it's going to get integrated into another upcoming project. Anyway this post isn't about that, it's about something else I realized through my work setting up Snort on my iBook.

Why on earth does the OSX firewall force you to open the firewall to access ports on the localhost? To run Snort, using MySQL for my back end database and the BASE package for my user interface I needed to connect to ports 80/tcp and 3306/tcp. Now that makes sense, to connect to localhost:80 to see my BASE setup (running PHP in Apache) while both Snort and BASE connect to 3306/tcp to get to MySQL. Now those connections make sense, but the fact that I have to open my firewall to access these ports is ludicrous.

Now I don't know all the inner workings of ipfw, but this doesn't seem necessary, just simple laziness on the part of Apple. It wouldn't have been hard to set up the rules in such a way that the localhost connection would be available, but not allow connections from outside hosts. I know many people who would make use of this, such as the multitude of web devs I know, and it seems ridiculous that this hasn't been implemented. There are many conceivable reasons for needing port based services without running a server that needs to be publicly accessible. Is this really too difficult or too much to ask for?

There are many things that can be done to reduce the risk to security, but by far the largest in my mind is simply reducing the attack surface of a given system. This often means minimizing access and exposure by limiting a system to necessary services. In this case, while these services are necessary they are not publicly necessary, and it is merely unnecessarily widening the attack surface to force the firewall to be opened to run these services even when the only connections necessary will be from localhost.

I hate to say this is another example of Apple being too content, bordering on complacent, in their own sense of security and not trying as hard as they could to keep their leading position. I hope someone stands up and notices, before it's too late.

Also congrats to Blue Blood Alpha, top 10 next year!
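The attack-surface point in the post above can be checked from the listening sockets themselves. This added example (not part of the original post) flags services on the post's two ports, 80 and 3306, that are bound to an address reachable from other hosts instead of loopback; the sample lines are constructed, and their `address.port` layout is an assumption modelled on BSD/macOS `netstat -an` output.

```python
import ipaddress

# Ports the post needed locally: 80 for BASE under Apache, 3306 for MySQL.
LOCAL_ONLY_PORTS = {80, 3306}

# Constructed sample, laid out like `netstat -an` on macOS (assumption).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  192.168.1.20.22        *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         127.0.0.1.49152        ESTABLISHED
udp4       0      0  *.5353                 *.*
"""


def listeners(text):
    """Yield (proto, host, port) for every TCP socket in LISTEN state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        # BSD netstat joins address and port with a dot: split on the last one.
        host, _, port = f[3].rpartition(".")
        if port.isdigit():
            yield f[0], host, int(port)


def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    if host == "*":            # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False           # unparsable address: treat as exposed


def exposed(text, ports=LOCAL_ONLY_PORTS):
    """Return sorted (port, host) pairs for local-only ports bound off loopback."""
    return sorted({(port, host)
                   for _, host, port in listeners(text)
                   if port in ports and not is_loopback(host)})


if __name__ == "__main__":
    for port, host in exposed(SAMPLE_NETSTAT):
        print(f"port {port} is listening on {host}, not just loopback")
```

A listener flagged here can usually be pinned to loopback in the service's own configuration, for example `Listen 127.0.0.1:80` in Apache or `bind-address = 127.0.0.1` in MySQL, which keeps it unreachable from other hosts whatever the firewall state.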

12.06.2006

How did I miss this?!

In a recent conversation with al3x about things that can quickly divide groups of hackers I started doing some Wikipedia link following and ended up reading a lot about some of the significant hacking groups of the 1980s and 1990s, like LoD, MoD, L0pht, and cDc. All of these are interesting reads, and if you're interested at all in hacker culture they're worth browsing.

But did you know there was a Great Hacker War? How did I never hear about that? Almost makes me wanna get a posse together and pick a fight. But I've got things to do, so right now I'm just gonna keep coding, and I recommend you give it a read.

Is infosec all about the benjamins?

Author's Note: This post has been a very long time in coming and has been reworked more times than I care to count. Coming up with the correct perspective was tough, but I think I captured it. Finally. (On a second note I wrote this before I started my hopefully last set of revisions, so we'll see.)

There was a somewhat depressing message board post that I stumbled across today in the Security Basics list of SecLists.org:

Date: Fri, 01 Dec 2006 22:09:12 +0000

Evening,
Showing my age I'm finding it increasingly difficult to find security geeks who
are truly passionate about security. There seems to be a recent trend in
unpassionate people chasing either the money, an easy ride or something that
isn't as dull as network or system administration.
So how would you identify passion quickly, personally I like what cons have you
been to? If they are passionate but poor they would reply none but I'd like
to .... What books have they bought, what tools do they use what sites
do they visit email them at night and see how long it takes them to reply

what else?

--
Andy Cuff

I've been thinking a lot lately about the polarization of the information security industry as it's grown. Let's take a look back.

A few years ago there were no security jobs, and very little security industry. Hackers were pesky, annoying people who sysadmins had to cope with. Network worms were largely theoretical. Security was merely a secondary function of many different jobs, such as website designers, network managers, and client support teams. These admins, programmers, and support reps began learning new skills as necessary, related to their primary responsibilities. As security events became more prevalent, with more high profile computer compromises and worms like Code Red and Slammer, these people morphed into the vanguard of information security. Different jobs by trade, they quickly moved in to fill this emerging need. These were the first, the amateurs who became more. Most of the information security ranks, large as they are now, are filled with these people. They come from computer science degrees, information systems degrees, business degrees. Many have no degree at all, merely drive, the ability to learn, and the desire to be pioneers. Many of them have been blackhat hackers themselves, turning over a new life, reinventing themselves as today's protectors, giving them an insight and understanding that few can conceive.

A few years ago this model was realized by the military, and later academic, community. They realized that as more and more value was placed on computers and on the Internet that we'd need more of these people. Until around 2000 these people had grown and learned organically, but universities decided they needed to be manufactured. The result? Degrees like: Security and Risk Analysis (from my own Alma Mater), Information Technology Security, Information Assurance, even (my personal favorite) Information Security Engineering, and many others. All these programs under all these names resulted in one thing, a new breed, 75% computer scientist, 15% script kiddie, 10% policy wonk, the Information Security Professional.

The piece of this post I've been missing, my point, was exactly what Andy brought up. I'm frustrated that this new generation, these Information Security Professionals, have no passion, no desire for it, no deep abiding curiosity. At first I figured it was more about the old guard hackers vs the new school professionals and thought that was the difference, but it didn't feel right. I got in my fair share of trouble and may have done some things in high school that would loosely be defined as compromising a system, but I can't lay claim to ever being a blackhat. I can't claim to be a hacker in the media given sense of someone who pops boxes for fun. I am, have, and will, for most of my career, be a defender. I've been trained not from Phrack or attending 2600 meetings, but through personal research and even some classroom activity. Yet I feel more akin to those from that older group than these new "professionals". I wondered why this was, as it often feels, based on my technical aptitude, that I fall closer to the new breed. Passion, I realized, that was the difference, the deciding factor. It's not taught, no matter how many 400 level Security Architecture, Ethical Hacking, and Risk assessment courses a person takes. That's the missing element, that's the difference, and I somehow think the future of this industry is going to hurt as a result.

So where's that leave us? I don't know, give me 10 years and I'll tell you. I hope things turn around but between now and then I know I am going to continue to try to surround myself with those who have the passion for what we do. Those people will be the difference between innovation, and simply firewall maintainers.

12.05.2006

New Names and New Opinions

For those of you who actually read my site in its browser form you may have noticed some changes recently. From me to us, from mine to ours, from a personal profile to a list of contributors.

After a lot of consideration I've decided to change Vulnerable Minds into a group blog from my sole place on the web, a decision I've been wavering on for a long time, but think I'm ready for at this point. I have a number of associates with good things to say, whose opinions I'm happy to support and put out in the wide world.

The idea of Vulnerable Minds began as a group, a small collection of young, ambitious, future leaders of the field, banding together to share ideas, work on projects, and generally have a good time. I'm happy to see Vulnerable Minds is heading back towards that, and look forward to seeing what's coming in the future.

So first up I'd like to welcome Alice Chang and Timothy Martin.

12.03.2006

Before you mention it...

One of my least favorite things is when something from the infosec world makes the "real" news. There's stuff going on all the time that could drastically affect everyone who's ever even thought of being near a computer, but they're often ignored, and it's a mystery to see what becomes big news, and what's ignored.

Example:

Big Issue That Was Largely Ignored: Net Neutrality

The Internet being segmented based solely on how much money you spend to be on the Internet. Spent millions per year to have multiple OC-3 connections directly to a backbone? You get priority. Spent $40 per month (which is still way too expensive, Comcast) to get a mid range home cable connection? You're a second tier citizen whose needs and wants come second.

Results: Companies like Microsoft, Comcast, Verizon, and others paying to control the Internet to make even more money than they do now. For people like you and me YouTube becomes impossible to use, those with the desire to can run even fewer home servers than now, and the general expectations you have of how the Internet should act go out the window.

Minor Issue That Is Getting Huge Attention: The "Cyber Jihad" Against the United States Banking System

One small extremist website has announced they're going to attack the US financial infrastructure during the month of December. Hmmm, terrifying. Guess what, attacks happen all the time. There are already attacks coming from every edge of the globe all the time. Crime goes where the money goes. Banks have money. Put two and two together. Figured it out?

Guess what, the banks have too, most of them back in the 1990s, and the vast majority of them are well prepared. While I have no evidence to support this I feel pretty safe saying that the financial world is second only to the military in being ready to deal with cyber threats. In some cases the military could probably even learn a thing or two. I'm not really concerned that I'm going to wake up in the morning and find my bank compromised by Muslim extremists any more than I'm worried about the Falun Gong, the Tamil Tigers, or some random kid in a basement in Idaho.

Now I don't blame the people around me who get worked up about this sort of thing. I blame the media, their biases and their ignorance, for which stories get big play and make the 6 o'clock news, and which ones never get mentioned off the infosec specific news sites. That's not my friends' and family's fault. What I am tired of is when everyone from my friends and family to random people I meet on the street want to tell me about whatever issue makes it into the media as though I've never heard of it before, insinuating that I personally, and the security industry in general, aren't prepared for it, and in such a way that they've done me a favor by informing me of it.

Now asking me about something like the Cyber Jihad, knowing the field I'm in, is fine and I'd be happy to give my opinion if asked for it (I'm sure you're muttering something about my willingness to provide opinions right now). I actually enjoy that. That being said, don't insult me by expecting I have no idea about something that you caught on CNN and acting like you're helping me out. Security people, be it information security, physical security, homeland security, or any other security, are news junkies of the highest caliber. Security thrives on being aware of the changing threat landscape, so it's safe to assume that not only is any security person you know very in tune with mainstream media, but is also tapped into many industry specific news sources, and was probably intimately aware and already moved on past any event before it even makes it to some mainstream media editor's desk.

So thanks for the tip, whatever it was, but I was already aware. Save the energy and give Security Focus or the Internet Storm Center a look. You might learn something.

Out of curiosity: Am I the only one who deals with this and feels this way?

Might have been better as a Haiku

Dave Aitel, someone who I've disagreed with on a number of occasions but ultimately recognize as one of the best of the offensive end of infosec, put up an interesting little post in his list "Daily Dave". It was almost poetic really, and since many people don't really keep up with Daily Dave (seriously, who likes mailing lists anymore?) I figured I'd repost it here and maybe add a thought or two:

Date: Sat, 2 Dec 2006 21:04:32 -0500

Give up all your Solaris RPC remotes. All your Tru64 tricks, all your
Microsoft client-sides. The bug classes no one has seen yet, forgotten. The
kernel trojans you use daily, gone. All your shells. The ISPs, the wacky
personal servers of the developers everyone else reveres. Your
ex-girlfriend's laptop. Every exploit and click-script. Lose everything you
know.

Give it all up, and never look back. If you are a Unix hacker, switch to
Microsoft. If Win32, install Linux and never call a Windows API ever again.

Now try again.

-dave

I for one couldn't agree more. As security professionals it's easy to get locked into our tools, especially operating systems. It's natural. We're creatures of habit as human beings, and this is only exacerbated with our work in the security world. We spend our lives looking at and for anomalies, the new things, the cutting edge. I think many of us get very habitual about things because we're trying to give ourselves the slightest bit of consistency as a framework in the constant search of the anomalous.

Still, Dave's point has nearly infinite merit. Every bit of time spent with new tools, new systems, new malware, new operating systems, all of it is increased knowledge, gained familiarity, the chance to discover something new. Sometimes it's done to learn something specific, more often we don't even know when it will come in handy. Being comfortable with your tools is good, but being comfortable with a more diverse set of tools is even better.

I'm the first to admit I've become fairly comfortable, even though I'm fairly diverse. My personal laptop, called Kaylee, is running OSX. My desktop, called Book, is running my Linux distro of choice, Ubuntu. Beyond that I use Windows here and there, but I'm still far from as familiar as I'd like to be, especially as I attempt to better learn the offensive end of infosec. I could also stand to spend some time digging around some of the other big operating systems out there, most notably Solaris.

Maybe it'll be like getting a new piece of furniture, not so familiar, but functional, and maybe more in style. That being said, everyone has that old, beat up, junky couch they just can't throw out. I guess there just has to be a place for both.