I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.
Follow Me


So the F5 is a tricky beast often refereed to as the swiss army knife of network appliances. The appliances primary role in many networks is to load balance and is a beast negotiating SSL. That being said its not always easy to determine how to configure the clients SSL profiles to be secure and still service the public. F5s documentation is helpful but designed to be vague because cipher suites and browser support is always changing. https://support.f5.com/csp/article/K8802


SSL Labs has become the de-facto to use tool that helps the public understand the nuances of SSL by giving an easy to understand letter grade, https://www.ssllabs.com . The website runs a multitude of tests from insuring your certificate is chained correctly to end device OS and browser simulations, to commonly found vulnerability testing. The down fall of having such a sophisticated tool issuing a simple letter score, is not every environment can be configured for an A or B plus.


So I wanted to through an F5 Client SSL Profile out there that at the time of testing got a solid A- and still supported a ton of OS and browser combinations. You will mostly want to keep the defaults but I will highlight what changes you will want to make to get an A. You will need to select Advanced to see some of these settings.

  • The first step is to add your public certificate and the intermediate certificates if applicable as well as the key.
    •  this is what create the certificates chain
  • Next you will want to customize the Ciphers that will be used by the F5 to negotiate SSL with the client. This is where 99% of the magic will happen.
    • DEFAULT:HIGH: (are pre canned cipher settings created by F5, the additional settings are additional customization.
    • !RSA: Do not use RSA ciphers
    • !SSLV3: Do not use SSL version 3
    • !RC4: Do not use RC4 ciphers
    • !EXP: Do not use Cipher length of 40 or 56 bits export strength
    • !DES: Do not use Des or triple Des ciphers
    • !TLSv1_1: Do not use TLS version 1.1
    • !TLSv1: Do not use TlS version 1.0
    • !ADH: Do not use ADH ciphers
    • !EXPORT: Do not use EXPORT grade (weak) ciphers
    • !SHA: Do not use Message Authentication Code SHA 128
  • The complete string looks like this:
  • Lastly you will want to set up strict SSL renegotiation:
    • Check the  Renegotiation box
    • Next set Secure Renegotiation to "Require Strict"


From here save your SSL client profile, apply it to a public accessible virtual server, and run SSL labs against your server. Its kind of fun testing and playing around to see what modifying the cipher settings.




**Update 8/8/2020**
I have been spending some time in the #lobby-bar channel on the Defcon Discord. We have been reminiscing of Defcons' past and one of the attendees posted up a couple Docs from the AP they had worked on. I wanted to post them because they pretty much sum up a lot of peoples Defcon experience at the AP.
**Update 8/8/2020**
Dark Tangent just posted in the info-booth Discord channel a link to the Defcon info page.  Really nice easy to use interface and search functionality:
**Update 8/7/2020**
Wall of Sheep aka Packet Hacking Village talk schedule is online.
Where to watch:

**Update 8/6/2020** 
DCTV just posted their twitch channel.  
**Update 8/6/2020 13:21**
 "The following Twitch Streams are available depending on the schedule for each specific track or village. The schedule can be found at https://info.defcon.org/.

I have found if you follow the channels within twitch you can see what channels are live or not.

**Update 8/6/2020 10:00**
I have found a method to engage in Defcon that works well with me. 
  1. Identify the talks I want to watch
  2. Create a youtube playlist listing the talks in order of the live Q&A's (then watch them)
  3. Created calendar events of the live Q&A with the speaker on the Defcon Twitch channel (https://www.twitch.tv/defconorg)
  4. between live Q&A I want to watch I stream the Defcon Entertainment channel on twitch (https://www.twitch.tv/defcon_music)
  5. Hang out on the Defcon Discord server in #linecon, #dcg, #pool-1, and the #pool-3 channels we will see which ones i spend the most time in. Currently linecon is holding most of my attention.
We will see when the Villages open up tomorrow how much time I will hang in there.

Defcon 28 Safe Mode is a culture shock, and for me the move to online does not feel as natural as I though it would. I am fighting 18 years of routine and habit that I need to kick. That being said I wanted to create a page where I could keep track of whats going on and where it happening,  I imagine there will be a lot of spin off twitch channels and discord channels I will try to keep it up.

Defcon Talks:
The schedule was released https://defcon.org/html/defcon-safemode/dc-safemode-schedule.html One interesting point about the lineup it looks like all the talks will be sequential so you can see every talk if you want.

Defcon Forums:
This is the major jumping off point for everything going down at Defcon 28. Explore the forums that interest you and get involved. Some of the villages have already set up active discord channels and the will list them in their forum channel.

Defcon Entertainment:
Here is a link to some of the live entertainment that will be going down. Defcon has posted the schedule of the live sets and published the twitch channel that will be streaming the performances.

Defcon Swag Shop:

Discord Servers:
Defcon 28 Main Server: https://discord.gg/defcon
Blue Team Village: https://discord.gg/nqMrrJ
Wireless Village: https://discord.gg/pfu9mu
Ham Radio Village: https://discord.gg/Dv38mc
Biohacking Village: https://discord.gg/G3TyUp

Defcon Reddit Post
Below is an extensive list that was posted by Defcon on Reddit (https://www.reddit.com/r/Defcon/comments/hzafso/lots_of_links_defcon_and_village_info_pages/)I wanted to capture it here to share with everyone.

