I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.

This is one of my favorite meals. I don't make it very often, but it is super good.

  • 1 roasted chicken (you can get one already cooked at most grocery stores or Costco)
  • 1 cup frozen or wilted fresh chopped spinach (thawed and squeezed dry)
  • 4 tablespoons chopped chives
  • 1 cup grated Monterey Jack cheese
  • 1 teaspoon salt
  • 1/4 teaspoon pepper
  • 1 1/2 cups cream of chicken soup

  • Take the chicken apart, cube 3 cups of meat into 1/4-size cubes, and set aside
  • Mix all of the above ingredients together
  • Purchase Pepperidge Farm Patty Shells (2 packages) and let them thaw to room temperature
  • Roll each out with a little flour to approx. a 5" circle
  • Place approx. 2 tablespoons of the mixture on the lower half of the circle
  • Fold over the top half and crimp with a fork so it looks like a turnover
  • Brush the tops with a mixture of beaten egg and 1 teaspoon water
  • Bake at an oven temperature of 425 for 18 minutes or until golden brown

I've been thinking a lot about survival lately, what with the 8th season of The Walking Dead starting up and our impending nuclear war with North Korea. In my day job as a networking nerd I deal with communication on a daily basis, but as a society our world is becoming much too dependent on digital communication. In a survival scenario ain't no one got time to troubleshoot packet loss!

This has got me thinking about radios and the role they might play in self-sufficient communications.

I've been telling myself I am going to take the HAM radio test, but I haven't gotten around to it yet. So I started researching the GMRS and FRS radio systems and was surprised at just how capable GMRS systems are and how easy it is to get an FCC license.

GMRS, FRS and MURS radios are excellent for local communications, but they are much more capable than just those $19 Radio Shack handheld units. FRS and MURS do not require an FCC license; they're cheap and easy to use. They've pretty much replaced CB radios for a lot of families, and in fact they share a lot of the same limitations on power and range. There is something to be said for their availability though: in a disaster scenario you could probably scrounge up a number of these radios from anywhere.

If you have a true GMRS radio, you have a much more capable radio.

GMRS radios have the ability to tap into a repeater, which expands the radio's range to possibly hundreds of miles — meaning your local family radio can be transformed into a life-saving communication device. GMRS radios are also allowed to operate at higher power than a lot of other radios, which expands their local range even without a repeater. You do need an FCC license to operate GMRS radios, but it is easy to get, with no test required (a big bonus considering how hard the HAM test is), and it costs around $70. Also, you only have to renew the license every 5 years, and one license covers your entire family.

So here's the rub! Getting your license for GMRS is a no-brainer, and playing around to build a repeater sounds pretty fun. But in a true emergency you should give yourself every advantage, so buying a GMRS radio might not be the way to go. In a true life-threatening emergency you can communicate on HAM radio frequencies as a last resort. So what should I get?

Well, it's not illegal for a non-HAM-licensed individual to own a HAM radio; it's just illegal for a non-licensed individual to transmit on the designated amateur radio frequencies. That being said, many HAM radios can be programmed to transmit on the same GMRS/FRS channels your store-bought handheld radios transmit on. In addition to leveraging the thousands of GMRS and FRS radios out there, you can program channels/bookmarks for GMRS and HAM radio repeaters in your area, NOAA weather channels, frequencies used by emergency personnel and groups, as well as maritime radio frequencies. Having these frequencies pre-programmed and documented can truly make the difference in a stressful emergency situation. The best part is you can get some of these radios pretty cheap.

To start exploring the world of radio you probably don't want to drop hundreds of dollars on equipment, so my suggestion (and the radio I have been exploring) is the BaoFeng UV-5R Dual Band Two Way Radio (Black). This radio can be programmed as a HAM radio as well as for FRS and GMRS frequencies. I know a lot of hardcore preppers are going to disagree with this radio, and I agree the quality and reliability will be less than more expensive radios. But if you want to get your feet wet, $30 is an acceptable amount for most people to experiment with to see if this solution works for them. The radio is small and has an operating frequency range of 65-108 MHz (commercial FM radio reception only), VHF 136-174 MHz (Rx/Tx), and UHF 400-520 MHz (Rx/Tx). You will probably want to purchase the USB programming cable as well; this makes uploading and downloading the frequencies way easier: Baofeng Programming Cable for BAOFENG UV-5R/5RA/5R Plus/5RE, UV3R Plus, BF-888S.


Radio Configuration:
There are a ton of people out there with great articles on how to program this radio specifically, so I have put together a list I used to set up mine:

Programming the Radio:
Both guides were straightforward; the only issue I ran into was downloading the correct driver for my radio programming cable.
Survival Channels for the Baofeng Radio (a step-by-step guide on how to configure your radio)
Manually Programming the Baofeng Radio (the same thing, but a really good YouTube resource)
CHIRP (radio programming software)

GMRS Radio License:
Getting your GMRS License (This is a guide to getting your GMRS license put out by the AGRC)
FCC Website (The FCC Website discussing the GMRS license regulations)

General Survival Radio Sites:
Graywolf Survival (Their post discusses survival radio options as well as emergency frequencies)

At the end of the day HAM radio is still the de facto survival communication standard, and is an important institution that needs to survive. I just wanted to pose an option that seems practical and more attainable to those who may not feel they are capable of getting a HAM radio license.

After tasting every drink at our local tiki bar, my wife and I wanted to reproduce our favorite, the Macadamia Nut Chi Chi. This drink is easy to make, but the most important part is a good-quality macadamia nut liqueur. We cheaped out the first time and the drink tasted horrible; after finding the Trader Vic's Macadamia Nut Liqueur we reproduced the drink exactly.

- 2 ounces Vodka
- 1 ounce Macadamia Nut Liqueur
- 1 ounce Cream of Coconut
- 4 ounces Pineapple Juice

Fill a shaker with crushed ice
Add the ingredients to the shaker and shake like crazy
(The longer you shake, the frothier it gets)
Pour into your favorite tiki mug


Enjoying Disneyland is different for everyone.  There are different ride preferences and different priorities whether you're old, young, or have kids; whether you flew around the world for a one-time experience or if you go to Disneyland frequently.

For my wife and me, enjoying the park when we were younger meant going hard for 16 hours to ride every ride as many times as we could. Back then we'd only go once every 5-10 years. Now that we are a little bit older and were lucky enough to justify an annual pass this year, we turned from young go-hards into Disney pros. I am not saying we are the best at Disneyland — as if that's even a thing — but we have found time to enjoy the intricacies Imagineers and cast members put into the park.

Everyone does Disneyland differently, but we have found a system that works for us and normally lets us ride all the rides we want by noon. So this is how we do it.

The first key is to plan a trip on days that aren't expected to get too busy. We like to use the isitpacked.com and undercovertourist.com crowd prediction calendars. The next key is to get to the park early. I don't mean when it's still dark, but by opening it is already getting busy, so somewhere in between.

Around 2015 Disney instituted a security checkpoint to ensure everyone enjoys a safe visit. That will be your first line, and it makes the day a lot brighter to be extra nice to the security officers as well as to have any bags open and clear of contraband. Nowadays we don't bring bags into the park at all; even my wife leaves the purse at home. Only items that we can carry in our pockets, which is usually credit cards and Disneyland tickets in a wallet, a phone, sunglasses, and sometimes an expandable shopping bag that clips onto a belt loop if we know we're going to buy souvenirs. Again, no kids. And on that note, find a line with the fewest strollers and backpacks and you'll breeze through security.

A rare time when there was no security line first thing in the morning.

Normally the park opens at 8am and we will arrive around 7am (although always check, because times vary day-to-day, including Extra Magic Hour and Magic Mornings). That gets us through security and a good place in the line without waiting for hours. Also, the majority of families with kids aren't at the gate that early. We feel you, families; it's hard enough to get our adult selves ready.

Then you'll get in line to enter the park.  We normally pick a line in the middle of the gates because they tend to move slightly faster. Strollers slow the line down as do first-day visitors because they get a picture taken.

Disneyland actually opens its front gates about 15 minutes prior to the actual opening time every day. This allows them to start moving people through to the back of the park without stopping at the Main Street shops. They keep the park roped off either at the end of the Main Street stores on a normal day, or around the entrances to the lands in the Plaza if you're enjoying an early morning such as Magic Morning (3-or-more-day park hopper) or Extra Magic Hour (Disneyland Resort guests). If you're at the park for an early morning, only Fantasyland and Tomorrowland are open. People will queue up at the rope in anticipation of a magical morning!

Now to the meat of the morning.  The majority of visitors will sprint to the castle to get in line for Peter Pan (please walk in the park!).  Who voted Peter Pan the "Best Ride Ever", I don't know.  I mean I love it, but I love every ride.  If you want to ride Peter Pan without waiting 45+ minutes then do head that way and watch for the line that usually forms out towards the drawbridge on the right. It will seem long but the cast members "release" the line in stages as it fills.  If you don't go to Peter Pan first thing, another option is to hit Peter Pan right after fireworks in the evening.

Immediately after or instead of Peter Pan, we usually go straight into Tomorrowland.  This land is very popular and will become extremely packed as the day goes on, but in the early morning it's usually fairly empty.  Of course you'll want to take advantage of Fast Passes or Max Pass.  We usually book a fast pass for Space Mountain right away.  With the old fast pass system this means you walk all the way to the entrance in the back to get a fast pass.  Then we'll hop on Star Tours once or twice while the wait is 10-15 minutes and do Astro Blasters (walk on as many times as you want).

Next it's on to New Orleans Square on the opposite side of the park. You really get your steps in at Disneyland! We always ride Pirates of the Caribbean first and as many times as we can. Ever since Johnny Depp visited the ride it's become a bit more popular. After Pirates we ride Haunted Mansion. Then Pirates or Haunted again if the wait times are 20 minutes or less. At this point it's usually time for Space Mountain (around 9:15 maybe) and that means we can get another fast pass! We usually get a Big Thunder Railroad fast pass, which allows us to walk directly onto the ride - no waiting in the 30-minute line. Nice, right? Then we head back over to Tomorrowland to ride Space Mountain. If we can get another reasonable fast pass for Space Mountain or Star Tours (11 or 12 am), we do it.

Ah, the magic of no people in the park yet!

Then we head to Fantasyland to ride the original kiddie rides in the castle area.  Fantasyland is usually pretty empty by this point because the Peter Pan overflow rush is over and visitors are hitting the bigger rides we've already done.  Also, since these rides are older the AC does not work as well in lines and LA is hot.  Riding in the afternoon tends to be a bit warm in line.

After Fantasyland we like to take the path by Red Rose Taverne and head back to Adventureland/New Orleans Square.  Maybe get a fast pass for Indiana Jones at this point.  Watch that ride though as it frequently breaks down throughout the day.  It's usually repaired within the hour. We can ride Big Thunder, Pirates, and Haunted again as these are favorites.  Alternatively you could also ride Jungle Cruise, the Mark Twain Riverboat, or head around to Critter Country.  Splash Mountain is a good ride in the afternoon, cuz you will get wet.  But the line will get long so if you want to ride this one, around noon is a good time or take advantage of single rider.

This is a good time to eat, and we like Bengal Barbecue a lot in Adventureland. There are many eateries in Disneyland to choose from and that's another blog post!

The remainder of the morning/early afternoon we'll wander around and ride maybe The Many Adventures of Winnie the Pooh, Autopia, and other Fantasyland rides we may have skipped if the line was long, like Alice in Wonderland. We may also visit Toon Town. Around 3 or 4pm you might want to hop on the Disneyland Railroad and take a lap or two around the park. It's a good way to give your feet a break and cool down. The best place to get on (with the shortest line) that we've found is in Tomorrowland. We also love to ride the Monorail but usually time it to when we want to go to Downtown Disney or if we're hopping to California Adventure. It's nice in the evening too, and since the Monorail does not have AC, it could be taken out of commission during hot days for safety reasons.

Of course there are a few rides we don't really care to ride (which may shock some readers, so please be warned!). We don't ride the Finding Nemo Submarine Voyage...bad experience...and we typically only ride Matterhorn Bobsleds and It's a Small World if we're visiting with others who haven't ridden or really want to ride these. So these are missing from our tour on purpose. From experience, the Matterhorn line will get very long during the day/evening, and either riding in the morning or getting a fast pass is the way to go.

In the afternoon and evening you'll notice the park is much, much busier. Because you had a perfect Disney morning and hit all the rides, this is a good time to slow down and enjoy shops on Main Street, do some shows, read about the park (all in AC - LA is still hot).  We also like to do the Tiki Bar in the evening and get a Dole Whip.  If you're planning a show or parade, you'll usually need to start saving a seat at least an hour ahead of time.  You can always walk up last minute but you're not guaranteed a good spot.

Of course the key to all of this is to use the Disneyland app or any of the other wait time apps available to monitor ride times. Don't wait if the line is too long - get a fast pass and ride something else in between.

And think about investing in an annual pass if you are going to visit the park more than six days in the year.  At the end of 2016 we knew we had a couple trips lined up so we did the math on buying several 3-day park hoppers versus the annual pass.  At the price of a 2017 3-day park hopper pass (approximately $315), an annual pass (approximately $600) broke even for us if we went 6 days or more.  To do the math as prices adjust each year, just take the amount of the passes you would normally buy, divide by the total number of days visited in the year.  Then take the current annual pass price and divide by the same number of days to compare which is better.

We've ended up going 20+ days in 2017. Tons of money saved on tickets... don't ask how much was spent in support of the habit!

A delicious evening at Trader Sam's tasting some secret menu drinks. I will post the recipes as I find them in this post, so keep checking back.

1. Krakatoa, this isn't a secret menu item but gets an honorable mention due to its excessive rum content.

(Krakatoa in a souvenir mug)

2. Old Kungaloosh, a delicious drink: it's vodka, coconut rum, Midori and pineapple juice. I wasn't sure about the Midori but it adds a subtle layer that balances the drink out perfectly. 9 out of 10, recommend.

(Old Kungaloosh)
Recipe from my friend at SasakiTime.com (check out his blog it is Awesome)
Old Kungaloosh Recipe -- Circa 1997 
1 1/4 ounce vodka
1 1/4 ounce Malibu Rum
3/4 ounce Midori (melon liqueur)
2 tablespoons pineapple juice
1 splash cranberry juice 
Mix well.

3. Adult Dole Whip, holy crap this is so good. I think it tastes better than the real thing. You get the familiar Dole Whip taste, but there is an undertone of vanilla that just takes it to the next level. 10 out of 10, must try!

(Adult Dole Whip)
This is the closest I could find, courtesy of mirlandraskitchen.com
Adult Dole Whip
1 shot whipped vodka
4 oz pineapple juice
vanilla ice cream optional
strawberry and lemon for garnish if desired
Fill a cocktail shaker half full with ice. 
Add vodka and pineapple juice. Shake.
Pour into chilled glass and serve with ice cream or desired garnish.

4. Finally the coconut cake, again not on the menu but it is a must-have at least once every Disney trip. It is the most moist (ya, I said moist) cake you'll ever have. The cake is infused with a coconut custard and the icing is a light whipped cream and coconut topping. 11 out of 10 if you like coconut.

(coconut cake)
Sad to Say the cake is no longer available. :(

Most of the people who have found this post on the internet are already familiar with Palo Alto firewalls and everything they can do. One of the features I really like is the IPS functionality built into the firewall, but - and it's a BIG BUT - if you're terminating SSL after the traffic ingresses your untrusted security zone you're losing a lot of the PAN's IPS functionality because the traffic is encrypted.

Here is a reference diagram of what I am talking about:

So how do we fix it? PAN has a feature called SSL Inbound Inspection. As of 7.1.x code this feature does not terminate the SSL session or work as a proxy; at a high level it takes a copy of the traffic and uses your imported certificate and key to inspect the traffic against the policies that have been configured. It's really easy to set up, but there are a couple of caveats that I wanted to outline in this post.

SSL and Supported Ciphers: As many of you know, the cipher suite is negotiated between the client and the server during the SSL handshake. Because the firewall does not work as an SSL proxy, or "man in the middle", you have to ensure that the client and server negotiate a cipher that the firewall is able to decrypt. This is where we ran into a little confusion. Much of the documentation on the PAN site is focused on outbound SSL decryption, which gets confusing when PAN doesn't document which feature they are discussing in an article. For example, they have an article on supported decryption ciphers, and it did not specify whether these were the ciphers used in outbound decryption or inbound inspection. Then, when I asked for documentation of supported inbound SSL inspection ciphers, they could not point me to a document. FYI, if you look at an SSL decryption profile there is a disclaimer in small print that only the listed RSA ciphers are supported for inbound inspection. I was told this was going to be fixed.

So to help you out here is what is supported for inbound SSL inspection:

To ensure your firewall can decrypt all inbound SSL traffic it is important you configure your servers or load balancers to only offer ciphers supported by your firewall. If you're using an F5 to terminate SSL here is the string you can define in the cipher list within your SSL client profile.
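The post's F5 cipher string is not reproduced here, but the rule behind that fine print can be checked mechanically. The following is an added example, not Palo Alto Networks or F5 code: it classifies each suite in an OpenSSL/F5-style cipher list by key exchange, since a passive inspector holding only the server's RSA private key can recover session keys solely for plain-RSA key exchange (ECDHE/DHE and all TLS 1.3 suites use ephemeral keys). The sample list is constructed; confirm individual suites against the firewall's own supported list.

```python
"""Audit a TLS cipher list for suites a passive SSL Inbound Inspection device can decrypt.

Added example, not Palo Alto Networks or F5 code. Assumption: a device that holds
only the server's RSA private key (no proxying) can decrypt a session only when the
key exchange is plain RSA. ECDHE/DHE suites and every TLS 1.3 suite use ephemeral
keys and stay opaque to it. The sample cipher list is constructed.
"""
import re

# OpenSSL-style name prefixes that denote a key exchange other than plain RSA.
_OPENSSL_KX_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "AECDH-", "ADH-",
                        "DH-", "RSA-PSK-", "PSK-", "SRP-")
# IANA-style names: TLS_<key exchange>_WITH_<cipher>_<mac>
_IANA_NAME = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_")


def key_exchange(suite):
    """Return the key-exchange family of one cipher-suite name.

    'RSA' means static RSA key exchange, the only family a passive inspector
    holding the server's private key can decrypt. Accepts OpenSSL names
    (ECDHE-RSA-AES128-GCM-SHA256, AES256-SHA) and IANA names
    (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_AES_128_GCM_SHA256).
    """
    name = suite.strip().upper()
    if name.startswith("TLS_") and "_WITH_" not in name:
        return "TLS1.3"      # TLS 1.3 names carry no key-exchange field: always ephemeral
    match = _IANA_NAME.match(name)
    if match:
        return match.group("kx").replace("_", "-")   # RSA, ECDHE-RSA, DHE-RSA, ...
    for prefix in _OPENSSL_KX_PREFIXES:
        if name.startswith(prefix):
            return prefix[:-1]
    return "RSA"             # OpenSSL omits the prefix for plain RSA key exchange


def audit_cipher_list(cipher_list):
    """Classify each suite in a ':'-separated cipher list (OpenSSL / F5
    client-profile syntax). Group keywords such as HIGH or ECDHE+AESGCM expand
    to many suites and are reported as unresolved rather than guessed at."""
    report = {"inspectable": [], "not_inspectable": [], "unresolved": []}
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token or token.startswith("!"):
            continue                          # empty, or an explicit exclusion
        bare = token.lstrip("+-")             # leading '+'/'-' only reorder or drop suites
        if "-" not in bare and not bare.upper().startswith("TLS_"):
            report["unresolved"].append(token)
        elif key_exchange(bare) == "RSA":
            report["inspectable"].append(bare)
        else:
            report["not_inspectable"].append(bare)
    return report


def rsa_only_cipher_string(cipher_list):
    """Rewrite a cipher list so the server offers only suites the inspector can
    decrypt. The trade-off is explicit: plain RSA key exchange gives up forward
    secrecy, so keep the list no broader than the inspected hosts need."""
    return ":".join(audit_cipher_list(cipher_list)["inspectable"])


# Constructed sample: a load-balancer list mixing ECDHE, DHE, plain RSA and TLS 1.3 suites.
SAMPLE_CIPHER_LIST = ("ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:"
                      "AES256-SHA:TLS_AES_128_GCM_SHA256:!aNULL:!MD5")

if __name__ == "__main__":
    result = audit_cipher_list(SAMPLE_CIPHER_LIST)
    for category, suites in result.items():
        print(f"{category:16s} {suites}")
    print("offer only:", rsa_only_cipher_string(SAMPLE_CIPHER_LIST))
```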


APP-ID and Application Default Services: Many of you out here have enabled APP-ID on your firewalls and probably leveraged the application default service setting to let the firewall determine the port to allow traffic on.  I have been told application default setting in the services section of a security policy is best practice and, to be honest, I actually like it and use it; but it can break SSL Inbound Inspection. To understand where it breaks we first need to understand how a firewall processes a packet when you have enabled inbound SSL Inspection:

  1. The firewall checks whether the packet is allowed by the security policy.
  2. The firewall identifies the traffic as SSL.
  3. The firewall checks whether the destination is configured with an SSL decryption policy.
  4. If the destination address matches a protected IP address, the traffic is decrypted and processed through the security policies once again as web-browsing, still on port 443.
  5. Bang! The connection is broken.

When you have application-default set, the firewall expects specific ports based on the application identified by APP-ID. So if you have ssl and web-browsing configured in the APP-ID portion and application-default configured in the services portion of your security policy, then once the firewall decrypts the packets and runs them back through the security policies as web-browsing traffic on port 443, the firewall drops or resets the connection.

To resolve this issue you can still use APP-ID, but you will need to explicitly list the ports the firewall will allow traffic on. This allows any listed application, in this case web-browsing traffic on TCP port 443, on any of the listed ports.
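A small model of the two-pass lookup described in the five steps above, as an added example (not Palo Alto Networks code): the same flow is evaluated first as ssl and then, after decryption, as web-browsing on the same port, and only the rule with an explicit port survives both passes. The default ports follow PAN-OS App-ID (ssl on 443, web-browsing on 80); the rule names are constructed.

```python
"""Two-pass policy lookup under SSL Inbound Inspection.

Added example, not Palo Alto Networks code. It models why a rule whose service
is "application-default" passes the first lookup (ssl on 443) but fails the
second (web-browsing, still on 443), while a rule that lists the port explicitly
passes both. Default ports mirror PAN-OS App-ID; rule names are constructed.
"""

APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}


class SecurityRule:
    def __init__(self, name, applications, service):
        # service is either the string "application-default" or a set of TCP ports
        self.name = name
        self.applications = set(applications)
        self.service = service

    def allows(self, app, port):
        """Match on application first, then on the port the rule's service permits."""
        if app not in self.applications:
            return False
        if self.service == "application-default":
            return port in APP_DEFAULT_PORTS.get(app, set())
        return port in self.service


def inbound_inspection_lookups(rule, port=443):
    """Return [(stage, app_id, allowed)] for both passes of one inbound flow."""
    # Pass 1: the encrypted flow is identified as ssl on the server's port.
    first = ("pre-decrypt", "ssl", rule.allows("ssl", port))
    # Pass 2: after decryption the same flow comes back as web-browsing on the
    # same port; under application-default that port no longer matches.
    second = ("post-decrypt", "web-browsing", rule.allows("web-browsing", port))
    return [first, second]


def connection_survives(rule, port=443):
    """True only if the flow is allowed on both passes."""
    return all(allowed for _, _, allowed in inbound_inspection_lookups(rule, port))


if __name__ == "__main__":
    broken = SecurityRule("inbound-web", ["ssl", "web-browsing"], "application-default")
    fixed = SecurityRule("inbound-web", ["ssl", "web-browsing"], {443})
    for rule in (broken, fixed):
        print(rule.service, inbound_inspection_lookups(rule), "->",
              "ok" if connection_survives(rule) else "reset")
```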

Configure SSL Inbound Inspection: You can click here to go to the Palo Alto Networks website, where they will walk you through the SSL Inbound Inspection configuration.

Friend, co-worker, and guest blogger Matt Krieg, owner of Krieg Productions, talks about his video setup. You can find him at his website www.kriegproductions.com or check out his YouTube channel.

So, you want to be a videographer?
It seems like everyone with a camera wants to make money creating videos these days. But there’s a lot more that goes into video production than you might think. From the monthly software or subscription fees to the thousand dollar stabilizers, the investment needed for professional level video is much higher than you may think. However, that isn’t to say it can’t be done on a budget and I’m going to show you the bare minimum you’ll need to get started in professional video production.

Alright - just accept this bitter reality right now - camera equipment is very expensive. Don't try to cut corners on everything by buying the cheapest gear you can find, because you'll pay the difference later down the road. Trust me. You don't need a whole lot to get started, but you'll probably end up buying more equipment for each project you take on. Don't get caught up in all the gear specs right now; if you're brand new to videography, just understand this one concept on gear: the diminishing return on camera equipment starts a lot sooner than you may expect. There is a huge difference between a $100 camera and a $1,000 camera, but there is very little difference between a $1,000 camera and a $3,000 camera. You'll want to stay at this sweet spot of about $1,000 for your camera. Maybe even lower if you're on a serious budget. So, once you understand that you don't need to drop $5,000 on your first camera, let's get right into the gear.

Your camera is going to be your workhorse, so leave a little more room in the budget for a solid camera. Since our main objective is video, I'm going to focus on the two powerhouse brands in the video market right now: Panasonic and Sony. I'm not going to discuss which is the better camera, but Sony seems to run on the more expensive side compared to Panasonic's line. I think the best budget-friendly 4k camera on the market today is the Lumix G7 from Panasonic. It currently costs around $600 with the kit lens, but I've seen them as low as $500 during sales. You get a ton of features for the price and you'll be future-proof for a bit longer with the 4k video resolution. If you do end up going the Sony route, be aware that you'll be paying a premium for lenses and accessories.

Lenses are often overlooked when getting into videography; however, I believe having the right lens can be more important than having a high-end camera in most cases. You’ll want to keep a little money for a nice quality lens or two. Most kit lenses are sufficient, but having a couple focal lengths to choose from will definitely step up your quality game. I like to use a 25mm fixed (equivalent to a 50mm in full frame) and a 12–60mm zoom lens. The 25mm is one of the cheapest lenses out there and it is very versatile. The 12–60mm, or 14–42mm if you get the G7, will be a great ‘run & gun’ lens.

Sound is just as important as video, and if you're lacking in the sound department, no one will watch your videos. The brain actually processes sound before visuals, so it is crucial to spend just as much, if not more, time perfecting audio than video. The on-board audio from your camera is garbage. But you do have a few options as far as audio recording goes. If you're not sure what kind of videos you'll be making, I'd recommend going with a small shotgun mic that attaches to the camera's shoe mount and plugs directly into the camera. Rode makes a nice line of mics for this category, and the two big options are the VideoMic GO and the VideoMic Pro. The Pro version has a built-in audio processor, while the GO version is just a shotgun microphone using the camera's audio processing. There is plenty of info out there comparing these mics, so you'll have to make the call on which one will fit your needs. Of course, in some cases a lavalier mic (worn on the collar) or external shotgun mic will work better, but this is going to cost a lot more and won't be as versatile.
Here are a few of my recommended microphones on the market:
VideoMic Pro - http://amzn.to/2i4KEg7
VideoMic GO -  http://amzn.to/2wOmI3Q 
Great wireless lavalier - http://amzn.to/2i38Pvg
Affordable lavalier - http://amzn.to/2vZKaxm
Solid external shotgun mic - http://amzn.to/2vGOAXB 

You will go crazy trying to find the best lighting equipment on a budget so, to make this easy for you, just pick up some 700W softbox lights for $60 - $80. For most shoots, I like to use as much natural light as possible and I find myself rarely using artificial light. But it is great to have some as a backup just in case. Good lighting will take creativity and practice so don’t spend a ton of money on lighting early on.

Everything else

Tripod – AmazonBasics makes an affordable tripod that gets the job done; however, if you have more to spend I'd recommend the Manfrotto 290 Xtra as it is of much higher quality. You can watch my review of it here: https://youtu.be/U-0_l_zkncQ
Manfrotto tripod - http://amzn.to/2vBRdv3
AmazonBasics tripod - http://amzn.to/2wOxLKq 

Batteries – Four batteries should be plenty for a day of shooting and you can find batteries for your camera relatively cheap from numerous brands on Amazon.

SD Cards – The one thing you'll want to look out for here is the speed of the card. Make sure the card says U3, which is usually 95MB/s. Having two 64GB SD cards should give you just over 2 hours of 4k recording.
95MB/s - http://amzn.to/2fIJJkJ
150MB/s - http://amzn.to/2vGXUL3

Storage – You’re going to go through hard drives like never before when you start importing all the 4k video files so make sure you set aside some money for external hard drives. If you’re getting paid to do video work you will need to back up everything at least twice. The last thing you want is a corrupt or failed hard drive with someone’s valuable footage on it so save yourself that headache and back it all up.

Editing software – This is mainly personal preference but you can’t go wrong with Adobe Premiere Pro CC which is available in the Adobe Creative Cloud service. Another good editing program is Sony Vegas but I haven’t used that brand nearly as much as Adobe’s programs. If you’re a student in college you can get a nice discount on the creative cloud membership and it’s well worth it.

Remember this is the bare minimum of what you would need to start shooting professional videos. There are TONS of other accessories that would help you create the best possible product however it would also cost a lot more for all of it. You will more than likely end up like me - purchasing a new piece of gear for every new project, with some reason to justify your guilty spending. But in the end, it comes down to you as a creative videographer and your ability to create a meaningful story through the lens. If it all came down to who had the best equipment then all the richest filmmakers would have the best content and this is simply not the case. So do your research, buy a camera that fits your budget, and start filming.

But keep in mind - the best camera is always the one you have with you.

Everybody has heard of secret menu items at Disneyland, and almost every eatery has at least one.  So myself and some friends have started a living document to track and rate the secret menu items we run across.

Captive portals have become synonymous with guest Wi-Fi in enterprise environments. From Starbucks to your doctor's office, people expect free and easy-to-use Wi-Fi, but what was once easy to do is getting more difficult. Browser security is always improving, which has made the goal of HTTPS redirects even more difficult. Captive portal redirection for users going to HTTPS websites has always created SSL-related errors -- this has helped create a cry-wolf scenario when it comes to HTTPS redirection errors. This error-rich environment has helped HSTS errors fly under the radar.

At a high level HSTS (HTTP Strict Transport Security) is a policy that, when enabled, forces a browser to use an HTTPS connection over HTTP and allows for the SSL certificate to be cached on the browser for a predetermined length of time. With HSTS enabled, clients are protected from protocol downgrading, man-in-the-middle attacks, and cookie hijacking. Most modern browsers (Google Chrome, Mozilla Firefox, Microsoft Edge) come preloaded with a list of sites supporting STS (Strict Transport Security). Along with the pre-configured list built into browsers, developers can take it upon themselves to enable this policy on their sites. Once enabled, a timeout is sent in the HTTPS response header that contains an HSTS TTL: "Strict-Transport-Security: max-age=31536000". The certificate received from the site will be honored until the timeout expires. Future attempts to access the site will reference the certificate and, if the certificate does not match, the browser will not allow the connection to the site to be established.

For a more in depth HSTS description check out Troy Hunt's post Understanding HSTS.

So how does HSTS break captive portals? HSTS enforces the use of HTTPS. It enforces this using the two methods mentioned earlier: the HSTS header or the STS preload lists in the browser. When a user connects to a captive portal and launches their browser, normally the wireless controller intercepts their Internet request and a redirect is sent back to the client. This redirect to the captive portal will obviously be for a different CN than their original request, so many times this creates an SSL error. Many users have become numb, accepting the error and continuing to the portal. But HSTS is a little different.

Because HSTS already knows the website should be using HTTPS, the browser issues an internal HTTP 307 redirect that sends the traffic to HTTPS even before it attempts to connect to the server. Once it connects to the server, it attempts to validate the certificate it expects for the HSTS site. In the case of a redirection, the captive portal is not presenting the certificate the browser expects for that HSTS-protected site. When this happens the browser assumes something nefarious is going on and does not allow the redirection to occur. I know one vendor has a bug report filed for this issue (even though it's not really a bug), and I don't know if it's a fix the wireless vendors can provide.

Bottom line for users connected to a captive portal today:
  • If the user visits an HTTP site, they are immediately redirected to the captive portal. This works regardless of which browser they are using.
  • If the user visits an HTTPS site that does not use HSTS, they receive a warning. If they click "Continue" they are redirected to the captive portal. This works regardless of browser.
  • If the user visits an HTTPS site that does use HSTS and they are using a browser that supports HSTS, they are dead-ended. The only way to get redirected to the captive portal is to visit a different site. Many people have https://www.google.com or Facebook set as their homepage. Both of these sites use HSTS, so this might confuse some users.

This issue of not being redirected to a captive portal affects every wireless vendor. As more and more sites use HSTS, getting a proper redirect becomes harder. Hopefully the wireless vendors are sitting on the working group for this new standard and are pushing hard to get it ratified.

In the long run, if something is not done, enterprises will quit using captive portals once it becomes really tough to get a proper redirect. But for now, being forced to use captive portals, I have not seen a surefire technical way of getting around the issue. You can, however, get around the HSTS errors through communication and policy.

For example:
I am considering turning off HTTPS redirection altogether. This creates a predictable environment for the users and the system admins. By not redirecting HTTPS, you remove the confusion caused by redirection issues based on SSL certificates, HSTS, or any new security the browsers build in, and you level the playing field. Then, in the case of a sponsored portal, the email notification that is sent to the visitor and/or the person being visited can include the verbiage, "If you are not redirected to the guest portal, please type a non-secured HTTP website into your browser".
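As an added example (not code from this post), the Python sketch below models the three outcomes in the list above plus the "turn off HTTPS redirection" policy just described: the preload entries, hostnames and header values are constructed for illustration, and a real browser keeps far more HSTS state (expiry times, includeSubDomains) than this.

```python
"""Simulate how a browser's HSTS state decides whether a captive-portal
redirect can ever reach the user.  Constructed example, not browser code."""
from dataclasses import dataclass, field
from enum import Enum
import re
from urllib.parse import urlsplit


class Outcome(Enum):
    PORTAL_DIRECT = "HTTP request intercepted, user lands on the portal"
    PORTAL_AFTER_WARNING = "certificate warning; 'Continue' reaches the portal"
    HSTS_DEAD_END = "HSTS host: hard certificate error, no click-through"
    NO_HTTPS_REDIRECT = "HTTPS not redirected; user must type an HTTP site"


@dataclass
class Portal:
    """Wireless-controller behaviour toward an unauthenticated client."""
    https_redirect: bool = True   # False models the policy in the post


@dataclass
class Browser:
    """Minimal HSTS state: a tiny constructed preload list plus learned hosts."""
    hsts_hosts: set = field(
        default_factory=lambda: {"www.google.com", "www.facebook.com"})

    def record_header(self, host: str, sts: str) -> None:
        """Apply a Strict-Transport-Security header received from `host`."""
        m = re.search(r'max-age\s*=\s*"?(\d+)', sts, re.IGNORECASE)
        if not m:
            return
        if int(m.group(1)) > 0:
            self.hsts_hosts.add(host.lower())
        else:                       # max-age=0 tells the browser to forget the host
            self.hsts_hosts.discard(host.lower())

    def navigate(self, url: str, portal: Portal) -> Outcome:
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname.lower()
        enforced = host in self.hsts_hosts
        if scheme == "http" and enforced:
            scheme = "https"        # internal 307: upgraded before any packet is sent
        if scheme == "http":
            return Outcome.PORTAL_DIRECT   # controller answers with a redirect to the portal
        if not portal.https_redirect:
            return Outcome.NO_HTTPS_REDIRECT
        # The controller answers with the portal's own certificate, whose name does not
        # match `host`.  Only the HSTS state decides whether the user may click through.
        return Outcome.HSTS_DEAD_END if enforced else Outcome.PORTAL_AFTER_WARNING
```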

Just got back from Disneyland, and with rumors of guest Wi-Fi in the park I thought I would do a little war walking. I didn't bring a sophisticated setup, just an Android phone running Wigle connected to an external battery. Also, I didn't make a point of mapping the entire park, so this is just a sample from the first half of the first day.

As of 4/25/2017 it does not appear that Disney has rolled out park-wide guest access, but the infrastructure is impressive. Again, this is a very small data sample, but perhaps the 161 networks that were not broadcasting an SSID could be the pre-deployed guest network. Also, it looked to be a Cisco wireless deployment based on the MAC addresses of the radios.

Guest network or not, Disneyland has an impressive wireless infrastructure, and providing guest Wi-Fi for a property as large and as densely populated as Disneyland will be an impressive feat of engineering.

Lastly, Disney, if you see this post I have a suggestion for the guest network SSID:
"Be Our Guest"

SSID                 # of APs
WLAN-TWDC            198
no SSID              161
ShowNET-TWDC          33
Disney Guest          13
Internet-TWDC         10
Disneyland_Resort      6

The captive portal for Internet-TWDC

This is the 2.0 version of my previous Defcon Prep Guide. Every year more people ask me about attending Defcon for the first time. Many are intimidated or not sure if they should attend. I hope to address their concerns and sway them toward checking out Defcon.

Should I Attend: This is probably the first and most frequent question I get about Defcon. There is a lot of lore and hype around Defcon, much of which is earned and deserved, but you don't have to be a 1337 black hat hacker to go to Defcon. Defcon has something for everyone, and I mean everyone. Defcon is usually broken up into 4 tracks that are loosely themed and diverse. So diverse that you can generally find talks that interest you in any of the tracks. Check out this link to Defcon 24's schedule to get an idea of what the talks are about.

But the talks are just a small portion of a much bigger convention. As a first-time attendee, I would recommend spending most of your time in the different villages and competition areas. These are smaller conventions within the convention where people who are interested in anything from ham radios to social engineering to car hacking can spend the entire day hanging out with people who share their interests. Here is a link to Defcon 24's Village Talks.

It may seem overwhelming, but just find something that interests you and don't try to do everything. Oh yeah, and drink some beer; there will be a lot of it.

When is Defcon: It's normally held towards the end of July or the beginning of August. It's a good idea to get there a day early, usually Thursday, to buy swag and get your badge, because it gets super busy the day of.

ProTip: You will want to go down Thursday morning or stay up partying Wednesday night to get your badge. People start lining up around 4:00am for the convention passes.

How Much is Defcon: The registration fee goes up a little every year, and they will post the fee as we get closer to the Con. Most everything at Defcon is cash only, including the ticket, and for the love of god don't use an ATM anywhere near the convention.
  • Registration: $230 to $250 (just a guess)
  • Hotel: Defcon room rates differ depending when you book, but Defcon usually negotiates a good price.

Where to Stay: Staying at the hosting hotel is a must. It's nice to just head up to your room between talks, and attending the late-night festivities is a breeze since you only have to stumble to the elevators. Reserve your rooms early for Defcon; the hosting hotel sells out quickly.

Added bonus: if you stay at the hosting hotels, Defcon will stream the talks and schedules to the hotel rooms. This is not always guaranteed, especially when they move to a new venue, but they usually work it out.

What to Bring: A few essentials I bring to Vegas.
  • Snacks, because eating at the Con can get kind of pricey, plus a lot of people save the money for drinking.
  • Buy a cheap throwaway cooler for refreshments and ice in the room.
  • A laptop, "AT YOUR OWN RISK". If you bring your laptop, do not bring it to the Con; leave it in your room, and even then disable your Wi-Fi and Bluetooth and do not use the hotel Internet. Defcon's network, including the hotel's, has been deemed the most hostile network in the world. Even the cellular network is hostile and usually sucks anyway, "Thanks Ninja Tel". That being said, if you have a freshly wiped laptop and you want to partake in the festivities, bring it, just don't use it for anything other than hacking, and reformat when you get home.
  • Cell phone: if you have an old-school flip phone, bring it. If you bring your smartphone, make sure to turn off the radios, i.e. Wi-Fi, Bluetooth, etc. Nothing is safe.
  • Aspirin, for obvious reasons.
  • Your finest hacker tees (they're kind of a big thing) and a comfortable pair of shoes. You will be standing in some lines; imagine a Disneyland for hackers...
Useful Links:

Twitter to Follow:
  • @defcon
  • @wallofsheep
  • @DC_HHV
  • @toool
  • @dcib

Hope to see you there. You can hit me up at @hackercult on Twitter and at the convention.

So Congress and the Senate decided to look out for their constituents and protect the privacy of the people who put them in office. In the immortal words of Borat, "NOT"! The repeal of the FCC's Broadband Privacy Rules only benefits the Internet providers. It actually provides a substantial revenue stream for big business (Comcast, Time Warner, AT&T, etc.) that did not exist before. One of the analogies used to justify the vote was "it evens the playing field"; what they meant was, because the Googles, Yahoos, and Facebooks can use your information to deliver targeted ads, why can't we (the ISPs) do it?

Well, let's start with the reality. Today Google does deliver targeted ads from information they gather through browsing history, email, etc. For most this is a trade-off for service. Google can provide the most popular free email client and web browser in the world because of the advertising they sell. When you sign up for Google or Yahoo, you are the product. That is a well-understood concept, and most people are willing to trade their information for free services. This is where the level-playing-field analogy breaks down. ISPs such as Comcast or Time Warner charge for their services, and in most cases a lot. It's true they have been monitoring your traffic; just ask anyone who has received a cease-and-desist letter after a torrent download. Now they can act on that information: they can start injecting ads into your web browsing, selling your non-identifiable browsing data, and collecting everything you do online.

So what impact does that ultimately have on the users? In the short term, for the average user, maybe not a lot, but these are different times. We should be able to trust our ISP to be responsible for our privacy, but the collection of this data makes them a rich target not only for hackers but for the government. Think about a world where the government, in conjunction with the Internet providers, has identified every person using the Internet and, from their browsing data, is able to conclude their illnesses, banking information, relatives, sexuality, and hobbies. I challenge you to think about your life and what part of it, if any, you have never searched on the Internet or uploaded to social media.

That is an extreme example, I hope, but very plausible. Our privacy and freedom of speech are cornerstones of America, and to just give them up so that (let's face it) horrible companies can make more money seems like a stupid thing to do.

Check out these links if you're interested:
EFF Electronic Frontier Foundation
ACLU American Civil Liberties Union
Bruce Schneier Schneier.com

Please check out the EFF's Surveillance Self-Defense site. It has a ton of tools and information to help you understand, and do something about, your online privacy. Of course, it was originally put together to aid individuals in repressive regimes, but maybe that's where we are at.

If you're a techie and do-it-yourself kind of person, here is a link to OpenVPN's AWS guide to deploying your own VPN server in AWS. If you want to give it a try, AWS will give you a free year, and OpenVPN includes a free 3-device license with their OpenVPN Access Server. It was really easy to set up and it will work with PC, Mac, iOS, and Android.
Open VPN Access Server on AWS

The Blue Bayou Gumbo Recipe

A friend of mine gave me a copy of Disneyland's Blue Bayou Gumbo recipe. I have not yet tried to make this recipe, but I have eaten my fair share of Blue Bayou Gumbo and it is delicious! I also included a scan of the original recipe at the bottom.

Step 1: Brown Roux
1 cup   Flour
1 cup   Butter
In a small pan, over medium heat, melt the butter and mix with flour.
Stir to remove lumps and cook, mixing constantly, for a few minutes until dark brown.
Cool at room temperature and set aside for later use.

Step 2: Meats
1 oz        Olive oil
1/2 cup   Chicken chunks
1/4 cup   Tasso ham
1/2 cup   Andouille sausage, 1/4" portions
In a sauté pan, heat the oil and sauté the chicken, ham, and sausage.
Set aside for later use.

Step 3: Vegetables and Spices
1 oz        Olive oil
1/4 Cup  Celery, diced
1/4 Cup  Green peppers, diced
1/4 Cup  Onion, Chopped
3 tbsp     Garlic, Chopped
1/8 tsp    Bay leaves, ground
1/8 tsp    Thyme leaves, dry
1/8 tsp     Oregano, dry
1/4 tsp     Onion powder
1 Gal       Water
2 oz         Chicken base
In a 2 gallon sauce pan, heat the oil and lightly sauté the vegetables and herbs.
Next add onion powder.
Then add the sautéed meats from step 2, water, and chicken base.
Bring to a boil.

Step 4: Gumbo
1/4 Cup    Tomatoes, diced
2 tbsp       Green onion, diced
3 oz         Okra, frozen
1/8 tsp     Gumbo filé (seasoning)
Add the brown roux from step 1 to the 2 gallon sauce pan.
Add in small amounts mixing to prevent lumps.
Reduce the heat and cook for 5 minutes.
Add the tomatoes, green onions, okra, and gumbo filé.

The Original Recipe

Cord cutting has been a way of life for the early adopters, but technology has moved forward and cord cutting is becoming easier and more reliable. But is it ready for your parents? Well, that is a question only you, as the sole IT person for your entire family, can answer. How much time will you need to dedicate to support, and do the outrageous prices of your local ISP's Triple or Quadruple Play package have a better return on investment than the time you'll need to invest in support?

I am going to outline the first steps of cord cutting for my mother-in-law. She is pretty tech savvy but does worry about stuff not working, so what we put in place better work. I will go over the services we are looking to replace and see how far we get. I will actively update this post with status and we'll see how it goes.

Currently she has a triple play package: VOIP phone, Internet, and cable TV. She is currently using the ISP modem, so right off the top getting rid of that will save $10.00 a month. Also, she recently moved to a different area and wanted to keep her original phone number from the 80s. Unfortunately she was unable to transfer it, so we hacked together a plan to port her original number to a pay-as-you-go mobile phone, then from her mobile phone port the number to Google Voice. I should do a blog post about it because it was quite an adventure.

First step testing the VOIP replacement:

The Device: I set up an OBi device to connect her Google Voice number to the telephone lines in her house. Here is the one I am going to get her: OBi200 1-Port VoIP Phone Adapter. Since we set up her Google Voice under her Gmail account, setting up the OBi is super straightforward. Also, now she can use her original phone number again.

Cost Savings: Yet to be seen. She is under contract for the Triple Play; once that expires we will renegotiate with the ISP.

Outcome: Good so far. One issue we ran into was the phone not ringing. I think it is a setting in Google Voice to ring the Google Chat account; I will let you know what the outcome is.

Next step will be replacing the Modem:

The Device: Currently she has the ISP-rented modem with built-in wireless. We disabled the built-in wireless, but it still advertises the ISP's SSID. The modem is also the digital-to-analog converter for her VOIP service. This is why we are testing to make sure the OBi is a viable solution before we return the rented ISP modem. We are going to buy an ARRIS SURFboard SB6183 DOCSIS 3.0 Cable Modem. I think she will get even better throughput with the Arris modem than with the ISP-rented modem.

Cost Savings: The modem is $80.00 and her modem rental fee is $10.00 a month, so in 8 months the modem would be paid off, and once paid off she will be saving $120.00 a year.

Outcome: Yet to be seen.

The final and most difficult hurdle:

The Device: Cable television will be the most difficult replacement. My mother-in-law is an avid TV watcher and DVR master, but she hates the offered DVR menu and management. So I am looking for a solution. I don't think services like Hulu, Sling, or DirecTV are mature enough to replace cable TV. Netflix and Hulu are great but don't offer the shows she watches in a format she is used to. So for now we will wait and see. I might look into a TiVo and a CableCARD; this might give her a better management interface, but it may not be cost effective.

Cost Savings: TiVo Bolt 1TB, $300.00 one-time cost. Monthly service is $12.50 a month if you buy it per year. From the cable provider you get a free CableCARD and a $2.50 credit every month. You could also drop the equipment rental and DVR fees; yet to be seen how much those are.

Stay tuned for updates and more fun.