Please also consider "The One!", a unofficial consolidated schedule of all the Villages, Talks, Contests, and various Events occurring during DEFCON 28. One page, one look, all things happening!

Lots of things are still missing, As various schedules get released and processed they will appear. Keep coming back to get the latest.

DEFCON home page
DEFCON 28 Schedule and Speakers pages
DEFCON 28 Demolabs Schedule
DEFCON 28 Entertainment
DEFCON 28 Villages

Village info derived from the following pages
DEF CON 28 Villages page
DEF CON 28 Villages Forum page

Village Name & Web PageForum LinkDC Village DescDiscord ChanSoc Media Links
AI VillageForumAIV Desc#aiv-general-textTW @AIvillage_DC
AeroSpace VillageHack-A-SatForumAEV Desc#av-lounge-bar-textTW @SecureAerospace TW @Hack-A-Sat
AppSec VillageForumASV Desc#asv-general-textTW @AppSec_Village YT AppSec Village
BioHacking VillageForumBHV Desc#bhv-general-textTW @DC_BHV YT Biohacking Village TI biohackingvillage
BlockChain VillageForumBCV Desc#bcv-general-textTW @BCOSvillage
Blue Team VillageForumBTV Desc#btv-general-textTW @BlueTeamVillage TI BlueTeamVillage
Car Hacking VillageForumCHV Desc#chv-welcome-textTW @CarHackVillage
Career Hacking VillageForumCRV Desc#cahv-general-textTW @HackingCareer
Cloud VillageForumCSV Desc#cloudv-general-textTW @cloudvillage_dc
Crypto and Privacy VillageForumCPV Desc#cpv-general-textTW @CryptoVillage TI cryptovillage SL cryptovillage YT Crypto and Privacy Village
Data Duplication VillageForumDDV Desc#ddv-general-textTW @DDV_DC
Ethics VillageForumETV Desc#ev-general-textTW @EthicsVillage
Hack The SeaForumHSV Desc#htsv-general-textTW @hack_the_sea
Ham ExamsForumHRV Desc#ham-general-text@DC_Ham_Exams
Ham Radio VillageForumHRV Desc#ham-general-textTW @HamRadioVillage TI hamradiovillage
Hardware Hacking VillageSolder Skills VillageForumHHV Desc#hhv-infobooth-textTW @DC_HHV
ICS VillageForumICS Desc#ics-general-textTW @ICS_Village YT ICS Village TI ics_village
IoT VillageForumIOT Desc#iotv-general-textTW @IOTvillage TW @ISEsecurity TW @Villageidiotlab TI iotvillage
Lock Bypass VillageForumLBV Desc#lbpv-social-textTW @bypassvillage
Lockpick VillageForumLPV Desc#lpv-general-textTW @toool TI toool_us
Monero VillageForumMOV Desc#mv-general-textTW @MoneroVillage TI MoneroVillage YT Monero CommunityWorkgroup
Password VillageForumPWDV Desc#pwdv-general-textundefined
Payment VillageForumPAYV Desc#pay-labs-textTW @paymentvillage YT Payment Village TI paymentvillage
Packet Hacking VillageForumPHV Desc#phv-infobooth-textTW @WallOfSheep FB @WallOfSheep
Recon VillageForumRCV Desc#rv-general-textTW @ReConVillage FB @ReConVillage
Red Team VillageForumRTV Desc#rtv-briefings-textTW @VillageRedTeam YT Red Team Village TI redteamvillage DC Red Team Village
Rogues VillageForumRGV Desc#rov-announcements-textTW @RoguesVillage TI RoguesVillage
Social Engineering VillageForumSEV Desc#sev-general-textTW @HumanHacker FB SocialEngineerInc
Voting Machine VillageForumVMV Desc#vmhv-general-textTW @VotingVillageDC
Wireless VillageForumWLV Desc#wv-general-textTW @WiFi_Village DC Wireless Village
Other Interesting Links
Defcon MUD a Multi User Dungeon. An old school game style that uses telnet to connect to a remote server. Check it out https://mud.mog.ninja/

Other cons during #SummerHackerCamp

BlackhatT @BlackHatEventsFB Black Hat Events
BSides Las VegasT @BSidesLV
r00tz AsylumT @r00tzasylum
QueerconT @QueerconFB @queercon
The Diana InitiativeT @DianainitiativeFB @dianainitiative


General / previous years
JK-47 - BSidesLV & DEFCON Conference Tips
Just another DEF CON guide
On Attending DefCon

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time. Below is an excerpt from the Wikipedia page, they did a nice job explaining what mutual authentication is.

By default the TLS protocol only proves the identity of the server to the client using X.509 certificate and the authentication of the client to the server is left to the application layer (for example, username and passwords.) TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications. But at a small scale or proof of concept this is completely reasonable.

Mutual TLS authentication (mTLS) is much more widespread in business-to-business (B2B) applications, where a limited number of programmatic and homogeneous clients are connecting to specific web services, the operational burden is limited, and security requirements are usually much higher as compared to consumer environments. The factor that impacts scaling of this design is not the technology, devices are built to handle millions of SSL transactions, but the policy and procedures around the certificate management and client on-boarding. 

In this example a client will be connecting to an Apache web server and authenticate using mutual TLS authentication.

First you must build the web server running SSL. You can find a lot of step by step articles online about how to build an Apache web server preferably on Linux. Also take a look at Lets Encrypt, it's a free SSL certificate issuer that is freaking awesome.

Once you have your web server up and running you will want your client to generate a certificate. This can be done using OpenSSL the de facto for everything SSL on the internet. There are some awesome guides on how to build out the mutual SSL authentication and the accompanying Apache config. The best one I found was on stefanocapitanio.com they do a great job of outlining each step that makes up the mutual TLS authentication. In this example I will Jump ahead to the certificate creation,

This will generate your private key and certificate. You will need to answer the following questions when prompted this makes up the attributes of your client certificate.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Here is an example what it will look like.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) []:US
State or Province Name (full name) []:State 
Locality Name (eg, city) []:City
Organization Name (eg, company) []:Anything
Organizational Unit Name (eg, section) []:Anything
Common Name (eg, fully qualified host name) []:Username
Email Address []:youremail

Next we will combine the Key and Certificate in PKCS#12 file:
openssl pkcs12 -inkey client-key.pem -in client-certificate.pem -export -out bundle-certificate.p12
This file will be the private key and certificate combined with a secure password. This is what you will install on your OS or browser (such as firefox) to encrypt your data and issue to the server as your identity.

Once you have generated and installed your client certificate you will want to send ONLY THE PUBLIC CERTIFICATE, in this case client-certificate.pem to the server admin. Your public certificate will be what is used to identify your machine when it attempts to connect tot he web server. Read up on the Apache man pages about he SSLVerifyClient options there is quit a but out there. This is a very basic config.

The server admin will place your certificate in their certificate store and configure Apache.
<VirtualHost *:443>
  ServerName secure.example.com
  DocumentRoot "/var/www/html"
  ServerAdmin [email protected]
  SSLEngine on
  SSLCertificateFile /home/sempla1/ssl/server-cert.pem
  SSLCertificateKeyFile /home/sempla1/ssl/private/server-key.pem

  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLCACertificateFile /home/sempla1/ssl/client-certificate.pem

Once the server has been configured you can attempt to connect. Normally you will be prompted to provide your client certificate if it is working. This is apache asking for your public certificate to validate it is the same one that Apache was configured with. In firefox you can go into Preferences then Security and Privacy and tell the browser to automatically issue that certificate if you like.

That's it I had a good time playing with this I hope you do as well.

Defcon is Canceled!

The meme that never dies finally became a reality. I have attended Defcon for nearly 2 decades and every year I am excited to see friends but dread staying in Vegas. This year my dread turned into mourning. After Jeff's initial COVID post, the progression of the pandemic, and the physical conference cancellation, I feel Defcon is more important than ever.

Most con attendees identify Defcon as a way of life just not a conference. It is our responsibility to keep Defcon alive, share in the intellectual, the consciousness, and the bonds that make up Defcon. If this means meeting in smaller groups locally or hanging with friends online we can still make Defcon, Defcon...

**One Idea**
Perhaps, depending on the state of the pandemic locally, DC groups could throw classic Defcon parties. DJs, drinks, and attendees bring a Defcon badge from any year to be admitted. Of course, the badge idea could be a loose requirement since we wouldn't want to exclude anyone who hasn't been to Defcon. It might be a cool way to locally create that Defcon atmosphere.

Here is another classic Carthay Circle favorite I found on the ohmy.disney.com blog. The Double Pear Martini is a very light and sweet pear cocktail that if you haven't tried you need to. This is the perfect cocktail on a hot day while relaxing in the cool dark Carthay Circle Lounge.

The Double Pear Martini:
  • 1 ounce Double Cross vodka
  • 1 ounce Absolut Pears vodka
  • 1 ounce Kern’s Pear Nectar
  • 1/2 ounce fresh lime juice
  • 1/4 ounce Monin agave nectar
  • Garnish: 1 Chilean baby Pear

Pour all ingredients into a mixing glass. Add ice and shake for 10 seconds. Strain into a chilled martini glass and garnish with a Chilean baby Pear.

Since the parks have been closed Disneyland has been publishing some of their delicious and popular recipes online. I stumbled across their Manhattan recipe from Carthay Circle in DCA and it is one of the best I have had. So I wanted to share. Enjoy!

The Carthay Manhattan:
  • 2 Oz Rye Whiskey  (If you don’t have Rye Whiskey, you can use Bourbon or blended Whiskey)
  • 1/2 Oz Sweet Vermouth 
  • 3 dashes of bitters 
  •  Garnish (A cherry, usually) 

Stir it with some ice and then strain it into a lowball glass.

Join the EFF

Join the EFF
#privacy #digitalrights

Contact Me


Email *

Message *